Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
Sign In Create an Account Dell Financial Services Premier Sign In Partner Program Sign In
Contact Us

Your Dell.com Carts

Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

NetWorker: How to clear NSR peer information mismatches automatically using nsradmin -C

Summary: Correct mismatched NSR peer information resources between a NetWorker server and its clients.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

NSR peer information resources contain the public keys for remote hosts used during RPCSEC_GSS authentication (nsrauth). When there is a peer certificate mismatch between two NetWorker hosts. NetWorker communication attempts may report a certificate mismatch, peering issue, credential too weak, server rejected credential, so forth.

Example:
 

nve:~ # nsradmin -p nsrexecd -s lnx-srvr01.networker.lan
143820:nsradmin: Unable to establish RAP connection with lnx-srvr01.networker.lan: Unable to authenticate with nsrexecd on host lnx-srvr01.networker.lan for RAP credentials: Authentication error; why = Server rejected credential

These errors appear in the NetWorker systems /nsr/logs/daemon.raw. These errors may also appear in backup session logs under /nsr/logs/policy/POLICY_NAME/WORKFLOW_NAME.

NetWorker: How to use nsr_render_log to render .raw log files

 

The cause of the mismatch can vary; however, the nsradmin utility can be used to check and clear peer certificate mismatches.

 

To list the number of mismatched NSR peer information resources, run the following command on the NetWorker server:

nsradmin -p nsrexecd -C  "NSR peer information"

To attempt to correct NSR peer information mismatches, run the following command on the NetWorker server:

nsradmin -p nsrexecd -C -y "NSR peer information"

 

WARNING: This operation can compromise the security of a NetWorker server. If a malicious host with the same name and IP address as an existing client is installed on the server’s network, clearing the NSR peer information may delete the legitimate client, allowing the malicious host to replace the legitimate certificate and impersonate the client. For this to occur, the legitimate client must be powered off while the malicious client exists on the server s network. This specific scenario is unlikely; however, be aware of this risk before performing the procedure.

Example output:

# nsradmin -p nsrexec -C "NSR peer information"

Validate "NSR peer information" resources

Synopsis: For each NSR peer information resource in saturn.emc.com's NSRLA database, verify the 'NW instance ID' and 'certificate' attributes match those found in the peer's NSRLA resource.

Peer 1 of 2

 Hostname: mars.emc.com

 Instance ID: 7dda5dc7-00000004-e064f199-56a140c6-00010c00-6c9ab329

 * The "NSR peer information" resource for mars.emc.com in saturn.lss.emc.com's NSRLA database is out of date. The "NW instance ID" attribute does not match the one stored in mars.emc.com's NSRLA resource. To correct the problem, delete the NSR peer information resource for mars.emc.com in saturn.emc.com's NSRLA database.

 Matching certificates: No

Peer 2 of 2

 Hostname: jupiter.emc.com

 Instance ID: 3900ad0a-00000004-f05b6935-56aba1de-00010c00-b6e8a329

 Matching certificates: Yes

Summary:

NSR peer information resources checked:       2

        RAP connect errors:                   0

        RAP query errors:                     0

        Resource mismatches:                  1

        Resources corrected:                  0

Peers with mismatched certificates/instance IDs: mars.emc.com

Total errors:                                 1

Review the output for errors in clearing peer information. 
 

NOTE: It may be necessary to run this command on multiple NetWorker systems where GSS auth errors are observed. For example if Client_A is reporting GSS auth errors, run the `nsradmin -C -y -p nsrexecd "NSR peer information"` command on both the NetWorker server and Client_A.
 

In some instances, it may be necessary to manually delete peer information: NetWorker: Fixing inconsistent NSR peer information

Additional Information

Other uses of nsradmin -C are detailed in: NetWorker: How to Use NetWorker nsradmin -C Resource Validation

Affected Products

NetWorker

Products

NetWorker, NetWorker Series
Article Properties
Article Number: 000022820
Article Type: How To
Last Modified: 31 Oct 2024
Version:  6
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.