Hello all Gurus
I have 8 SSG 350 Firewalls I need to manage through NSM. These are all brand new configured.
I thought it would be nice to do the following because my Management Network is totally separate from my User Network.
Create a separate vr called mgt-vr.
Set this vr as the management vr which automatically sets it as the default vr
Put the built in MGT zone in the created mgt-vr
Put ethernet0/3 in the built-in MGT zone
I can manage the device through WEB, SSH, SSL, TELNET, but when adding the device to NSM it gets past the part where it gathers all the firewall information automatically. After clicking next it just times out, saying the device configuration could not be downloaded and that I should import it manually. I also tried doing it the other way around by configuring the device as unreachable in NSM and then running the commands on the FW. No luck though. I get error codes:
## 2009-05-19 15:13:53 : NetPlugConnect:netPlugConfiguredState - Callback funcs are bounded
## 2009-05-19 15:13:53 : NetPlugConnect:netPlugConfiguredState - Callback funcs are bounded
## 2009-05-19 15:13:53 : NetPlugConnect:netPlugOutgoingState - Outgoing connection in progress
## 2009-05-19 15:13:53 : soRead: read(103, 8a09260, 4) failed [errno=0]
## 2009-05-19 15:13:53 : netPlugSetFlow turns off flow
## 2009-05-19 15:13:53 : Storage type undefined
## 2009-05-19 15:13:53 : nsSelectLoop returns 5
## 2009-05-19 15:13:53 : Logs dropped, total=2, back-pressured=0
## 2009-05-19 15:14:08 : nsSelectLoop returns 2
## 2009-05-19 15:14:08 : NetPlugConnect:netPlugConfiguredState - Callback funcs are bounded
## 2009-05-19 15:14:08 : NetPlugConnect:netPlugConfiguredState - Callback funcs are bounded
## 2009-05-19 15:14:08 : NetPlugConnect:netPlugOutgoingState - Outgoing connection in progress
## 2009-05-19 15:14:08 : soRead: read(104, 8a09260, 4) failed [errno=0]
## 2009-05-19 15:14:08 : netPlugSetFlow turns off flow
## 2009-05-19 15:14:08 : Storage type undefined
## 2009-05-19 15:14:08 : nsSelectLoop returns 5
## 2009-05-19 15:14:23 : nsSelectLoop returns 2
and something in the line of cannot connect to NSM ...Reason 6.
I did set the default interface for the NSM server through the CLI but I cannot select ethernet0/3 through WEB.
Some posts I read state that the communications agent runs from the trust-vr.
I tried adding a route pointing to the mgt-vr - did not help.
Setting the mgt-vr as the default vr and management vr should have made this vr the first table to look in for a route, yet if I run get route cli it still first checks the trust-vr even after a restart.
I tried putting the MGT zone in the trust-vr but still I get the same symptoms.
Is it possible that I will need to use a custom zone in the trust-vr for all management?
Surely Juniper thought about this when they created a MGT zone and surely there are other people that have management network and user network split?
Please advise!!