NSM 2010, Can't import configuration from device



  • Hi,

    We have 2 NSM, 2007r3 and 2010.
    The 2010 works without any problem.
    The problem is that when I try to add device (SSG running ScreenOS 6.3r3) to the 2010 NSM, the NSM “succsessfully” add the device, but at the end it write me: “Device could not connect to NSM…”.

    I’ve looked at the log of the SSG and I see this message every minute:
    “NSM: Cannot connect to NSM server at 10.100.100.101. Reason: 6, disconnected by peer (read == 0) (3 connect attempt(s))”

    In the NSM logfile (/usr/netscreen/DevSvr/var/errorLog/deviceDaemon.0) I see (every minute):

    “[04/07/2010 10:50:27.991] [Error] [1119936-nsRSA.c:189] RSA invalid header
    [04/07/2010 10:50:27.991] [Error] [1119936-nsCryptoMTMPlug.c:1403] Could not verify connect message!
    [04/07/2010 10:50:27.991] [Error] [1119936-nsCryptoMTMPlug.c:2203] nsCryptoMTMPlugServerRecv_S1() failed
    [04/07/2010 10:50:27.991] [Warning] [1119936-nthConnPlug.c:374] NTHCONN: SSP device 172.16.2.102 (domainId 1, deviceId 32): denied connection due to key exchange failure
    [04/07/2010 10:50:27.991] [Notice] [1119936-sessionPlug.c:3581] session returns NETPLUG_SEND_DISCONNECTED”

    It seems there is a mismatch between the SSH of the SSG and the NSM (although the NSM were able to connect via ssh to the SSG).
    I tried to delete the nsm keys from the SSG, and reset the known_hosts files at the NSM, but still the same proble.

    I will appreate any help!.

    Dayan Shay.



  • After some support we found out the problem.
    We are tring to monitor a SSG, which doesn’t support FIPS.

    Simply disable the FIPS from the configuration file in the NSM.



  • Just an idea because I had same problem : some special caracters in password could not been understood by NSM
    If you have special caracters just try to change and put a easy password to see if this resolv the problem
    It"s just an idea… I’m not sure this is your problem


 

32
Online

38.4k
Users

12.7k
Topics

44.5k
Posts