Novell is now a part of Micro Focus

Solving VPN Client-to-Site Connection Failures from NMAS

Novell Cool Solutions: Tip

Digg This - Slashdot This

Posted: 4 Jan 2005

Solving VPN Client-to-Site Connection Failures from NMAS

By R. Anupkumar and Chitra A. Gurjar


When an existing server is added to another eDirectory tree, the added server's tree keys do not synchronize with the other servers in the tree. When BorderManager 3.8 is installed on the newly added server, the client-to-site connection to this VPN server using NMAS enhanced password authentication method will fail.

The Problem

When a user tries to establish a VPN client-to-site connection from a Windows VPN client to a BorderManager 3.8 VPN Server (added as a read/write replica to an eDirectory tree), using NMAS Enhanced Password authentication, the following errors are likely to be encountered.

Error displayed on NMASMON on the server:
	ERROR: -1460 CCS_GetPartitionKey:LTSSPerformX 
Error displayed on the VPN client machine:
	?Failed receiving server DH public value. An unknown error was 	reported by the authentication gateway?

These errors in the client and server side can lead to a connection failure. The common causes of -1460 errors are:

  • Incomplete component installation on the servers
  • Misconfigured information

These errors, which can also occur due to unsynchronized security domain keys, can occur in two ways:

  • While adding a server to an existing tree, if the user removes the eDirectory and then add the server as a read/write replica to the tree, the server keys may not get synchronized.
  • If the added server is third or higher in an existing tree, it will not hold any replica. After adding the replica (need be atleast read/write, if the user wants to use VPN Services), the server keys may not get synchronized.

The Solution

SDIDIAG is a tool and a diagnostic utility that examines the server's tree keys across the directory tree. It determines whether the keys are synchronized and synchronizes them if necessary. This utility has two versions:

  • An executable for Windows
  • An NLM file for Netware

For more information on SDIDIAG and related terms, refer to the following TIDs:

  • TID10086669 - Using SDIDIAG switches and options.
  • TID10088626 - Using SDIDIAG to gather specific SDKey information from servers.

The following TID provides detailed information on Security Domain Infrastructure (SDI) and NICI versions: TID10081773 - SDIDIAG switches, options and information.

Sample Problem and Solution

Suppose there are two or more servers in the tree. Another server was added to the tree by removing the eDirectory from it and re-installing the eDirectory. BorderManager 3.8 with Support Pack 2 was then installed on this server.

To simulate this situation,

  1. Create some users on the secondary server and authenticate them by the NMAS method - Enhanced Password or higher levels.
  2. Run the NMASMON utility on this server.

From any client, while trying to establish a client-to-site connection with the NBM server, the same errors as mentioned in the Problem section are likely to be displayed in the client and server. The following steps helps you in addressing these problems Note: These steps can also be executed using the SDIDIAG.nlm from any Netware Server connected to the network.


From ConsoleOne, check whether the server with BorderManager 3.8 installed holds the read/write replica. If it does not, make the server a read/write replica.

To synchronize the tree keys, the server should be a read/write replica.


From a Windows client which is connected to the network, run SDIDIAG.exe.


The tool prompts you for the server IP address, user name (Full DN) and password. After you provide all the credentials, a SDIDIAG prompt as shown below appears SDIDIAG> Step4 To check key or domain issues run the command as shown below SDIDIAG> CK -N This is a diagnostic command, which displays the issues with security domain servers. This can include any writable replica as specified by the "-N" option with the respective container DN The result of the command appears as follows(Figure 1) Figure 1 As observed, the synchronization of tree keys needs to be done with a specific server. Step 5 Execute the following command with the option to re-synchronize the security domain as shown below: SDIDIAG> RD -N This will re-synchronize the security domain with all servers holding writable replicas of the specified container DN partition (as given after the -N option). Now execute the CK -N diagnostic command as explained in Step 4. The result appears as follows (Figure 2) This indicates that the security domain server keys are synchronized. After resynchronizing the server using SDIDIAG tool, the server can authenticate the users for any NMAS methods.


The tree synchronization activity using the SDIDIAG tool can be done quickly and esily. Once all the servers in a tree are synchronized, the NMAS authentication methods, such as Enhanced Password and the LDAP method, work perfectly. The SDIDIAG tool ships with NW 6.5 sp1 and can be downloaded at:

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates