Why Does a Firewall Device Fail to Connect to the NSM Server?

Article ID: KB4548 KB Last Updated: 25 May 2010 Version: 9.0
Summary:
Sometimes a firewall managed by Juniper Networks NetScreen-Security Manager (NSM) fails to connect to the NSM server. There can be various reasons for this. This article describes one possible scenario.
Symptoms:
  •   The get nsm command shows that the NSM agent is enabled and the device is in a disconnected state.
  •   The set nsm enable command does not restore the connection to the NSM server.
Solution:
To connect a firewall device to the NSM server, perform the following steps:

1. Log in to the NSM device server via SSH or Telnet.

2. Navigate to the following directory:

/usr/netscreen/DevSvr/var/errorLog

3. Open the log file deviceDaemon.0 and check whether it contains the following error messages:

[11/08/2004 15:55:43.018] [Error] [3209110176-nsCryptoMTMPlug.c:2157] Database request returned 7 != MTMPLUGDB_DONE
[11/08/2004 15:55:43.018] [Notice] [3209110176-nthConnPlug.c:226] NTHCONN: device 172.19.51.220 denied connection due to unknown unique external ID
[11/08/2004 15:55:43.019] [Warning] [3209110176-sessionPlug.c:1968] datalink disappeared 00001060
[11/08/2004 15:55:58.465] [Error] [3209110176-nsCryptoMTMPlugDb.c:337] empty record

 
These error messages indicate that there is a mismatch of the keys between the device and NSM. The issue is resolved by doing an RMA/Activate of the device from NSM.
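The log check described above can be scripted. The following is an added example, not part of the Juniper article or of NSM itself: it lists each device address that deviceDaemon.0 shows being refused for an unknown unique external ID, with a count and the last time seen. The function names, the temporary sample file, and the last two sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Juniper tooling): summarize devices that the NSM device
# server refused because of the key/ID mismatch signature shown in this article.

# nsm_denied_devices LOGFILE
# Prints one line per device: "<ip> <denial count> <last-seen timestamp>".
# Assumes the log is in chronological order, so the last match is the newest.
nsm_denied_devices() {
    awk '
        /NTHCONN: device .* denied connection due to unknown unique external ID/ {
            # Timestamp is the first bracketed field: [MM/DD/YYYY HH:MM:SS.mmm]
            ts = substr($0, 2, index($0, "]") - 2)
            # The device address is the word that follows "device"
            for (i = 1; i < NF; i++)
                if ($i == "device") { ip = $(i + 1); break }
            count[ip]++
            last[ip] = ts
        }
        END { for (d in count) printf "%s %d %s\n", d, count[d], last[d] }
    ' "$1" | sort
}

# write_sample_log FILE
# First four lines are the ones quoted in the article; the last two are
# constructed sample lines (192.0.2.10 is a documentation address).
write_sample_log() {
    cat > "$1" <<'EOF'
[11/08/2004 15:55:43.018] [Error] [3209110176-nsCryptoMTMPlug.c:2157] Database request returned 7 != MTMPLUGDB_DONE
[11/08/2004 15:55:43.018] [Notice] [3209110176-nthConnPlug.c:226] NTHCONN: device 172.19.51.220 denied connection due to unknown unique external ID
[11/08/2004 15:55:43.019] [Warning] [3209110176-sessionPlug.c:1968] datalink disappeared 00001060
[11/08/2004 15:55:58.465] [Error] [3209110176-nsCryptoMTMPlugDb.c:337] empty record
[11/08/2004 15:56:13.020] [Notice] [3209110176-nthConnPlug.c:226] NTHCONN: device 172.19.51.220 denied connection due to unknown unique external ID
[11/08/2004 15:56:20.111] [Notice] [3209110176-nthConnPlug.c:226] NTHCONN: device 192.0.2.10 denied connection due to unknown unique external ID
EOF
}

# Demo run against the embedded sample.
sample=$(mktemp)
write_sample_log "$sample"
nsm_denied_devices "$sample"
rm -f "$sample"
```

On the NSM device server, call `nsm_denied_devices /usr/netscreen/DevSvr/var/errorLog/deviceDaemon.0` to run the same summary against the live log.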

The RMA/Activate procedure creates a new set of keys to be exchanged between the device and the NSM server:

1. From the NSM UI, right-click the device and select RMA Device. Follow the wizard to disconnect the NSM agent communication.

2. To activate the device, right-click the device again and select Activate Device. Follow the wizard, and the NSM agent communication will be established.

For more information on RMA/Activate of the device, refer to Replacing a Failed Firewall in Juniper Networks NetScreen-Security Manager.
