Client Management Suite


Internet machine cannot connect to NS server

  • 1.  Internet machine cannot connect to NS server

    Posted Feb 17, 2014 05:22 AM

    Hi All

    I'm using Client Management Suite 7.5. I configured the Internet gateway. I installed the Internet gateway package for a client on the internet.

    The network status after install is "Connected to NS via internet gateway. Cloud-enabled management mode is active".

    But Agent status: Agent Initialization pending

    I checked the log and the NS console, and I don't see this client.

    Does anyone have experience with this?

    The steps to configure IG on the server are as below:

    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

    1. In the Symantec Management Console, on the Settings menu, click Notification Server > Cloud-enabled Management.
    2. In the left pane, expand Setup and then click Cloud-enabled Management Setup.
    3. On the Cloud-enabled Management Setup page, on the Internet Gateway Setup tab, click Download the Internet gateway installation package.
    4. If you are on the gateway computer, you can click Run to run the installer immediately.
       If you want to save the package as a file to run later or to run on a different computer, click Save, specify the appropriate folder, and then click OK.
    5. Navigate to the SMP Internet gateway installation package that you downloaded and double-click SMP_Internet_Gateway.
    6. In the Open File - Security Warning dialog box, click Run.
    7. In the Symantec Management Platform Internet Gateway Setup dialog box, click Next.
    8. Click I accept the licence agreement, and then click Next.
    9. Specify the path to the destination folder where you want to install the Internet gateway files, click Next, and then click Next.
    10. Make sure that Start configuration wizard is checked, and then click Finish.

    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

    Can anyone help me?

    Thanks and best regards



  • 2.  RE: Internet machine cannot connect to NS server
    Best Answer

    Broadcom Employee
    Posted Feb 17, 2014 01:41 PM

    Hi telecomvn,

    Seems like this article contains all required information about your problem with CEM using offline package ⇒ http://www.symantec.com/business/support/index?page=content&id=TECH213911

    Thanks,

    IP.



  • 3.  RE: Internet machine cannot connect to NS server

    Posted Feb 17, 2014 09:51 PM

    Hi Igor

    I had tried this article before, but the issue still happens.

    Thanks



  • 4.  RE: Internet machine cannot connect to NS server

    Broadcom Employee
    Posted Feb 18, 2014 07:33 AM

    You can try this:

    1st step: Open SMP Console ⇒ Go to "Report" ⇒ "Notification Server Management" ⇒ "Certificates" ⇒ "Certificates by Thumbprint" and, via the right-click menu on the hostname of your client computer (where this problem occurs), revoke the certificates.

    revoke1.jpg

    2nd step: Uninstall Symantec Management Agent on your client computer where this problem occurs.

    3rd step: Re-generate a new offline CEM SMA package ⇒ download it on your client computer ⇒ install this offline package.

    Thanks,

    IP.



  • 5.  RE: Internet machine cannot connect to NS server

    Broadcom Employee
    Posted Feb 18, 2014 09:11 AM

    Please do not perform the certificate revocation described above!

    First check your Symantec Management Agent push install settings, because these settings are applied in the offline CEM package.
    SMA_Settings.jpg

    If the settings are not OK, then modify them and re-create the offline CEM package ⇒ install it on your client computer ⇒ check whether it solves the current problem.

    If this doesn't help, then try the steps for certificate revocation described above.

    Thanks,
    IP.



  • 6.  RE: Internet machine cannot connect to NS server

    Posted Feb 19, 2014 03:00 AM

    Hi Igor
    My settings are as below; they were configured before.

    I also checked "Certificates by Thumbprint" and tried to search it. There was no failed client on it.

    Any more settings?

    Thanks

    setting.jpg



  • 7.  RE: Internet machine cannot connect to NS server

    Broadcom Employee
    Posted Feb 19, 2014 03:59 AM

    You can compare serial number and thumbprint of certificates which are stored on client side and shown in "Certificate by Thumbprint" report on SMP Console:

    SerialNumber_0.jpg

     

    You can try to:

    • Uncheck "Install Server certificate to the client machine" -> click OK.
    • Generate new offline CEM package and install it on your client computer where problem occurs.

    Thanks,

    IP.



  • 8.  RE: Internet machine cannot connect to NS server

    Posted Feb 19, 2014 11:18 AM

    Hi

    I tried and it still shows this error.

    Can you help?

    Thanks

    <event date='02/19/2014 23:06:50.8860000 +07:00' severity='2' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15450593' >
      <![CDATA[WARNING: Unexpected response from URL 'https://NSserver:443/Altiris/NS/Agent/GetClientCertificate.aspx': Unable to get the client certificate response XML associated with the specified request (Exception: The caller is unauthorized to request a new client certificate.)]]>
    </event>
    <event date='02/19/2014 23:06:50.8860000 +07:00' severity='1' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15450593' >
      <![CDATA[Attempted CEM gateway certificate negotiation failed.]]>
    </event>
    <event date='02/19/2014 23:06:50.8860000 +07:00' severity='4' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15450593' >
      <![CDATA[Temporary CEM nsagent certificate found.]]>
    </event>
    <event date='02/19/2014 23:06:50.8860000 +07:00' severity='4' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15450593' >
      <![CDATA[Attempting CEM client certificate negotiation.]]>
    </event>
    <event date='02/19/2014 23:06:50.8860000 +07:00' severity='4' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15450593' >
      <![CDATA[Requesting nsagent certificate from the server.]]>
    </event>
    <event date='02/19/2014 23:06:53.5420000 +07:00' severity='4' hostName='client' source='NetworkMonitor' module='AeXNetMon.dll' process='AeXNSAgent.exe' pid='8144' thread='9256' tickCount='15453250' >
      <![CDATA[Server up [0x10030001]: https://NSserver:443:{B81D1ABF-D418-4561-B9A5-BB71CEA8AE84}]]>
    </event>
    <event date='02/19/2014 23:06:55.4170000 +07:00' severity='4' hostName='client' source='HttpConnection' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15455125' >
      <![CDATA[Tunnel connection using IP: xxxxxxxxxxxx, Port: 443]]>
    </event>
    <event date='02/19/2014 23:06:55.4800000 +07:00' severity='2' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15455187' >
      <![CDATA[WARNING: Unexpected response from URL 'https://NSserver:443/Altiris/NS/Agent/GetClientCertificate.aspx': Unable to get the client certificate response XML associated with the specified request (Exception: The caller is unauthorized to request a new client certificate.)]]>
    </event>
    <event date='02/19/2014 23:06:55.4800000 +07:00' severity='1' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15455187' >
      <![CDATA[Attempted CEM nsagent certificate negotiation failed.]]>
    </event>
    <event date='02/19/2014 23:06:55.4800000 +07:00' severity='2' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15455187' >
      <![CDATA[Configure Server Mode: CEM mode was not initialized succesfully, will retry]]>
    </event>
    <event date='02/19/2014 23:06:55.4800000 +07:00' severity='2' hostName='client' source='Agent' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15455187' >
      <![CDATA[Failed to register agent. Registration status 'Not registered'. Next retry in 8 min.]]>
    </event>
    <event date='02/19/2014 23:07:32.7570000 +07:00' severity='4' hostName='client' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='8144' thread='940' tickCount='15492468' >
      <![CDATA[CT Agent is not initialized yet, load of policy will be postponed.]]>



  • 9.  RE: Internet machine cannot connect to NS server

    Broadcom Employee
    Posted Feb 19, 2014 04:03 PM

    Also, here are other ways to generate certificates for a CEM client ⇒ http://www.symantec.com/business/support/index?page=content&id=HOWTO93154

    and how to import this generated certificate on CEM client computer ⇒ http://www.symantec.com/business/support/index?page=content&id=HOWTO93157

     

    Questions:

    1. Have you tried steps in #3 comments below?
    2. Probably you remember what steps you've done to get this problem on your CEM client computer? Could you describe such a scenario?

    Thanks,

    IP.

     



  • 10.  RE: Internet machine cannot connect to NS server

    Posted Feb 19, 2014 11:12 PM

    Hi

    1. Have you tried steps in #3 comments below?

    I tried to search but I cannot find any record matching the client. I think this client has never communicated or had the agent installed before, so we cannot find it.

    2. Probably you remember what steps you've done to get this problem on your CEM client computer? Could describe such scenario?

    I think I did as the steps say. We get this error after we install the offline package on the internet machine.

    Thanks



  • 11.  RE: Internet machine cannot connect to NS server

    Posted Feb 19, 2014 11:47 PM

    Hi Igor

    In the CEM white paper, I see this one. It's the operation on an offline machine.
    ==================================
    Run the agent installation package on the disconnected computer.
    The agent package is a self-extracting executable file and the installation runs silently.
    After the installation, the Symantec Management Agent automatically configures itself and does the following:
    ■ The agent renegotiates its certificate.
      The agent requests and receives a new certificate from Notification Server: The new certificate is specific to that client computer and replaces the temporary site certificate that was included in the agent installation package.
    ■ The agent is automatically assigned to the appropriate resource targets and organizational groups on the Symantec Management Platform.

    ====================================
    And in the log file, I see the negotiation failed. Do you think that is the root cause?

    You can see the new log for more details

    ===================

    <event date='02/17/2014 15:16:41.4860000 +07:00' severity='2' hostName='CLIENTNAME' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1398158' >
      <![CDATA[WARNING: Unexpected response from URL 'https://NSserver:443/Altiris/NS/Agent/GetClientCertificate.aspx': Unable to get the client certificate response XML associated with the specified request (Exception: The caller is unauthorized to request a new client certificate.)]]>
    </event>
    <event date='02/17/2014 15:16:41.4860000 +07:00' severity='1' hostName='CLIENTNAME' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1398158' >
      <![CDATA[Attempted CEM gateway certificate negotiation failed.]]>
    </event>
    <event date='02/17/2014 15:16:41.4860000 +07:00' severity='4' hostName='CLIENTNAME' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1398158' >
      <![CDATA[Temporary CEM nsagent certificate found.]]>
    </event>
    <event date='02/17/2014 15:16:41.5020000 +07:00' severity='4' hostName='CLIENTNAME' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1398174' >
      <![CDATA[Attempting CEM client certificate negotiation.]]>
    </event>
    <event date='02/17/2014 15:16:41.5020000 +07:00' severity='4' hostName='CLIENTNAME' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1398174' >
      <![CDATA[Requesting nsagent certificate from the server.]]>
    </event>
    <event date='02/17/2014 15:16:44.0910000 +07:00' severity='4' hostName='CLIENTNAME' source='NetworkMonitor' module='AeXNetMon.dll' process='AeXNSAgent.exe' pid='1288' thread='5320' tickCount='1400764' >
      <![CDATA[Server up [0x10030001]: https://NSserver:443:{GUID-B9A5-BB71CEA8AE84}]]>
    </event>
    <event date='02/17/2014 15:16:48.2250000 +07:00' severity='4' hostName='CLIENTNAME' source='HttpConnection' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1404898' >
      <![CDATA[Tunnel connection using IP: xxx.xxx.xxx.xxx, Port: 443]]>
    </event>
    <event date='02/17/2014 15:16:48.2870000 +07:00' severity='2' hostName='CLIENTNAME' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1404960' >
      <![CDATA[WARNING: Unexpected response from URL 'https://NSserver:443/Altiris/NS/Agent/GetClientCertificate.aspx': Unable to get the client certificate response XML associated with the specified request (Exception: The caller is unauthorized to request a new client certificate.)]]>
    </event>
    <event date='02/17/2014 15:16:48.3030000 +07:00' severity='1' hostName='CLIENTNAME' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='1288' thread='5812' tickCount='1404976' >
      <![CDATA[Attempted CEM nsagent certificate negotiation failed.]]>

     

    Thanks



  • 12.  RE: Internet machine cannot connect to NS server

    Posted Feb 20, 2014 05:23 AM

    The root cause is "Exception: The caller is unauthorized to request a new client certificate".

    It looks like the agent has already received one certificate at some point in time, so it's denied to get a new one.

    Could you please do the following:

    1. Run cmd.exe as administrator

    2. Go to SMP agent folder "\Program files\Altiris\Altiris agent"

    3. Run aexnsagent.exe /resetguid

    4. Attach the log files here, please attach the complete LOG file, there could be many of them, so you can remove the log files before step #3. 

    /resetguid will try re-registering with the server once more.
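
One way to triage the agent and NS log excerpts posted in this thread, as an added example that is not part of any post or of the product's own tooling: it parses the `<event>` records (single- or double-quoted attributes, no root element, a cut-off last record) and pulls out the certificate failures with their URL and reason. The function names, the sample text and the reading of severity 1 and 2 as error and warning are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in this thread: agent events use
# single-quoted attributes, the NS event double quotes, and the last one is cut off.
SAMPLE_LOG = """\
<event date='02/19/2014 23:06:50.8860000 +07:00' severity='4' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15450593' >
  <![CDATA[Requesting nsagent certificate from the server.]]>
</event>
<event date='02/19/2014 23:06:55.4800000 +07:00' severity='2' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15455187' >
  <![CDATA[WARNING: Unexpected response from URL 'https://NSserver:443/Altiris/NS/Agent/GetClientCertificate.aspx': Unable to get the client certificate response XML associated with the specified request (Exception: The caller is unauthorized to request a new client certificate.)]]>
</event>
<event date="02/21/2014 23:52:32.3744874 +07:00" severity="2" hostName="Nsserver" source="EventRouter" module="w3wp.exe" process="w3wp" pid="2712" thread="13" tickCount="20287852"><![CDATA[Event not processed. IP: xx.xx.xx.xx; Error: Client certificate is not valid.]]></event>
<event date='02/19/2014 23:06:55.4800000 +07:00' severity='1' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8144' thread='9056' tickCount='15455187' >
  <![CDATA[Attempted CEM nsagent certificate negotiation failed.]]>
"""

EVENT_RE = re.compile(r"<event\s+([^>]*)>\s*<!\[CDATA\[(.*?)\]\]>", re.S)
ATTR_RE = re.compile(r"(\w+)=(['\"])(.*?)\2")
REASON_RE = re.compile(r"\(Exception: (.*)\)\s*$|Error: (.*)$", re.S)
URL_RE = re.compile(r"URL '([^']+)'")


def parse_events(text):
    """Parse <event> records without requiring a root element or closing tags."""
    events = []
    for attrs, message in EVENT_RE.findall(text):
        event = {name: value for name, _, value in ATTR_RE.findall(attrs)}
        event.update(severity=int(event.get("severity", 0)), message=message.strip())
        events.append(event)
    return events


def certificate_problems(events):
    """Severity 1/2 (assumed error/warning, as in the quoted logs) events about certificates."""
    problems = []
    for ev in events:
        if ev["severity"] not in (1, 2) or "certificate" not in ev["message"].lower():
            continue
        reason = REASON_RE.search(ev["message"])
        url = URL_RE.search(ev["message"])
        problems.append({"host": ev.get("hostName"), "source": ev.get("source"),
                         "url": url.group(1) if url else None,
                         "reason": (reason.group(1) or reason.group(2)) if reason else ev["message"]})
    return problems


def summarize(problems):
    """Count identical (host, reason) pairs so repeated retries collapse to one line."""
    return Counter((p["host"], p["reason"]) for p in problems)


if __name__ == "__main__":
    for (host, reason), n in summarize(certificate_problems(parse_events(SAMPLE_LOG))).items():
        print(f"{n}x {host}: {reason}")
```

Reading the agent log and the NS server log through the same summary puts the client-side "unauthorized" reason next to the server-side "Client certificate is not valid" reason for the same time window.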



  • 13.  RE: Internet machine cannot connect to NS server

    Posted Feb 21, 2014 02:28 PM

    Hi Igor

    Maybe I missed one important note in the CEM white paper below and am not clear about it:

    "If you want to use the installation package to install agents on disconnected computer you must create a policy that includes those clients"

    Does that mean the disconnected computer must have connected to the internal network or existed in Active Directory so that the NS discovery process could discover it and grant a GUID?

    We cannot use the offline installation package for a machine which has never been plugged in to the internal network, right?

    So can we manually create a GUID and computer name for an offline machine?

    Maybe in my case, my machine has never been plugged into the internal network, so it cannot be discovered.

    Thanks for your help

    Regards

     



  • 14.  RE: Internet machine cannot connect to NS server

    Posted Feb 21, 2014 04:24 PM

    Telecomvn, the machine does not have to be plugged into the internal network first. There is a CEM policy page in the SMP console, the one where you specify the gateways in the top list and the client machines in the bottom list. The documentation is talking about that policy.



  • 15.  RE: Internet machine cannot connect to NS server

    Posted Feb 22, 2014 05:17 AM

    Hi SergeZ

    Clear with your comment.

    So I checked the log on the NS server and found:

     

    <event date="02/21/2014 23:52:32.3744874 +07:00" severity="2" hostName="Nsserver" source="EventRouter" module="w3wp.exe" process="w3wp" pid="2712" thread="13" tickCount="20287852"><![CDATA[Event not processed. IP: xx.xx.xx.xx; Error: Client certificate is not valid.]]></event>

    Do you have any idea?

    Does it relate to the application pool on the NS server?

    We configured the default application pool in integrated mode.

    Currently, I randomly checked and found the following:

    - Default application pool is applied on the default website

    - Altiris site uses Classic .NET AppPool (managed pipeline mode is Classic)

    - NS subsite uses Classic .NET AppPool

    - Agent uses Symantec Agent AppPool

    Thanks



  • 16.  RE: Internet machine cannot connect to NS server

    Posted Feb 24, 2014 02:34 AM

    Hi Igor, SergeZ

    I tried to update hotfix to HF4

    The issue still happens. Do you have any idea?

    Do we need to reinstall IG?

    Thanks



  • 17.  RE: Internet machine cannot connect to NS server

    Posted Feb 24, 2014 09:38 AM

    Hi Igor

    My problem has been resolved. I didn't understand this setting "1. On the Notification Server computer, in Internet Information Services (IIS) Manager, in the left pane, click Sites > NS_website > Altiris > NS > Agent."
    I selected the default site instead of the site after configuring Cloud-enabled Management, so the client certificate was always invalid.

    Once again, very big thanks Igor. You supported me a lot and in great detail to troubleshoot the problem.

    Thanks and Best Regards