Troubleshooting BorderManager Licensing Issues
Articles and Tips: article
Border Services Engineer
Novell Worldwide Support
Novell Worldwide Support
Novell Worldwide Support
01 Aug 2000
This AppNote presents troubleshooting information that will help you identify whether your BorderManager issues are BorderManager-related or are generated by licensing problems. It also provides steps for resolving these issues.
A lot of BorderManager support calls are generated by licensing problems. Almost all of these issues are problems with Novell Licensing Services, and are thus independent of BorderManager. The goal of this AppNote is to provide some license installation tips, along with troubleshooting steps that should be carried out to identify whether the issue is related to BorderManager or not.
Assuming all the steps described in the document have been carried out, the call should be escalated to Novell's OS support group, along with the information described, so that a quick resolution to the problem can be achieved.
License Installation Tips
This section outlines several tips relating to the installation and deletion of Novell product licenses.
Installing and Deleting Licenses
BorderManager licenses can be installed in several different ways:
Through the NetWare Administrator (NWAdmin) utility. After starting NWADMN32.EXE, select Tools | Novell LIcensing Services | Add Licenses.
Through the LICINST module that comes with BorderManager (see the documentation accompanying the software for details).
Through the NWCONFIG utility. After loading this module, select License Options | Install Licenses.
Through these methods, it is possible to install all BorderManager product licenses (trial and non-trial), as well as NetWare standard and runtime licenses.
Note: If installation of licenses through NWAdmin fails, try to install them using the LICINST or NWCONFIG modules.
Should problems arise with licensing, try to delete any licenses that are not being used. For example, if you have a runtime license of NetWare 5.x as well as a full license, delete the runtime license.
If you are having problems deleting licenses using NWAdmin (for example, you are seeing the "User has insufficient rights to delete licenses" error), try deleting them via NWCONFIG. The text-based NWCONFIG utility does not have the same object dependencies as the graphical NWAdmin utility.
BorderManager 3.5 and NetWare Support Packs
If you are running BorderManager v3.5 on top of NetWare 5, make sure that you install the BM35SP1.EXE patch before installing NW5SP5.EXE. If this patch is installed after NW5SP5, delete the NLSLSP object and licenses, rerun SETUPNLS.NLM (load SETUPNLS at the server console), and reinstall the licenses.
Note: The BM35SP1 patch must be applied in order for BorderManager licensing to function on NetWare 5.1.
"No BorderManager Licenses Available" Message
If you are running BorderManager 3.0 on a NetWare server with the NW4SP8.EXE or NW5SP5.EXE patches applied, you will most likely get "No BorderManager Licenses Available" error messages when trying to administer BorderManager via NWAdmin. To solve this problem, download and install the BM3LICFX.EXE patch for licensing to work successfully. You will also have to delete the NLS_LSP<BorderManager_server_name< object in NWAdmin and recreate it by loading SETUPNLS.NLM at the server console.
If you are running the NetWare runtime license and are having connection problems with the "No Licenses Available" error message (for example, when using the VPN Client or IPX-IP Gateway/Proxy Servers running Single Sign-On via CLNTRUST), make sure that:
You are not simply running out of licensed connections. The easiest way to verify this is by seeing how many licenses are in use for the NetWare 5 runtime license and making sure it is within the number of connections you purchased. To do this, run NWAdmin and right-click on the License object, which is identified by name and by SN (serial number). Select Details | General to view the number of license units currently in use.
The client is releasing the connections correctly. When the user logs in, the "in use" count should increment. When the user logs out, the "in use" count should decrement.
Note: There were issues using the old NetWare 2.x clients where the licenses got tied up and users would get "no licenses available" errors in Policy Manager, even though the authentication still worked. This is strictly a cosmetic issue, as everything still worked fine. If you are using the 3.x clients and the "in use" count doesn't decrement, there may be a problem with our interface to NLS. If you experience this, you should open a call with the OS support group.
Upgrading from BorderManager 3.0 to 3.5
If you have upgraded BorderManager from 3.0 to 3.5 and get error messages related to BorderManager 3.0 in NWAdmin when trying to configure the BorderManager server, you will need to verify that the NWAdmin DLLs loaded in memory are from the 3.5 server, and not the 3.0 server. (You can use the ListDLLs utility described in the "Troubleshooting Tools" section to obtain more information on loaded DLLs.)
When upgrading from BorderManager 3.0 to 3.5, the original 3.0 licenses will remain present and will not be cleaned up. If there are no remaining servers using BorderManager 3.0, these licenses should be manually removed by deleting the BorderManager 3.0 license objects via NWAdmin.
Only the user who installed the licenses will be able to administer the licenses.
If you try to administer, delete, or generally manipulate the license objects as a user that did not install them, you will get a rights error by default. To work around this, manually assign other users as trustees of these license objects. (Refer to TID #10013723 entitled "Understanding NetWare 5 Licensing" at http://support.novell.com for complete instructions.)
If the user who originally installed the licenses is deleted from the tree, no licensing operations can occur until you recreate the user with the same username and configuration. The licensing operations look at the username information, not the userID!
If problems persist after making these changes, contact the NDS support team.
This section lists troubleshooting steps to take to resolve your problem and to determine whether it is related to BorderManager or NLS.
Check for Latest Product Patches
Verify that the BorderManager server is patched to the latest patch level. Below is a matrix of current core OS and BorderManager patches that need to be applied. (Certain components may require newer versions of specific modules that are not listed here.)
BorderManager and NetWare OS Versions
BorderManager 3.0 running on NetWare 4.x
nw4sp8a.exe, bm3sp2.exe, bm3licfx.exe, nlslsp5a.exe, admn519f.exe
BorderManager 3.5 running on NetWare 4.x
nw4sp8a.exe, bm35sp1.exe, nlslsp5a.exe, admn519f.exe
BorderManager 3.5 running on NetWare 5
nw5sp5.exe, bm35sp1.exe, admn519f.exe
BorderManager 3.5 running on NetWare 5.1
NW51SP1.EXE or e51sp1.exe, bm35sp1.exe, admn519f.exe
NLSLSP5A.EXE is a deployment tool to assist you in installing or upgrading NLS throughout the entire network. It contains the same NLS modules as NW5SP5.EXE, NW51SP1.EXE, and E51SP1.EXE. Installing licenses with this tool can also automate the process of making sure all servers in the NDS tree are running the same version of NLSLSP.
Check License Version Numbers
All installed licenses should have the same 5.0 version number. The "data version" number is displayed in NWAdmin for the License Certificate SN: serial_number object when you select Details | General.
If licenses are installed on a server running a version of NLS older than NW5SP4, they will be version 4.0.
If the license was originally installed prior to the NW5SP4 Support Pack, the licenses stay at version 4.0 even after the installation of this patch; they are not updated to version 5.0. To update the objects to version 5.0, you must delete the licensing objects and reinstall them by typing the "LOAD SETUPNLS" command at the server console and selectin "Licensing Options | Install Licenses" in NWCONFIG.
If licenses are installed from an LSP provider running NW5SP4 or newer, the version will show 5.0. Version 5.0 is backwards compatible, but version 4.0 licenses are not forward compatible (that is, a version 4.0 LSP cannot read or locate a version 5.0 license certificate).
To facilitate the synchronizing of server licensing versions, install the NLSLSP5A.EXE patch. This patch, described above, is installed from a client and extends to all servers in the tree.
If the client running NWAdmin is connected to an LSP server running an older version of NLSLSP, it will not be able to find licenses installed with version 5.0. This results in a "No BorderManager Licenses available" error. To fix this, set BorderManager as the Preferred Server or Primary Connection and run NWAdmin from the BorderManager server.
Check License Object and Search Method
Verify that the NLS_LSP<BorderManager_Server_Name< object exists and that the "License search method" is to the root of the tree (assuming that the NLS licenses exist above this container). Make sure that the NLS_LSP<Border- Manager_server_name< | Details page indicates the "Notify" field which exists after NW5SP5 is applied. If not, delete the object and recreate it via the "LOAD SETUPNLS" command at the server console.
If this NLS_LSP object exists in another container, make sure that a replica for that container exists on the BorderManager server so that no NDS tree walking is required. The "SET DSTRACE=+RESNAMERN" command enables debug error messages of resolve name requests, which is often useful to identify whether you're walking a tree or not.
Check for NDS or TIMESYNC Issues
Verify that no NDS or TIMESYNC issues exist on the network. This is done by:
Verifying that the DSREPAIR Report Synchronization Status screen reports no DS errors and that all partitions are synchronized correctly.
Verifying that the DSREPAIR Time Synchronization screen reports no errors in the "Time is in Sync" field.
Note: If errors exist in either of the above areas, contact the OS/DS support team to resolve these issues before proceeding.
Check for Required License Objects
Verify that all required license objects for BorderManager are installed. This implies that the Connection and Server license objects for NetWare 5.x should be installed, as well as the license container objects and serial numbers for all BorderManager services (Proxy, Access Control, Client VPN, Site-to-Site VPN, Gateways, and/or authentication services). This can be done in either of two ways: using NWCONFIG or using NWAdmin.
Using NWCONFIG. Load NWCONFIG, select License Options, and then select Remove Licenses. Highlight each license and press <Enter< to verify that: (1) the appropriate license mentioned above exists; and (2) all information about that license is correct (see Figure 1).
Figure 1: Checking the License Contents in NWCONFIG.
After you read the License Contents information and press <Enter<, be sure to answer "No" to the prompt asking if you want to delete the license.
Using NWAdmin. In NWAdmin, verify that the BorderManager licensing objects exist in the same container as the BorderManager server. Also make sure that the following are true:
NWAdmin is running from the BorderManager server and not from another non-BorderManager server in the network. This is most easily done by making sure that the BorderManager server is listed as the Primary Connection (indicated by an asterisk) when you right-click on Network Neighborhood and select NetWare Connections.
NWAdmin is running the latest DLLs. You can use the ListDLLs tool, which lists for a given Windows application the DLLs loaded in memory, as well as their locations. (See the "Troubleshooting Tools" section of this AppNote for more information about ListDLLs.)
When looking at the object details:
Under the General tab, "Units installed" and "Units available" are both greater than 0, and the "Evaluation start date" is not exceeded.
The Policy Information page shows that the licenses are valid, as shown in Figure 2.
Figure 2: License Certificate Policy Information page in NWAdmin.
A license is assigned to a server only if that license is not an MLA/ VLA/CLA license. If this is not the case, go to the Assignments tab and make the BorderManager server--not a user--an assignment of that object. (If you have made user assignments, the license can only be used by that user. When the BorderManager service tries to load, you get a "C0001005" error. It finds the license, but there are not sufficient units available.)
Check the Location of License Objects
The NDS location of license objects will have an impact on how BorderManager finds these licenses. If the licenses are server-based licenses, they should be located in the same container as the BorderManager server.
Note: It is possible to differentiate between standard server and MLA/CLA/VLA licenses by going to the license certificate and looking at the Details | Policy Information page (refer to Figure 2). If the license is assigned to a file server, it is server-based.
The BorderManager server must have a Read/Write replica of the partition in which it is located during the installation of the license. After that, the replica can be removed if required.
MLA licenses can be installed multiple times, but only once per container. If you are having trouble finding the licenses in a container with no BorderManager server, try installing them into the container with the BorderManager server.
You may install the runtime license that comes with BorderManager. However, if the BorderManager server already has a server-based license, do not install the runtime license. Having both types of licenses may cause problems.
If your BorderManager license objects are not going to be in the same container as the BorderManager server, make sure the NLS_LSP object for the BorderManager server is configured to search up to the root container in NWAdmin. Also take note of the following:
A replica of the partition in which the license objects are stored should exist on the BorderManager server.
If no replica exists, verify that a tree walk to resolve the license objects is successful by using the "SET DSTRACE = +RESNAMERN" command.
Check for Performance Problems
Verify that no performance or high utilization problems exist on the server. When MLA licenses are involved, it's very possible that one MLA license certificate may be consumed by multiple servers. This problem is typically seen at sites where multiple (ten or more) servers all consume units from the same certificate. When this occurs, NDS must process a large number of requests, which may lead to high utilization or performance problems.
To help performance, use the following SET parameter:
SET Store NetWare 5 Conn SCL MLA Usage in NDS = OFF
When this parameter is set to OFF, NLS will not update NDS with the information about certificate usage.
Check the BorderManager Error Log
Check the contents of the BorderManager server's error log to see whether it contains any system error messages related to licensing. This can be done by clicking the BorderManager server object in NWAdmin and viewing the contents of the Error Log page (see Figure 3).
Figure 3: Checking the BorderManager server's error log.
An example of a licensing-related error is the one being reported by the Policy Manager in Figure 3.
Verify that NLSLSP.NLM Is Loaded
To see whether NLSLSP.NLM is loaded, type "MODULES NLS*" at the server console and verify that the module is displayed. On NetWare 5.x servers, NLSFLAIM.NLM, NLSAPI.NLM, and NLSTRAP.NLM should also be loaded. The error log, described above, may also tell you that the NLSSLP module is not loaded.
Check the BorderManager Snap-Ins for NWAdmin
Verify that the NWAdmin snap-in DLLs in SYS:\PUBLIC\WIN32\* correspond to the snap-ins from the BM35SP1.EXE patch. Any discrepancy in the DLL versions will return "No licenses available" messages in NWAdmin. Use the ListDLLs tool to verify the versions of the DLLs loaded in memory. (See the "Troubleshooting Tools" section for more information about ListDLLs.)
Check for IP Packet Filtering
Verify that no IP packet filters are loaded and blocking NCP communication on the BorderManager server. This can be done by unloading the IPFLT module at the server console. (Do this only for troubleshooting purposes, as it can open up your system to potential attacks.)
If unloading IPFLT solves the problem, add a packet filter to allow traffic to port 524 from the private interface to the public address. Another option would be to use the new capability in the updated NCPIP (available in NW5SP5.EXE for NetWare and NW51SP1.EXE/E51SP1.EXE for NetWare 5.1) to deregister a public NCP IP address via a SET parameter. (See the documentation that comes with the Service Packs for more information.)
Check the Validity of Licensing Errors
Another thing to check is whether the licensing errors being returned are valid errors. For example, you might see "No connection licenses available" errors on your runtime version of NetWare 5 due to the fact that two licensed connections already exist to that server and someone is trying to establish a third licensed connection.
If this is the case, it is possible to turn off such broadcasted errors (and generic Policy Manager errors) as follows. Double-click on the NLS_LSP_ <Border- Manager_server_name< object in the tree. Select General | Configuration. From here, you will be able to enable or disable notifications. By clicking on Notify, you can specify whether to "Notify by Network Broadcast" or "Notify by E-mail Message." You can then specify an NDS user or specific e-mail address to receive the messages.
Check for NLS Errors
Using the NLSTRACE utility, check to see whether any NLS errors are being written to the NLSTRACE log file (SYS:\SYSTEM\NLSTRACE.OLD). To capture this log file in a NetWare 5.x environment, do the following:
Type "LOAD CONLOG.NLM" to start capturing data from the server console to the SYS:\ETC\CONSOLE.LOG file.
Type "SET NLSTRACE=2" to start logging NLS operations to the NLSTRACE log file.
After the problem occurs, type "SET NLSTRACE=0" to close the NLSTRACE log file.
Type "UNLOAD CONLOG.NLM" to close the SYS:\ETC\CONSOLE.LOG file.
If necessary, send a copy of the NLSTRACE.OLD file to the OS support team. (See TID #10013821 at http://support.novell.com for instructions on how to run this trace in the NetWare 4.11 environment.)
Check for Schema Errors
Using the DSTRACE command, make sure no errors are occurring at the schema level. This can be accomplished using the following series of commands:
SET DSTRACE=ON (starts the DS debug capture)
SET TTF=ON (enables the capturing of DS information to the DS debug file: SYS:\SYSTEM\DSTRACE.DBG)
SET DSTRACE=*R (resets the contents of the DS debug file)
SET DSTRACE=+schema (to see what's happening with the schema)
SET TTF=OFF (disables the capturing of DS information)
If necessary, send a copy of the DSTRACE.DBG file to the OS support team.
This section briefly describes some of the tools you can use to troubleshoot licensing issues.
DSTRACE. This is a SET command that you can run at the server console. It is used to verify that DS is successfully synchronized on the network, as well as making sure that the appropriate DS calls are being made to the licensing provider.
NLSTRACE. This is a SET command that you can run at the server console. It allows you to view internal debug information when communicating with the licensing service on the NetWare server. (See TID #10013821 at http://support.novell.com for more detailed information.)
SCHCMP. This utility generates a list of all DS objects in the NDS tree and their corresponding attributes. It also allows you to compare the schema extensions from two trees and see the differences between them. This may be useful to verify that no corruption of the NLS objects has taken place. To obtain this utility, download the SCHCMP2.EXE file from http://support.novell.com.
NWAdmin. This is Novell's NetWare Administrator utility, which you can use to view BorderManager license objects as well as the LSP Server object.
ListDLLs. This utility allows you to list all DLLs associated with a running Windows application. For licensing issues, it's a great way to verify that the correct versions of the NWAdmin DLLs are running, and that they are being loaded from the correct directories. You can download this utility from http://www.sysinternals.com/listdlls.htm. Equivalent graphical applications may also be downloaded from the same site.
Escalating a Call to Novell Technical Support
If all of the above steps have failed to solve your licensing issues, it is time to open a call with Novell Technical Support. Here is the information you'll be asked to provide to the OS support group:
Data version of the NLS object currently installed on the BorderManager server (see the "Check License Version Numbers" section of this AppNote for more information on how to obtain this information).
Output of CONFIG.NLM so that the technician can verify the version of the NLS modules running on the server.
Output of the NLSTRACE command.This information is stored in the sys:\system\nlstrace.old file, as described in the "Check for NLS Errors" section of this AppNote.
Output of the DSTRACE command using the options described in the "Check for Schema Errors" section of this AppNote. This information is stored in the sys:\system\dstrace.dbg file.
This AppNote has provided installation and troubleshooting tips for resolving problems related to BorderManager and licensing. Here are some other documents that may be helpful in resolving BorderManager licensing issues (TIDs are available online at http://support.novell.com):
"Understanding BorderManager Licensing," Novell AppNotes, Dec. 1999
"A Closer Look at Novell Licensing Services in NetWare 5," Novell AppNotes, Jan. 1999
"Understanding NetWare 5 Licensing" (TID #10013723)
"Troubleshooting Licensing Issues" (TID #10027731)
"Troubleshooting NetWare 5 Licensing Summary" (TID #2947186)
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.