[NorthStar] How to resolve when cmgd-rest process is shown as FATAL



Article ID: KB36455 | KB Last Updated: 05 Feb 2021 | Version: 1.0

After installation of NorthStar 6.0 and above, when checking on processes with supervisorctl status, the cmgd-rest status is shown as FATAL.


When looking at service northstar status, the following is seen:

[root@ns1 ~]# service northstar status

Processes status:
analytics:elasticsearch          RUNNING   pid 3566, uptime 109 days, 15:26:57
analytics:esauthproxy            RUNNING   pid 3559, uptime 109 days, 15:26:57
analytics:logstash               RUNNING   pid 16084, uptime 3:42:34
analytics:netflowd               RUNNING   pid 13755, uptime 109 days, 15:24:25
analytics:pipeline               RUNNING   pid 3562, uptime 109 days, 15:26:57
bmp:bmpMonitor                   RUNNING   pid 6405, uptime 85 days, 23:06:57
collector:worker1                RUNNING   pid 16312, uptime 3:42:03
collector:worker2                RUNNING   pid 16314, uptime 3:42:03
collector_main:es_publisher      STOPPED   Oct 29 11:40 AM
collector_main:task_scheduler    STOPPED   Oct 29 11:40 AM
config:cmgd                      STOPPED   Oct 29 11:41 AM
config:cmgd-rest                 FATAL     Exited too quickly (process log may have details)

The cmgd-rest.msg log file shows a number of Docker errors:

docker: Error response from daemon: driver failed programming external connectivity on endpoint cmgd-rest (91ee78c507a042b75f5af8986c76e3f9ac64bf90fcf5bf2df7b57c11831e7795):  (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 5000 -j DNAT --to-destination ! -i docker0: iptables: No chain/target/match by that name.
(exit status 1)).

This is a known issue with Docker on CentOS 7. It is due to a timing conflict between Docker and firewalld (which replaces iptables in CentOS 7).

The workaround is to issue the following at the NorthStar CLI:

[root@ns1 ~]# supervisorctl restart docker:dockerd
docker:dockerd: stopped
docker:dockerd: started

If this still does not work, proceed with the following:

systemctl stop firewalld
systemctl disable firewalld
supervisorctl restart docker:dockerd
supervisorctl restart config:cmgd
supervisorctl restart config:cmgd-rest
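
The following check is an added example, not part of the Juniper article or of NorthStar. It confirms that the logged failure is the missing DOCKER chain in the nat table, and can be rerun after restarting docker:dockerd to see whether the chain came back before resorting to disabling firewalld. The log line and `iptables -t nat -S` samples are constructed, the function names are hypothetical, and the log path is a placeholder.

```sh
#!/bin/sh
# Added example (not Juniper code): match the cmgd-rest Docker error against the
# current nat table to see whether the DOCKER chain is actually missing.

# Constructed sample of the cmgd-rest.msg error line (endpoint ID replaced).
SAMPLE_LOG='docker: Error response from daemon: driver failed programming external connectivity on endpoint cmgd-rest (<endpoint-id>):  (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 5000 -j DNAT --to-destination ! -i docker0: iptables: No chain/target/match by that name.'

# Constructed samples of `iptables -t nat -S` output.
NAT_BROKEN='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT'
NAT_HEALTHY='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER'

# Read a log on stdin; print "table chain" for every failed
# `iptables -t <table> -A <chain>` call that reported a missing chain.
failed_chains() {
  sed -n 's/.*iptables failed: iptables .*-t \([a-z]*\) -A \([A-Za-z0-9_-]*\) .*No chain\/target\/match by that name.*/\1 \2/p' | sort -u
}

# Read `iptables -S` output on stdin; succeed if chain $1 is declared (-N).
chain_present() {
  grep -qx -- "-N $1"
}

# diagnose <log text> <iptables -t nat -S text>: print one verdict per chain.
diagnose() {
  hits=$(printf '%s\n' "$1" | failed_chains)
  [ -n "$hits" ] || { echo "no-iptables-error"; return 0; }
  printf '%s\n' "$hits" | while read -r table chain; do
    if printf '%s\n' "$2" | chain_present "$chain"; then
      echo "$table/$chain present"
    else
      echo "$table/$chain missing: restart docker:dockerd"
    fi
  done
}

# On a live server (placeholder log path, run as root):
#   diagnose "$(cat /path/to/cmgd-rest.msg)" "$(iptables -t nat -S)"
diagnose "$SAMPLE_LOG" "$NAT_BROKEN"
```

If the verdict is still "missing" after the dockerd restart, the chain was not recreated and the second set of commands above applies.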