
Internet machine cannot connect to NS server

Created: 17 Feb 2014 • Updated: 24 Feb 2014 | 16 comments
This issue has been solved. See solution.

Hi All

I'm using Client Management Suite 7.5. I configured the Internet gateway. I installed the Internet gateway package for a client on the internet.

The network status after install is: Connected to NS via internet gateway. Cloud-enabled management mode is active.

But Agent status: Agent Initialization pending

I checked the log, and on the NS console I don't see this client.

Have you got experience with this one?

The steps to configure the IG on the server are as below:

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

1. In the Symantec Management Console, on the Settings menu, click Notification Server > Cloud-enabled Management.
2. In the left pane, expand Setup and then click Cloud-enabled Management Setup.
3. On the Cloud-enabled Management Setup page, on the Internet Gateway Setup tab, click Download the Internet gateway installation package.
4. If you are on the gateway computer, you can click Run to run the installer immediately. If you want to save the package as a file to run later or to run on a different computer, click Save, specify the appropriate folder, and then click OK.
5. Navigate to the SMP Internet gateway installation package that you downloaded and double-click SMP_Internet_Gateway.
6. In the Open File - Security Warning dialog box, click Run.
7. In the Symantec Management Platform Internet Gateway Setup dialog box, click Next.
8. Click I accept the licence agreement, and then click Next.
9. Specify the path to the destination folder where you want to install the Internet gateway files, click Next, and then click Next.
10. Make sure that Start configuration wizard is checked, and then click Finish.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Can anyone help me?

Thanks and best regards


Igor Perevozchikov's picture

Hi telecomvn,

Seems like this article contains all required information about your problem with CEM using offline package ⇒ http://www.symantec.com/business/support/index?page=content&id=TECH213911

Thanks,

IP.

  1. Don't forget that, first you can find an answer for your question in Knowledge base
  2. If answer solves your question, then please mark as solution to close a thread
SOLUTION
telecomvn's picture

Hi Igor

I had tried with this article before, but issue has still happened

Thanks

Igor Perevozchikov's picture

You can try this:

1st step: Open SMP Console ⇒ Go to "Report" ⇒ "Notification Server Management" ⇒ "Certificates" ⇒ "Certificates by Thumbprint" and via mouse right click menu on hostname of your client computer (where this problem occurs) revoke certificates.

revoke1.jpg

2nd step: Uninstall Symantec Management Agent on your client computer where this problem occurs.

3rd step: Re-generate a new offline CEM SMA package ⇒ download it on your client computer ⇒ install this offline package.

Thanks,

IP.

Igor Perevozchikov's picture

Please do not perform revoke of certificates described above!

First check your Symantec Management Agent push install settings, because these settings are applied in offline CEM package.
SMA_Settings.jpg

If settings are not OK, then modify them and re-create offline CEM package ⇒ install it on your client computer ⇒ check whether it solves a current problem.

If this doesn't help, then try the steps for certificate revocation described above.

Thanks,
IP.

telecomvn's picture

Hi Igor
My settings are as below; they were configured before.

I also checked "Certificates by Thumbprint", and tried to search it. The failed client was not on it.

Any more settings?

Thanks

setting.jpg

Igor Perevozchikov's picture

You can compare serial number and thumbprint of certificates which are stored on client side and shown in "Certificate by Thumbprint" report on SMP Console:

SerialNumber_0.jpg

You can try to:

  • Uncheck "Install Server certificate to the client machine" -> click OK.
  • Generate new offline CEM package and install it on your client computer where problem occurs.

Thanks,

IP.

telecomvn's picture

Hi

I tried and it still shows this error.

Can you help?

Thanks

<event date='02/19/2014 23:06:50.8860000 +07:00' severity='2' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15450593' >
  <![CDATA[WARNING: Unexpected response from URL 'https://NSserver:443/Altiris/NS/Agent/GetClientCertificate.aspx': Unable to get the client certificate response XML associated with the specified request (Exception: The caller is unauthorized to request a new client certificate.)]]>
</event>
<event date='02/19/2014 23:06:50.8860000 +07:00' severity='1' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15450593' >
  <![CDATA[Attempted CEM gateway certificate negotiation failed.]]>
</event>
<event date='02/19/2014 23:06:50.8860000 +07:00' severity='4' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15450593' >
  <![CDATA[Temporary CEM nsagent certificate found.]]>
</event>
<event date='02/19/2014 23:06:50.8860000 +07:00' severity='4' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15450593' >
  <![CDATA[Attempting CEM client certificate negotiation.]]>
</event>
<event date='02/19/2014 23:06:50.8860000 +07:00' severity='4' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15450593' >
  <![CDATA[Requesting nsagent certificate from the server.]]>
</event>
<event date='02/19/2014 23:06:53.5420000 +07:00' severity='4' hostName='client' source='NetworkMonitor' module='AeXNetMon.dll' process='AeXNSAgent.exe' pid='8144' thread='9256' tickCount='15453250' >
  <![CDATA[Server up [0x10030001]: https://NSserver:443:{B81D1ABF-D418-4561-B9A5-BB71CEA8AE84}]]>
</event>
<event date='02/19/2014 23:06:55.4170000 +07:00' severity='4' hostName='client' source='HttpConnection' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15455125' >
  <![CDATA[Tunnel connection using IP: xxxxxxxxxxxx, Port: 443]]>
</event>
<event date='02/19/2014 23:06:55.4800000 +07:00' severity='2' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15455187' >
  <![CDATA[WARNING: Unexpected response from URL 'https://NSserver:443/Altiris/NS/Agent/GetClientCertificate.aspx': Unable to get the client certificate response XML associated with the specified request (Exception: The caller is unauthorized to request a new client certificate.)]]>
</event>
<event date='02/19/2014 23:06:55.4800000 +07:00' severity='1' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15455187' >
  <![CDATA[Attempted CEM nsagent certificate negotiation failed.]]>
</event>
<event date='02/19/2014 23:06:55.4800000 +07:00' severity='2' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15455187' >
  <![CDATA[Configure Server Mode: CEM mode was not initialized succesfully, will retry]]>
</event>
<event date='02/19/2014 23:06:55.4800000 +07:00' severity='2' hostName='client' source='Agent' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15455187' >
  <![CDATA[Failed to register agent. Registration status 'Not registered'. Next retry in 8 min.]]>
</event>
<event date='02/19/2014 23:07:32.7570000 +07:00' severity='4' hostName='client' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='8144' thread='940' tickCount='15492468' >
  <![CDATA[CT Agent is not initialized yet, load of policy will be postponed.]]>

Igor Perevozchikov's picture

Also, here are other ways to generate certificates for a CEM client ⇒ http://www.symantec.com/business/support/index?page=content&id=HOWTO93154

and how to import this generated certificate on CEM client computer ⇒ http://www.symantec.com/business/support/index?page=content&id=HOWTO93157

Questions:

  1. Have you tried steps in #3 comments below?
  2. Probably you remember what steps you've done to get this problem on your CEM client computer? Could you describe such a scenario?

Thanks,

IP.

telecomvn's picture

Hi

  1. Have you tried steps in #3 comments below?

I tried to search but I cannot find any record matching the client. I think this client has never communicated or had the agent installed before, so we cannot find it.

  2. Probably you remember what steps you've done to get this problem on your CEM client computer? Could describe such scenario?

I think I did it as per the steps. We get this error after we install the offline package on the internet machine.

Thanks

telecomvn's picture

Hi Igor

In the CEM white paper, I see this one. It's the operation on an offline machine.
==================================
Run the agent installation package on the disconnected computer.
The agent package is a self-extracting executable file and the installation runs silently.
After the installation, the Symantec Management Agent automatically configures itself and does the following:
■ The agent renegotiates its certificate. The agent requests and receives a new certificate from Notification Server: The new certificate is specific to that client computer and replaces the temporary site certificate that was included in the agent installation package.
■ The agent is automatically assigned to the appropriate resource targets and organizational groups on the Symantec Management Platform.

====================================
And in the log file, I see the negotiation failed. Do you think that is the root cause?

You can see the new log for more details

===================

<event date='02/17/2014 15:16:41.4860000 +07:00' severity='2' hostName='CLIENTNAME' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1398158' >
  <![CDATA[WARNING: Unexpected response from URL 'https://NSserver:443/Altiris/NS/Agent/GetClientCertificate.aspx': Unable to get the client certificate response XML associated with the specified request (Exception: The caller is unauthorized to request a new client certificate.)]]>
</event>
<event date='02/17/2014 15:16:41.4860000 +07:00' severity='1' hostName='CLIENTNAME' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1398158' >
  <![CDATA[Attempted CEM gateway certificate negotiation failed.]]>
</event>
<event date='02/17/2014 15:16:41.4860000 +07:00' severity='4' hostName='CLIENTNAME' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1398158' >
  <![CDATA[Temporary CEM nsagent certificate found.]]>
</event>
<event date='02/17/2014 15:16:41.5020000 +07:00' severity='4' hostName='CLIENTNAME' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1398174' >
  <![CDATA[Attempting CEM client certificate negotiation.]]>
</event>
<event date='02/17/2014 15:16:41.5020000 +07:00' severity='4' hostName='CLIENTNAME' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1398174' >
  <![CDATA[Requesting nsagent certificate from the server.]]>
</event>
<event date='02/17/2014 15:16:44.0910000 +07:00' severity='4' hostName='CLIENTNAME' source='NetworkMonitor' module='AeXNetMon.dll' process='AeXNSAgent.exe' pid='1288' thread='5320' tickCount='1400764' >
  <![CDATA[Server up [0x10030001]: https://NSserver:443:{GUID-B9A5-BB71CEA8AE84}]]>
</event>
<event date='02/17/2014 15:16:48.2250000 +07:00' severity='4' hostName='CLIENTNAME' source='HttpConnection' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1404898' >
  <![CDATA[Tunnel connection using IP: xxx.xxx.xxx.xxx, Port: 443]]>
</event>
<event date='02/17/2014 15:16:48.2870000 +07:00' severity='2' hostName='CLIENTNAME' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1404960' >
  <![CDATA[WARNING: Unexpected response from URL 'https://NSserver:443/Altiris/NS/Agent/GetClientCertificate.aspx': Unable to get the client certificate response XML associated with the specified request (Exception: The caller is unauthorized to request a new client certificate.)]]>
</event>
<event date='02/17/2014 15:16:48.3030000 +07:00' severity='1' hostName='CLIENTNAME' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1404976' >
  <![CDATA[Attempted CEM nsagent certificate negotiation failed.]]>

Thanks

sergei Z's picture

The root cause is "Exception: The caller is unauthorized to request a new client certificate".

It looks like the agent has already received one certificate at some point in time, so it is denied a new one.

Could you please do the following:

1. Run cmd.exe as administrator

2. Go to SMP agent folder "\Program files\Altiris\Altiris agent"

3. Run aexnsagent.exe /resetguid

4. Attach the log files here, please attach the complete LOG file, there could be many of them, so you can remove the log files before step #3. 

/resetguid will try re-registering with the server once more.

sergei zjaikin, senior principal software engineer, symantec

telecomvn's picture

Hi Igor

Maybe I missed one important note in the CEM white paper below and was not clear on it:

"If you want to use the installation package to install agents on disconnected computer you must create a policy that includes those clients"

Does that mean the disconnected computer must have been connected to the internal network, or have existed in Active Directory, so that the NS discovery process could discover it and grant a GUID?

We cannot use the offline installation package for a machine which has never been plugged in to the internal network, right?

So can we manually create the GUID and computer name for an offline machine?

Maybe in my case, my machine has never been plugged into the internal network, so it cannot be discovered.

Thanks for your help

Regards

sergei Z's picture

Telecomvn, the machine does not have to be plugged into the internal network first. There is a CEM policy page in SMP console, the one where you specify the gateways in the top list and the client machines in the bottom list. The documentation is referring to that policy.

sergei zjaikin, senior principal software engineer, symantec

telecomvn's picture

Hi SergeZ

Clear with your comment.

So I checked the log on the NS server and found:

<event date="02/21/2014 23:52:32.3744874 +07:00" severity="2" hostName="Nsserver" source="EventRouter" module="w3wp.exe" process="w3wp" pid="2712" thread="13" tickCount="20287852"><![CDATA[Event not processed. IP: xx.xx.xx.xx; Error: Client certificate is not valid.]]></event>

Do you have any idea?

Does it relate to the application pool on the NS server?

We configured the default application pool in integrated mode.

Currently, I randomly checked and found the following:

- Default application pool is applied on the default website

- Altiris site is applied Classic .NET AppPool (with managed pipeline mode Classic)

- NS subsite is applied Classic .NET AppPool

- Agent is applied Symantec Agent AppPool

Thanks

telecomvn's picture

Hi Igor, SergeZ

I tried to update hotfix to HF4

The issue still happens. Do you have any idea?

Do we need to reinstall the IG?

Thanks

telecomvn's picture

Hi Igor

My problem has been resolved. I didn't understand this setting: "1. On the Notification Server computer, in Internet Information Services (IIS) Manager, in the left pane, click Sites > NS_website > Altiris > NS > Agent."
I selected the default site instead of the site after configuring Cloud-enabled Management, so the client certificate was always invalid.

Once again, very big thanks Igor. You have supported me a lot and in great detail to troubleshoot the problem.

Thanks and Best Regards
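
The diagnosis in this thread came from a handful of messages in the agent and server logs. As an added example (not part of the original thread, and not Symantec code), this parser reads the `<event>` log format pasted above, tolerating the missing root element and cut-off closing tags, and flags those messages. The sample events are copied from the posts above; the label names are this example's own.

```python
import re
from collections import Counter

EVENT_RE = re.compile(r"<event\s+([^>]*)>\s*<!\[CDATA\[(.*?)\]\]>", re.S)
ATTR_RE = re.compile(r"(\w+)=(['\"])(.*?)\2")  # agent logs use ', server logs use "

# Message fragments copied from the logs in this thread; the labels are assumptions.
SIGNATURES = [
    ("unauthorized to request a new client certificate", "cert-request-refused"),
    ("certificate negotiation failed", "cert-negotiation-failed"),
    ("Client certificate is not valid", "server-rejected-client-cert"),
    ("Failed to register agent", "registration-failed"),
]

# Sample input: four events taken from the posts above (third one lacks </event>).
SAMPLE = """<event date='02/19/2014 23:06:55.4800000 +07:00' severity='2' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15455187' >
  <![CDATA[WARNING: Unexpected response from URL 'https://NSserver:443/Altiris/NS/Agent/GetClientCertificate.aspx': Unable to get the client certificate response XML associated with the specified request (Exception: The caller is unauthorized to request a new client certificate.)]]>
</event>
<event date='02/19/2014 23:06:55.4800000 +07:00' severity='1' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15455187' >
  <![CDATA[Attempted CEM nsagent certificate negotiation failed.]]>
</event>
<event date='02/19/2014 23:07:32.7570000 +07:00' severity='4' hostName='client' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='8144' thread='940' tickCount='15492468' >
  <![CDATA[CT Agent is not initialized yet, load of policy will be postponed.]]>
<event date="02/21/2014 23:52:32.3744874 +07:00" severity="2" hostName="Nsserver" source="EventRouter" module="w3wp.exe" process="w3wp" pid="2712" thread="13" tickCount="20287852"><![CDATA[Event not processed. IP: xx.xx.xx.xx; Error: Client certificate is not valid.]]></event>
"""

def parse_events(text):
    """Yield one dict per <event>: its attributes plus the CDATA message."""
    for attrs, message in EVENT_RE.findall(text):
        event = {name: value for name, _, value in ATTR_RE.findall(attrs)}
        event["message"] = message.strip()
        yield event

def triage(text):
    """Return (findings, counts) for events that match a known signature."""
    findings = []
    for event in parse_events(text):
        for needle, label in SIGNATURES:
            if needle in event["message"]:
                findings.append((event["date"], event["hostName"], label))
                break
    return findings, Counter(label for _, _, label in findings)

if __name__ == "__main__":
    findings, counts = triage(SAMPLE)
    for date, host, label in findings:
        print(date, host, label)
    print(dict(counts))
```

Seeing "cert-request-refused" on the client together with "server-rejected-client-cert" on the Notification Server is the combination reported in this thread.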