Good morning. Been working through the night upgrading Bm3.6ee to 3.8sp4 on NW5.1sp6. So far have slain most of the dragons. One remains, and it is probably something straightforward.

I start my 5.1 server and it loads mostly fine. But when VPSLAVE tries to load, it fails with "Loader cannot find public symbol" errors that reference NKPKI... and NWx509.... Things I suspect to be PKI issues.

I can load PKIDIAG and log in OK and run the diagnostic, and then VPSLAVE loads successfully and the VPN comes up. In fact, all I need to do is log into the PKIDiag utility and then load VPSLAVE from a console prompt and it loads. What small but vital aspect of the proper PKI/VPN setup am I overlooking?

Thanks. PKIdiag log for last couple of runs is attached.

rs

PKIDiag 2.70 -- (compiled Dec 09 2003 19:46:03).
(Check the end of the log for the last repair results)
Current Time: Sat Jun 24 07:49:00 2006
User logged-in as: rstorm.seattle.holmes_weddle_barcott.
Fixing mode
Rename and create mode
Rename and create when necessary

--> Server Name = 'SEA_WAN'
---------------------------------------------------------------------------

Step 1 Verifying the Server's link to the SAS Service Object.
Server 'SEA_WAN.Seattle.Holmes_Weddle_Barcott' points to SAS Service object 'SAS Service - SEA_WAN.Seattle.Holmes_Weddle_Barcott'
Step 1 succeeded.

Step 2 Verifying the SAS Service Object
SAS Service object 'SAS Service - SEA_WAN.Seattle.Holmes_Weddle_Barcott'is backlinked to server 'SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
Step 2 succeeded.

Step 3 Verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
--->KMO SEA_WAN_BM - SEA_WAN.Seattle.Holmes_Weddle_Barcott is linked.
--->KMO VpnServCert - SEA_WAN.Seattle.Holmes_Weddle_Barcott is linked.
Step 3 succeeded.

Step 4 Verifying the KMOs
---> Testing KMO 'VpnServCert - SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'SSL CertificateIP - HWB_SE.Seattle.Holmes_Weddle_Barcott'..
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateDNS - HWB_SE.Seattle.Holmes_Weddle_Barcott'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SEA_WAN_BM - SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
Rights check -- OK.
Back link -- OK.
Private Key -- Failed.

---> Testing KMO 'IP AG 172\.30\.3\.4 - HWB_SE.Seattle.Holmes_Weddle_Barcott'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG hwb_se\.hwb-law\.com - HWB_SE.Seattle.Holmes_Weddle_Barcott'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.

Step 4 succeeded.

Step 5 Re-verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
KMO 'VpnServCert - SEA_WAN.Seattle.Holmes_Weddle_Barcott' is linked.
PROBLEM: Cannot use private key for KMO 'SEA_WAN_BM - SEA_WAN.Seattle.Holmes_Weddle_Barcott'. It should be probably be unlinked and deleted.
Fix -- Successfully removed the link to KMO 'SEA_WAN_BM - SEA_WAN.Seattle.Holmes_Weddle_Barcott' You should probably delete it.
Step 5 succeeded.

Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 2
--> The default IP address is: 172.30.3.18
PROBLEM: A SSL CertificateIP does not exist
Step 6 failed -626.


Note: Occasionally multiple problems will be solved with a single fix.

Fixable problems found: 2
Problems fixed: 1
Un-fixable problems found: 0


---------------------------------------------------------------------------
PKIDiag 2.70 -- (compiled Dec 09 2003 19:46:03).
(Check the end of the log for the last repair results)
Current Time: Sat Jun 24 08:02:01 2006
User logged-in as: rstorm.seattle.holmes_weddle_barcott.
Fixing mode
Rename and create mode
Rename and create when necessary

--> Server Name = 'SEA_WAN'
---------------------------------------------------------------------------

Step 1 Verifying the Server's link to the SAS Service Object.
Server 'SEA_WAN.Seattle.Holmes_Weddle_Barcott' points to SAS Service object 'SAS Service - SEA_WAN.Seattle.Holmes_Weddle_Barcott'
Step 1 succeeded.

Step 2 Verifying the SAS Service Object
SAS Service object 'SAS Service - SEA_WAN.Seattle.Holmes_Weddle_Barcott'is backlinked to server 'SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
Step 2 succeeded.

Step 3 Verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
--->KMO VpnServCert - SEA_WAN.Seattle.Holmes_Weddle_Barcott is linked.
Step 3 succeeded.

Step 4 Verifying the KMOs
---> Testing KMO 'VpnServCert - SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'SSL CertificateIP - HWB_SE.Seattle.Holmes_Weddle_Barcott'..
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateDNS - HWB_SE.Seattle.Holmes_Weddle_Barcott'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SEA_WAN_BM - SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
Rights check -- OK.
Back link -- OK.
Private Key -- Failed.

---> Testing KMO 'IP AG 172\.30\.3\.4 - HWB_SE.Seattle.Holmes_Weddle_Barcott'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG hwb_se\.hwb-law\.com - HWB_SE.Seattle.Holmes_Weddle_Barcott'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.

Step 4 succeeded.

Step 5 Re-verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
KMO 'VpnServCert - SEA_WAN.Seattle.Holmes_Weddle_Barcott' is linked.
INFO: kmo SEA_WAN_BM - SEA_WAN.Seattle.Holmes_Weddle_Barcott should probably be deleted.
Step 5 succeeded.

Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 2
--> The default IP address is: 172.30.3.18
PROBLEM: A SSL CertificateIP does not exist
Step 6 failed -321.


Note: Occasionally multiple problems will be solved with a single fix.

Fixable problems found: 1
Problems fixed: 0
Un-fixable problems found: 0


---------------------------------------------------------------------------
PKIDiag 2.70 -- (compiled Dec 09 2003 19:46:03).
(Check the end of the log for the last repair results)
Current Time: Sat Jun 24 08:36:35 2006
User logged-in as: rstorm.seattle.holmes_weddle_barcott.
Diagnostics only mode

--> Server Name = 'SEA_WAN'
---------------------------------------------------------------------------

Step 1 Verifying the Server's link to the SAS Service Object.
Server 'SEA_WAN.Seattle.Holmes_Weddle_Barcott' points to SAS Service object 'SAS Service - SEA_WAN.Seattle.Holmes_Weddle_Barcott'
Step 1 succeeded.

Step 2 Verifying the SAS Service Object
SAS Service object 'SAS Service - SEA_WAN.Seattle.Holmes_Weddle_Barcott'is backlinked to server 'SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
Step 2 succeeded.

Step 3 Verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
--->KMO VpnServCert - SEA_WAN.Seattle.Holmes_Weddle_Barcott is linked.
Step 3 succeeded.

Step 4 Verifying the KMOs
---> Testing KMO 'VpnServCert - SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'SSL CertificateIP - HWB_SE.Seattle.Holmes_Weddle_Barcott'..
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateDNS - HWB_SE.Seattle.Holmes_Weddle_Barcott'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SEA_WAN_BM - SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
Rights check -- OK.
Back link -- OK.
Private Key -- Failed.

---> Testing KMO 'IP AG 172\.30\.3\.4 - HWB_SE.Seattle.Holmes_Weddle_Barcott'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG hwb_se\.hwb-law\.com - HWB_SE.Seattle.Holmes_Weddle_Barcott'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.

Step 4 succeeded.

Step 5 Re-verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
KMO 'VpnServCert - SEA_WAN.Seattle.Holmes_Weddle_Barcott' is linked.
INFO: kmo SEA_WAN_BM - SEA_WAN.Seattle.Holmes_Weddle_Barcott should probably be deleted.
Step 5 succeeded.

Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 2
--> The default IP address is: 172.30.3.18
PROBLEM: A SSL CertificateIP does not exist
--> Run in Fixing mode to correct this problem(s).
--> Number of Server DNS names for the IP address 172.30.3.18 = 1
--> The server's default DNS name is:
SEA_WAN
PROBLEM: A SSL CertificateDNS does not exist
--> Run in Fixing mode to correct this problem(s).
Step 6 succeeded.


Note: Occasionally multiple problems will be solved with a single fix.

Fixable problems found: 2
Problems fixed: 0
Un-fixable problems found: 0
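
An added example, not part of the original post and not code from PKIDiag or Novell: a small Python parser for the log layout above that groups results per run and lists the KMOs whose private key test did not pass, so successive runs can be compared. The sample input is constructed by abridging lines from the attached log, and the function names are hypothetical.

```python
import re

# Constructed sample: two runs abridged from the PKIDiag 2.70 layout in the post.
SAMPLE = """\
PKIDiag 2.70 -- (compiled Dec 09 2003 19:46:03).
Current Time: Sat Jun 24 07:49:00 2006
---> Testing KMO 'VpnServCert - SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
Back link -- OK.
Private Key -- OK.
---> Testing KMO 'SSL CertificateIP - HWB_SE.Seattle.Holmes_Weddle_Barcott'..
Back link -- Belongs to a different server -- Ignoring this KMO.
---> Testing KMO 'SEA_WAN_BM - SEA_WAN.Seattle.Holmes_Weddle_Barcott'.
Private Key -- Failed.
PROBLEM: A SSL CertificateIP does not exist
Step 6 failed -626.
PKIDiag 2.70 -- (compiled Dec 09 2003 19:46:03).
Current Time: Sat Jun 24 08:36:35 2006
Step 6 succeeded.
"""

KMO = re.compile(r"^-+>\s*Testing KMO '(.+)'\.+$")
CHECK = re.compile(r"^(Rights check|Back link|Private Key) -- (.+?)\.?$")
STEP = re.compile(r"^Step (\d+) (succeeded|failed)(?: (-?\d+))?\.$")

def parse_runs(text):
    """Split a PKIDiag log into runs with per-KMO checks, steps and problems."""
    runs, kmo = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("PKIDiag "):  # banner line opens a new run
            runs.append({"time": None, "kmos": {}, "steps": {}, "problems": []})
            kmo = None
        elif not runs:
            continue  # ignore anything before the first banner
        elif line.startswith("Current Time: "):
            runs[-1]["time"] = line[len("Current Time: "):]
        elif m := KMO.match(line):
            kmo = runs[-1]["kmos"].setdefault(m.group(1), {})
        elif kmo is not None and (m := CHECK.match(line)):
            kmo[m.group(1)] = m.group(2)
        elif m := STEP.match(line):
            code = int(m.group(3)) if m.group(3) else None
            runs[-1]["steps"][int(m.group(1))] = (m.group(2), code)
        elif line.startswith("PROBLEM: "):
            runs[-1]["problems"].append(line[len("PROBLEM: "):])
    return runs

def failed_private_keys(run):
    """KMOs whose private key test was run and did not report OK."""
    return [n for n, c in run["kmos"].items() if c.get("Private Key") not in (None, "OK")]
```

KMOs that belong to a different server have no "Private Key" line in the log, so they are left out of the result rather than counted as failures.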