Fabric OS Encryption Administrator's Guide
234 Fabric OS Encryption Administrator’s Guide
53-1002159-03
LUN policy troubleshooting
6
LUN policy troubleshooting
Table 14 may be used as an aid in troubleshooting problems related to LUN policies.
TABLE 14 LUN policy troubleshooting
Case Reasons for the LUN getting disabled by
the encryption switch
Action taken If you do not need to save the data: If you need to save the data:
1 The LUN was modified from encrypt
policy to cleartext policy but metadata
exists.
LUN is disabled.
Reason code:
Metadata exists
but the LUN
policy is cleartext.
Issue the cryptocfg --enable -LUN
command on one path of the LUN.
This erases the metadata on the
LUN and the LUN is then enabled
with cleartext policy. Issue the
cryptocfg --discoverLUN
command on other paths of the
LUN in the DEK cluster to enable
the LUN.
Modify the LUN back to encrypt
policy.
2 The LUN was set up with an encrypt
policy and the LUN was encrypted
(metadata is present on the LUN), but
the DEK for the key ID present in the
metadata does not exist in the key
vault.
LUN is disabled.
Reason code:
Metadata exists
but the DEK for
the key ID from
the metadata
does not exist.
Modify the LUN policy to cleartext.
The subsequent handling is same
as in case 1.
Make sure the key vault has the
DEK and when the DEK gets
restored to the key vault, perform
one of the following tasks on one
of the paths of the LUN to enable
the LUN:
• Issue the cryptocfg
--discoverLUN command
• Remove the LUN from the
container and then add it
back
• Bounce the target port
Then issue the cryptocfg
--discoverLUN command on
other paths of the LUN in the
DEK cluster.
3 The LUN was set up with an encrypt
policy and the LUN was encrypted
(metadata is present on the LUN), but
the current state of the LUN is
cleartext instead of encrypted.
LUN is disabled.
Reason code:
Metadata exists,
but the LUN
policy is indicated
as cleartext.
Modify the LUN policy to cleartext.
The subsequent handling is the
same as in case 1.
Remove the LUN from the
container and then add the LUN
back with the LUN state as
encrypted, or issue the cryptocfg
--enable -LUN command on one
of the paths of the LUN which will
enable the LUN by using the
appropriate key. Then issue the
cryptocfg --discoverLUN
command on other paths of the
LUN in the DEK cluster to enable
the LUN.