How to identify the cause of a DMI device connection failure from the NSM server


Article ID: KB13953 KB Last Updated: 07 May 2013 Version: 3.0
Summary:
How to identify the cause of a DMI device connection failure from the NSM server
Symptoms:

Cause:

Solution:
When a device can reach the NSM server and establishes the connection on TCP port 7804, but the server then rejects and closes the connection, there are several possible causes, depending on the error message observed.

When troubleshooting DMI device connectivity issues, monitor the /usr/netscreen/DevSvr/var/errorLog/deviceDaemon.0 and /usr/netscreen/GuiSvr/var/errorLog/nbiservice.log files. Below are some examples of common error messages and their possible root causes:

From deviceDaemon.0 log:

Error sample 1:
[Notice] Incoming TCP connection from SSH, device ip 172.24.31.242
[Notice] [1119936-sshPlugDb.c:854] svrTLSDbServerGetClientData is called.
[Error] [1119936-sshPlugDb.c:571] No record found in database for this incoming connection. Could be wrong device-id or it is removed by user.


The above message indicates that the device-id is not recognized by NSM. Verify on the device that the device-id is entered correctly. If the device was deleted from NSM, the actual device will keep trying to connect indefinitely, and this message will appear in the log file constantly. In that case, disable the NSM DMI agent on the device if it is no longer used.

Error sample 2:
[Error] SshPlug(x.x.x.x): Failed to verify hmac. It could be caused by OTP mismatch.

This error indicates that the device ID is found in the NSM database; however, the OTP (one-time password), also known as “hmac” or “Secret”, defined for that device ID does not match between NSM and the device.

Error sample 3:
[Error] [1119936-sshPlug.c:110] SSHPLUG(X.X.X.X): userauth failure
[Error] [1119936-sshPlug.c:954] SSHPLUG(X.X.X.X): failed on user auth request


From the above error, it can be concluded that the device-ID and OTP are correctly defined; however, NSM cannot establish the second-phase authentication for the DMI configuration management channel.

For SA/IC devices: Verify that the admin username used for NSM connectivity has been created and that the password for the admin account matches between NSM and the device. With these devices, this error can also occur when Host Checker is enabled for the admin user via Realm or Role configuration. Turn off Host Checker if it is enabled for the admin user on the SA/IC device.

For JUNOS devices: Verify that the device root username and password have been entered correctly, or that a special NSM admin user has been created on the device.

Error sample 4:
[Notice] NTHCONN: device X.X.X.X (domainId X, deviceId X) successfully established secure SSH tunnel
[Notice] [sshPlug.c] SSHPLUG(X.X.X.X): ssh connection is established.


The above message will be displayed when a successful connection is completed between the device DMI agent and the NSM DevSvr process.
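
The triage above as a script, added here and not part of the original article or any Juniper tool: it classifies deviceDaemon.0 lines into the four cases listed and tallies them per device IP. The cause labels, the 192.0.2.x addresses, and the rule that a "No record found" line (which carries no IP) belongs to the most recent "Incoming TCP connection" line are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the article's log format; 192.0.2.x addresses are made up.
SAMPLE_LOG = """\
[Notice] Incoming TCP connection from SSH, device ip 172.24.31.242
[Notice] [1119936-sshPlugDb.c:854] svrTLSDbServerGetClientData is called.
[Error] [1119936-sshPlugDb.c:571] No record found in database for this incoming connection. Could be wrong device-id or it is removed by user.
[Notice] Incoming TCP connection from SSH, device ip 192.0.2.5
[Error] SshPlug(192.0.2.5): Failed to verify hmac. It could be caused by OTP mismatch.
[Error] [1119936-sshPlug.c:110] SSHPLUG(192.0.2.7): userauth failure
[Error] [1119936-sshPlug.c:954] SSHPLUG(192.0.2.7): failed on user auth request
[Notice] NTHCONN: device 192.0.2.9 (domainId 1, deviceId 42) successfully established secure SSH tunnel
[Notice] Incoming TCP connection from SSH, device ip 172.24.31.242
[Error] [1119936-sshPlugDb.c:571] No record found in database for this incoming connection. Could be wrong device-id or it is removed by user.
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
INCOMING = re.compile(r"Incoming TCP connection from SSH, device ip " + IP)
NO_RECORD = re.compile(r"No record found in database for this incoming connection")
# Messages that carry the device IP themselves: (cause label, pattern).
WITH_IP = [
    ("otp_mismatch", re.compile(r"SshPlug\(" + IP + r"\): Failed to verify hmac", re.I)),
    # The "failed on user auth request" line that follows is the same event; count only this one.
    ("userauth_failure", re.compile(r"SSHPLUG\(" + IP + r"\): userauth failure", re.I)),
    ("connected", re.compile(r"NTHCONN: device " + IP + r" .*successfully established secure SSH tunnel")),
]

def classify(lines):
    """Return {device_ip: {cause: count}} for an iterable of deviceDaemon.0 lines."""
    result = defaultdict(Counter)
    last_incoming = None  # IP from the most recent "Incoming TCP connection" line
    for line in lines:
        m = INCOMING.search(line)
        if m:
            last_incoming = m.group(1)
        elif NO_RECORD.search(line):
            # No IP on this line: attribute it to the latest incoming connection (assumption).
            result[last_incoming or "unknown"]["unknown_device_id"] += 1
            last_incoming = None
        else:
            for cause, pattern in WITH_IP:
                m = pattern.search(line)
                if m:
                    result[m.group(1)][cause] += 1
                    break
    return {ip: dict(c) for ip, c in result.items()}

if __name__ == "__main__":
    print(classify(SAMPLE_LOG.splitlines()))
```

A device whose `unknown_device_id` count keeps growing matches the deleted-device case described under error sample 1, where the DMI agent retries indefinitely.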