Symptoms
Backups, recoveries and communications fail on client with the following errors:
'nsrexecd: SYSTEM error: There is already a machine using the name (client_name). Either choose a different name for your machine, or delete the "NSR peer information" entry for (client_name) on host: (host_name)'
'nsrexecd: SYSTEM error: Connection reset by peer'
nsrexecd.exe may cause application faults on one or more clients, including the server or storage nodes.
Cause
The res\nsrladb folder is the home of the new certificate-based host authentication (nsrauth). It contains both the individual client's local certificate, and a cached copy of all hosts with whom it has communicated.
At the first connection, a host will request and receive the certificate for the host it connects to, and cache that hosts certificate for future comparison. Barring directed recoveries and storage nodes, a standard environment would have each client certificate cached on the NetWorker server and Storage Nodes, and the server's certificate cached on each client and Storage Node. These cached certificates are reflected in the Local Hosts branch of the Configuration tree
When a client is reinstalled, the certificate is generated anew locally on the client; this causes the server's cached copy of the client's certificate to be invalidated, causing the errors. The same condition results by simply renaming the nsrladb on the client.
Resolution
The NSR peer information is set at the client level, not at the server level. In other words: you must connect to the NSRLA not the NSR database. To perform this, you must connect via "nsradmin -p nsrexec" or "nsradmin -p nsrexecd". "nsradmin" by itself will connect to the NetWorker server.
Delete the non-matching / cached old certificate of the client (client_name) on the NetWorker host generating the error message (host_name). In the event the NetWorker server was upgraded / reinstalled, the server certificate must be removed from each client using nsrauth strong authentication. In either event, the corrective operation is the same and one of the following:
- Delete the certificate for the client which has been updated from any host with a copy of the old one via Local Hosts in NMC
- Delete the old/cached certificate from the affected client using the command line
To clear the peer information of the client machine (from server)
nsradmin -s <host_name> -p nsrexec
nsradmin> delete type: nsr peer information; peer hostname: <client_name>
To clear the peer information on the client machine
nsradmin -p nsrexec
nsradmin> print type: nsr peer information
delete
For further support see:
Additional Information
You can safely delete all certificates, as they will be refreshed at next connection anyway. As there may be exist peer information for both long name (FQDN) and short name. Please note that certificate caching is only enabled for clients whose authentication method includes nsrauth as part of its value.
Workaround depending on version:
- Disabling nsrauth on server and storage nodes only (and restarting NW) will address this problem for good.
- Set the NetWorker server to nsrauth or nsrauth/oldauth mode.
Oldauth mode cannot be used for NetWorker server if using with NMC 8.0.
A NetWorker 7.5.x, 7.6.x or 8.0 servers in oldauth mode cannot be used with NMC 8.0, which by default is in nsrauth/oldauth mode.