Troubleshooting issues with the network access control feature
This topic provides troubleshooting information about the issues that are specific to the network access control (NAC) feature. By enabling the NAC option with the NetBackup web UI or API, you can specify IP addresses or IP address ranges that can or cannot access web APIs.
For more information on the network access control feature, see the NetBackup Security and Encryption Guide.
Table:
Sr. No. | Issue | Possible reason | Resolution |
|---|---|---|---|
1 | While configuring NAC, the following error occurs: The network access control configuration is not valid. With the following details: The IP address IP_address of the requesting host is not added in the list of allowed CIDR ranges or IP addresses. | IP address of the host that is requesting configuration changes is not added with the 'Allow' action. | Ensure that the IP address of the host that is requesting configuration changes is added with the 'Allow' action. |
2 | NetBackup web UI or CLI is accessed from the primary server host and request times out. | The NetBackup Service Layer (NBSL) service is down. | Ensure that the NBSL service is up and running. |
3 | On NetBackup 11.0 or earlier hosts, the bpnbat -login command fails with the following error: Web authentication failed. | The NAC option is enabled and the IP address of the host is not present in the list or the action is 'Deny'. | Refer to the NetBackup Security and Encryption Guide for NAC configurations. Check if audit records with category "CONNECTION" exist and if the IP address of the requesting host is in audits. |
4 | CLI fails with EXIT STATUS 1851 | NAC is enabled and IP address of host has the 'Deny' action. | Refer to the NetBackup Security and Encryption Guide for NAC configurations. Check if audit records with category "CONNECTION" exist and if the IP address of the requesting host is in audits. Run the following command: nbauditreport -ctgy CONNECTION -fmt DETAIL | grep "requestor_IP_address" |
5 | NetBackup Administration Console fails with the following error: An unknown error has occurred during initialization | NAC is enabled and IP address of the host is not present in the list or is present in the list with action 'Deny'. | Refer to the NetBackup Security and Encryption Guide for NAC configurations. Check if audit records on the primary server host with category CONNECTION exist and if the IP address of the requesting host in the audits exists under attribute 'Peer IP'. |
6 | NetBackup IT Analytics fails with error code 403. | NAC is enabled and IP address of the host (ITA Data Collector in this case) is not present in the list or is present in the list with action 'Deny'. | Refer to the NetBackup Security and Encryption Guide for NAC configurations. Check if audit records on the primary server host with category CONNECTION exist and if the IP address of the requesting host in the audits exists under attribute 'Peer IP'. |
7 | In Kubernetes cluster configuration, using simplified deployment fails with the following error: Network access control denied the host access | NAC configuration is enabled on the setup, however the IP address of the required cluster node is not added with action 'Allow'. | Allow the IP address of the required cluster node in NAC configuration until bootstrap of the node. Once the required operation is done, remove entry of the IP address from the NAC configuration. |
8 | In case of NetBackup Flex Scale deployment, NAC configuration update from Flex Scale UI fails with the following error even if the required host is added in the 'Allow' list. | The HTTP requests are routed through private management gateway that hides the actual IP address of the source. | The NAC option is not supported on NetBackup Flex Scale, therefore the NAC option should not be used on NetBackup FlexScale. |