Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[NSM] How to manage Admin Password change on Junos devices via NSM templates



Article ID: KB21606 KB Last Updated: 11 Aug 2011Version: 1.0
This article describes the issue of NSM being unable to connect to SRX 3600 firewalls after password change.
Many companies have password change policies that require login passwords for firewalls to be changed on a regular schedule. This password change can be managed using NSM but sometimes results in eventual loss of communication with the devices.

For example:
  1. Five SRX 3600 clusters are running JunOS 10.2r2.11, and NSM 2010.X (or 2011.X).
  2. Using NSM, customer successfully changed the password under system -> login -> user -> admin.
  3. Successfully able to logon to all 10 SRX devices with the new password.
  4. Eventually NSM lost access to all 10 devices, and they all showed in the NSM status display as DOWN.
  5. The following messages appeared in the messages log repeatedly:
    Failed password for netscreen from port 7804 ssh2
    Connection closed by
  6. Customer then logged on to all 10 devices and changed the password back to the previous one, and then did the same in NSM.
  7. Now all 10 devices are accessible from NSM again.

It is clear from the errors that the password change for the admin user was applied only to one side. In fact, NSM is expecting the password used for communication from the device to be the same as it was, prior to the change.

The solution described below will ensure that the password updates are applied to all the proper places in NSM.

You got to have 2 different templates for this workflow.

  1. Enable Tools > Preferences > System Properties > 'Enable Save Password for Templates in Template Operations in NSM.
  2. Create a Junos template for root-authentication. (Add the new password in Configuration > System > Root Authentication).
  3. Create another template for Admin Password. (Add the new password in Info -> Admin Password).
  4. Apply the root-authentication template on the device with highest priority. Select the Remove Conflicting Device Values check box before applying.
  5. Apply the Admin Password template on the device with the lowest priority. Select the Remove Conflicting Device Values check box before applying.
  6. Template Operations > Remove Templates > Select the Admin Password template from the available list . Select the Retain Password from Template checkbox.
  7. Now update the device.
The above steps will ensure that both root-authentication and admin passwords are in sync and the same gets into the device too. Verify by restarting the devSvr that the SRX device is able to connect back to NSM.

This can be applied to all SRX devices managed by NSM in one update.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search