[j-nsp] Adding vsd-less cluster to NSM 20091.r1

Alexey Kholmov alexei at twine-networks.com
Sun Mar 14 08:10:52 EDT 2010


Hi,

We have 2 NSMXpress devices running in HA mode. The NSM version is
2009.1r1.
We are trying to add a cluster of two isg2000 in VSD-less mode.

Using the NSM GUI we add the cluster and then the 1st member. The
connection from NSM to the member isg2000 device works fine, and the
NSM-related config is sent to the firewall. But when the firewall tries to
connect to the NSM device server we see the following entries in
/var/netscreen/DevSvr/errorLog/deviceDaemon.0:

[03/14/2010 12:22:55.970] [Error] [3086997184-nsRSA.c:189] RSA invalid header
[03/14/2010 12:22:55.970] [Error] [3086997184-nsCryptoMTMPlug.c:1403] Could not verify connect message!
[03/14/2010 12:22:55.970] [Error] [3086997184-nsCryptoMTMPlug.c:2203] nsCryptoMTMPlugServerRecv_S1() failed
[03/14/2010 12:22:55.970] [Warning] [3086997184-nthConnPlug.c:374] NTHCONN: SSP device 10.247.1.52 (domainId 1, deviceId 30): denied connection due to key exchange failure
[03/14/2010 12:22:55.971] [Notice] [3086997184-sessionPlug.c:3581] session returns NETPLUG_SEND_DISCONNECTED

We searched the net for a solution and found the following solution; the
devices are still able to establish the SSP connection to NSM. The
/var/netscreen/DevSvr/errorLog/deviceDaemon.0 file has the following
entries:

[03/14/2010 12:23:48.015] [Warning] [3086997184-nsCryptoMTMPlug.c:2184] Device is attempting a first connection but DB thinks reconnect, repairing
[03/14/2010 12:23:48.015] [Error] [3086997184-nsCryptoMTMPlug.c:897] Validation of key exchange request failed!
[03/14/2010 12:23:48.015] [Warning] [3086997184-nthConnPlug.c:374] NTHCONN: SSP device 10.247.1.52 (domainId 1, deviceId 30): denied connection due to OTP mismatch
[03/14/2010 12:23:48.015] [Notice] [3086997184-sessionPlug.c:3581] session returns NETPLUG_SEND_DISCONNECTED

We also tried to import the device as not reachable, but the result
was the same.

Could you please advise us how to proceed?

Thanks
Alex
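
Added example, not part of the original post and not Juniper code: a Python script that rejoins mail-wrapped deviceDaemon entries and lists each denied SSP connection together with the errors and warnings logged before it. The entry layout is inferred from the lines quoted above; the function names and the reading of the leading number as a thread id are assumptions.

```python
import re

# Constructed sample: the entries quoted in the post, with mail-client line wraps.
SAMPLE = """\
[03/14/2010 12:22:55.970] [Error] [3086997184-nsRSA.c:189] RSA invalid
header
[03/14/2010 12:22:55.970] [Error] [3086997184-nsCryptoMTMPlug.c:1403] Could not verify connect message!
[03/14/2010 12:22:55.970] [Error] [3086997184-nsCryptoMTMPlug.c:2203] nsCryptoMTMPlugServerRecv_S1() failed
[03/14/2010 12:22:55.970] [Warning] [3086997184-nthConnPlug.c:374] NTHCONN: SSP device 10.247.1.52 (domainId 1,
deviceId 30): denied connection due to key exchange failure
[03/14/2010 12:22:55.971] [Notice] [3086997184-sessionPlug.c:3581] session returns NETPLUG_SEND_DISCONNECTED
[03/14/2010 12:23:48.015] [Warning] [3086997184-nsCryptoMTMPlug.c:
2184] Device is attempting a first connection but DB thinks reconnect, repairing
[03/14/2010 12:23:48.015] [Error] [3086997184-nsCryptoMTMPlug.c:897] Validation of key exchange request failed!
[03/14/2010 12:23:48.015] [Warning] [3086997184-nthConnPlug.c:374] NTHCONN: SSP device 10.247.1.52
(domainId 1, deviceId 30): denied connection due to OTP mismatch
"""

# Layout inferred from the post: [timestamp] [level] [<id>-<source file>:<line>] message
START = re.compile(r"^\[\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}\] ")
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[(?P<thread>\d+)-(?P<src>[^:\]]+):\s*(?P<line>\d+)\] (?P<msg>.*)$")
DENIED = re.compile(r"SSP device (?P<ip>\S+) \(domainId (?P<dom>\d+), deviceId (?P<dev>\d+)\): denied connection due to (?P<reason>.+)$")

def unwrap(text):
    """Rejoin wrapped continuation lines onto the entry that started them."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and (START.match(line) or not entries):
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return [re.sub(r"\s+", " ", e) for e in entries]

def denials(text):
    """Return each denied connection with the Error/Warning lines that preceded it."""
    pending, found = {}, []   # pending: id (assumed thread) -> messages since last denial
    for m in filter(None, map(ENTRY.match, unwrap(text))):
        rec = m.groupdict()
        hit = DENIED.search(rec["msg"])
        if hit:
            found.append({**hit.groupdict(), "ts": rec["ts"], "causes": pending.pop(rec["thread"], [])})
        elif rec["level"] in ("Error", "Warning"):
            pending.setdefault(rec["thread"], []).append(f'{rec["src"]}:{rec["line"]} {rec["msg"]}')
    return found

if __name__ == "__main__":
    for d in denials(SAMPLE):
        print(d["ts"], d["ip"], "device", d["dev"], "->", d["reason"], d["causes"])
```

Run against the two excerpts, it separates the "key exchange failure" denial (preceded by the RSA header and connect-message errors) from the later "OTP mismatch" denial (preceded by the first-connection/reconnect warning).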

