Troubleshooting brokerconfig.exe "Send Request" and "Test" failures from client connecting through CSA

Version 15

    Verified Product Versions

    Endpoint Manager 2016.x
    Endpoint Manager 2017.x
    Endpoint Manager 2018.x

    Purpose

    The purpose of this document is to help Ivanti Endpoint Manager administrators troubleshoot why off-network devices are having trouble connecting to the core via the Cloud Services Appliance (CSA). This document focuses on what can be checked on the client by listing common errors seen when running \LANDesk\LDClient\BrokerConfig.exe.

     

    The "Send Request" and "Test" buttons display most of the output used for troubleshooting. For a description of exactly what each of those buttons does, see the screenshot below:

     

    The second log used in this document and its sub-documents is C:\Program Files (x86)\LANDesk\Shared Files\proxyhost.log, found on the client. Whenever the client tries to reach the CSA, it writes to this log.

     

     

    Successful return

    This is what is returned in the best-case scenario.

     

    Send Request:

    Successful "Send Request" proxyhost.log:

     

    2018-12-05 23:39:01(2736-4580) proxyhost.exe:FIPS mode = 1

    2018-12-05 23:39:01(2736-4580) proxyhost.exe:About to determine if we go direct: bRequestIsForCore = 1, g_core = JIMCORE20183.jbowden.local, host = JIMCORE20183.jbowden.local:80, headerHost = JIMCORE20183.jbowden.local

    2018-12-05 23:39:01(2736-4580) proxyhost.exe:Certificate/Key files unavailable or invalid C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\broker\broker.crt C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\broker\broker.key internal.proxyhost.badcert

    2018-12-05 23:39:01(2736-4580) proxyhost.exe:Made direct (non-proxy) connection to glados.landesk.com

    2018-12-05 23:39:01(2736-4580) proxyhost.exe:Connect to CSA successfully with host = glados.landesk.com and IP = 172.16.253.35

    2018-12-05 23:39:01(2736-4580) proxyhost.exe:Call UpdateCSAROIFile() with numberofDirectConnectSuccess = 0 numberofDirectConnectFailure = 0  csaName = glados.landesk.com bCsaSuccess = 1

    2018-12-05 23:39:01(2736-4580) proxyhost.exe:127.0.0.1:50247 Connection close 0 0 0 0

    2018-12-05 23:39:01(2736-4580) proxyhost.exe:127.0.0.1:50247 - - [05/Dec/2018:16:39:01 -0700] "POST http://JIMCORE20183.jbowden.local/landesk/managementsuite/core/core.anonymous/ClientCertificateRequest.asmx HTTP/1.1" 200 1487 2310

    2018-12-05 23:39:01(2736-4580) proxyhost.exe:127.0.0.1:50247 EOS on request

     

    Test:

    Successful "Test" proxyhost.log:

     

    2018-12-05 23:35:02(5712-5788) proxyhost.exe:FIPS mode = 1

    2018-12-05 23:35:02(5712-5788) proxyhost.exe:Diagnostics started path C:\WINDOWS\temp\ldmg50238.diag

    2018-12-05 23:35:02(5712-5788) proxyhost.exe:About to determine if we go direct: bRequestIsForCore = 1, g_core = JIMCORE20183.jbowden.local, host = JIMCORE20183.jbowden.local:80, headerHost = JIMCORE20183.jbowden.local

    2018-12-05 23:35:02(5712-5788) proxyhost.exe:Made direct (non-proxy) connection to glados.landesk.com

    2018-12-05 23:35:02(5712-5788) proxyhost.exe:Connect to CSA successfully with host = glados.landesk.com and IP = 172.16.253.35

    2018-12-05 23:35:02(5712-5788) proxyhost.exe:Call UpdateCSAROIFile() with numberofDirectConnectSuccess = 0 numberofDirectConnectFailure = 0  csaName = glados.landesk.com bCsaSuccess = 1

    2018-12-05 23:35:02(5712-5788) proxyhost.exe:127.0.0.1:50238 Connection close 0 0 0 0

    2018-12-05 23:35:02(5712-5788) proxyhost.exe:127.0.0.1:50238 - - [05/Dec/2018:16:35:02 -0700] "POST http://JIMCORE20183.jbowden.local/landesk/managementsuite/core/core.anonymous/ClientCertificateRequest.asmx HTTP/1.1" 200 666 846

    2018-12-05 23:35:02(5712-5788) proxyhost.exe:127.0.0.1:50238 EOS on request
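A small parser for the proxyhost.log entries shown above, added here as an example (it is not Ivanti's code). It assumes the id pair in parentheses identifies one proxyhost.exe run, and it calls a run healthy only when the CSA connect line and an HTTP 200 response are both present; the sample input is constructed from this page's own "Send Request" log lines.

```python
import re

# Constructed input: four lines copied from the successful "Send Request" log on this page.
SAMPLE = r"""2018-12-05 23:39:01(2736-4580) proxyhost.exe:About to determine if we go direct: bRequestIsForCore = 1, g_core = JIMCORE20183.jbowden.local, host = JIMCORE20183.jbowden.local:80, headerHost = JIMCORE20183.jbowden.local
2018-12-05 23:39:01(2736-4580) proxyhost.exe:Certificate/Key files unavailable or invalid C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\broker\broker.crt C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\broker\broker.key internal.proxyhost.badcert
2018-12-05 23:39:01(2736-4580) proxyhost.exe:Connect to CSA successfully with host = glados.landesk.com and IP = 172.16.253.35
2018-12-05 23:39:01(2736-4580) proxyhost.exe:127.0.0.1:50247 - - [05/Dec/2018:16:39:01 -0700] "POST http://JIMCORE20183.jbowden.local/landesk/managementsuite/core/core.anonymous/ClientCertificateRequest.asmx HTTP/1.1" 200 1487 2310
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\((\d+-\d+)\) proxyhost\.exe:(.*)$")
CORE = re.compile(r"g_core = ([^,\s]+)")
CSA_OK = re.compile(r"Connect to CSA successfully with host = (\S+) and IP = (\S+)")
ACCESS = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3}) ')
# This marker also appears in the page's successful "Send Request" log,
# so it is recorded for review rather than treated as a failure.
BADCERT = "internal.proxyhost.badcert"


def summarize(log_text):
    """Group entries by the id pair in parentheses and report what each run reached."""
    runs = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line, or a line format this example does not know
        ts, run_id, msg = m.groups()
        run = runs.setdefault(run_id, {"first_seen": ts, "core": None, "csa": None,
                                       "badcert": False, "requests": []})
        if (c := CORE.search(msg)):
            run["core"] = c.group(1)          # core name the client asked for
        if (c := CSA_OK.search(msg)):
            run["csa"] = c.groups()           # (host, ip) of the CSA actually reached
        if BADCERT in msg:
            run["badcert"] = True
        if (c := ACCESS.search(msg)):
            run["requests"].append((c.group(1), int(c.group(2))))  # (url, HTTP status)
    for run in runs.values():
        # Assumption: healthy = CSA reached AND every proxied request returned 200.
        run["ok"] = bool(run["csa"]) and bool(run["requests"]) and all(
            status == 200 for _, status in run["requests"])
    return runs


if __name__ == "__main__":
    for run_id, run in summarize(SAMPLE).items():
        print(run_id, run)
```

Comparing the reported `core` and `csa` values against the intended core name and the CSA's external address gives a quick first check before working through the failure cases below.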

     

     

    Partial Success

    “Test” success, but Retrieve Certificate fails

    Solution:

    There are 3 separate common causes for this:

    • Copy the cert from the core server's C:\Program Files\LANDesk\Shared Files\Keys folder to the client's C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\certs folder.
    • If there are many copies or too many old certificates that are no longer being used, they may be corrupting what is already in the certs folder. Remove any old certificates that are no longer being used.
    • Make sure Local System has access to the C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\certs folder.

     

     

    Failed Returns

    Solution:

    The core name is wrong in the LDWM registry entry on the client

    • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\LANDesk\LDWM and replace the current "CoreServer" value with a different core server value. Try the FQDN, or just the host name of the core server, and see if the broker test connection succeeds. If it does, there is a DNS routing problem: the endpoint device is getting to the CSA, but the CSA is having difficulty routing to the core server. Whatever value succeeds, make it the default client connectivity setting in the agent settings on the core. A thorough review of DNS configuration in the environment will be required to correct this at the domain level.

     

    Another example of a similar error:

    Solution:

    • Client Access has not approved the client certificate on the core
      • Core server Management Suite console > Configure > Client Access > Check for blocked or unapproved devices
    • Ports 443/80 are blocked on the core server
    • If the "Landesk Management Gateway" service hasn’t been restarted on the core in a while, restarting it may help.

     

     

     

    Connection through management gateway failed 3 IO error

    Solution:

    This means that the core certificate on the device, located in C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\certs, has a bad "BrokerIP" value. Verify that the IP address is the correct external IP of the CSA.

     

     

    Another example of a similar error:

    Solution:

    Replace the IP address in the "CSA information" tab of brokerconfig.exe with the proper CSA external IP address.

     

     

     

    Another example of a similar error:

    Solution:

    • The CSA is powered off (in this case, a "Failed to retrieve certificate." message will appear when "Request Certificate" is pressed)
    • Client Access on the core server has blocked the client certificate (in this case, "Successfully retrieved certificate" will return)
      • Core server Management Suite console > Configure > Client Access > Check for blocked or unapproved devices

     

     

    Connection through management gateway failed 6 Name resolution error

    Solution:

     

     

     

    Blank output (Failure)

    Solution:

    The agent was deployed with an incorrect CSA entered in the agent configuration's client connectivity settings

      • Management Suite console > Agent Configuration > Client connectivity settings > Core information > "Core Address" may need to use the IP, host name, or FQDN of the core server, depending on the environment's DNS configuration. If one value isn't working, try a different one.
      • Management Suite console > Agent Configuration > Client connectivity settings > Cloud Services Appliance > Add the appropriate CSA to the "Selected items" column. If the CSA is not listed, then a CSA was not entered into Console > Configure > Manage Cloud Services Appliance.

     

    A correct configuration should look like the following: