Mender - Enrolment Duplicates & Firewall Settings

Hi,

Two questions regarding device enrolment & checkin to hosted Mender I was hoping you could advise on:

Firstly, we’ve been setting up some new Pis and have seen an issue with one board mapping itself to a previously enrolled board, i.e. instead of a new device enrolment request we get a 2nd enrolment request on an already existing device.

We’ve tried decommissioning the device, re-flashing both boards and changing memory cards, but get the same problem each time and are not sure what’s causing it. The base image is the same we’ve used on 90+ previous Pis without issue, so it’s a bit of a head scratcher.

Would you be able to give some pointers on what this could possibly be or where to start investigating?

Secondly (I did ask this previously, but on a very old topic), we have a few deployed Pis on sites which use firewalls with IP whitelists. I assume the Pis are trying to connect to hosted.mender.io?

Is there a fixed IP address that could be added to the firewall for mender.io or is it rotating/dynamic?

I’ve also noticed that the NTP service is being blocked, so the system clock is incorrect. I was wondering if that may cause issues as well, if correct times are needed for interacting with Mender, as we have seen inconsistencies around when devices check in.

Any assistance would be greatly appreciated; if you require any further details, please let me know.

Many thanks,
Alex

Hello @AlexC,

If your devices are enrolling as the same device in Mender, it means they share the same identity. The Mender client obtains the identity data by running the script /usr/share/mender/identity/mender-device-identity. Can you please check the output of this script and verify you get different values on the two distinct devices?

You can also customize this script and provide your use-case specific identity in the form of one or multiple lines, formatted as key=value.

Regarding your second question: you can whitelist hosted.mender.io, but as this is an alias to an application load balancer, there is no guarantee that the IP addresses associated with this host name won’t change in the future. It is your responsibility to periodically refresh the list of IP addresses bound to this name. Please note that you’ll also need to whitelist AWS S3, because when the devices download the artifacts, they do it by connecting directly to S3.
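A custom identity script of the kind described in the reply above, as an added example that is not part of the original thread or of Mender’s own scripts. It assumes a Raspberry Pi, where the SoC serial is readable from /proc/cpuinfo, and a systemd /etc/machine-id; the serial and machine-id are emitted alongside the MAC so that two boards sharing a MAC still get distinct identities.

```shell
#!/bin/sh
# Custom Mender identity script (added example, not Mender's stock script).
# Mender reads key=value lines from this script's stdout; the values must be
# unique per device, or two boards will enrol as the same device.
# Assumed paths: a Raspberry Pi exposes its SoC serial in /proc/cpuinfo and
# systemd stores a per-install id in /etc/machine-id (regenerate it on clones).
set -eu

# Print the SoC serial from a cpuinfo-style file, or nothing if it is absent.
pi_serial() {
    [ -r "$1" ] || return 0
    awk -F': *' '/^Serial/ { print $2; exit }' "$1"
}

# Print the MAC of the first non-loopback interface under a sysfs net dir.
first_mac() {
    for addr in "$1"/*/address; do
        [ -f "$addr" ] || continue
        case "$addr" in */lo/address) continue ;; esac
        mac=$(cat "$addr")
        if [ -n "$mac" ] && [ "$mac" != "00:00:00:00:00:00" ]; then
            echo "$mac"
            return 0
        fi
    done
    return 0
}

# Emit identity lines from: cpuinfo path, sysfs net dir, machine-id path.
# The MAC is kept as extra information only; if neither serial nor
# machine-id is available the script fails rather than emit a colliding id.
emit_identity() {
    serial=$(pi_serial "$1")
    mac=$(first_mac "$2")
    mid=""
    if [ -r "$3" ]; then mid=$(tr -d '\n' < "$3"); fi
    if [ -z "$serial" ] && [ -z "$mid" ]; then
        echo "no unique identity source found; refusing MAC-only identity" >&2
        return 1
    fi
    if [ -n "$serial" ]; then echo "serial=$serial"; fi
    if [ -n "$mac" ]; then echo "mac=$mac"; fi
    if [ -n "$mid" ]; then echo "machine_id=$mid"; fi
}

# Only act when installed under Mender's identity script name.
case "$0" in
    *mender-device-identity) emit_identity /proc/cpuinfo /sys/class/net /etc/machine-id ;;
esac
```

On a cloned image the machine-id and SSH host keys are copies as well, so regenerate them before relying on the machine_id line.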

Thanks for the quick response,

We’ll run that script when we next have access to the devices and report back our findings.

If needed, it sounds like we can generate a new identity for the device having issues.

And I figured as much regarding network access; I’ll pass those details on.

Many thanks,
Alex

Hi,

A colleague has had a look at this today, connecting the two Pis to the WiFi network, logging in and running the identity script. We’re seeing the same MAC identity reported on both boards (I’ve just noticed the SSH fingerprints are the same too), see picture.

Would you have any ideas?

Thanks again,
Alex

Sorry for bumping this after so long; I ended up being needed elsewhere for a while.

Planning to get back to looking into this issue shortly. @tranchitella, did you have any thoughts on the above regarding reports of the same MAC / identity?

Thanks