Troubleshooting: Impossible to Remote Control because it is grayed out on the LDMS Console

Version 21

    Verified Product Versions

    LANDESK Management Suite 9.5LANDESK Management Suite 9.6LANDESK Management Suite 2016.x



    Section 1: What are we troubleshooting?


    When you select a device in the LDMS Console on Network View section, you right click it and the Remote Control is greyed out or not available. The agent configuration deployed on this machine includes the Remote Control though.

    Even after leaving the device selected more than 1mn, the device icon looks like Normal.png or Forbidden.png and you are wondering why?


    This article is going to help you to determine why and how to get the expected icon ExpectedRC.png in order to successfully remote control it.

     

     

    Section 2: Why is the Remote Control not possible even if the Remote Control Agent Status is loaded?


    Remote Control is not available because the Common Base Agent Status is Not Loaded (see below). And many reasons can lead to this situation as we will see below.

    AgentStatus.png


    Section 3: How to use this article to troubleshoot it?

     

    This is really easy and straightforward. In Section 3a, you need:

     

    1. To look first at the 3 green "RESULTS" columns and identify which case(s) you are currently on:
      1. From the Core Server or the Remote Console, type the following URL on your web browser: http://<CLIENT>:9595/allowed/ldping
      2. When pointing on the client from the LDMS Console, after 30-45s, look at the icon appearing next to the client concerned
      3. On the LDMS Console, right-clik on the client and choose Properties, then go on "Agents" tab, and look at the icon appearing next to "Common Base Agent Status"
    2. Once you have identified your situation, for each Case Ref Number, in Section 3b, you have an explanation with some solution(s)

     

    • Section 3a: Which parameters can prevent Remote Control being available and what's the response?

     

    In the table below, you will see on the left, the 7 main parameters which could prevent or not you from Remote Controlling the client. On the right, you can see the answers on 3 different marker tests. The combination of both will help you to quickly understand which may explain your own situation.

    TEST.pngTEST2.png


    • Section 3b: Case descriptions and Solutions:

     

      • Case 1: LANDesk Discovery process analysis WITHOUT the "Use DNS" checked - Remote Control OK - How does it look like in Wireshark?


                        The successful test is described in the Wireshark test below with its 4 steps (See picture on the left). You can also see the result of the "http://<CLIENTIP>:9595/allowed/ldping" done on the Core Server / Remote Console (See picture on the right). You can also do it on your own from an Internet Browser.

                        TEST1_LDPingTest.pngLDpingTest1_Results.png


      • Case 2: LANDesk Discovery process analysis WITH the "Use DNS" checked - Remote Control OK - How does it look like in Wireshark?

                      

                        For this test, this is the same one than described in Case 1, except the box "Use DNS" in Agent Status Option has been checked. The successful test shows that the LDPing test doesn't request to the IP address but the FQDN of the machine (See below).

                        TEST2_DNSWireshark.png

              NOTE: Be careful, the local DNS cache could hold an old entry that you can get rid of by applying in a CMD prompt "ipconfig /flushdns" from the Core Server or the Remote console. There could also be a DNS cache on the DNS Server or somewhere on the DNS infrastructure.


      • Case 3: LANDesk Discovery process analysis with ICMP (Ping) protocol BLOCKED on the Client - Remote Control OK

          For this test, the ICMP (Ping) protocol has been blocked on the Client otherwise this is similar to Case 1. When the ping is not possible onto the IP address of the client from the Core Server / Remote Console, it should lead to the following icon; Forbidden.png. But in that precise case, the Console ignores this information and continues to do the LDPing and port tests as decribed in the Case 1.

     

      • Case 4: LANDesk Discovery process analysis with LDPing.dll corrupted/renamed - Remote Control Not OK

                        For this test, Ping is possible hence we don't get the icon Forbidden.png. But the LDPing.dll on the client has been corrupted or renamed. The "http://<CLIENTIP>:9595/allowed/ldping" done from the Core Server / Remote Console gives the following result;

                        TEST4_IE Test_Printscreen Result.png

              SOLUTIONS:

          • Replace the local file ldping.dll (Located on each client in C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\allowed\ folder) from another client where it works
          • Deploy again the agent onto the client


      • Case 5: LANDesk Discovery process analysis with 2 UniqueID registry keys on the client differs from the Device ID inventory key on the LDMS Console - Remote Control Not OK

                         For this test, Ping is possible hence we don't get the icon Forbidden.png. But the Device ID on the root of the inventory for this machine is not the same than the 2 registry keys, UniqueID, registered on the client. And the "http://<CLIENTIP>:9595/allowed/ldping", done from the Core Server / Remote Console, answers fine but the GUID is missing (See below);


                        TEST5_HTTPAnswer.png


              SOLUTIONS:

          • Run an inventory for this machine and check the last inventory scan once done on the LDMS Console to see if that's the correct one
          • Delete the machine from the LDMS Console in Network View and Deploy again the agent onto the client


      • Case 6: LANDesk Discovery process analysis with ICMP (Ping) and port 9595 BLOCKED on the client - Remote Control Not OK


                        For this test, ICMP protocol (ping) has been blocked, hence the icon Forbidden.png,and port 9595 has been blocked as well onto the client. And the "http://<CLIENTIP>:9595/allowed/ldping" done from the Core Server / Remote Console gives the following result;

                        TEST6_Http test.png


              SOLUTIONS:

          • Open the 9595 ports "inbound/outbound" onto the client and/or Remote console / Core Server


      • Case 7: LANDesk Discovery process analysis with LDPing.dll corrupted/renamed and ICMP (ping) BLOCKED - Remote Control Not OK

                        For this test, ICMP protocol (ping) has been blocked, hence the icon Forbidden.png and the LDPing.dll on the client has been corrupted or renamed. The "http://<CLIENTIP>:9595/allowed/ldping" done from the Core Server / Remote Console gives the following result;

                        TEST7_HTTPResult.png


              SOLUTIONS:

          • Replace the local file ldping.dll (Located on each client in C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\allowed\ folder) from another client where it works

     

      • Case 8: LANDesk Discovery process analysis with port 9595 BLOCKED on the client - Remote Control Not OK

                        For this test, Ping is possible hence we don't get the icon Forbidden.png. But the port 9595 has been blocked. The "http://<CLIENTIP>:9595/allowed/ldping" done from the Core Server / Remote Console gives the following result;

                        TEST6_Http test.png

     

              SOLUTIONS:

          • Open the 9595 ports "inbound/outbound" onto the client and/or Remote console / Core Server


      • Case 9: LANDesk Discovery process analysis with a proxy server on the Client / Remote Console / Core Server - Remote Control Not OK

                        For this test, a proxy is a very generic term and can block a multiple of things. But it does block the traffic somehow.


              SOLUTIONS:

          • You need set up the proxy server in order to be sure to get the same result than for Case 1 for the "http://<CLIENTIP>:9595/allowed/ldping" test done from the Core Server / Remote Console without any manual intervention like a click on a button to validate something (Our system is not able to do that)


      • Case 10: LANDesk Discovery process analysis WITH the "Use DNS" checked and impossibility to resolve the FQDN of the client machine into IP address - Remote Control Not OK

                        For this test, the FQDN of the machine can't be resolved and any ping will be possible neither, hence the icon Forbidden.png, plus the "http://<CLIENTIP>:9595/allowed/ldping" test won't even happen. To know if the DNS doesn't answer, just run a CMD prompt from the Core Server / Remote Console; "nslookup <MachineFQDN>" and see if it does answer the right IP address.


              SOLUTIONS:

          • Check if the DNS Server is on and can serve, delete all the DNS cache
          • Don't use the "Use DNS" box in the Agent Status Option of your LDMS Console

     

      • Cases 11/12: LANDesk Discovery process analysis WITHOUT/WITH the "Use DNS" checked and the WRONG Device Name (LDMS Inventory) different from the real Hostname of the machine - Remote Control Not OK

                        For this test, the Device Name of the client in the inventory is wrong and doesn't correspond to the one's registered in the AD / DNS entries. Ping is possible and tested hence we don't get the icon Forbidden.png but the "http://<CLIENTIP>:9595/allowed/ldping" test won't even happen.

     

              SOLUTIONS:

          • Run the inventory from the client itself
          • Delete the machine from the LDMS Console in Network View and Deploy again the agent onto the client

     

      • Case 13: LANDesk Discovery process analysis WITH the "Use DNS" checked and the WRONG Device Name (LDMS Inventory) different from the real Hostname of the machine - Remote Control Not OK

                        For this test, the Hostname of the machine has been changed but doesn't correspond to the ones registered in the LDMS inventory, though IP address and Device ID / UniqueID registry keys are the same. Ping isn't possible hence we get the icon Forbidden.png but the "http://<CLIENTIP>:9595/allowed/ldping" test won't even happen.

     

              SOLUTIONS:

          • Run the inventory from the client itself
          • Delete the machine from the LDMS Console in Network View and Deploy again the agent onto the client


      • Case 14: LANDesk Discovery process analysis WITH the "Use DNS" checked and the WRONG Device Name (LDMS Inventory) different from the real Hostname of the machine - Remote Control Not OK

                       

                        For this test, Ping is possible hence we don't get the icon Forbidden.png. if you look at the log file on the relevant client "C:\ProgramData\LANDesk\Log\servicehost.log", you will find this error: "Anonymous user impersonation, failed to get the Logon CBA Anonymous user (error 569)"

                        The "http://<CLIENTIP>:9595/allowed/ldping" done from the Core Server / Remote Console gives the following result;

                        TEST6_Http test.png

     

              SOLUTIONS: