11 Replies Latest reply on Aug 31, 2017 3:38 AM by phoffmann

    Failed to synchronize policy on machine

    paste88 Rookie

      Hello all,

      since a few days all of my software distribution tasks don't run anymore.
      When I run a scheduled task (policy-supported push) after a few seconds the status switches to 'Policy has been made available.' (return code 1001).
      'Push'-only taks immediatly fail with the result 'Cannot Find Agent' (return code 1110).

       

      The following lines are from the 'PolicyTaskHandler.exe.log' from the core:
      08/29/2017 14:53:26 INFO  15488:1     RollingLog : [Task: Temp Directory - 8/25/2017 8:31:53 AM, TaskID: 914, ProcID: 15488] : Discover: Discovering machine: [N0224] using it's known ip address [10.10.52.25]...
      08/29/2017 14:53:28 INFO  15488:1     RollingLog : [Task: Temp Directory - 8/25/2017 8:31:53 AM, TaskID: 914, ProcID: 15488] : Discover: Successfully discovered machine: [N0224]
      08/29/2017 14:53:28 INFO  15488:1     RollingLog : [Task: Temp Directory - 8/25/2017 8:31:53 AM, TaskID: 914, ProcID: 15488] : TargetMachineContainer.MachineTargetOS: Operating System is: [Microsoft Windows 7 Professional Edition, 64-bit] for machine: [N0224]
      08/29/2017 14:53:28 INFO  15488:1     RollingLog : [Task: Temp Directory - 8/25/2017 8:31:53 AM, TaskID: 914, ProcID: 15488] : TargetMachineContainer.MachineTargetOS: Operating System is: [Microsoft Windows 7 Professional Edition, 64-bit] for machine: [N0224]
      08/29/2017 14:53:28 INFO  15488:1     RollingLog : [Task: Temp Directory - 8/25/2017 8:31:53 AM, TaskID: 914, ProcID: 15488] : SyncPolicyTask: Synchronizing policy with the command: [C:\Program Files (x86)\LANDesk\LDClient\PolicySync.exe -taskid=914], to machine: [N0224]
      08/29/2017 14:53:29 INFO  15488:1     RollingLog : [Task: Temp Directory - 8/25/2017 8:31:53 AM, TaskID: 914, ProcID: 15488] : SyncPolicyTask: Failed to synchronize policy on machine: [N0224], RAXfer return code: [-2147023671], RAXfer exitcode: [0]
      08/29/2017 14:53:30 INFO  15488:1     RollingLog : [Task: Temp Directory - 8/25/2017 8:31:53 AM, TaskID: 914, ProcID: 15488] : HandlePre96Machines: Launching the legacy GlobalScheduler to handle pre 9.6 machines...
      08/29/2017 14:53:30 INFO  15488:1     RollingLog : [Task: Temp Directory - 8/25/2017 8:31:53 AM, TaskID: 914, ProcID: 15488] : HandlePre96Machines: Waiting for the legacy GlobalScheduler to finish processing...
      08/29/2017 14:53:45 INFO  15488:1     RollingLog : [Task: Temp Directory - 8/25/2017 8:31:53 AM, TaskID: 914, ProcID: 15488] : SetFinalTaskStatus: This is a policy-supported push task, final task status is [PULL_AVAILABLE]
      08/29/2017 14:53:45 INFO  15488:1     RollingLog : [Task: Temp Directory - 8/25/2017 8:31:53 AM, TaskID: 914, ProcID: 15488] : PolicyTaskHandler finished processing task, setting task status to [PULL_AVAILABLE]...

       

      And there are some suspicious lines in the 'serviceHost.log' on the client:
      Tue, 29 Aug 2017 14:53:29 1128: Service Host Started, Host N0224.mydomain.de:9594, Peer 10.10.10.5, IP Address 10.10.52.25
      Tue, 29 Aug 2017 14:53:29 1128: Public key path C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\certs
      Tue, 29 Aug 2017 14:53:29 1128: Cached certificate EXPIRED   cached(131484799977283932) now(131484848091530239)
      Tue, 29 Aug 2017 14:53:30 1128: Caching newly created certificate
      Tue, 29 Aug 2017 14:53:30 1128: SSL Handshake failed -1
      Tue, 29 Aug 2017 14:53:30 1128: Service host has finished
      Tue, 29 Aug 2017 14:54:13 1312: EOF encountered parsing HTTP headers, client closed connection.
      Tue, 29 Aug 2017 14:54:13 1312: Service host has finished

       

      Can anyone help me?
      We're using LDMS 2016.

       

      Best regards from Germany,
      Jens

        • 1. Re: Failed to synchronize policy on machine
          paste88 Rookie

          I just figured out, that when I manually execute the 'PolicySync.exe' the task runs successfully.

          • 2. Re: Failed to synchronize policy on machine
            masterpetz ITSMMVPGroup

            Hi Jens,

             

            can do the push again and check the raxfer.log on the core. You can find it under "C:\ProgramData\LANDesk\Log\raxfer.log". Maybe you find more valuable infos there.

            Are other actionss from core to the client possible like Inventory Scan or Vulnerability Scan through the console?

             

            Best regards back from Germany

            Christian

            • 3. Re: Failed to synchronize policy on machine
              paste88 Rookie

              Hi Christian,

               

              there are no corrent entries in the raxfer.log (the last entry is over a month ago).

               

              Inventory Scan or Patch an compliance scan also Fails, when executed from the console:

              2017-08-30 08_17_10-Status of requested actions.png

               

              Again, when I execute the scan on the Client, it works...

              Remote Control is also workin fine (but only HTML remote control).

              • 4. Re: Failed to synchronize policy on machine
                masterpetz ITSMMVPGroup

                Hi Jens,

                 

                then I would say something is wrong with your certificate. Can you check on the core, if your devices (NO224) has an approved certificate? To check this, open "Konfigurieren - Clientzugriff" and check, if your devices are under "Nicht genehmigt". If so, mark them and choose "Ausgewählte genehmigen" and try again.

                 

                Kind regards

                Christian

                • 5. Re: Failed to synchronize policy on machine
                  paste88 Rookie

                  I already checked that. The client is 'Approved'.

                   

                  I have deleted the client from list and retrieved a new certificate.

                  Unfortunately still the same problems.

                  • 6. Re: Failed to synchronize policy on machine
                    masterpetz ITSMMVPGroup

                    Can you check if the core certificate file ( .0) on the client under "C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\certs" and core under "C:\Program Files\LANDesk\ManagementSuite\ldlogon" are the same and present on the client?

                     

                    Regards

                    Christian

                    • 7. Re: Failed to synchronize policy on machine
                      paste88 Rookie

                      Yes, the certificate is present and is the same.

                      • 8. Re: Failed to synchronize policy on machine
                        masterpetz ITSMMVPGroup

                        Hi Jens

                         

                        did you try to reinstall the agent on one of your affected machines and then test again?

                        In your initial post you wrote "since a few days" which indicates everything works fine before. Did you change anything? Microsoft updates, Ivanti Updates on the core? Does it affect all devices or only some devices?

                         

                        Kind regards

                        Christian

                        • 9. Re: Failed to synchronize policy on machine
                          paste88 Rookie

                          Hi Christian,

                           

                          Yes, I reinstalled the Agent. In fact, I reinstalled the whole machine :-)

                          At the Moment all machines that I have tested are affected.

                           

                          I uninstalled the latest Microsoft Updates on the core Server and the client.

                          This problem drives me crazy...

                           

                          Best regards

                          Jens

                          • 10. Re: Failed to synchronize policy on machine
                            masterpetz ITSMMVPGroup

                            Hi Jens,

                             

                            I can believe this drives you crazy...:-)

                            Can you open the "Diagnose" through the right click menu of a affected device and choose "Echtzeiterkennung". What did you get in the result window?

                            By the way, I would suggest to open a ticket with Ivanti support too, maybe they can help you a bit faster...

                             

                            Kind regards

                            Christian

                            • 11. Re: Failed to synchronize policy on machine
                              phoffmann SupportEmployee

                              One thing I'd always suggest keeping an eye on - when the client says that policy sync fails (granted, not seen an issue with SSL handshakes before), check what the Core side has to say. Specifically, the "ApmService.dll.log" (usually in -- "C:\Program Files\LANDesk\ManagementSuite\log\") for that client request. It *CAN* be a useful reference / provide more info.

                               

                              For instance, with this error - Error: "Signature Verification Failed" from PolicySync.exe - it was actually the Core-side log that led me to figuring out what was wrong (see my comments at the end of the article, as I stumbled into a slight variation of this issue).

                               

                              Also - turning on debug logging can be helpful (start with the client, then add the Core if needed). As per here -- How to enable Xtrace Diagnostic Logging -- check my comment (at the end of the article) for a copy & pasteable .reg-file for the client.

                               

                              NOTE - client & Core components have their logging set up in different parts of the registry (Core is 64-bit, client is still 32-bit because of certain reasons). That's mentioned in the XTrace article, but just pointing it out as it's something easily overlooked .

                               

                              Also - what version of 2016 are you on? Are you talking 2016.0 or 2016.3? What about Service Updates? Would help knowing roughly how up-to (or out-of) date you are. Also - did anything else change recently in your org?

                               

                              For example, I've had a customer "panic" a few years ago because "magically" all Win-consoles refused to work all of a sudden one day. We spent the entire day trying to figure out where that was coming from ... next day, they figure it out overnight. Some dumb consultant twit had changed a company-wide GPO in another GEO (without change-control, communications and so on) which had broken the LDMS consoles. Needless to say, they weren't very happy with that consulatant -- but the point of the story is that when things "just break" suddenly like that, it tends to be either some new M$ patch (as of late, anyway), a new Microsoft edition for Win-10, and/or "someone" playing with large environmental things, like GPO's.

                               

                              Hope this helps / gives you a few pointers to check up on.