Security

  • 1.  NSM 2009.1r1 and RMA

    Posted 09-08-2009 13:34

    We upgraded from 2008.2r2 to 2009.1r1.  Our two IDP-75s and some (but not all) SSG5/5GT's showed down.  Per the release notes, we tried RMA'ing the IDP-75 and then tried activating them but they never connect.

    The DevSvr and GUISvr are both running, and on the IDP's the agent is running.  We rebooted the IDP's and NSM Server but they never complete the 1st connect.

     

    Anyone else have this problem?



  • 2.  RE: NSM 2009.1r1 and RMA
    Best Answer

    Posted 09-08-2009 15:52

    Hey Joe - I just finished upgrading my NSM to 2009.1 - I had the same problem with my IDP 75. I ended up selecting the "device is not reachable" option and then did the whole "cut and paste" routine. After doing so and a reboot of the IDP it came up fine and is now in an up state.

     

    I would suggest you do that with both the IDP and the SSG5's.



  • 3.  RE: NSM 2009.1r1 and RMA

    Posted 09-09-2009 03:10
    What is the "cut and paste" solution?


  • 4.  RE: NSM 2009.1r1 and RMA

    Posted 09-09-2009 06:33

    Never mind!  I figured it out and it works perfectly!

    Now all I have to do is get the Update Attack Database to work (it's broke after the upgrade!).

     

    Thanks again!



  • 5.  RE: NSM 2009.1r1 and RMA

    Posted 09-21-2009 03:17

    Hello,

     

    I'm having the same problem with SRX 210 gateway.

     

    Can you explain the "cut and paste" routine, please?

     

    Thanks in advance,

     

    Mounira REMINI

    Security Engineer



  • 6.  RE: NSM 2009.1r1 and RMA

    Posted 09-21-2009 07:38

    Mounira - "cut and paste" as I used it referred to selecting "device is not reachable" as your install option. You then have to "cut and paste" some commands from the NSM to the ScreenOS box.

     

    For the SRX210 the "device is not reachable" install method is the one you should be using. You select that option, fill in the type and version and then take the commands displayed, enter them into the SRX and the SRX should communicate with the NSM and be reachable. From that point you do an import of the config.

     

    Did that part work, or do you need to do that still?



  • 7.  RE: NSM 2009.1r1 and RMA

    Posted 09-21-2009 10:50

    hello muttbarker,

     

    Thank you for your reply. 

     

    I didn't know that you call this operation "cut and paste".

    I already did that on the creation of my SRX gateway, and it worked successfully, but unfortunately it's still not working for me when RMA'ing and activating the device.

     

    I opened a case with Juniper and did a secure meeting with a Juniper engineer, but we didn't find a solution.

    Actually he is trying to reproduce the problem. 

    The error message that we are getting on NSM is as follows: "No record found in database for this incoming connection. Could be wrong device-id or it is removed by user." ...If someone can help

     

    N.B.: the device id is correctly configured!

     

    I'll update this post as soon as we find a solution

     

    Thanks

     

    Mounira REMINI

    Security Engineer

     

     

     



  • 8.  RE: NSM 2009.1r1 and RMA

    Posted 01-10-2010 01:32

    For what it is worth, I am experiencing exactly the same problem.  This is with 2009.1r1 and both 10.0.R1.8 and 10.0.R2.10 on an SRX240. I have an up to date schema and have tried both the "reachable" and "unreachable" methods for adding the device.  In both cases I get the same error in the logs: "No record found in database for this incoming connection. Could be wrong device-id or it is removed by user."

     

    Did you ever get a resolution to this?



  • 9.  RE: NSM 2009.1r1 and RMA

    Posted 03-15-2010 01:51

    Hi,

     

    Just got the same problem with an SRX210 and NSM 2008.r2a.

    Did anyone find a solution to the "No record found in database for this incoming connection. Could be wrong device-id or it is removed by user." problem?

     

    Regards



  • 10.  RE: NSM 2009.1r1 and RMA

    Posted 05-28-2010 01:18

    Hello,

     

    Here is the explanation that I got from Juniper support about this issue:

     

    The root cause is that, when we RMA an SRX device, NSM changes the device ID of the SRX
    in its DB. While activating, NSM still supplies the old device id in UI, which goes to
    SRX along with the commands. And then SRX tries to connect with the old device id. So,
    the connection will fail in NSM.
    This behavior is changed in the latest release, and the issue is resolved.

    The issue seems to be resolved in NSM 2010. I haven't tested it yet.

     

    Mounira