8 Replies Latest reply on Aug 30, 2016 4:31 AM by deactivateduser20

    Policys fail to be picked up within LDMS 2016 via the vCSA

    Rookie

      When trying to pull policies from the remote core server via the vCSA. Nothing happens. both by running policysync.exe and by refreshing the portal. No task xmls are being downloaded.

       

      Inventory and security scans can interract with the core via the vCSA without issue.

       

      The following error can be seen in the proxyhost.exe.log after a policy sync:

      2016-08-22 15:42:03(1736-2136) proxyhost.exe:Call UpdateCSAROIFile() with numberofDirectConnectSuccess = 0 numberofDirectConnectFailure = 1  csaName =  bCsaSuccess = 1

      2016-08-22 15:42:03(1736-2136) proxyhost.exe:127.0.0.1:49557 Unable to start session with bps-core:80 internal.proxyhost.directfailed sessionrc=3

      2016-08-22 15:42:03(1736-2136) proxyhost.exe:Made direct (non-proxy) connection to xx.xx.xx.xx

      2016-08-22 15:42:03(1736-2136) proxyhost.exe:Connect to CSA successfully with host = xx.xx.xx.xx and IP = xx.xx.xx.xx

      2016-08-22 15:42:03(1736-2136) proxyhost.exe:Call UpdateCSAROIFile() with numberofDirectConnectSuccess = 0 numberofDirectConnectFailure = 0  csaName = xx.xx.xx.xx bCsaSuccess = 1

      2016-08-22 15:42:03(1736-2136) proxyhost.exe:127.0.0.1:49557 Connection close 0 0 0 0

      2016-08-22 15:42:03(1736-2136) proxyhost.exe:127.0.0.1:49557 - - [22/Aug/2016:16:42:03 0000] "POST http://landesk/ApmService/PolicyRequest.asmx HTTP/1.1" 200 784 1792

      2016-08-22 15:42:03(1736-2136) proxyhost.exe:127.0.0.1:49557 Connection terminated reading request line for socket 4 error code -2

       

      There is no domain in the environment therefore the COM+ objects are still running as LANDESKComPllus and the scheduler account is running as local system.

       

      Other devices, including LDMS 9.5 client have errored with the above as well as working without issue.

       

      If I run policysync /taskid=xxx with the specific task ID then the policy is downloaded and executed wihtout issue.

       

      I've tried rebuilding the client side database but an unsure as to whether this is still used. If so, when using the validate switch, the client errors with this message:

        • 1. Re: Policys fail to be picked up within LDMS 2016 via the vCSA
          wcoffey SupportEmployee

          Hi jrstellar,

           

          In 9.6 and newer, client side databases don't exist. The policies are downloaded and contained under ProgramData\Landesk\Policies. Is this behavior consistent with on-network devices? Can you append the policysync.log and policysync.exe.log file for review (programdata\landesk\log).

           

          -Will

          • 2. Re: Policys fail to be picked up within LDMS 2016 via the vCSA
            Rookie

            I thought as much in terms of the client side database. Strange that it exists on these clients unless the agent hasn't upgraded correctly. Removing the client side database does seem to change things a little in terms of what is displayed in the portal, however required tasks still aren't running.The device currently has one old executed policy, one required policy and one optional policy scheduled against it. Logs are below:

             

            PolicySync.exe.log:

            08/23/2016 09:33:00 INFO  2576:1 RollingLog : Run PolicySync.exe
            08/23/2016 09:33:00 INFO  2576:4 RollingLog : LoadLocalPolicyInfo: load local machine
            08/23/2016 09:33:00 INFO  2576:4 RollingLog : LoadLocalPolicyInfo: load user
            08/23/2016 09:33:00 INFO  2576:3 RollingLog : Request: Request policies
            08/23/2016 09:33:03 INFO  2576:3 RollingLog : Request: GetWebResponse ok
            08/23/2016 09:33:03 INFO  2576:3 RollingLog : Request: Has 1 targeted policies
            08/23/2016 09:33:03 INFO  2576:1 RollingLog : RunPolicySync: ProcessRequestedPolicies
            08/23/2016 09:33:03 INFO  2576:1 RollingLog : LoadLocalPolicyInfo: load local machine
            08/23/2016 09:33:03 INFO  2576:1 RollingLog : LoadLocalPolicyInfo: load user
            08/23/2016 09:33:03 INFO  2576:1 RollingLog : HandleRunNow: has 0 run now policies
            08/23/2016 09:33:03 INFO  2576:1 RollingLog : Exit PolicySync.exe with code 0

             

            PolicySync.log:

            Tue, 23 Aug 2016 09:33:00 GetLdapInfo: ldapwhoami.exe failed - err=1355

            Tue, 23 Aug 2016 09:33:00 GetLdapInfo: use cached logon info

            Tue, 23 Aug 2016 09:33:00 GetCachedInfo: QueryMultiStringValue failed ldap group info for Computer Groups - err=2

             

            ProxyHost.log:

            2016-08-23 08:33:00(2636-2628) proxyhost.exe:FIPS mode = 1

            2016-08-23 08:33:02(2636-2628) proxyhost.exe:Call UpdateCSAROIFile() with numberofDirectConnectSuccess = 0 numberofDirectConnectFailure = 1  csaName =  bCsaSuccess = 1

            2016-08-23 08:33:02(2636-2628) proxyhost.exe:127.0.0.1:49200 Unable to start session with landeskcore:80 internal.proxyhost.directfailed sessionrc=3

            2016-08-23 08:33:02(2636-2628) proxyhost.exe:Made direct (non-proxy) connection to xx.xx.xx.xx

            2016-08-23 08:33:02(2636-2628) proxyhost.exe:Connect to CSA successfully with host = xx.xx.xx.xx and IP = xx.xx.xx.xx

            2016-08-23 08:33:02(2636-2628) proxyhost.exe:Call UpdateCSAROIFile() with numberofDirectConnectSuccess = 0 numberofDirectConnectFailure = 0  csaName = xx.xx.xx.xx bCsaSuccess = 1

            2016-08-23 08:33:03(2636-2628) proxyhost.exe:127.0.0.1:49200 Connection close 0 0 0 0

            2016-08-23 08:33:03(2636-2628) proxyhost.exe:127.0.0.1:49200 - - [23/Aug/2016:09:33:03 0000] "POST http://landeskcore/ApmService/PolicyRequest.asmx HTTP/1.1" 200 784 2032

            2016-08-23 08:33:03(2636-2628) proxyhost.exe:127.0.0.1:49200 Connection terminated reading request line for socket 4 error code -2

            • 3. Re: Policys fail to be picked up within LDMS 2016 via the vCSA
              wcoffey SupportEmployee

              deactivateduser20. There lies your problem. In the PolicySync.log file we are have an issue getting the computer info from the registry: Tue, 23 Aug 2016 09:33:00 GetCachedInfo: QueryMultiStringValue failed ldap group info for Computer Groups - err=2

               

              Apply SU3 This is addressed in that Service Update. Here's the ReadMe outlining the defect/change made to mitigate this problem. https://community.landesk.com/downloads/Readme/Pages/LD2016-SU_2016-0511.html

               

              256596 Option "Allow LDAP resolution via CSA" doesn't work on LDAP machine group.

              • 4. Re: Policys fail to be picked up within LDMS 2016 via the vCSA
                Rookie

                I would say you are bang on the money however the server and client do have SU4 applied. It does kick in and sporadically work however it doesn't seem to have any consistancy. I'm open to any suggestions at this point as the manual execution of the portal refresh and policysync.exe manually seems to have no effect. It's as though only the locally scheduled policysync works.

                 

                Some more info, All devices are either workgroup or on separate domains to the Core server that is in a workgroup.

                • 5. Re: Policys fail to be picked up within LDMS 2016 via the vCSA
                  wcoffey SupportEmployee

                  deactivateduser20 we all hate inconsistencies. So if we are not on domain, let's make sure the targeted devices aren't being targeted via LDAP query. I would also log into one of the problem devices as a local admin and see if the issue still exist. If you are able to capture the occurrence via  process monitor trace (unfiltered)  I can review it.

                  • 6. Re: Policys fail to be picked up within LDMS 2016 via the vCSA
                    Rookie

                    Afraid I'm logged in to the device as local admin already and I'm also targetting the device via direct device add to the task, not LDAP query or even LDMS query.

                    • 7. Re: Policys fail to be picked up within LDMS 2016 via the vCSA
                      Rookie

                      To add further, the client configuration that I am currentl testing with isn't enabled for ldap enumeration specifically to try to prevent this error / irrelevant lookup of the device.

                       

                       

                      • 8. Re: Policys fail to be picked up within LDMS 2016 via the vCSA
                        Rookie

                        So after further investigation I worked out that the policies being picked up wasn't as random as first seen. Infact I could pretty much guess when a policy was going ot be available and run a policy sync just in time for it to run.

                         

                        The root cause? The clock time being wrong on the database server. I managed to replicate the issue in my pilot environment perfectly and was able to both cause and rectify the issue.

                         

                        I've since put a request in to the hosted environment provider to have this resolved!