08-26-2009 01:01 AM
Dear folks,
The NSM client is not connecting to the NSM server (NSMXpress Appliance). I have added new certificates on both the server and the client machine, but I am still unable to connect.
Kindly help
regards,
08-26-2009 01:17 AM
Hi Fahad,
Can you offer a little more information, such as:
At a guess, I have seen some problems when connecting remotely, which were due to the TLS handshake not completing properly. To resolve this, you could try reducing the MTU of the network card.
Hope this helps
Kind regards
Colin
08-26-2009 01:55 AM
version is 2008.2r1
The client gets stuck on "connecting".
regards,
08-26-2009 01:56 AM
Further,
/var/log/messages shows this:
Aug 23 04:02:06 HOK-NSMXPRESS-DC-A rsyslogd: [origin software="rsyslogd" swVersion="2.0.5" x-pid="2077" x-info="http://www.rsyslog.com"][x-configInfo udpReception="No" udpPort="514" tcpReception="No" tcpPort="0"] restart
Aug 23 04:02:54 HOK-NSMXPRESS-DC-A su(pam_unix)[15499]: session opened for user nsm by (uid=0)
Aug 23 04:02:54 HOK-NSMXPRESS-DC-A su(pam_unix)[15499]: session closed for user nsm
Aug 23 04:02:54 HOK-NSMXPRESS-DC-A su(pam_unix)[15866]: session opened for user nsm by (uid=0)
Aug 23 04:02:55 HOK-NSMXPRESS-DC-A su(pam_unix)[15866]: session closed for user nsm
Aug 23 04:02:55 HOK-NSMXPRESS-DC-A su(pam_unix)[16202]: session opened for user nsm by (uid=0)
Aug 23 04:02:55 HOK-NSMXPRESS-DC-A su(pam_unix)[16202]: session closed for user nsm
Aug 23 04:03:55 HOK-NSMXPRESS-DC-A su(pam_unix)[16670]: session opened for user nsm by (uid=0)
Aug 23 04:03:55 HOK-NSMXPRESS-DC-A su(pam_unix)[16670]: session closed for user nsm
Aug 23 04:03:55 HOK-NSMXPRESS-DC-A su(pam_unix)[17038]: session opened for user nsm by (uid=0)
Aug 23 04:03:55 HOK-NSMXPRESS-DC-A su(pam_unix)[17038]: session closed for user nsm
Aug 23 04:03:55 HOK-NSMXPRESS-DC-A su(pam_unix)[17374]: session opened for user nsm by (uid=0)
Aug 23 04:03:55 HOK-NSMXPRESS-DC-A su(pam_unix)[17374]: session closed for user nsm
regards,
08-26-2009 03:55 AM
Hi Muhammad,
Try running the following on the console of the nsmXpress server.
#tail -f /var/netscreen/GuiSvr/errorLog/guiDaemon.0
Then try connecting with your client and monitor for TLS connect and success. If you fail to see this, then it's an authentication failure, probably due to fragmentation.
Kind regards
Colin
08-28-2009 09:56 PM
Yes, I am unable to see any TLS connect thing. What should I do next?
thanks in advance
regards,
08-31-2009 01:34 AM
Hi Muhammed,
Check in the logfile:
/var/netscreen/GuiSvr/errorLog/guiDaemon.0
These are the logs when a GUI client tries to connect:
=====
[08/30/2009 23:12:25.529] [Notice] [1266304-guiTlsPlug.c:1678] GUITLSPLUG: Started guiTlsPlugConstruct()
[08/30/2009 23:12:25.529] [Notice] [1266304-connectionMgr.c:2521] Incoming Tls Gui TCP connection from guiTls, device ip 172.30.73.137
[08/30/2009 23:12:25.529] [Notice] [1266304-connectionMgr.c:2552] connMgrIncomingGuiTlsPlugHandler: debug one
[08/30/2009 23:12:25.529] [Notice] [1266304-guiTlsPlug.c:207] guiTlsPlugSetupChannel: entry fd = 286
[08/30/2009 23:12:25.529] [Notice] [1266304-guiTlsPlug.c:1372] guiTlsPlugConnect: NETPLUG_CONNECT_ACCEPT phase channel = 0x86bcca48
[08/30/2009 23:12:25.529] [Notice] [1266304-guiTlsPlug.c:1891] guiTlsPlugStartup: port = 7808
[08/30/2009 23:12:25.529] [Error] [1266304-guiTlsPlug.c:1925] guiTlsPlugStartup:: exit
[08/30/2009 23:12:25.529] [Notice] [1266304-guiTlsPlug.c:858] guiTlsPlugSSLConnect entry plug state = 3
[08/30/2009 23:12:25.529] [Notice] [1266304-guiTlsPlug.c:861] guiTlsPlugSSLConnect: debug one
[08/30/2009 23:12:25.529] [Notice] [1266304-guiTlsPlug.c:893] GUITLSPLUG: SSL_ERROR_WANT_READ
[08/30/2009 23:12:25.529] [Notice] [1266304-guiTlsPlug.c:937] GUITLSPLUG: guiTlsPlugSSLConnect success
[08/30/2009 23:12:25.529] [Notice] [1266304-connectionMgr.c:2559] connMgrIncomingGuiTlsPlugHandler: debug 1.5
[08/30/2009 23:12:25.529] [Notice] [1266304-connectionMgr.c:2563] connMgrIncomingGuiTlsPlugHandler: debug two - location = guiTls
[08/30/2009 23:12:25.529] [Notice] [1266304-connectionMgr.c:2568] connMgrIncomingGuiTlsPlugHandler: debug three
[08/30/2009 23:12:25.529] [Notice] [1266304-connectionMgr.c:2588] connMgrIncomingGuiTlsPlugHandler: exit
[08/30/2009 23:12:25.529] [Notice] [1266304-guiTlsPlug.c:2401] guiTlsPlugIncomingHandler: finished
[08/30/2009 23:12:25.613] [Notice] [1266304-guiTlsPlug.c:1984] GUITLSPLUG: Received HANDSHAKE state = 4
[08/30/2009 23:12:25.613] [Notice] [1266304-guiTlsPlug.c:858] guiTlsPlugSSLConnect entry plug state = 4
[08/30/2009 23:12:25.613] [Notice] [1266304-guiTlsPlug.c:893] GUITLSPLUG: SSL_ERROR_WANT_READ
[08/30/2009 23:12:25.613] [Notice] [1266304-guiTlsPlug.c:937] GUITLSPLUG: guiTlsPlugSSLConnect success
[08/30/2009 23:12:26.653] [Notice] [1266304-guiTlsPlug.c:1984] GUITLSPLUG: Received HANDSHAKE state = 4
[08/30/2009 23:12:26.653] [Notice] [1266304-guiTlsPlug.c:858] guiTlsPlugSSLConnect entry plug state = 4
[08/30/2009 23:12:26.657] [Notice] [1266304-guiTlsPlug.c:893] GUITLSPLUG: SSL_ERROR_WANT_READ
[08/30/2009 23:12:26.657] [Notice] [1266304-guiTlsPlug.c:937] GUITLSPLUG: guiTlsPlugSSLConnect success
[08/30/2009 23:12:26.701] [Notice] [1266304-guiTlsPlug.c:1984] GUITLSPLUG: Received HANDSHAKE state = 4
[08/30/2009 23:12:26.701] [Notice] [1266304-guiTlsPlug.c:858] guiTlsPlugSSLConnect entry plug state = 4
[08/30/2009 23:12:26.701] [Notice] [1266304-guiTlsPlug.c:931] GUITLSPLUG: ---- guiTlsPlugSSLConnect succeded ----
[08/30/2009 23:12:26.701] [Notice] [1266304-guiTlsPlug.c:809] guiTlsPlugSSLConnectComplete: state = NS_GUITLS_PLUG_DATA_TRANSFER_STATE
[08/30/2009 23:12:26.701] [Notice] [1266304-connectionMgr.c:1417] connMgrGuiTlsDataHandler: entry
[08/30/2009 23:12:26.701] [Notice] [1266304-connectionMgr.c:1472] connMgrGuiTlsDataHandler: else block
[08/30/2009 23:12:26.701] [Notice] [1266304-connectionMgr.c:1483] Incoming GuiClient TLS connection, from ac1e4989 ipaddr = -1407301239 port = 7808
[08/30/2009 23:12:26.701] [Notice] [1266304-gdNetConfig.c:955] incomingTlsGuiConnection: Incoming TLS GUI connection 47544c53
[08/30/2009 23:12:26.701] [Notice] [1266304-connectionMgr.c:826] Setting transport mask 10000000
[08/30/2009 23:12:26.701] [Notice] [1266304-guiTlsPlug.c:793] guiTlsPlugBuildStacksReq: success
[08/30/2009 23:12:26.701] [Notice] [1266304-guiTlsPlug.c:834] GUITLSPLUG: GUI Server finished TLS Handshake with GUI Client and is now in Data Transfer state.
[08/30/2009 23:12:26.701] [Notice] [1266304-guiTlsPlug.c:937] GUITLSPLUG: guiTlsPlugSSLConnect success
[08/30/2009 23:12:27.992] [Notice] [82924464-nsAuthGUIComm.c:325] client version(2009.1r1), server version(2009.1r1)
====
If you don't see the first lines, it can be a problem for the NSM client to reach the NSM server on port TCP/7808.
Ciao
Daniele
01-12-2010 08:24 AM
I'm also having quite a similar problem (NSM on RH5), after upgrading from 2008.1r2 to 2008.2r2a. Here's the end of the guiDaemon.0:
So far OK, as compared to Daniele's post:
[01/12/2010 14:14:41.808] [Notice] [37772176-nsAuthGUIComm.c:325] client version(2008.2r2a), server version(2008.2r2a)
Here start the problems:
[01/12/2010 14:14:45.722] [Error] [38103952-nsAccessCtrl.c:3533] nsSetDbMgrFind() failed
[01/12/2010 14:14:45.722] [Error] [38103952-nsAccessCtrl.c:3669] nsAccessCtrlHandleImplicitActivity failed for activity - ImplicitShared
[01/12/2010 14:14:45.722] [Error] [38103952-nsAccessCtrl.c:4005] nsAccessCtrlProcessAdminSet(adminId=1) failed
[01/12/2010 14:14:45.722] [Error] [38103952-nsAccessCtrl.c:7640] nsAccessCtrlUploadUserPerms(admin='xxx') failed
[01/12/2010 14:14:45.724] [Error] [38103952-gdPreproc.c:573] nsAccessCtrlUserConstruct(adminName='xxx', domainPath='global') failed
[01/12/2010 14:14:45.724] [Error] [38103952-syncNetAppAPI.c:3511] Command rejected
[01/12/2010 14:14:46.401] [Error] [36694928-nsAccessCtrl.c:3533] nsSetDbMgrFind() failed
[01/12/2010 14:14:46.401] [Error] [36694928-nsAccessCtrl.c:3669] nsAccessCtrlHandleImplicitActivity failed for activity - ImplicitShared
[01/12/2010 14:14:46.401] [Error] [36694928-nsAccessCtrl.c:4005] nsAccessCtrlProcessAdminSet(adminId=1) failed
[01/12/2010 14:14:46.401] [Error] [36694928-nsAccessCtrl.c:7640] nsAccessCtrlUploadUserPerms(admin='xxx') failed
[01/12/2010 14:14:46.403] [Error] [36694928-gdPreproc.c:573] nsAccessCtrlUserConstruct(adminName='xxx', domainPath='global') failed
[01/12/2010 14:14:46.403] [Error] [36694928-syncNetAppAPI.c:3511] Command rejected
[01/12/2010 14:14:47.068] [Error] [37772176-nsAccessCtrl.c:3533] nsSetDbMgrFind() failed
[01/12/2010 14:14:47.068] [Error] [37772176-nsAccessCtrl.c:3669] nsAccessCtrlHandleImplicitActivity failed for activity - ImplicitShared
[01/12/2010 14:14:47.068] [Error] [37772176-nsAccessCtrl.c:4005] nsAccessCtrlProcessAdminSet(adminId=1) failed
[01/12/2010 14:14:47.068] [Error] [37772176-nsAccessCtrl.c:7640] nsAccessCtrlUploadUserPerms(admin='xxx') failed
[01/12/2010 14:14:47.070] [Error] [37772176-gdPreproc.c:573] nsAccessCtrlUserConstruct(adminName='xxx', domainPath='global') failed
[01/12/2010 14:14:47.070] [Error] [37772176-syncNetAppAPI.c:3511] Command rejected
[01/12/2010 14:14:47.672] [Error] [38103952-nsAccessCtrl.c:3533] nsSetDbMgrFind() failed
[01/12/2010 14:14:47.672] [Error] [38103952-nsAccessCtrl.c:3669] nsAccessCtrlHandleImplicitActivity failed for activity - ImplicitShared
[01/12/2010 14:14:47.672] [Error] [38103952-nsAccessCtrl.c:4005] nsAccessCtrlProcessAdminSet(adminId=1) failed
[01/12/2010 14:14:47.672] [Error] [38103952-nsAccessCtrl.c:7640] nsAccessCtrlUploadUserPerms(admin='xxx') failed
[01/12/2010 14:14:47.674] [Error] [38103952-gdPreproc.c:573] nsAccessCtrlUserConstruct(adminName='xxx', domainPath='global') failed
[01/12/2010 14:14:47.674] [Error] [38103952-syncNetAppAPI.c:3511] Command rejected
[01/12/2010 14:14:48.328] [Error] [36694928-nsAccessCtrl.c:3533] nsSetDbMgrFind() failed
[01/12/2010 14:14:48.328] [Error] [36694928-nsAccessCtrl.c:3669] nsAccessCtrlHandleImplicitActivity failed for activity - ImplicitShared
[01/12/2010 14:14:48.328] [Error] [36694928-nsAccessCtrl.c:4005] nsAccessCtrlProcessAdminSet(adminId=1) failed
[01/12/2010 14:14:48.329] [Error] [36694928-nsAccessCtrl.c:7640] nsAccessCtrlUploadUserPerms(admin='xxx') failed
[01/12/2010 14:14:48.331] [Error] [36694928-gdPreproc.c:573] nsAccessCtrlUserConstruct(adminName='xxx', domainPath='global') failed
[01/12/2010 14:14:48.331] [Error] [36694928-syncNetAppAPI.c:3511] Command rejected
[01/12/2010 14:14:48.983] [Error] [37772176-nsAccessCtrl.c:3533] nsSetDbMgrFind() failed
[01/12/2010 14:14:48.983] [Error] [37772176-nsAccessCtrl.c:3669] nsAccessCtrlHandleImplicitActivity failed for activity - ImplicitShared
[01/12/2010 14:14:48.983] [Error] [37772176-nsAccessCtrl.c:4005] nsAccessCtrlProcessAdminSet(adminId=1) failed
[01/12/2010 14:14:48.983] [Error] [37772176-nsAccessCtrl.c:7640] nsAccessCtrlUploadUserPerms(admin='xxx') failed
[01/12/2010 14:14:48.985] [Error] [37772176-gdPreproc.c:573] nsAccessCtrlUserConstruct(adminName='xxx', domainPath='global') failed
[01/12/2010 14:14:48.985] [Error] [37772176-syncNetAppAPI.c:3511] Command rejected
[01/12/2010 14:14:49.587] [Error] [38103952-nsAccessCtrl.c:3533] nsSetDbMgrFind() failed
[01/12/2010 14:14:49.587] [Error] [38103952-nsAccessCtrl.c:3669] nsAccessCtrlHandleImplicitActivity failed for activity - ImplicitShared
[01/12/2010 14:14:49.587] [Error] [38103952-nsAccessCtrl.c:4005] nsAccessCtrlProcessAdminSet(adminId=1) failed
[01/12/2010 14:14:49.587] [Error] [38103952-nsAccessCtrl.c:7640] nsAccessCtrlUploadUserPerms(admin='xxx') failed
[01/12/2010 14:14:49.589] [Error] [38103952-gdPreproc.c:573] nsAccessCtrlUserConstruct(adminName='xxx', domainPath='global') failed
[01/12/2010 14:14:49.589] [Error] [38103952-syncNetAppAPI.c:3511] Command rejected
What could be the reason?
Br,
hansk
01-15-2010 02:17 AM
Just to tell you that my problem got solved by upgrading to 2009.1.
hansk
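The triage the replies in this thread describe, as an added example that is not part of any post: it classifies a guiDaemon.0 excerpt by the furthest connection stage it shows, using marker strings copied from the logs quoted above. The function names, the stage names and the assumption that the excerpt covers a single connection attempt are illustrative.

```python
import re

# One log entry: [timestamp] [Level] [thread-file.c:line] message
ENTRY = re.compile(r"^\[[^\]]+\] \[(\w+)\] \[([^\]]+)\]\s*(.*)$")
# Stage markers, in order, copied from the successful attempt quoted in the thread.
STAGES = [
    ("tcp_accepted", "Incoming Tls Gui TCP connection"),
    ("handshake_done", "finished TLS Handshake"),
    ("version_exchanged", "client version("),
]
VERDICTS = {
    None: "no incoming connection logged: check client reachability of TCP/7808",
    "tcp_accepted": "TCP accepted but TLS handshake never finished",
    "handshake_done": "TLS handshake finished, no version exchange seen",
    "version_exchanged": "TLS and version exchange OK",
}

def parse_entries(text):
    """Return [level, source, message] per entry, re-joining wrapped lines."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.append(list(m.groups()))
        elif entries and line and not line.startswith("="):
            entries[-1][2] = (entries[-1][2] + " " + line).strip()
    return entries

def triage(text):
    """Return (furthest stage seen, verdict, post-login rejections)."""
    entries = parse_entries(text)
    reached = None
    for name, marker in STAGES:  # a tail-only excerpt still counts: keep the last hit
        if any(marker in msg for _, _, msg in entries):
            reached = name
    # [Error] alone is not a failure signal: the successful attempt logs one too.
    rejected = sum(1 for lvl, _, msg in entries
                   if lvl == "Error" and msg == "Command rejected")
    verdict = VERDICTS[reached]
    if reached == "version_exchanged" and rejected:
        verdict = "TLS OK; server rejected %d command(s) after login" % rejected
    return reached, verdict, rejected
# Sample input: abridged from the second excerpt in the thread, wrapped as posted.
SAMPLE = """\
[01/12/2010 14:14:41.808] [Notice] [37772176-nsAuthGUIComm.c:325] client
version(2008.2r2a), server version(2008.2r2a)
[01/12/2010 14:14:45.724] [Error] [38103952-syncNetAppAPI.c:3511]
Command rejected
"""
```

Calling `triage(SAMPLE)` separates a post-login rejection like the one in the second excerpt from the reachability and handshake failures discussed earlier in the thread.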