cancel
Showing results for 
Search instead for 
Did you mean: 

NSM and SSL VPN - can't make them talk

SOLVED
muttbarker_
Valued Contributor

NSM and SSL VPN - can't make them talk

I am trying to learn how to manage SSL VPN from NSM. I am running NSM 2008-2r1 and SSL 6.3R3. I followed the documentation but the DMI agent in SSL never makes a good connection. The log shows the agent connected and then connection lost. The NSM box shows that the SSL Box has never made the first connection.

Any suggestions as to how to troubleshoot this would be greatly appreciated.

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
muttbarker_
Valued Contributor

Re: NSM and SSL VPN - can't make them talk

Solved - the admin login that the NSM will use needs to be assigned to the .administrators role. Documentation on adding SSL to NSM does not make that clear!

View solution in original post

12 REPLIES 12
muttbarker_
Valued Contributor

Re: NSM and SSL VPN - can't make them talk

Glad to hear you got it working! And welcome to the Juniper Forums.



Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
muttbarker_
Valued Contributor

Re: NSM and SSL VPN - can't make them talk

Solved - the admin login that the NSM will use needs to be assigned to the .administrators role. Documentation on adding SSL to NSM does not make that clear!

View solution in original post

firewall72_
Frequent Contributor

Re: NSM and SSL VPN - can't make them talk

Hi,

I'm not sure what the issue is, but I would check or try the following:

  1. Login to the SA, click on Auth Servers.
  2. Click on Administrators.
  3. Click on Users tab.
  4. Click new, add a username and password for the NSM and save.
  5. Click on Admin Realms, Admin Users, Role Mapping.
  6. Edit the first rule (i.e. current admin account link) and add the account name just created to the Rule (i.e. If username is "nsm" assign the .Administrators Role and save.
  7. Login to the NSM.
  8. Add the device.
  9. Enter the Device Name and select "Device is not reachable".
  10. Select "SA" from the OS Name Menu, Platform, Version, and check/enter the IP of the NSM.
  11. Continue by entering the account details (username and password) for the NSM account previously created, then add an additional "First time connect One-Time-Password" password and make a note of the auto-generated device ID.
  12. Log back into the SA, click on System, Configuration, DMI Agent.
  13. Enable the Agent, enter the IP of the NSM, the Device ID (step 11), and enter the One-Time-Password.
  14. Save Changes.
  15. Once this is completed, the DMI agent will attempt to contact the NSM. This can take up to one minute.
  16. Go back to the NSM, click Devices, Device List Tab, and check for an "Up" status.
  17. Once it's UP, you can import the device and start to manage the box using the NSM.

If this approach fails or you run into an issue, let me know. I vaguely remember having an issue with one of our four boxes, but I just ripped everything out and went through the above. I hope this helps.

-John

firewall72_
Frequent Contributor

Re: NSM and SSL VPN - can't make them talk

I guess I was too late, sorry...

Glad you got it working.

jpayne_
Occasional Contributor

Re: NSM and SSL VPN - can't make them talk

Attempted to follow the steps listed, but I'm getting my log filled with:

2009-09-10 13:30:16 ive [127.0.0.1] System()[] - Outbound DMI Agent failed to connect to host: X.X.X.X, port: 7804.

I ran tcpdump on both the internal and port 1 interfaces and cannot see a single attempt to contact the NSM. Does this only work over the management interface?

muttbarker_
Valued Contributor

Re: NSM and SSL VPN - can't make them talk

Nope - it works just fine on the internal interface - actually does not work on the external. I run against an SA2000 with no management I/F. This is a "duh" thing but that message obviously means that the boxes aren't talking. I am out of the office with no access to logs or my notes on configuring this stuff.

Have you done the obvious and validated communication from a ping perspective between the two boxes? Validated that the password you use on the SA matches the one you setup on NSM for 1st communications?

jpayne_
Occasional Contributor

Re: NSM and SSL VPN - can't make them talk

Yep, ping works, and I've double (and triple) checked the passwords Smiley Sad
muttbarker_
Valued Contributor

Re: NSM and SSL VPN - can't make them talk

What version of NSM and what version of SA?

jpayne_
Occasional Contributor

Re: NSM and SSL VPN - can't make them talk

2009.1r1 and 6.4