How to troubleshoot Core Server patch content download issues

Version 33

    Verified Product Versions

    Endpoint Manager 9.5, Endpoint Manager 9.6, Endpoint Manager 2016.x, Endpoint Manager 2017.x



    This document details common patch content download issues and the steps for troubleshooting and resolving them.

     

    Log Locations

     

    Patch content download activity

     

    • \Program Files\LANDESK\ManagementSuite\log\console.exe.log
    • \Program Files\LANDESK\ManagementSuite\log\vaminer.log
    • \Program Files\LANDESK\ManagementSuite\log\vaminer.details.log

     

    Antivirus content (pattern files) downloads

     

    • \Program Files\LANDESK\ManagementSuite\log\getbases.exe.log
    • \Program Files\LANDESK\ManagementSuite\log\updatevirusdefinitions.exe.log

     

    Cannot connect to Ivanti Patch Content servers and/or vendor patch download locations

     

    Proxy Configuration recommendations

     

    Check the proxy configuration and credentials within the Proxy tab of the Download Updates section of the Patch and Compliance tool.

    • Is it set to use a proxy server?
    • Does your environment require a proxy server?
    • Is the proxy server address correct? (Can the core server reach the IP, server name or FQDN?)
    • Is the port correct for what the proxy server is configured to use?
    • Is this an HTTP based proxy?
    • Does it require login credentials?

     

    If it does require login credentials, which format does it require?

     

    Typically the first thing that should be checked is the Proxy Configuration.  If possible it is best to configure the Proxy Server to allow the Core to bypass it entirely. 

    The Proxy Information must be filled out in the Proxy tab within the Download Updates tool if a Proxy is to be used.

    In addition, it may be necessary to configure the Proxy information within Internet Explorer: (Internet Options --> Connections tab --> LAN settings --> Proxy Server)

     

    Again, connectivity issues to the Ivanti Patch Servers are almost ALWAYS the issue.  Proxies, Internet caching appliances, etc. are quite often to blame.

     

     

    Patch Content Servers - DNS Resolution

     

    There are three different patch content servers. DNS on the core server must be able to resolve these hostnames:

     

    • US West Coast (patch.LANDESK.com)
    • US East Coast (patchec.LANDESK.com)
    • EMEA (patchemea.LANDESK.com)

     

    Ideally, *.landesk.com and *.shavlik.com should be reachable in both directions.

     

    • *.landesk.com
    • *.shavlik.com
    • Various vendor patch URLs as detailed in this article.

     

    Windows Certification Authority URLs

     

    These URLs should also be reachable by the core, to make sure the certificates are kept up to date:

     

    • *.digicert.com
    • *.geotrust.com
    • *.verisign.com
    • *.symcb.com

     

    Ivanti Antivirus URLs used

     

    If using Ivanti Antivirus, the following URLs will be used for pattern file downloads:

     

    [1-9] and [01-19] denote separate entries such as http://downloads1.kaspersky-labs.com and http://dnl-01.geo.kaspersky.com.

    Open Ports

     

    The following ports need to be allowed to the core server:

    • Port 80 (for access to patch download URLs)
    • Port 21 (for access to patch downloads from FTP sources)
    • Port 443 (for secure HTTPS access to the patch content servers)
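
    The following is an added example, not Ivanti code: run on the core server, it checks DNS resolution and direct outbound TCP reachability on ports 80 and 443 for the three patch content servers listed above. The function name Test-TcpPort and the 5-second timeout are assumptions; only .NET classes are used so it also runs on older PowerShell versions.

```powershell
# Hostnames and ports are the ones listed in this article.
# Port 21 is for vendor FTP sources, whose hostnames are not listed on this page,
# so it is not tested here.
$ContentServers = 'patch.LANDESK.com', 'patchec.LANDESK.com', 'patchemea.LANDESK.com'
$Ports          = 80, 443
$TimeoutMs      = 5000   # assumption: 5 second connect timeout

function Test-TcpPort {
    # Hypothetical helper: returns $true if a TCP connection opens within the timeout.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused or reset
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($server in $ContentServers) {
    # Step 1: DNS resolution, using the core server's configured resolver.
    try {
        $addresses = @([System.Net.Dns]::GetHostAddresses($server) |
                       ForEach-Object { $_.IPAddressToString })
    } catch {
        $addresses = @()
    }
    $resolved = $addresses.Count -gt 0

    # Step 2: direct TCP connect to each port (skipped when the name does not resolve).
    foreach ($port in $Ports) {
        $reachable = $false
        if ($resolved) {
            $reachable = Test-TcpPort -HostName $server -Port $port -TimeoutMs $TimeoutMs
        }
        New-Object PSObject -Property @{
            Server = $server; Resolved = $resolved; Addresses = ($addresses -join ', ')
            Port   = $port;   Reachable = $reachable
        }
    }
}
$results | Sort-Object Server, Port |
    Format-Table Server, Resolved, Addresses, Port, Reachable -AutoSize
```

    A host that resolves but is not reachable on 80 or 443 points to a firewall, or to an environment where traffic must go through the proxy configured in the Download Updates tool. This test connects directly and does not use that proxy.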

     

     

    Proxy login credential formats:

    - DOMAIN\username
    - username
    - [email protected]

     

    Some proxy servers require authentication protocols not supported by Ivanti (such as NTLMv2, etc.).

     

     

    Vulnerability content category not showing up in the Download Updates window

     

    The following steps should be followed:

     

    1. From the Start menu on the core server go to All Programs --> Ivanti --> and run "Core Server Activation"
    2. Within the "Activate Ivanti Core Server" utility click on "Licenses"
    3. Compare the licenses listed with your licensing agreement.  Are any expired?  Do you have all of the licenses you expect to have?
    4. Reactivate the core server by clicking on "Activate"

     

    If anything is missing, incorrect (such as product version is wrong), or shows as expired you should reactivate your core server.

     

    From within the Core Server Activation Tool, make sure the Contact Name and Password are correct and click "Activate".

     

    If you have reactivated and the information still does not appear correct, contact Ivanti Support to investigate further.  If either is expired, contact your Sales Representative or the Licensing Queue at Ivanti Support for further assistance.  This can be done through the Self Service Portal or via Telephone.

     

    It is advisable to provide Ivanti Support with a screenshot of the Licensing screen from the Core Activation Utility.

     

    A particular vendor's updates fail to download - Likely Proxy configuration required

     

    If a particular vendor's updates fail to download (for example Adobe, Java, etc), this is most likely due to a proxy or other internet appliance configuration.

     

    The proxy or Internet appliance must be configured to allow the core server access to various vendor download sites, both on HTTP and FTP.

     

    For a complete list of the URLs used by Ivanti patch content, consult this article.

     

    How to exclude scanning of patches from a certain vendor

     

    For patches that are already in the Scan folder that are from the vendor you wish to exclude:

     

    1. In the "Find" section put in the name of the vendor you wish to exclude and then under "In column" select "Vendor"
    2. Select all of the vendor patches that show as a result of the search, and then drag them into the "Do Not Scan" folder.

     

    To automatically assign the unwanted vendor patches to the "Do not scan" folder as they are downloaded:

     

    1. Click the "Download updates" tool. (Yellow diamond with black down arrow).
    2. Under "Definition Grouping" click the "Definition group settings" button. 
      The definition grouping option is not available in SP2 or earlier; it is a feature added with the Patch Manager component patch.
    3. Click "New" to define a new filter.
    4. Select "Vulnerability" under "Definition Type" and "Any" under "Severity"
    5. Under "Comparison" select "Vendor" and "equals" and put in the vendor name you wish to exclude.

     

    Patch storage folder resetting back to defaults


    See the article Patch Download Settings - custom settings reverted back to original options

     

    How to change the default patch download location

     

    See the article How to change the default Patch Location for Security and Patch Manager?

     

    How long will it take for Ivanti to release new vulnerability definitions?

     

    Security patch updates are generally available within a 48-hour window.

     

    Error "Hash for patch does not match with host. Discarding." when downloading content

     

    See article Error when downloading content "Hash for patch does not match with host. Discarding."

     

    Error: "Waiting for file lock" when downloading patch content

     

    When this error occurs, there is likely another update process that is still taking place, possibly from a scheduled task, or a previous download process has hung.

     

    Another possible cause is another user logged into the core server using Remote Desktop in a separate session.

     

    Typically closing and reopening the Management Suite console will resolve this error.

     

    If a Remote Desktop session is not being used or is being used in an Admin Session, and the Core Server has been rebooted and the error still does not go away, it is possible that there is a lock entry in the database that needs to be cleared.

     

    Within SQL Management Studio, connect to the Management Suite database, open the Query Tool, and do the following:

    select * from PatchSettings where Name like '%LOCK.UpdVulnLock%'

    If entries are returned, those rows should be deleted:

     

    In order to delete the rows, run the following query:

    delete from PatchSettings where Name like '%LOCK.UpdVulnLock%'

     

     

    Error: "Object does not match the specified SHA-256 hash"

     

    When trying to download definition updates through Patch and Compliance Manager, the download fails for all patches and one of the following errors is given:

     

    "Object does not match the specified SHA-256 hash" or "Signature is not valid, failed to download platform information"

     

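    To resolve this, uncheck the box "Verify definition signatures/hashes before downloading" on the Content tab of the Download Updates window. With this box unchecked, definitions are no longer verified against their signatures and hashes before download.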

     

    Error: "You have not specified a site from which to download updates" when downloading updates in Patch Manager

     

    See article Error: "You have not specified a site from which to download updates" when downloading updates in Patch Manager