dno
Level 7
Message 1 of 5

NSS disabled

Hi,

Got a pair of Sidewinders (peer-to-peer). HA worked just fine until recently, when the member fw could no longer join the cluster. Getting the following error:

Waiting to start 'scobrad' because 'nss' is disabled

Waiting to start 'scobrap' because 'nss' is disabled

Waiting to start 'ccmd'  because 'nss' is disabled

Waiting to start 'entrelayp'  because 'nss' is disabled

We are scheduled for downtime and planning to re-create the cluster. I'm not sure this will resolve the issue.

Any advice is appreciated.


Thank you.

dno

4 Replies
ballen
Level 7
Message 2 of 5

Re: NSS disabled

Are any of your partitions full?  Run "df" and check (/dev will always be 100%, so you can ignore that one).  If that's not the problem, check through the audit again or look in /var/log/daemond.log and see if there is a more informative error in there.

Without knowing the root issue, it's difficult to say if breaking and rejoining the pair will fix the problem.  You may want to file a ticket so support can fully review the audit.

dno
Level 7
Message 3 of 5

Re: NSS disabled

Hi Ballen,

Thank you. I have checked the disk space already and we are not running low on any of the partitions.

Snippet from my daemond.log entry:

****************

'nss' is not ready

...

...

Waiting to start 'hostd' because 'nss' is not running

...

..

Starting 'restart-all' ..... Invalid configuration data ....can't parse state table file '/etc/server.conf'

...

******************

What service is using the server.conf? Looks like several component services cannot be started if server.conf could not be read.

Any particular incident that could possibly bring down the nss service?

dno

oreeh
Level 10
Message 4 of 5

Re: NSS disabled

> Invalid configuration data ....can't parse state table file '/etc/server.conf'

Check /etc/server.conf for any errors - it's a simple text file.

After fixing the errors restart nss.

Edited to add:

If unsure compare it with the working one from the other cluster member.

Message was edited by: oreeh on 12/22/09 8:43:17 AM CET
ballen
Level 7
Message 5 of 5

Re: NSS disabled

dno,

server.conf is the config file for the servers/daemons on the Sidewinder.  This doesn't include any proxies.  Like oreeh said, you can grab a copy of server.conf from the working pair member and compare it.

I don't know for sure what could have caused this.  Some guesses are a patch installation, config restore, improper shutdown if the firewall was writing to the file, or if someone (another admin) improperly edited the file.  Without seeing the audit.raw from when the problem initially started happening, it's tough to say why the firewall can no longer read the state table for server.conf.
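
The checks suggested across this thread (full partitions, the daemond.log messages, and a comparison of server.conf with the working peer's copy), collected as an added example that is not part of any post and is not vendor tooling. The function names, the 95% threshold, and the sample df and log input are assumptions constructed for illustration; the log wording is taken from the messages quoted above.

```shell
#!/bin/sh
# Added example: triage helpers for the checks suggested in this thread.
# Message wording is copied from the posts; real daemond.log lines may carry
# extra fields, so the patterns match anywhere in a line.

# Mount points at or above a usage threshold, read from `df` output on stdin.
# /dev is skipped because it always reports 100%.
full_partitions() {
    awk -v t="${1:-95}" 'NR > 1 {
        mount = $NF; use = $(NF - 1); sub(/%/, "", use)
        if (mount != "/dev" && use + 0 >= t) print mount " " use "%"
    }'
}

# Daemons that are waiting on nss, each listed once in first-seen order.
blocked_daemons() {
    sed -n "s/.*Waiting to start '\([^']*\)' *because 'nss' is .*/\1/p" |
        awk '!seen[$0]++'
}

# Files the log reports as unparsable.
unparsable_files() {
    sed -n "s/.*can't parse state table file '\([^']*\)'.*/\1/p" |
        awk '!seen[$0]++'
}

# Unified diff from the peer's known-good copy ($2) to the local file ($1).
# Exit status 0 means identical, 1 means they differ.
compare_with_peer() { diff -u "$2" "$1"; }

# Constructed sample input (messages as quoted in the thread).
sample_df() { cat <<'EOF'
Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
/dev/ad0s1a    507630  180000  287020    39%    /
devfs               1       1       0   100%    /dev
/dev/ad0s1e   2026030 1985509   40521    98%    /var
EOF
}
sample_log() { cat <<'EOF'
Waiting to start 'scobrad' because 'nss' is disabled
Waiting to start 'ccmd'  because 'nss' is disabled
Waiting to start 'hostd' because 'nss' is not running
Starting 'restart-all' ..... Invalid configuration data ....can't parse state table file '/etc/server.conf'
EOF
}

sample_df | full_partitions 95
sample_log | blocked_daemons
sample_log | unparsable_files
```

On a live system the same functions take `df` and `/var/log/daemond.log` as input, and `compare_with_peer` takes the local /etc/server.conf and a copy retrieved from the working cluster member.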
