Pros and Cons of IP Service Affinity (ip_service_affinity)

Go to solution
jeremyeperdue
Giga Expert

‎10-24-2015 06:35 AM

I think using the ip_service_affinity property to be very valuable and time saving. But this is set false by default so I ask, what are the downsides of using it?

reference : Credentials - ServiceNow Wiki

------------------------------------------------------------------------------------

Update & Summary

I put this together for internal use and thought I would share to see if it can help anyone else. Doug, please correct me if I am incorrect about anything.

With OOB discovery, it tracks the credential that is used for a successful login, but not the device type. An example; A Windows machine is interrogated for the first time. ServiceNow Discovery determines it is a Windows Device and begins trying all the Windows based credentials in the credential table until it finds one that works. There is a credential affinity created here saying, next time you try to discover this device, use the credential that works. All subsequent discoveries will try the last working credential first.

This is great until we see network devices such as a router or switch. In these cases, there are multiple ports open, primarily, SSH and SNMP. Due to the OOB ordering of probes, Discovery tries SSH first because it sees port 22 open. It iterates through all the SSH credentials and because we are not authorized via SSH to discover the device, it ultimately fails then moves to SNMP. Using the same logic mentioned above, if the device has been discovered previously, it attempts to use the SNMP credential set in the affinity table and we authenticate and continue discovery.

The failed UNIX (SSH) attempts at the beginning of the discovery take time. So here is where IP Service Affinity should come in. With IP Affinity, the first time you discover the target and say SSH failed but SNMP was successful in classification we tag that IP to have that port 161 affinity.   So the second, third, tenth time we discover it and see port 161 and port 22 open we go right to the SNMP classification bypassing the SSH classify because we have already learned that it's been successful with SNMP.

My Primary Focus : We are spending time trying to authenticate via SSH when SNMP is the way the devices are setup for discovery. From Routers and Switches, to our Network Appliances (Riverbeds), they all use SNMP to authenticate yet still try SSH first and this can be a time consuming process. Or so I thought. Here are my results;

Step 1) Ran Test Discovery in our DEV instance.

                  Baseline set at 10 hours 41 minutes

Step 2) Set IP Affinity to true and re-ran discovery.

                  This step took 11 hours 1 minute

Step 3) Ran again after the affinities were created.

                  Discovery took 10 hours 58 minutes

Next I reordered SNMP to 2 and SSH to 3 on probe priority, 11 hours 9 minutes.

I am reverting everything to OOB as there was no noticeable improvement in time.

Message was edited by: Jeremy Perdue

Labels:
  • 5,206 Views
1 ACCEPTED SOLUTION

Go to solution
doug_schulze
ServiceNow Employee
ServiceNow Employee

‎10-27-2015 08:29 AM

Jeremy,



I've been on the fence with this property ever since they started white boarding it.   I do see the value in it especially when you think about how discovery works out of box.. for a refresher for those that may not know for reference...



When we see an active IP address we attempt to classify the target based on the classification priority as defined on the port probes.   So if an IP address showed it had port 135 (WMI) , port 22 (SSH) in a state of open by default order we would attempt to pass windows credentials and when/if that fails we would then move onto the next protocol in order that being SSH. This would happen every time we discover that IP address when the same ports represent as "open" so you are always going to have a WMI authentication error in your discovery logs.



Well what this IP Affinity does is the first time you discover the target and say SSH was successful in classification we tag that IP to have that port 22 affinity.   So the 2nd , third, tenth time we discover it and see port 135 and port 22 open we go right to the SSH classification bypassing the wmi classify because we have already learned that its been successful with SSH.



So you can see the value in that right off the bat, just like our credential mechanics (dscy_credentials_affinity) we have already learned how to talk to that IP and it will help save troubleshooting errors down the line that should be ignored anyway helping your day to day discovery admin'n ..   Im just concerned how that will be represented in fluid IP allocation environments, what if one IP is a windows host today but DHCP or re-allocation of IP ranges makes it a SSH host tomorrow...



I do have no fear though, I trust in our awesome Dev team they've never let me down in the past and trust this will be a value add to day to day discovery work.



Hope that helps!



-Doug


View solution in original post

10 REPLIES 10

Go to solution
doug_schulze
ServiceNow Employee
ServiceNow Employee
In response to jeremyeperdue

‎10-27-2015 02:39 PM

For that problem, change the classification priority on your Discovery Definition > port probes.   Swap SNMP and SSH.. this way when you come across a router/switch it does SNMP first and never should try SSH (unless you are having access issues)..


Go to solution
jasonaranha
Kilo Expert
In response to doug_schulze

‎12-13-2017 07:43 AM

Hi doug.schulze , I have encountered this problem & see it being an issue , we have response recieived from port 135 wmi and port 5989 wbem from IP SCAN, earlier seem like the discovery for the IP was not able to authenicate via windows Credentials to the IP. so the IP_service_affinity for the IP Scan stored "wbem" port as the default port for discovery in IP_service_affinity , now we have proper authorization on this devices with windows Credentials still it is unable to get scanned as default wbem port , i have raise an hi case of this and they have directed me to this blog . Do you know how are other addressing this issue .


0 Helpfuls

Go to solution
doug_schulze
ServiceNow Employee
ServiceNow Employee
In response to jasonaranha

‎01-09-2018 01:57 PM

Hey Jason, I havent had much of a need to use the IP Service Affinity always thought it would cause grief just as you note above and why we were able to get a property in discovery definition to shut it off...


0 Helpfuls

Go to solution
jasonaranha
Kilo Expert
In response to doug_schulze

‎01-18-2018 12:18 PM

I removed the entry in Table and was able to discover windows CI successful after that. Seem like either we should give the user a option to run an clean discovery [by deleting all the entry in IP Service Affinity table for that IP ] .   This will make life much easier instead of someone who does not want raise an Hi case to resolve such issue. deleting few entry in IP Affinity Table should be not be a big deal while i can totally understand doing this for large subnet discovery could potentially slow down the discovery process.


0 Helpfuls

Go to solution
erik_alvarez
ServiceNow Employee
ServiceNow Employee

‎01-23-2020 12:56 PM

Hi @doug.schulze  and @jeremyeperdue  , firstly thanks for this post, it's very useful. I was wondering if the information in the post has changed withing this two years of last edit?  the concern DOug mentions about reassignation of ip addresses.

0 Helpfuls