In trying to configure or reconfigure Intel vPro Technology, if you are receiving a number of “SOAP”, “AMT Connection”, “getFullCoreVersion”, or “tcp_connect()” related errors in the logs as shown below, this article provides insights to understand and resolve the situation.
After you have reviewed the guidance provided via the Altiris OOBM user guide, Joel Smith’s articles on troubleshooting (see http://www.symantec.com/connect/articles/troubleshooting-out-band-management-and-real-time-system-manager-vpro-technology-versions-part-4) and the other resources provided therein – the above errors may persist. Even the latest BIOS and firmware updates for the platform may not solve the issue. In general, the errors may be more prevalent with Intel Active Management (AMT) 4.x and higher firmware.
The article provides a summary interpretation of the errors, common reasons these errors may be generated, insights on tools to help troubleshoot, and suggestions on how to fix.
What is the cause of the error?
These errors indicate a TCP\IP communications failure between the Altiris OOB Site Service and the target Intel AMT device. An incorrect FQDN-to-IP resolution of the TCP\IP address as known by the management engine is the most common reason. The error could occur before or after Intel AMT was configured.
Note: Communications to the local operating system may be working correctly. In a DHCP environment, the Intel AMT firmware will use the same IP address. In a static environment, Intel AMT firmware may be assigned to a different static IP address than the host operating system. Mixed setups where the local host operating system IP is assigned via DHCP and the Intel AMT firmware is assigned via static IP are not recommended.
How do I confirm a TCP\IP connection error?
Two approaches can be used to help confirm a TCP\IP connection error.
First, a simple test for Intel AMT clients awaiting configuration. From the Altiris server attempt to open a telnet session to the target client on port 16993. If you are using Microsoft Windows 2008 Server or Windows 7 client, you will need to add “Telnet Client” to your features list. The IP address of the target client should be used.
The following example telnet request and response indicates the target client is not listening on the stated IP address:
telnet 192.168.0.102 16993
Connection to 192.168.0.102… Could not open connection to the host, or on port 16993. Connect failed
The second test is to determine what wired IP address is assigned to the Management Engine (ME) of the target Intel AMT client. Using the Systemdiscovery tool available at http://software.intel.com/en-us/articles/download-the-latest-version-of-intel-amt-setup-and-configuration-service-scs/, on a target client experiencing the TCP\IP communication errors run the following sequence:
Net stop lms
SCSDiscovery.exe systemdiscovery
Net start lms
When the SystemDiscovery command completes, an XML file will be located in the same directory as the ACU_Config.exe utility. The results are also written to the Windows registry. (See the SystemDiscovery User Guide PDF for more information.) Among the collected data is a field labeled “WiredIPv4”.
The example below shows the WiredIPv4 address to be 0.0.0.0 whereas the OSIP (Operating System IP address) is 192.168.0.102.
The expected results should show the same IP address between the WiredIPv4 (i.e. the management engine wired network interface) and the OSIP values.
Note: For more information on collecting and viewing this custom data across your enterprise, see http://www.symantec.com/connect/articles/environment-assessment-report-intel-vpro-technology-part-2. Adjust the sample query to show the WiredIPv4 and OSIP values in the report.
If your output shows different yet valid IP addresses for your environment, retry the simple telnet test using the IP address listed as WiredIPv4. If successful, this indicates the IP address resolution is incorrect within the environment or that a simple “IPconfig /renew” command on the client will refresh and synchronize the IP addresses.
If your output is similar to the results shown above, this indicates the management engine network interface never received an IP address. Without an IP address, configuration and subsequent communication sessions will not occur.
Before proceeding - ensure the latest system BIOS and Intel AMT firmware are applied to the client. If unsure what exact BIOS or Intel AMT firmware versions are in your environment, see part 1 of the environment assessment (http://www.symantec.com/connect/articles/environment-assessment-report-intel-vpro-technology-part-1). If you need a tool for multiple updates and prefer to create a single software package, see http://communities.intel.com/docs/DOC-4078
Why is Intel AMT firmware IP address 0.0.0.0?
If the management firmware has a blank IP address and the WiredLinkStatus is Up (see example above), this may indicate an incorrect environment detection policy has been set. The Environment detection firmware policy determines whether the out-of-band management network interface is open or not. The feature is set based on Home Domains in the configuration profile and detected domains to which the device is connected.
Note: For more information on Environment Detection within Intel, go to http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/ and search for "Environment Detection". The "Detail Description" and "Utilizing the Host VPN" topics provide good insights. Environment Detection is required for Remote Access (out-of-band management to internet-based clients) and for Wireless Profile synchronization between host\firmware.
In the example below, a domain value of “bogus.local” was set in the configuration profile although the true connection-specific DNS suffix is “vprodemo.com”.
Note: The connection-specific DNS suffix is the DHCP option 15 setting of the environment. In some environments, it may not align to the BIND or Active Directory DNS root domain value. If unsure what DHCP option 15 settings apply across your environment, see the example custom inventory and report as shown at http://www.symantec.com/connect/articles/environment-assessment-report-intel-vpro-technology-part-2. In the example, the OSPrimaryDNSSuffix is the DHCP option 15 setting received on the network interface of the client.
A common mistake is to assume the Active Directory root domain is the home domain setting used with Intel SCS. This may lead to an incorrect configuration where "ad.company.local" was used in the configuration profile whereas the true connection-specific DNS suffix was "company.com".
The Domain setting within the profile is set into the firmware during the configuration process along with enabling environment detection. This firmware option was first introduced in Intel AMT 3.x (circa 2008). Once environment detection is enabled, the firmware will check the firmware settings against the connected network settings. If they match, the system is considered inside the enterprise, the out-of-band management network interface is assigned an IP address, and so forth. If they do not match, the out-of-band management network interface is closed and subsequent out-of-band communications are blocked.
How do I check if Environment Detection is the underlying issue?
On a suspected client, download the Intel® AMT Diagnostics Tool available at http://communities.intel.com/docs/DOC-5582. For simplicity, run the “DiagToolGUI.exe” and select “Intel® vPro™ Technology Platform”. Click on “Start Scans”.
Once completed, click on “Proceed to Tests”. You do not need to run the full list of tests. Simple click on “See Results”. The results are in an NFO file which can be directly accessed or viewed within the Intel® AMT Diagnostics Tool.
Within the results, expand “Scans” followed by “AMT”. Select “Get Remote Access Connection Status” similar to the example below:
The above example shows this particular client has Environment Detection enabled and the system believes it is outside the enterprise. In this state, the Intel AMT firmware will not receive an IP address.
How do I fix an incorrect Environment Detection setting?
If the Domains setting in the configuration profile was incorrectly configured thus causing an expected Environment Detection setting, currently the only method to correct is a full Intel AMT firmware reset. This is also called “Full Unconfiguration”. Some OEM platforms provide a BIOS option to reset Intel AMT at next reboot. This approach often requires a confirmation by the local user. If a BIOS reset of Intel AMT option is not available for your particular device, use the Ctrl-P boot option locally on the device to enter the MEBx (Management Engine BIOS eXtension) screens and select the appropriate options to fully unconfigure Intel AMT.
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.