ScreenOS Firewalls (NOT SRX)
Contributor
WViljoen
Posts: 43
Registered: ‎03-07-2008
Accepted Solution

NSM Management of SSG350

Hello all Gurus

I have 8 SSG 350 Firewalls I need to manage through NSM. These are all brand new configured.

I thought it would be nice to do the following because my Management Network is totally separate from my User Network.

Create a separate vr called mgt-vr.
Set this vr as the management vr which automatically sets it as the default vr
Put the built in MGT zone in the created mgt-vr
Put ethernet0/3 in the built-in MGT zone

I can manage the device through WEB, SSH, SSL, TELNET but when adding the device to NSM it gets past the part where it gathers all the firewall information automatically. After clicking next it just times out saying the device configuration could not be downloaded and that I should import it manually. I also tried doing it the other way around by configuring the device as unreachable in NSM and then running the commands on the FW. No luck though. I get error codes:

## 2009-05-19 15:13:53 : NetPlugConnect:netPlugConfiguredState - Callback funcs are bounded
## 2009-05-19 15:13:53 : NetPlugConnect:netPlugConfiguredState - Callback funcs are bounded
## 2009-05-19 15:13:53 : NetPlugConnect:netPlugOutgoingState - Outgoing connection in progress
## 2009-05-19 15:13:53 : soRead: read(103, 8a09260, 4) failed [errno=0]
## 2009-05-19 15:13:53 : netPlugSetFlow turns off flow
## 2009-05-19 15:13:53 : Storage type undefined
## 2009-05-19 15:13:53 : nsSelectLoop returns 5
## 2009-05-19 15:13:53 : Logs dropped, total=2, back-pressured=0
## 2009-05-19 15:14:08 : nsSelectLoop returns 2
## 2009-05-19 15:14:08 : NetPlugConnect:netPlugConfiguredState - Callback funcs are bounded
## 2009-05-19 15:14:08 : NetPlugConnect:netPlugConfiguredState - Callback funcs are bounded
## 2009-05-19 15:14:08 : NetPlugConnect:netPlugOutgoingState - Outgoing connection in progress
## 2009-05-19 15:14:08 : soRead: read(104, 8a09260, 4) failed [errno=0]
## 2009-05-19 15:14:08 : netPlugSetFlow turns off flow
## 2009-05-19 15:14:08 : Storage type undefined
## 2009-05-19 15:14:08 : nsSelectLoop returns 5
## 2009-05-19 15:14:23 : nsSelectLoop returns 2

 

and something in the line of cannot connect to NSM ...Reason 6.

I did set the default interface for the NSM server through the CLI but I cannot select ethernet0/3 through WEB.

Some posts I read state that the communications agent runs from the trust-vr

I tried adding a route pointing to the mgt-vr - did not help

Setting the mgt-vr as the default vr and management vr should have made this vr the first table to look in for a route, yet if I run get route cli it still first checks the trust-vr even after a restart.

I tried putting the MGT zone in the trust-vr but still I get the same symptoms.

Is it possible that I will need to use a custom zone in the trust-vr for all management?

Surely Juniper thought about this when they created a MGT zone and surely there are other people that have management network and user network split?

Please advise!!

 

 

Werner Viljoen
XON Group of Companies
JNCIA-FWV; JNCIS-FWV; JNCIA-SSL; JNCIA-M; JNCIS-M; JNCIA-IDP; JNCIA-WX; JNCIA-DX; JNSS-S; JNSS-WX; JNSS-DX
Contributor
WViljoen

Re: NSM Management of SSG350

Looks like it does not matter which zone it is or vr. The issue must be with something on my NSM. I get the following debug information from my firewall:

Firewall:

## 2009-05-20 19:55:42 : NSM agent received -1 bytes (bufsize = 4)
## 2009-05-20 19:55:42 : Agent detected connection failure due to read error
## 2009-05-20 19:55:42 : soRead: read(108, 8476440, 4) failed [errno=0]
## 2009-05-20 19:55:42 : Agent disconnect; cause:(6- disconnected by peer (read
## 2009-05-20 19:55:42 : Agent Crypto plug(layer) disconnect; cause:(6- disconn)
## 2009-05-20 19:55:42 : Agent: Destroying MTM crypto plug; cause:6- disconnect)
## 2009-05-20 19:55:42 : Agent disconnect; cause:(6- disconnected by peer (read
## 2009-05-20 19:55:42 : IMSAGENT flow/xport disconnects, cause:(6- disconnecte
## 2009-05-20 19:55:42 : Agent at imsAgentConnectingState, Discounnect cause=(6)
## 2009-05-20 19:55:42 : netPlugSetFlow turns off flow
## 2009-05-20 19:55:42 : Data transferred disabled:  dataXfer-->>0
## 2009-05-20 19:55:42 : Connection failed.  Wait for next retry

 

 Please help!!

Werner Viljoen
Contributor
WViljoen

Re: NSM Management of SSG350

This is not the ideal solution, but after reinstalling my NSM with a clean install it worked 100%.

sudo su -

sh upgrade-os.sh nsm2008.2r1_servers_linux_x86.sh --ofline

Werner Viljoen