Internal: NSM/CSC Zero Touch fails with Connection state as "LM SENT AN INVALID ZT KEY"
02/12/2021
This article covers a recent error that customers are facing while adding a unit via Zero Touch to Network Security Manager (NSM) 2.0 and Capture Security Center (CSC).
Error: NSM / CSC fails to acquire a unit added via Zero Touch, with Connection state "LM SENT AN INVALID ZT KEY" under the ZT, Analytics & Reporting Status tab.
Management Status shows the error as either "Acquisition Failed, EOF" or "Acquisition Failed, 4010:License: Received invalid ZeroTouch key from MSW/LicenseManager".
NSM shows the error as below
CSC shows the error as below
Enabling Zero Touch for a unit creates an individual Zero Touch key for it. This was broken due to a recent design change. Zero Touch was disabled by default for units registered prior to the introduction of the Zero Touch feature (end of 2017). PLEASE DO NOT STATE TO ANY CUSTOMER THAT ZERO TOUCH IS THE CAUSE OF THE ISSUE. IT IS NOT.
This issue has been reported to the engineering team in Jira MSW-10453.
Steps to Follow:
- Collect the serial number and TSR of the firewalls, along with those of the NSM / CSC. (IMPORTANT - Engineering has asked for every impacted firewall's TSR to be added to the Jira.)
- Update the Jira with this information and request engineering to fix it in the backend.
- Once this is fixed in the backend, re-enable Zero Touch for the unit in MySonicWall.
There is an immediate workaround available to fix this issue. Please see below. Do not forget to add the case to the Jira, so that the number of customers reporting this can be tracked.
NOTE: If you come across this issue, add your ticket number to the Jira, together with the unit serial numbers and the NSM/CSC serial number.
NOTE: Perform these steps if the customer is keen to fix the issue immediately. This requires resetting the device licenses and registering the device again.
Step 1: Log in to MySonicWall using your MySonicWall credentials. Navigate to My Workspace | Tenant Products. Click on the product serial number. Under the Product Details tab, disable Zero Touch by clicking on the tile.
Step 2: Log in to the firewall that was added to CSC/NSM. Navigate to the Diag page. The Diag page can be reached by typing the LAN IP of the SonicWall in the browser, with /diag.html at the end.
CAUTION: Before moving to the next step, please confirm you have the username and password for MySonicWall.com to register the device once again.
Step 3: On the Diag Page, click the "Reset Licenses and Security Services Info" button and then click "Close" at the top of the page.
Step 4: Trust reset the firewall serial number from the backend using its Auth Code.
Step 5: Log in to the firewall and register it using the MySonicWall credentials.
Step 6: Log in to MySonicWall and navigate to My Workspace | Tenant Products. Click on the product serial number. Under the Product Details tab, enable Zero Touch by clicking on the tile.
This will fix the issue with the Zero Touch key, and you will see the unit acquired with the Zero Touch Connection state as "ESTABLISHED".
MSW-10453: Invalid ZT key error for multiple FWs added to NSM and CSC.