Troubleshooting Windows Host UNREACHABLE!

[Matt Calhoun]

I have many windows hosts that have been configured identically (as far as I can tell) and I can connect to all but one of them. Anyone have an idea of why this may be happening?

- Up to date on all windows patches

- Have rebooted

$ ansible myhost -m win_ping -o -vvvv                                                                                                                                                                                       

Using /Users/[redacted]/Dropbox/Code/[redacted]/[redacted]/ansible.cfg as config file

Loaded callback oneline of type stdout, v2.0

<myhost> ESTABLISH WINRM CONNECTION FOR USER: [redacted]@MYDOMAIN.LOCAL on PORT 5985 TO myhost

<myhost> EXEC Set-StrictMode -Version Latest

(New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1447277903.29-206977271531324").FullName | Write-Host -Separator '';

myhost | UNREACHABLE!

$ telnet myhost 5985

Trying 10.159.15.11...

Connected to myhost.mydomain.local.

Escape character is '^]'.

C:\Windows\system32>hostname

myhost

C:\Windows\system32>winrm get winrm/config/service

Service

    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)

    MaxConcurrentOperations = 4294967295

    MaxConcurrentOperationsPerUser = 1500

    EnumerationTimeoutms = 240000

    MaxConnections = 300

    MaxPacketRetrievalTimeSeconds = 120

    AllowUnencrypted = true [Source="GPO"]

    Auth

        Basic = true [Source="GPO"]

        Kerberos = true

        Negotiate = true

        Certificate = false

        CredSSP = false

        CbtHardeningLevel = Relaxed

    DefaultPorts

        HTTP = 5985

        HTTPS = 5986

    IPv4Filter = * [Source="GPO"]

    IPv6Filter = * [Source="GPO"]

    EnableCompatibilityHttpListener = false

    EnableCompatibilityHttpsListener = false

    CertificateThumbprint

[Trond Hindenes]

Can you test regular psremoting from another windows host to the problematic machine using the same port (5985) and the same auth scheme (Kerberos) that you are (seemlingly) using in your Ansible config?

[J Hawkesworth]

Worth checking if Window Remote Management service is running and if using a domain user that the domain user a member of the WinRMRemoteWMIUsers__ group too.

Jon

[Matt Calhoun]

I have verified that PSRemoting seems to be working fine on this host. From another windows box...

PS C:\> Invoke-Command -ComputerName myhost -port 5985 -Authentication Kerberos -ScriptBlock { Get-Content c:\windows\system32\drivers\etc\hosts  } -credential myaccount

<Prompted for and enter password here>

# Copyright (c) 1993-2009 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

#      102.54.94.97     rhino.acme.com          # source server

#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.

#       127.0.0.1       localhost

#       ::1             localhost

[J Hawkesworth]

try hitting it again with ansible and check the event logs for any evidence of a login attempt.

if its not getting that far... is there a proxy between controller and windows host (guessing a bit here, not much experience with proxies)?

possibly firewall rules kicking in?  bear in mind different profiles which may or may not be affecting connection from controller to windows target differently from windows to windows

will try and think of more ideas.

[Calhoun, Matt]

I see a sucessful connection listed in the event logs, and in my original post demonstrated that I could telnet in on the WinRM port, so no firewall blocking. There is also no proxy or anything in between. I can connect to over 100 different servers, many on the same subnet as myhost, but this is the only one giving me trouble.

--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/ZebLwqaxYpo/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/0433d886-3b8b-413a-ae39-3c0f1c2b65a3%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[J Hawkesworth]

Is this machine Server 2008 R2 by any chance?  WMF 3.0 had an irritating bug where it would allocate a tiny memory quota for winrm so things would fail a lot.  Hotfix for the fix as described in the blue box here: http://docs.ansible.com/ansible/intro_windows.html#windows-system-prep

Just comparing my winrm get winrm/config/service with yours and my last line states

'AllowRemoteAccess = true' - do you have that?

Jon