
Not able to connect or select the device from NSM.



Article ID: KB9836
KB Last Updated: 27 May 2010
Version: 6.0
The device is unable to connect to the NSM server or is shown in a Down state on NSM. What is causing this issue?  This article describes several possible root causes for this issue.
Symptoms & Errors:
  • Device cannot connect to NSM
  • NSM reports the device is Down

There could be several possible root causes as to why a device is not connecting properly to NSM:

  • Cause A: Device issue. 
    Confirm if other devices are able to connect to NSM in order to verify if this is a global connectivity issue with the device server.  If all the firewalls are down, the device server process has most likely stopped or crashed and needs to be restarted. For information on restarting, consult: KB7092 - NSM:'Restart' Dev Server
  • Cause B: NSM parameters either not set or not enabled. 
    To verify if the NSM parameters are set and enabled on the Firewall device, review the output from the firewall CLI command shown below. 
    get nsm

    To reset the NSM communication parameters on the firewall, issue the following two commands:

    unset nsm ena
    set nsm ena

    This will cause the device to "reset" nsm communications. This will often restore connections that were previously down.

  • Cause C: NSM Source-interface or default virtual router (default-vr) changed from trust-vr. 
    Verify that the device can successfully ping the NSM server (note that ping must be permitted on the NSM server for this test to work). There should not be any errors about the NSM server being unreachable.

    Firewalls always source NSM communications from the trust virtual router (trust-vr). The trust-vr is the default virtual router under normal circumstances. If your installation uses a different virtual router as the default vr, please see: KB13209 - Routing issue can prevent firewall from connecting to NSM server. For additional information regarding source interface settings, consult: KB4389 - How Do I Manage a Device Through a VPN via Juniper Networks NSM?
    To set the source interface on the firewall directly, issue the CLI command:
    set nsm server x.x.x.x primary src-int [ interface ]

    To determine if your firewall has a different vr than the trust-vr set for the default vr, check the output of the following command:
    get vr

    ns500-> get vr
    * indicates default vrouter
    A - AutoExport, R - RIP, N- NHRP, O - OSPF, B - BGP, P - PIM

        ID  Name        Vsys  Owner   Routes  MRoutes  Flags
    *   1   untrust-vr  Root  shared  4/max   0/max
        2   trust-vr    Root  shared  15/max  0/max

    The above output shows that the default vr for this firewall is the untrust-vr. Please see: KB13209 - Routing issue can prevent firewall from connecting to NSM server.

  • Cause D: Policy or another firewall is blocking communication.
    Another possibility is that a firewall policy or an external firewall is blocking the packets destined for the NSM device server. For assistance with viewing a policy log, consult: KB4260 - Viewing Policy Reports
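
The Cause C check on `get vr` output can be scripted when saved CLI captures from several firewalls need reviewing. The Python below is an added example, not Juniper code; the function names are hypothetical and the embedded sample is constructed from the output shown under Cause C.

```python
import re

# Constructed sample: the `get vr` output shown under Cause C of this article.
SAMPLE_GET_VR = """\
ns500-> get vr
* indicates default vrouter
A - AutoExport, R - RIP, N- NHRP, O - OSPF, B - BGP, P - PIM

    ID  Name        Vsys  Owner   Routes  MRoutes  Flags
*   1   untrust-vr  Root  shared  4/max   0/max
    2   trust-vr    Root  shared  15/max  0/max
"""

# A vrouter row: optional '*' default marker, numeric ID, then the vrouter name.
ROW = re.compile(r"^\s*(?P<default>\*)?\s*(?P<id>\d+)\s+(?P<name>\S+)")


def parse_get_vr(text):
    """Return [(id, name, is_default), ...] from captured `get vr` output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m["id"]), m["name"], m["default"] is not None))
    return rows


def check_default_vr(text, expected="trust-vr"):
    """Return (ok, message): is `expected` the only default vrouter?"""
    defaults = [name for _, name, is_default in parse_get_vr(text) if is_default]
    if len(defaults) != 1:
        # Truncated or mangled capture: do not report it as healthy.
        return False, f"expected one default vrouter marker (*), found {len(defaults)}"
    if defaults[0] != expected:
        return False, f"default vrouter is {defaults[0]}, not {expected}; see KB13209"
    return True, f"default vrouter is {expected}"


if __name__ == "__main__":
    ok, message = check_default_vr(SAMPLE_GET_VR)
    print("OK" if ok else "CHECK", "-", message)
```

A capture with no `*` row is reported as a failure rather than as healthy, since that usually means the output was cut off before the vrouter table.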
