14 Replies Latest reply on Apr 26, 2018 3:27 AM by mawinter

    Agent in subnet can not "connect"

    mawinter Rookie

      Hello everyone,

       

      i have installed a test installation of Ivanti Endpoint manager. The Setup and everything worked fine.

      I created a task to deploy the agent, and it worked. In the same subnet the devices are shown as connected.

      Though, devices in a different subnet are shown as not connected. The Connection is available, because the pushed agent installation succeeded and i can Ping the device and take remote control (from the Ivanti Console), and so on.

      It even recognized the Change of my IP Adress. But it is always shown as not connected. (see the screenshot below)

       

      Edit: Firewall and Antivirus are completely disabled on bot devices. (Core Server and Notebook in different Subnet)

       

      I searched, but haven't found anything in the Forum or in google.

       

      I hope anyone can help me with this issue.

       

      Thanks

      Max

        • 1. Re: Agent in subnet can not "connect"
          phoffmann SupportEmployee

          This should help you -- How to troubleshoot Agent Discovery .

           

          Chances are it's DNS or so that's causing us grief in trying to discover those agents.

           

          The article explains in quite some detail how the stuff works (and it may boil down to Wiresharking things to see where you're getting scuppered).

           

          That would be my first stop for that sort of thing .

          • 2. Re: Agent in subnet can not "connect"
            masterpetz ITSMMVPGroup

            Hi,

             

            I‘ve seen this at different customers and in most of the cases, it was a problem with Proxies. Did you have a proxy in your environment and if so, is the proxy configured on your core in IE?

             

            Kind regards

            Christian

            • 3. Re: Agent in subnet can not "connect"
              mawinter Rookie

              Thanks for answering.

              No we have no Proxy in our Environment. Should have mentioned this in my main Post.

               

              Cheers

              Max

              • 4. Re: Agent in subnet can not "connect"
                mawinter Rookie

                DNS seems to be OK and Wireshark logged Communication with my Clients in the Subnet.

                I read through the document, you have mentioned and i saw, that there is no "policytaskhandler.exe" running. (on core Server and Client in subnet)

                Of course there is also the policytaskhandler.exe.log missing.

                 

                Can my problem result of that issue?

                Or is the installation of the Core Server corrupted?

                 

                Cheers

                Max

                • 5. Re: Agent in subnet can not "connect"
                  phoffmann SupportEmployee

                  The policy task handler stuff can be ignored for now. Let's make sure "basic comms" work first -- so play with the "PDS2DIS" command (from the Core's command-line) and wireshark that comms-trail. (Note, you may want to run Wireshark on both ends ... I've seen situations where network packets were sent off to the right place but never arrived there ... prompting me to poke the networking folks to look into it more properly).

                   

                  If the poke does reach the right client, "something" should come back, as long as CBA8 is running.

                   

                  The other "most basic" test is opening a browser and entering "http://{IP-of-client}:9595" where you should see something like this:

                  Which is a good, visual indicator that "CBA8 is running" that's nice and simple -- AND it will add entries to the SERVICEHOST.LOG (CBA8's log file) under "C:\ProgramData\LANDesk\Log\", to "prove" you signs of life / recipt of that poke. Something like the following:

                  ""

                  Fri, 13 Apr 2018 10:58:05 9936: Service Host Started, Host GBR-{DEVICENAME.FQDN.DQSN}:9595, Peer ::1, IP Address ::1

                  Fri, 13 Apr 2018 10:58:05 9936: Public key path C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\certs

                  Fri, 13 Apr 2018 10:58:05 9936: Anonymous connection established

                  Fri, 13 Apr 2018 10:58:05 9936: Unable to resolve request location /favicon.ico

                  Fri, 13 Apr 2018 10:58:05 9936: Failed to find requested file.

                  Fri, 13 Apr 2018 10:58:05 9936: Error processing request: 404 Not Found, File Not Found

                  ""

                   

                  As a reference.

                   

                  Essentially check for / ensure "basic" comms work, and work your way up 1 step at a time. The article greatly helps with that, since it explains what works how .

                   

                  Get clarity on that ... and we'll worry about the rest afterwards.

                  • 6. Re: Agent in subnet can not "connect"
                    mawinter Rookie

                    So the first thing i didn't check for now, but i will.

                    But the check for ip:9595 failed. Also on both machines.

                     

                     

                    And in the Servicehost.log is:

                    <Picture removed by admin due to hostnames / FQDN / Corporate IP's>

                     

                    I think there is something wrong with the Common Base Agent, or the Certificate.

                    What do you think?

                    • 7. Re: Agent in subnet can not "connect"
                      phoffmann SupportEmployee

                      So - I've removed your screenshot of the SERVICEHOST.LOG because it included a full hostname / FQDN and IP (you want to anonymise those things - this is a publically searchable forum & that kind of info can be abused) .

                       

                      The message about "C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\index.tmpl signature not valid" is certainly not confidence inspiring, nor the fact that you can't reach the mini-www-page.

                       

                      You may want to try this:

                      • Uninstall the agent (+reboot) on the remote device
                      • Re-install the agent (+reboot) on the remote device
                      • Re-try the test(s).

                       

                      ... since you're using the same agent config as for your "working clients" (I'm assuming) this shouldn't be a cert problem ... those would manifest differently in the SERVICEHOST.LOG anyway (essentially "hey, Core is trying to & failing to authenticate with Cert 12345678.0 ... but I'm not letting it" type stuff). Let's start with low hanging fruit of troubleshooting.

                      • 8. Re: Agent in subnet can not "connect"
                        mawinter Rookie

                        Thank you,

                        today seems not to be my day... I even censored it but uploaded the wrong image

                         

                        I tried reinstall, but not with that much reboots.

                        I will try it, and answer again.

                        • 9. Re: Agent in subnet can not "connect"
                          Apprentice

                          Have you tried this simple test? Take a device on the "problem" network and put it on the "good" network and vice-versa. See if the problem follows the device or the network.

                          • 10. Re: Agent in subnet can not "connect"
                            mawinter Rookie

                            Sadly there is still no difference after reinstallation and rebooting.

                            The log file still looks the same.

                            • 11. Re: Agent in subnet can not "connect"
                              phoffmann SupportEmployee

                              So - the fact that CBA8 is there ... that's good.

                               

                              Do you see log-entries when it gets poked by the Core? In the first instance, we want to make sure that at least this far things work.

                               

                              What sort of weird cert shenanigans continue, that's a separate step.

                               

                              The suggestion from above about moving the "troublesome" device to another (functioning) network segment would be quite good. I'm getting suspicious that there's "something" on the network layer that's causing issues ... (for instance, for Software Dist & Patching, "Web Caching Appliances" are a very commmon source of grief).

                               

                              Given that that this is a really simple PING <=> PONG response (you can even attempts this via the PDS2DIS command linked in the troubleshooting article, but that won't create any log entries), this doesn't smell of "broken CBA" but something else throwing a spanner in the works ...

                              1 of 1 people found this helpful
                              • 12. Re: Agent in subnet can not "connect"
                                mawinter Rookie

                                I'm sorry for the late reply on your answer, but i got ill last week and had to catch up on work.

                                However, i had a phone call with an Technical pre sales Consultant from Ivanti and he managed to solve the problem.

                                The Problem had nothing to do with the Subnets, that was just pure coincidence.

                                Error Message:

                                Error comitting on table VIDEO:   DATA PROVIDER OR OTHER SERVICE RETURNED AN E_FAIL STATUS.

                                Increased column size might be necessary, Thread ID: 3296.

                                So we increased the colum size from 255 to 1024 and now all the agents are available.

                                 

                                Nevertheless, im very grateful for your help.

                                 

                                Best wishes

                                Max

                                • 13. Re: Agent in subnet can not "connect"
                                  phoffmann SupportEmployee

                                  That's fine - as long as you got ahead & got back to being well .

                                   

                                  An increase of 1024 seems a little over the top, but ah well.

                                   

                                  I would - in your place - still contact support, and let them know of this issue with the DB table needing to be extended (and giving them a scan-file from the device that had this issue) -- so that this can be fed back to dev & the default size of that table/column can be increased. Not necessarily to 1024 (as that'd be quite a lot of wasted space once you scale that up) but to a larger value at any rate.

                                   

                                  It all comes from a delicate need to balance not blowing up the DB-size and "letting things come in" .

                                  • 14. Re: Agent in subnet can not "connect"
                                    mawinter Rookie

                                    Yes it is a bit over the top, but not a problem right now. It is just a test installation, and once we install it as a productive system, we will probably change it to 512 or something.

                                    The Support in should get the Information from the Presales Consultant, at least he said that.

                                    Howwever, It is quite unusual that the path of the graphic driver is longer than 255 chars, but it recognized the nVidia and the Intel driver and wrote both in one line, so it is a little less than 400 chars.

                                    So i think the problem should not occur to often.