NSM and SSL VPN - can't make them talk

SOLVED
muttbarker_
Valued Contributor

I am trying to learn how to manage SSL VPN from NSM. I am running NSM 2008-2r1 and SSL 6.3R3. I followed the documentation but the DMI agent in SSL never makes a good connection. The log shows the agent connected and then connection lost. The NSM box shows that the SSL Box has never made the first connection.

Any suggestions as to how to troubleshoot this would be greatly appreciated.

Thanks!

Accepted Solution
muttbarker_
Valued Contributor

Re: NSM and SSL VPN - can't make them talk

Solved - the admin login that the NSM will use needs to be assigned to the .administrators role. Documentation on adding SSL to NSM does not make that clear!


12 REPLIES
muttbarker_
Valued Contributor

Re: NSM and SSL VPN - can't make them talk

Glad to hear you got it working! And welcome to the Juniper Forums.



Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
firewall72_
Frequent Contributor

Re: NSM and SSL VPN - can't make them talk

Hi,

I'm not sure what the issue is, but I would check or try the following:

  1. Log in to the SA, click on Auth Servers.
  2. Click on Administrators.
  3. Click on Users tab.
  4. Click new, add a username and password for the NSM and save.
  5. Click on Admin Realms, Admin Users, Role Mapping.
  6. Edit the first rule (i.e. current admin account link) and add the account name just created to the Rule (i.e. If username is "nsm" assign the .Administrators Role) and save.
  7. Log in to the NSM.
  8. Add the device.
  9. Enter the Device Name and select "Device is not reachable".
  10. Select "SA" from the OS Name Menu, Platform, Version, and check/enter the IP of the NSM.
  11. Continue by entering the account details (username and password) for the NSM account previously created, then add an additional "First time connect One-Time-Password" password and make a note of the auto-generated device ID.
  12. Log back into the SA, click on System, Configuration, DMI Agent.
  13. Enable the Agent, enter the IP of the NSM, the Device ID (step 11), and enter the One-Time-Password.
  14. Save Changes.
  15. Once this is completed, the DMI agent will attempt to contact the NSM. This can take up to one minute.
  16. Go back to the NSM, click Devices, Device List Tab, and check for an "Up" status.
  17. Once it's UP, you can import the device and start to manage the box using the NSM.

If this approach fails or you run into an issue, let me know. I vaguely remember having an issue with one of our four boxes, but I just ripped everything out and went through the above. I hope this helps.

-John

firewall72_
Frequent Contributor

Re: NSM and SSL VPN - can't make them talk

I guess I was too late, sorry...

Glad you got it working.

jpayne_
Occasional Contributor

Re: NSM and SSL VPN - can't make them talk

Attempted to follow the steps listed, but I'm getting my log filled with:

2009-09-10 13:30:16 ive [127.0.0.1] System()[] - Outbound DMI Agent failed to connect to host: X.X.X.X, port: 7804.

I ran tcpdump on both the internal and port 1 interfaces and cannot see a single attempt to contact the NSM. Does this only work over the management interface?

muttbarker_
Valued Contributor

Re: NSM and SSL VPN - can't make them talk

Nope - it works just fine on the internal interface - actually does not work on the external. I run against an SA2000 with no management I/F. This is a "duh" thing but that message obviously means that the boxes aren't talking. I am out of the office with no access to logs or my notes on configuring this stuff.

Have you done the obvious and validated communication from a ping perspective between the two boxes? Validated that the password you use on the SA matches the one you set up on NSM for 1st communications?
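
An added example, not part of the thread or written by any poster: a successful ping does not show that TCP port 7804 is reachable, so this Python script tallies the DMI failure lines from an exported SA log and classifies a TCP connect to the logged host and port. It tests the path from the machine it runs on (assumption: a host on the same segment as the SA's internal interface); the sample log, its unrelated third line, and the 192.0.2.10 address standing in for the masked NSM IP are constructed.

```python
import re
import socket
from collections import Counter

# Matches the SA event-log line quoted in the thread above.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*"
    r"Outbound DMI Agent failed to connect to host: (?P<host>\S+), port: (?P<port>\d+)\."
)

def dmi_failures(lines):
    """Count DMI connect failures per (host, port) and keep the last timestamp."""
    counts, last_seen = Counter(), {}
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if m:
            key = (m["host"], int(m["port"]))
            counts[key] += 1
            last_seen[key] = m["ts"]
    return counts, last_seen

def tcp_check(host, port, timeout=3.0):
    """Classify a TCP connect attempt: 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # host reachable, nothing listening or an active reject
    except socket.timeout:
        return "timeout"   # typically a silent drop by a filter in the path
    except OSError:
        return "error"     # e.g. no route or unresolvable name

# Constructed sample log (assumption): the thread's line with a documentation
# address in place of the masked NSM IP, plus one unrelated line.
SAMPLE = """\
2009-09-10 13:30:16 ive [127.0.0.1] System()[] - Outbound DMI Agent failed to connect to host: 192.0.2.10, port: 7804.
2009-09-10 13:31:16 ive [127.0.0.1] System()[] - Outbound DMI Agent failed to connect to host: 192.0.2.10, port: 7804.
2009-09-10 13:31:20 ive [127.0.0.1] System()[] - Some unrelated event.
"""

if __name__ == "__main__":
    counts, last_seen = dmi_failures(SAMPLE.splitlines())
    for (host, port), n in counts.items():
        print(f"{host}:{port} failed {n}x, last {last_seen[(host, port)]}, "
              f"TCP from this host: {tcp_check(host, port, timeout=1.0)}")
```

A "refused" result points at the listener on the NSM side, while "timeout" points at filtering in the path between the two boxes.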

jpayne_
Occasional Contributor

Re: NSM and SSL VPN - can't make them talk

Yep, ping works, and I've double (and triple) checked the passwords :(
muttbarker_
Valued Contributor

Re: NSM and SSL VPN - can't make them talk

What version of NSM and what version of SA?

jpayne_
Occasional Contributor

Re: NSM and SSL VPN - can't make them talk

2009.1r1 and 6.4