IT Management Suite

 View Only

  • 1.  Agent Status - CEM enabled but inactive

    Posted Jan 06, 2015 04:15 AM

    Hi There,

    I recently created my first CEM setup as follow:

    I have ITMS 7.5 SP1 HF4 on Win 2008 R2 SP1

    SMP Internet Gateway on v 7.5.3153.0

    I have created my CEM server in the DMZ (public facing) and configured the SMP Internet Gateway Manager connecting to my Test server on the domain outside the DMZ on port 4726. Status: Enabled. Service State: Running

    My client is successfully communicating via HTTPS when it is on the LAN, when i change over to Internet Connection only, the client status is disconnected with status: CEM enabled but inactive.

    My NS on the domain outside of the DMZ is my site server and i have manually assigned my Internet site to the site server and my clients to the site.

    I have checked my Default App Pool and the settings are set to Integrated.

     

    Anyone else had this issue and resolved this?

     

    Kind Regards,

    Eugene



  • 2.  RE: Agent Status - CEM enabled but inactive

    Broadcom Employee
    Posted Jan 06, 2015 04:43 AM

    Hi!

    What says SMA client log, when you're switching it from LAN to Internet? Log out put will show correct way to look forward of root cause.

    • C:\ProgramData\Symantec\Symantec Agent\Logs\

    Also check log output on CEM Gateway server and SMP Server via "Altiris Log Viewer".

    Thanks,

    IP.



  • 3.  RE: Agent Status - CEM enabled but inactive

    Posted Jan 06, 2015 07:55 AM

    Hi IP,

    Please see below extract from Client Logs:

    event date='01/06/2015 14:47:11.1640000 +02:00' severity='4' hostName='E6540D_NAC' source='NetworkMonitor' module='AeXNetMon.dll' process='AeXNSAgent.exe' pid='1168' thread='4372' tickCount='16503002' >
      <![CDATA[Server down [0x10000000]: https://NSservername:443:{B81D1ABF-D418-4561-B9A5-BB71CEA8AE84}]]>
    </event>
    <event date='01/06/2015 14:47:13.7400000 +02:00' severity='1' hostName='E6540D_NAC' source='NetworkOperation' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='1168' thread='9728' tickCount='16505576' >
      <![CDATA[Operation 'Connect' failed. 
    Protocol: http 
    Host: IternetGatwayservername 
    Port: 443 
    Path: / 
    Http status: 0 
    Secure: Yes 
    Id: {82EBF9A9-D193-4456-9187-75F8DF3D53F8} 
    Error type: Connection error 
    Error result: 0x80072751 
    Error code: 0 
    Error note: Unable to connect via secure gateway 
    Error message: A socket operation was attempted to an unreachable host]]>
    </event>
    <event date='01/06/2015 14:47:13.7400000 +02:00' severity='2' hostName='E6540D_NAC' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='1168' thread='9728' tickCount='16505576' >
      <![CDATA[Failed to call web interface by url [https://NSservername:443/Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx?resourceGuid=9007647a-9fa9-41e0-a92b-b1f59c73543a&shares=1], error [0x80072751, A socket operation was attempted to an unreachable host.].]]>
    </event>

    I also noticed that the Ineternet Gateway Server has an SMA on pointing to another production Server, could this be an issue?

    Dont see much in the log viewer on the Internet Gateway server.

     

    Kind Regards,

    Eugene

     

     



  • 4.  RE: Agent Status - CEM enabled but inactive

    Broadcom Employee
    Posted Jan 06, 2015 03:22 PM

    Hi Eugene,

    Please restart Symantec Management Agent on client side ⇒ .zip these logs and send to me via private message.

    This part of log output, shows that it is unable to register with Task Server, but I'd like to see what was in other part of log.

    Does Altiris log viewer show any useful information on SMP Server side?

    You're using self-signed, chain or SAN certificate on SMP Server side, for SMP/Symantec Agent CEM web site?

    Eugene: I also noticed that the Ineternet Gateway Server has an SMA on pointing to another production Server, could this be an issue?

    IP: No, this should not affect, because this server with CEM gateway is managed by another SMP Server, although it is added to work with your SMP server. (Of course if that SMP server doesn't deliver and perform something to brake work of CEM gateway).

    Thanks,

    IP.



  • 5.  RE: Agent Status - CEM enabled but inactive

    Posted Jan 07, 2015 01:14 AM

    Thanks for the Feedback IP, i will be sending the private message shortly...

     



  • 6.  RE: Agent Status - CEM enabled but inactive
    Best Answer

    Broadcom Employee
    Posted Jan 07, 2015 07:27 AM

    EugeneDisc,

    1) According to SMA log, I didn't find any message about successfull or unsuccessfull connection via gateway.

    For example successfull connection from client to CEM Gateway:

    TunnelConnectionSMA.jpg

    2) According to SMP Server side logs, I haven't seen any problem messages, related to CEM connection.

    3) I've used CMS 7.5 SP1 HF4, using self-signed certificates for SMP Web Site and for Symantec Agent Web Site: Where on SMP I have "Site" with all available subnets assigned and didn't manually assign "Default Internet Site" to my "Site" = CEM Client successfully communicates with SMP Server via CEM gateway.

    4) Please make sure that there is no network connection problems between SMA client PC, CEM Gateway Server and SMP Server machines. All resolves each other by IPv4/Hostname/FQDN.

    • You can check similar problem, when there were network resolving problems for CEM

    https://www-secure.symantec.com/connect/forums/challenges-75-cem-internet-gateway

    Thanks,

    IP.



  • 7.  RE: Agent Status - CEM enabled but inactive

    Posted Jan 09, 2015 05:22 AM

    Issue was DNS and not resolving the IP.

    In our test case, we added IP's and Hostname to host file and connection occuured immediately.

    Thanks for all the assistance.