Craig's Tip #77 (3.8 Site-Site VPN slave server that won't start VPN services)

I have a couple of questions:

Does this problem happen in IKE mode, Legacy mode, or both ?

If there's a replica of root on another server on the slave's segment, I
assume this is enough of a 'fix' to allow the services to start properly?

Thanks
Adrian James

Quote:
"Update: Aug 24, 2004: I am hearing that there is a design bug with
BorderManager 3.8 Site-to-Site VPN that requires the slave server to contact
a replica of the Root partition in order to launch. This means (for now)
that you need to put a replica of Root on the VPN slave server. This makes
sense in terms of what I have seen with my workaround, which simply allows
the slave server to contact a Root replica through a backup link.   It is,
of course, exceedingly poor NDS design in many cases to have to put a root
replica on a VPN slave server, and I assume that Novell will start taking
steps to address this.  (Also, I have not yet confirmed this yet in more
than one instance).  As noted below, if you are already in the situation
where your slave VPN is down, and you can't bring it up in order to get NDS
synched, I have a work-around, and I can do it for you if you need help."

Adrian
8/29/2004 9:55:44 PM
novell.bordermanager.vpn


In article <AhsYc.705$ML2.472@prv-forum2.provo.novell.com>, Adrian James 
wrote:
> Does this problem happen in IKE mode, Legacy mode, or both ?

So far, I've only encountered it in IKE mode, but I never tried to test a 
legacy mode connection extensively at the same time.  In one case, I believe 
legacy continued to work, though the IKE-based VPN did not.
> 
> If there's a replica of root on another server on the slave's segment, I
> assume this is enough of a 'fix' to allow the services to start properly?

Probably.  Just not tested (by me) yet.


Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://www.craigjconsulting.com ***

Craig
8/30/2004 10:19:11 PM

On Sun, 29 Aug 2004 21:55:44 GMT, Adrian James <ajames@davis.ca> wrote:

>If there's a replica of root on another server on the slave's segment, I
>assume this is enough of a 'fix' to allow the services to start properly?

Indeed, having a replica of root nearby (on the same segment) works.
I just had reason to test this.

I'm currently on hold with NTS to see if there is a way, short of
placing servers in public space or driving more than 10 hours, to
force the tunnel to come up.  I'll post the findings.

So far, it doesn't look good...

-Paul
pguest
9/26/2004 1:05:42 AM
In article <h65cl0l4u2m24pv7lr4jgdmopqb030rker@4ax.com>,  wrote:
> I'm currently on hold with NTS to see if there is a way, short of
> placing servers in public space or driving more than 10 hours, to
> force the tunnel to come up.
>
If you are talking about getting the tunnel up without a root replica, 
there are ways.  You may be able to use IPX across an IPRELAY tunnel to 
get NDS synched, to bring up the tunnel, and then switch to using a VPN 
tunnel instead.  It's kind of ugly, but should be doable completely 
remotely via rconag6.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://www.craigjconsulting.com ***

Craig
10/2/2004 6:13:20 PM