Policy Manager Connected: NO on LAN Enforcer
As stated in the title, we have a LAN Enforcer showing the following:
Enforcer# show status
Enforcer Status: ONLINE
Policy Manager Connected: NO
Policy Manager: 10.151.127.22 HTTP 8014
Packets Received: 77719
Packets Transmitted: 68600
Packet Receive Failed: 0
Packet Transfer Failed: 0
Enforcer Health: EXCELLENT
Enforcer Uptime: 0 days 17:30:00
Policy ID: 18/10/2012 16:26:47
Enforcer# show configure
Please wait for a moment...
Network Interface Setting:
eth0 Link encap:Ethernet HWaddr 00:E0:ED:1E:5C:38
inet addr:10.151.127.24 Bcast:10.151.127.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:78667 errors:0 dropped:0 overruns:0 frame:0
TX packets:69249 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14898989 (14.2 MiB) TX bytes:10874583 (10.3 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:726 (726.0 b) TX bytes:726 (726.0 b)
Route Table:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.151.127.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 10.151.127.254 0.0.0.0 UG 0 0 0 eth0
DNS Setting:
nameserver 10.150.1.2
nameserver 10.150.2.2
Policy Manager Settings:
IP/Name: 10.151.127.22
Port: 8014
Protocol: HTTP
Hash of Preshared Secret: B5066AAB000A2B5370E88C9D05B37990
Preferred Group: NAC-BLAH-B
NTP: disabled
Enforcer#
On the SEPM, inside scm-server-0.log, we see many NullPointerExceptions like this:
2012-10-18 22:46:44.793 THREAD 25 SEVERE: Unknown Exception in: com.sygate.scm.server.task.EnforcerCompilerTask
java.lang.NullPointerException
at com.sygate.scm.server.task.EnforcerCompilerTask.compileCommonProfile(EnforcerCompilerTask.java:953)
at com.sygate.scm.server.task.EnforcerCompilerTask.compileProfile(EnforcerCompilerTask.java:310)
at com.sygate.scm.server.task.EnforcerCompilerTask.run(EnforcerCompilerTask.java:251)
at java.util.TimerThread.mainLoop(Timer.java:512)
at java.util.TimerThread.run(Timer.java:462)
What's wrong between them?
Has the Enforcer ever been able to connect to the SEPM?
I would pull a packet capture and see what the http return code is.
On the Enforcer CLI, enter "capture start". The filter level is set by default to only capture Enforcer<>SEPM communications.
Let it run for a few minutes, to be sure that it captures a check-in attempt. Take note of the filename.
Then start a TFTP server on the network that the Enforcer can communicate with, and enter the following command "capture upload tftp xxx.xxx.xxx.xxx filename [filename]". On some older versions of the Enforcer, you need to put a / in front of the [filename]. Don't enter the full path, just the filename.
Open up the capture file in Wireshark, and filter by the SEPM's IP address.
200 = OK communication
400 = Bad shared secret
If you don't see any response from the SEPM, you most likely have a networking issue (firewall, etc). Try pinging the SEPM from the Enforcer.
That Java error may be a red herring.
Also, did you install the Network Access Control add-on from the SNAC CD? The Enforcer will not be able to check in until you do the SNAC install.
If a post helps you, please give it a thumbs up or mark it as the solution to your issue.
The Enforcer isn't able to connect to the SEPM anymore after changing the IP address on the Enforcer itself and on the SEPM.
At the moment I haven't a TFTP server on the network, so I'm not able to download a packet capture. However, setting the debug level to ENGINEER, the live user debug is showing:
Oct/22/2012 09:36:45.126 [SyVeLink.cpp][ 1383]: Try to download profile serial number on 10.151.127.22!
Oct/22/2012 09:36:45.126 [SyVeLink.cpp][ 1408]: Download profile index with URL http://10.151.127.22:8014/secars/secars.dll?action...
Oct/22/2012 09:36:45.126 [SyVeLink.cpp][ 2847]: plain URL: l=125&action=200&hostid=C400BB9B0A337F16016FBFAB9EF99DA5&primaryenforcerid=C400BB9B0A337F16016FBFAB9EF99DA5&as=113973&mode=1&hbt=30
Oct/22/2012 09:36:30.119 [ Http.cpp][ 171]: curl_easy_getinfo HTTP content-length : 538
Oct/22/2012 09:36:30.119 [SyVeLink.cpp][ 4029]: GetProfileIndexCallback returns code 500, 538 bytes.
Oct/22/2012 09:36:30.120 [SyVeLink.cpp][ 4034]: HttpHeader: HTTP/1.1 500 INTERNAL SERVER ERROR
Oct/22/2012 09:36:30.120 [SyVeLink.cpp][ 4034]: HttpHeader: Date: Mon, 22 Oct 2012 08:38:22 GMT
Oct/22/2012 09:36:30.120 [SyVeLink.cpp][ 4034]: HttpHeader: Server: Apache
Oct/22/2012 09:36:30.120 [SyVeLink.cpp][ 4034]: HttpHeader: Content-Length: 538
Oct/22/2012 09:36:30.121 [SyVeLink.cpp][ 4034]: HttpHeader: Connection: close
Oct/22/2012 09:36:30.121 [SyVeLink.cpp][ 4034]: HttpHeader: Content-Type: text/html; charset=iso-8859-1
Oct/22/2012 09:36:30.121 [SyVeLink.cpp][ 4034]: HttpHeader:
Oct/22/2012 09:36:30.122 [SyVeLink.cpp][ 1460]: Get index file returns 500
Oct/22/2012 09:36:30.122 [SyVeLink.cpp][ 4852]: Try get profile/register returns 500, nRetryTimes=0, WaitTime=15000
Oct/22/2012 09:36:34.960 [SyVeLink.cpp][ 4682]: SEPM Server Status:
Enforcer and SEPM are on the same IP subnet and VLAN, and there aren't network firewalls between them.
The NAC add-on is already installed onto the SEPM.
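An added example, not part of the thread and not Symantec tooling: when no TFTP server is available for a packet capture, the same triage can be run over the Enforcer's ENGINEER-level debug output. The sketch pairs each check-in attempt with the HTTP code that follows it, using the 200/400/no-response reading given in the earlier reply; the sample lines are constructed in the log format shown above, and the reading of 500 is the generic HTTP meaning, an assumption rather than something the thread states.

```python
import re

# 200 and 400 are the readings given in the thread. 500 is the generic HTTP
# meaning (assumption): the request arrived and the server itself failed.
MEANING = {
    200: "OK communication",
    400: "bad shared secret",
    500: "server-side error on the SEPM; check scm-server-0.log",
}
NO_REPLY = "no response; suspect networking (firewall, etc.), try ping"

# Line layout: "Oct/22/2012 09:36:45.126 [SyVeLink.cpp][ 1383]: message"
LINE = re.compile(r"^(\S+ \S+) \[\s*([\w.]+)\]\[\s*(\d+)\]: (.*)$")
ATTEMPT = re.compile(r"Try to download profile serial number on (\S+)!")
RESULT = re.compile(r"GetProfileIndexCallback returns code (\d+)")

# Constructed sample (documentation IP address), not taken from a real Enforcer.
SAMPLE = """\
Oct/22/2012 09:36:15.100 [SyVeLink.cpp][ 1383]: Try to download profile serial number on 192.0.2.10!
Oct/22/2012 09:36:15.139 [    Http.cpp][  171]: curl_easy_getinfo HTTP content-length : 538
Oct/22/2012 09:36:15.140 [SyVeLink.cpp][ 4029]: GetProfileIndexCallback returns code 500, 538 bytes.
Oct/22/2012 09:36:30.100 [SyVeLink.cpp][ 1383]: Try to download profile serial number on 192.0.2.10!
Oct/22/2012 09:36:45.100 [SyVeLink.cpp][ 1383]: Try to download profile serial number on 192.0.2.10!
Oct/22/2012 09:36:45.140 [SyVeLink.cpp][ 4029]: GetProfileIndexCallback returns code 400, 0 bytes.
"""

def diagnose(log_text):
    """Return one dict per check-in attempt: time, server, status, meaning."""
    attempts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip wrapped or unrelated lines
        stamp, msg = m.group(1), m.group(4)
        started, result = ATTEMPT.search(msg), RESULT.search(msg)
        if started:
            attempts.append({"time": stamp, "server": started.group(1), "status": None})
        elif result and attempts and attempts[-1]["status"] is None:
            attempts[-1]["status"] = int(result.group(1))
    for a in attempts:
        # An attempt with no callback line never got an HTTP reply at all.
        a["meaning"] = NO_REPLY if a["status"] is None else MEANING.get(
            a["status"], "not covered in the thread")
    return attempts

if __name__ == "__main__":
    for a in diagnose(SAMPLE):
        print(a["time"], a["server"], a["status"], "->", a["meaning"])
```
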
Hi;
Restart the Enforcer and after that you can see it connected.
If not, you must look at the logs on the Enforcer as well.
Regards;
Cemile Denerel
Note: Please mark as solution if it helps you.