NetWorker: How to clear NSR peer information mismatches automatically using nsradmin -C

NSR peer information resources contain the public keys for remote hosts used during RPCSEC_GSS authentication (nsrauth). When there is a peer certificate mismatch between two NetWorker hosts. NetWorker communication attempts may report a certificate mismatch, peering issue, credential too weak, server rejected credential, so forth.

Example:
 

nve:~ # nsradmin -p nsrexecd -s lnx-srvr01.networker.lan
143820:nsradmin: Unable to establish RAP connection with lnx-srvr01.networker.lan: Unable to authenticate with nsrexecd on host lnx-srvr01.networker.lan for RAP credentials: Authentication error; why = Server rejected credential

These errors appear in the NetWorker systems /nsr/logs/daemon.raw. These errors may also appear in backup session logs under /nsr/logs/policy/POLICY_NAME/WORKFLOW_NAME.

NetWorker: How to use nsr_render_log to render .raw log files

The cause of the mismatch can vary; however, the nsradmin utility can be used to check and clear peer certificate mismatches.

To list the number of mismatched NSR peer information resources, run the following command on the NetWorker server:

nsradmin -p nsrexecd -C  "NSR peer information"

To attempt to correct NSR peer information mismatches, run the following command on the NetWorker server:

nsradmin -p nsrexecd -C -y "NSR peer information"

Example output:

# nsradmin -p nsrexec -C "NSR peer information"

Validate "NSR peer information" resources

Synopsis: For each NSR peer information resource in saturn.emc.com's NSRLA database, verify the 'NW instance ID' and 'certificate' attributes match those found in the peer's NSRLA resource.

Peer 1 of 2

 Hostname: mars.emc.com

 Instance ID: 7dda5dc7-00000004-e064f199-56a140c6-00010c00-6c9ab329

 * The "NSR peer information" resource for mars.emc.com in saturn.lss.emc.com's NSRLA database is out of date. The "NW instance ID" attribute does not match the one stored in mars.emc.com's NSRLA resource. To correct the problem, delete the NSR peer information resource for mars.emc.com in saturn.emc.com's NSRLA database.

 Matching certificates: No

Peer 2 of 2

 Hostname: jupiter.emc.com

 Instance ID: 3900ad0a-00000004-f05b6935-56aba1de-00010c00-b6e8a329

 Matching certificates: Yes

Summary:

NSR peer information resources checked:       2

        RAP connect errors:                   0

        RAP query errors:                     0

        Resource mismatches:                  1

        Resources corrected:                  0

Peers with mismatched certificates/instance IDs: mars.emc.com

Total errors:                                 1

Review the output for errors in clearing peer information. 
 

In some instances, it may be necessary to manually delete peer information: NetWorker: Fixing inconsistent NSR peer information

Other uses of nsradmin -C are detailed in: NetWorker: How to Use NetWorker nsradmin -C Resource Validation