After upgrading to NetBackup 10.5 or 10.5.0.1, FIPS enabled MSDP will cause backups to Access Appliance to fail.
Problem
NetBackup 10.5.x in MSDP FIPS mode is unable to create or accept TLS connections to/from a VDD storage server on Access Appliance without removing FIPS or enabling SecureComms.
Error Message
The NetBackup Activity monitor detailed job status may show messages similar to these examples:
==========
May 21, 2025, 10:17:30 PM - Info bptm (pid=3487599) start backup
May 21, 2025, 10:17:30 PM - Critical bptm (pid=3487599) Storage Server Error: (Storage server: PureDisk:msdp-vdd.access.com) _pdvfs_fcache_flushfile_norm_cleanup: Failed to write to spoold on storage server (invalid argument). Ensure storage server services are running and operational. V-454-8
May 21, 2025, 10:17:30 PM - Critical bptm (pid=3487599) sts_close_handle failed: 2060001 one or more invalid arguments
May 21, 2025, 10:17:30 PM - Critical bptm (pid=3487599) image close failed: error 2060001: one or more invalid arguments
May 21, 2025, 10:17:30 PM - Info bptm (pid=3487599) EXITING with status 84 <----------
==============
May 2, 2025 6:19:52 PM - Info mediaserver1.example.com (pid=1520867) Replicating images to target storage server accessmsdp, disk volume PureDiskVolume
May 2, 2025 6:19:52 PM - requesting resource @aaaab
May 2, 2025 6:19:52 PM - granted resource MediaID=@aaaab;DiskVolume=PureDiskVolume;DiskPool=dp_disk_mediaserver1;Path=PureDiskVolume;StorageServer=mediaserver1.example.com;MediaServer=nbaprd1.example.com
May 2, 2025 6:19:53 PM - Critical bpdm (pid=1520867) Storage Server Error: (Storage server: PureDisk:mediaserver1.emple.com) CALaunchAIRReplicate: Failed to complete launchAIRReplicate webservice (Could not setup replication: get Remote SPA ( accessmsdp ) webservice failed, could not determine whether target is PDDE or PDDO (ssl initialization failed) ) V-454-61
May 2, 2025 6:19:53 PM - Error bpdm (pid=1520867) <async> copy image failed: error 2060017: system call failed
May 2, 2025 6:19:53 PM - Error bpdm (pid=1520867) copy failed: error 174
May 2, 2025 6:19:53 PM - Error bpdm (pid=1520867) <async> cancel failed: error 2060001: one or more invalid arguments
=============
12:23:03.465 [240127] <16> nb205: [ERROR] PDVFS: pdvfs_cas_update_mb_time: MBGetTime request to 192.168.10.230 failed: ssl initialization failed (56)
12:23:03.465 [240127] <16> nb205: [ERROR] PDVFS: _pdvfs_cas_connect_to_metabase: pdvfs_cas_update_mb_time failed: ssl initialization failed
12:23:03.465 [240127] <16> nb205: [ERROR] PDVFS: pdvfs_cas_connect: pdvfs_cas_init failed: pdvfs_cas_update_mb_time failed: ssl initialization failed
12:23:03.465 [240127] <16> nb205: [ERROR] PDVFS: _pdvfs_mount: pdvfs_cas_connect failed: Input/output error (5)
12:23:03.465 [240127] <2> nb205: [DEBUG] PDSTS: pd_register: attempting pdregister command for spa:<192.168.10.230>
12:23:03.499 [240127] <16> nb205: [ERROR] PDVFS: pdvfs_register_create_ost_agent: _pdvfs_register_discover failed for spa_addr 192.168.10.230
If you need to review the spad and spoold logs and are not familiar with the location on Access, you can refer to the following article:
How to collect logs from a container MSDP/VDD instance on Access - KB article 100073769
June 11 08:14:42 ERR [140537941649152]: 25056: Agent at nbuprimary.example.com did not provide a certificate
June 11 08:14:42 INFO [140537941649152]: SetCAUsageSyncFlag: set cause sync flag
June 11 08:14:42 ERR [140537941649152]: 25056: Session start request from nbuprimary.example.com:55256 could not be honored (ssl initialization failed)
June 11 08:14:42 INFO [140537941649152]: (unknown) Task 7157 [thread 140537941649152] for nbuprimary.example.com:55256 failed with unknown error.
Cause
Access uses self-signed MSDP certificates that are being rejected by the Netbackup Media Server.
Solution
There are two ways to work around this behavior. Either method can be used.
1. Enable SecureComms on the Access storage server (Access 8.1 and later):
https://sort.veritas.com/doc_viewer/#/content?id=146127092-168300255-0%2Fv164615259-168300255
Setting up secure communication between Veritas Data Deduplication on Access Appliance and the NetBackup primary server
If the Access VDD instance is failing to communicate with the NetBackup Primary through the docker/podman container, it may be required to add a FQDN mapping to the primary server's IP address in the container's host file:
https://www.veritas.com/support/en_US/article.100054279
Slow deduplication when using VDD on Access Appliance in a Docker/Podman Container
2. Disable MSDP FIPS on the media server:
https://sort.veritas.com/doc_viewer/#/content?id=25074086-165972818-0%2Fv130212944-165972818
About MSDP FIPS compliance
https://sort.veritas.com/doc_viewer/#/content?id=21733320-165970098-0%2Fv152182208-165970098
Configure FIPS mode in your NetBackup domain
https://sort.veritas.com/doc_viewer/#/content?id=21733320-165970098-0%2Fv152612010-165970098
NB_FIPS_MODE option for NetBackup servers and clients
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.