11 Replies Latest reply on May 4, 2017 6:15 AM by Stephen Burke

    Different IP when brokering new CSA cert

    davidg5700 Specialist

      As part of my provisioning template, I have an action to broker the CSA cert.  All is successful and the .crt, .csr and .key files show up in the client's cbaroot\broker folder. 

       

      I took a freshly configured laptop home with me and tried running an inventory scan which failed.  I brought up the brokerconfig utility and tested it which failed.  When I checked the CSA information in the brokerconfig utility, I noticed that the IP address was not correct for the publicly facing IP of the CSA.  I corrected the address and was successful when testing the CSA connectivity through brokerconfig.

       

      On the core server, Configure - Manage Cloud Services Appliances tab shows the correct IP address for the CSA.  The client connectivity settings show the FQDN of the CSA.  Any ideas as to why this is happening and how I can correct this on the clients?

       

      LANDESK 9.6 SP2  CSA v4.3 with latest patches

        • 1. Re: Different IP when brokering new CSA cert
          JoeDrwiega SupportEmployee

          What is in your broker.conf.xml or your proxy.state.xml? Also see if this doc helps: Unattended configuration of client for the Cloud Services Appliance

          • 2. Re: Different IP when brokering new CSA cert
            davidg5700 Specialist

            Broker.conf.xml:

            <?xml version="1.0" encoding="UTF-8" standalone="yes"?>

            <broker><proxyCredentials>Og==</proxyCredentials><proxy/><csa_lastfailedtimestamp/><csa_lastfailed/><host>csa.domain.com</host><ipaddress>bad.ip.add.r</ipaddress><csa_usagepolicy>0</csa_usagepolicy><order>0</order>

             

            Proxy.state.xml

            <?xml version="1.0" encoding="UTF-8" standalone="yes"?>

            <state>

              <LastGoodAddr>core.internal.ip.addr</LastGoodAddr>

              <LastBadAddr>0.0.0.0</LastBadAddr>

              <TimeStamp>1442603181</TimeStamp>

            </state>

             

            I am executing a brokerconfig.exe -r command as an execute file action in the system config pass of the template. 

             

            I have looked at the .lng file method, but it was easier to do the brokerconfig method.

            • 3. Re: Different IP when brokering new CSA cert
              JoeDrwiega SupportEmployee

              Does your broker.conf.xml have your correct CSA info in it? It doesn't look like it: <ipaddress>bad.ip.add.r</ipaddress>. Can you delete this file as well as the others and run brokerconfig.exe /r again? Also, when you ping your CSA, does it resolve in DNS? Also check in Configure - Manage Cloud Services Appliances: is your CSA set as your default?

              • 5. Re: Different IP when brokering new CSA cert
                Frank Wils ITSMMVPGroup

                Check C:\Program Files\LANDesk\Shared Files\Keys

                 

                Look which .0 file is referenced in the protect.ini

                Open that .0 file in the same dir in Notepad

                What is listed in there as Broker IP?

                 

                Frank

                • 6. Re: Different IP when brokering new CSA cert
                  davidg5700 Specialist

                  Joe,

                  Sorry, I had forgotten to mention in my response that I removed the actual IP and replaced it with "bad.ip.add.r".  I only have one entry in Configure - Manage Cloud Services Appliance and it is the correct IP.  DNS is correct for the CSA because I am able to get to the admin page entering the name.  From the document you linked, it seems that the IP in broker.conf.xml is used when running BrokerConfig.exe.  If I change the address in the GUI and hit the update button, it will correct the IP in broker.conf.xml.

                   

                  Frank,

                  I was unable to find either the directory or the protect.ini file, but the hash.0 file in C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\certs shows the correct IP on the Broker IP line.

                   

                  The document also lists the order in which the client uses the files to establish a connection and the last one it looks to is the hash.0 file, which is the only one with the correct IP.  It also says that the broker.conf.xml is not created by default, but does seem to be created by default in my environment.

                   

                  The clients are getting the wrong broker.conf.xml, but everything seems to point to the correct IP on the core.  I could replace this file on the clients, but that wouldn't correct what is causing the clients to get the wrong broker.conf.xml in the first place.  What is the best way to fix this?

                   

                  Thanks for your help.

                   

                  Edit:  I just removed the agent from a laptop and reinstalled it without running BrokerConfig.exe afterwards.  The broker.conf.xml was created with the incorrect IP address.

                  • 7. Re: Different IP when brokering new CSA cert
                    JoeDrwiega SupportEmployee

                    The answer is yes, if you change the address in the GUI and hit the update button, it will correct the IP in broker.conf.xml. I would run it and verify it does so. How to: Manually Request a Broker Certificate with BrokerConfig.exe

                    If this works you might need to create a policy package to update all your clients with this file.

                     

                    Can you check to see if your OS image may have the bad xml or info in it because I have had that issue happen once before.

                     

                    I would restart your LANDesk gateway service and then rebuild all your agents configurations then uninstall and re-install the agent.

                     

                    Also an old school way some used to enforce the CSA IP was in the Image Path of this regkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ISSUSER so just make sure the IP isn't in there as well.

                    • 8. Re: Different IP when brokering new CSA cert
                      nrasmussen SupportEmployee

                      You may need to look at the ClientConnectivityBehavior xml files on the core to ensure they are properly configured.

                       

                      The clientconnectivitybehavior files will be in ldlogon\agentbehaviors\{name}; it's talked about in this doc: https://community.landesk.com/support/docs/DOC-31826

                      • 9. Re: Different IP when brokering new CSA cert
                        davidg5700 Specialist

                        I had originally looked at the Client Connectivity Behavior setting in the Agent Settings tool and the CSA was referred to by the FQDN, but no reference to the IP address. 

                         

                        At your suggestion, I looked at the corresponding xml file and that contained the wrong IP address.  I fixed the xml file, but that will only take care of newly brokered machines. 

                         

                        I made a slight insignificant update (uppercased the domain name of the core server) in the default Client Connectivity setting to change the version number.  I am hoping that this is one of the settings that doesn't require a new agent push and that agents will pick this up when they check in.

                        • 10. Re: Different IP when brokering new CSA cert
                          nrasmussen SupportEmployee

                          If you have a machine in the broken state you can try pushing an agent settings update to it.  This should correct the xml at the client side.  So you shouldn't have to re-install the whole agent.

                           

                          Thanks,

                          Nick R

                          • 11. Re: Different IP when brokering new CSA cert
                            Stephen Burke Apprentice

                            From https://community.landesk.com/support/docs/DOC-31826

                            3) Open, verify and save all the Connectivity settings used by the remote managed devices. This will update the related XML file in the %LDMS_HOME%\ldlogon\AgentBehaviors (C:\Program Files\LANDesk\ManagementSuite\ldlogon\AgentBehaviors) with the new appliance's IP.

                             

                            Note: Update the default ClientConnectivityBehavior.xml. Failure to update this will result in the Brokerconf.xml repeatedly reverting to the old CSA IP.

                            There may be several ClientConnectivityBehavior.xml files. Either edit all of them to show the new CSA IP address or verify that you have modified the one that is actually being used as default via LDMS Console > Agent Configuration > Properties > Client connectivity > Configure.

                            This appears to be broken. If I open and save connectivity settings, the XML file (even though the date changes) does not get updated with the correct IP address. In fact, if I manually change the IP in the XML and then "save" the connectivity settings from the console it puts the bad IP address back into the XML. I have tried with multiple connectivity settings (different CSA IPs) on multiple cores (9.6 & 2016.3). They all revert to whatever IP address was originally in the XML.

                             

                            Can anyone else verify this behavior?
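
A client-side check for the symptom discussed in this thread, as an added example that is not part of any post and is not LANDESK code: it reads the `<host>` and `<ipaddress>` elements shown in the posted broker.conf.xml and reports whether the cached CSA IP matches the one the core is configured with. The function name, status values, and sample addresses are assumptions made for this example.

```powershell
# Added example, not LANDESK code. <host> and <ipaddress> are the element names
# shown in the broker.conf.xml posted earlier in this thread.
function Test-BrokerConfAddress {
    param(
        [Parameter(Mandatory)] [string] $XmlText,    # contents of broker.conf.xml
        [Parameter(Mandatory)] [string] $ExpectedIp, # CSA IP the core is configured with
        [switch] $ResolveHost                        # also record what DNS returns for <host>
    )
    $result = [ordered]@{ Status = $null; CsaHost = $null; CachedIp = $null; DnsIps = @() }
    try { $doc = [xml]$XmlText }
    catch {
        # Truncated or hand-edited file: report it instead of skipping the client.
        $result.Status = 'Unparseable'
        return [pscustomobject]$result
    }
    $result.CsaHost  = [string]$doc.broker.host
    $result.CachedIp = [string]$doc.broker.ipaddress

    $cached   = $null
    $expected = [System.Net.IPAddress]::Parse($ExpectedIp)
    if (-not [System.Net.IPAddress]::TryParse($result.CachedIp, [ref]$cached)) {
        $result.Status = 'NoValidIp'      # element missing, empty, or not an address
    } elseif ($cached.Equals($expected)) {
        $result.Status = 'Match'
    } else {
        $result.Status = 'Stale'          # client will try the wrong appliance address
    }
    if ($ResolveHost -and $result.CsaHost) {
        try {
            $result.DnsIps = @([System.Net.Dns]::GetHostAddresses($result.CsaHost) |
                               ForEach-Object { $_.ToString() })
        } catch { $result.DnsIps = @() }  # name does not resolve from this network
    }
    [pscustomobject]$result
}

# Constructed sample using documentation-range addresses, modelled on the posted file.
$sample = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
          '<broker><host>csa.example.com</host><ipaddress>192.0.2.10</ipaddress>' +
          '<order>0</order></broker>'
Test-BrokerConfAddress -XmlText $sample -ExpectedIp '203.0.113.25'

# On a client, pass the real file instead (path is a placeholder):
# Test-BrokerConfAddress -XmlText (Get-Content -Raw '<path to broker.conf.xml>') -ExpectedIp '<CSA IP>' -ResolveHost
```

Running it again after an agent settings update shows whether the client-side file was actually corrected or has reverted to the old address.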