Screen OS

I am trying to add a SSG firewall to a fresh NSM 2012.2R7 install. Everytime I try to add the device in NSM under device is reachable, the deive will auto detect device peramerters, but the device will fail during "Adding Device and Waiting for Device to connect to NSM."

Firewall Info:

Product Name: SSG5-Serial
Serial Number: xxxxxxxxxxxxxxxxxx, Control Number: 00000000
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.3.0r12.0, Type: Firewall+VPN

Event on SSG

2014-08-20 11:50:34 system info  00538 NSM: Cannot connect to NSM server at
                                       MY IP Reason: 6,
                                       disconnected by peer (read == 0) (169
                                       connect attempt(s))

I have tried to add the device by selecting the Device is not reachable option, but when I click next, the drop down box for both Platform and Managed OS Version are empty.

Thank You

Sounds like there is an error on NSM.  Are you able to reach NSM from the device?

I am able to traceroute to the server but not ping. The following ports are open on the server:

Hi,

Discovery from NSM to FW normally is through SSH. It is a good sign that it is working in your case.

The second part that is failing is when the device contacts NSM - this normally is over port 7800. The firewall reports that the peer (NSM here) disconnected the connection.

- is there any NAT-ing device between the FW and NSM?

- is your NSM server listening on port 7800? if not, change the port number under Configuration > Admin > NSM

- do you see incoming connection attempts on NSM, from the FW?

- There is a NAT device in the middle, but the firewall is properly receiving traffic from the NSM public IP address. I configured a mip under Administer -> Servers -> server-1 (NSM1.JPG). Is there more I have to do for the MIP when I reference it during the auto detect phase of adding a new device (NSM2.JPG)?

- I am unsure of whether the NSM is listening on port 7800. I didn't see the tree to access Configuration > Admin > NSM, could you please be more specific.

-Sorry for not knowing, but how do I check the NSM for traffic? The NSM host OS (administered by my sysadmin team) can see the traffic coming from the firewall.

Is there any way to get the drop down menu's to populate while adding the device as "Device is Not Reachable" (NSM3.JPG)?

Thank You

What do you have performing the translation?  Is it allowing traffic initiated from the firewall to NSM?  Remember, the firewall will always initiate the connection to NSM on port 7800.  Only time that NSM will initiate a connection to the firewall is when you first add the device as reachable.

It appears that the translation is working properly. My sysadmin sent me the following log.

> gproDDM.log:2014/08/20-08:59:31.448 notice [DDH-7:34-0] Device at x.x.x.x does not support netconf

> gproDDM.log:2014/08/20-09:33:29.765 notice [DDH-7:37-0] Device at x.x.x.x does not support netconf

> gproDDM.log:2014/08/20-11:06:31.983 notice [DDH-5:40-0] Device at x.x.x.x does not support netconf

> gproDDM.log:2014/08/20-11:57:06.206 notice [DDH-5:43-0] Device at x.x.x.x does not support netconf

> gproDDM.log:2014/08/21-07:06:18.992 notice [DDH-18:49-0] Device at x.x.x.x does not support netconf

> gproDDM.log:2014/08/21-07:21:02.440 notice [DDH-6:53-0] Device at x.x.x.x does not support netconf

> gproDDM.log:2014/08/21-07:26:52.031 notice [DDH-15:55-0] Device at x.x.x.x does not support netconf

Thank You

My sysadmin gave provided me with the following log: