Troubleshooting NSR tunnel

NSR tunnel is a configurable feature found in NetWorker 8.0 and later that enables communications through a firewall by using a single TCP service port. You create an NSR tunnel resource on two separate hosts: the server and the proxy. The tunnel creates a connection between the Server in the secure network and the Proxy in the insecure network. NetWorker data passes between the secure and insecure network through the tunnel.

This article lists some common NSR Tunnel error messages that appear in the /nsr/logs/daemon.raw file and possible resolutions to the errors seen.

SYSTEM warning: A NSR tunnel end was closed unexpectedly

This message appears on the Proxy and Server hosts when the tunnel connection closes unexpectedly. For example, this occurs when the autostart attribute in the NSRLA database is set to Restart Now or when a host reboot occurs.

If the tunnel connection does not reestablish after this message appears, an inactivity timeout on the firewall might be closing the tunnel connection. Resolve this issue in one of the following ways:

  • Ensure that the keepalive interval attribute value in the Server and Proxy NSRLA database is less than the firewall timeout value. NOTE: If you change the keepalive interval value, set the autostart attribute to Restart Now.
  • Increase the firewall timeout to a value greater than the value specified in the keepalive interval attribute.

NSR warning Accepted connection from remote address ip_address does not match entry for the NSR tunnel attribute 'server address' of tunnel instance 'TUN_name'; closing connection

This message appears on the Proxy host when the real IP address of the Server does not match the value specified in the server address attribute in the NSRLA database.

To resolve this issue, ensure that the server address attribute in the NSRLA database is:

  • The real IP address of the Server host.
  • The same value on the Proxy and Server hosts.

SYSTEM warning Unable to connect to [ip_address]:7232 for NSR tunnel instance 'TUN_name': Connection refused

This message appears on the initiating host when the nsrtund daemon is not running on the listening host.

To resolve this issue:

  • Ensure that the autostart attribute value in the NSRLA database is not disabled.
  • Try to start the nsrtund daemon in one of the following ways:
    • Stop and start the nsrexecd daemon on the listening host.
    • Set the autostart attribute value in the NSRLA database on the listening host to Restart Now.

SYSTEM severe Unable to open /dev/net/tun driver for NSR tunnel instance 'TUN_name': No such file or directory

This message appears on the Proxy or Server host if you did not install or load the tunnel driver.

To resolve this issue:

  • Log in as root.
  • Type: /usr/sbin/nsr_install_tun
  • Start the nsrtund daemon in one of the following ways:
    • Stop the nsrexecd daemon on the host and restart it.
    • Set the autostart attribute in the NSRLA database to Restart Now.

SYSTEM warning An error was encountered while reading from ip_address for NSR tunnel instance 'TUN_name': Connection reset by peer

This message appears on the Proxy or Server host when the firewall uses TCP Intercept in Intercept mode and intercepts requests from the initiating host. When the intercept occurs, the tunnel connection closes, and NSR tunnel establishes another connection, which the firewall intercepts.

You will see messages similar to the following repeated in the daemon.raw file:

SYSTEM warning An error was encountered while reading from the network
interface for NSR tunnel instance 'TUN_name': Connection reset by peer
NSR warning NSR tunnel instance 'TUN_name' is now closed.
NSR notice Successfully connected to ip_address for NSR tunnel
instance 'TUN_name'
NSR notice NSR tunnel instance 'TUN_name' via ip_address is now active.
SYSTEM warning An error was encountered while reading from the network
interface for NSR tunnel instance 'TUN_name': Connection reset by
peer.

To resolve this issue, exclude the tunnel connection from the TCP Intercept configuration.
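
The reset and reconnect loop shown above can be picked out of a log mechanically, alongside the other messages in this article. The following is an added example, not part of NetWorker or of the original article: the triage function, the threshold of two cycles, and the sample lines are assumptions, and it expects rendered log text with one message per line.

```python
import re
from collections import defaultdict

# Message fragments from this article, each mapped to the cause the article gives.
SIGNATURES = [
    ("closed unexpectedly", "tunnel end closed: compare keepalive interval with firewall timeout"),
    ("does not match entry for the NSR tunnel attribute 'server address'",
     "server address attribute is not the Server's real IP address"),
    ("Connection refused", "nsrtund is not running on the listening host"),
    ("Unable to open /dev/net/tun", "tunnel driver is not installed or loaded"),
]
INSTANCE = re.compile(r"tunnel instance '([^']+)'")

# Constructed sample in the article's message format; names and addresses are made up.
RESET = ("SYSTEM warning An error was encountered while reading from the network "
         "interface for NSR tunnel instance 'TUN_a': Connection reset by peer")
ACTIVE = "NSR notice NSR tunnel instance 'TUN_a' via 192.0.2.10 is now active."
SAMPLE = [
    RESET, ACTIVE, RESET, ACTIVE, RESET,
    "SYSTEM warning Unable to connect to [192.0.2.20]:7232 for NSR tunnel instance 'TUN_b': Connection refused",
]


def triage(lines, flap_threshold=2):
    """Return {instance: {"causes": [...], "reset_cycles": n}} for rendered log lines."""
    report = defaultdict(lambda: {"causes": [], "reset_cycles": 0})
    was_active = defaultdict(bool)
    for line in lines:
        m = INSTANCE.search(line)
        name = m.group(1) if m else "(no instance named)"
        entry = report[name]
        for fragment, cause in SIGNATURES:
            if fragment in line and cause not in entry["causes"]:
                entry["causes"].append(cause)
        if "is now active" in line:
            was_active[name] = True
        elif "Connection reset by peer" in line and was_active[name]:
            # A reset that follows a successful reconnect is one turn of the loop.
            entry["reset_cycles"] += 1
            was_active[name] = False
    for entry in report.values():
        if entry["reset_cycles"] >= flap_threshold:
            entry["causes"].append("repeated reset after reconnect: check firewall TCP Intercept")
    return dict(report)


if __name__ == "__main__":
    for name, entry in triage(SAMPLE).items():
        print(name, entry)
```

A single reset after a reconnect is not flagged; only the repeated cycle matches the TCP Intercept symptom described above.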

Tunnel process starts but the tunnel connection does not establish

When the nsrtund process starts but fails to establish the tunnel connection, review the attribute values in the NSRLA database on the Proxy and Server hosts. For all required fields, ensure the values are the same on the Server and Proxy hosts.