5 Replies Latest reply on Jul 20, 2009 2:25 AM by phoffmann

    Policy status issues after applying landesk servicepack 3

    Rookie

      Dear Reader,

       

      I have some issues with the status reporting of policies. If I deploy a package by using a push delivery method the package installs correctly and the scheduled task returns me the correct status. If I deploy a package by using policy (or policy-push) the targets install the package correctly but it doesn't return the status "Successful". The status of the targeted devices in the policy task stays "Waiting" or "failed" depending on whether I used policy or policy-push. Currently we are using Landesk 8.8 which we recently upgraded to service pack 3. Also the landesk agents are upgraded with servicepack 3.

       

      I've searched the forum and analysed some logs. The policy.sync and the policy.invoker logs seem to look fine. I think the problem is found in the alert.log on my client. Unfortunately I can't find any info regarding these errors.

       

      Alert.log

       

      2009-07-10 07:50:58(500-504) alert.exe:Processing alert internal.cba8.system.startup instance
      2009-07-10 07:51:00(500-504) alert.exe:Error 3 starting session with host 127.0.0.1:9592
      2009-07-10 07:55:26(2528-2296) alert.exe:No alert id specified
      2009-07-10 07:55:26(2552-2548) alert.exe:Processing alert internal.10_1_8_86.swd_sdclient.status instance
      2009-07-10 07:55:27(2552-2548) alert.exe:Unexpected HTTP response code (406) from server http://LANDesk.Gateway@10.1.8.86/incomingdata/postcgi.exe?prefix=sdstatus\&suffix=.swd.xml--alert discarded
      2009-07-10 07:55:27(2552-2548) alert.exe:Transmission to "http://LANDesk.Gateway@10.1.8.86/incomingdata/postcgi.exe?prefix=sdstatus\&suffix=.swd.xml" will not succeed
      2009-07-10 07:57:20(2100-2160) alert.exe:No alert id specified
      2009-07-10 07:57:20(1412-2340) alert.exe:Processing alert internal.10_1_8_86.swd_sdclient.status instance
      2009-07-10 07:57:22(1412-2340) alert.exe:Unexpected HTTP response code (406) from server http://LANDesk.Gateway@10.1.8.86/incomingdata/postcgi.exe?prefix=sdstatus\&suffix=.swd.xml--alert discarded
      2009-07-10 07:57:22(1412-2340) alert.exe:Transmission to "http://LANDesk.Gateway@10.1.8.86/incomingdata/postcgi.exe?prefix=sdstatus\&suffix=.swd.xml" will not succeed
      2009-07-10 09:28:44(612-616) alert.exe:Processing alert internal.cba8.system.startup instance
      2009-07-10 09:28:46(612-616) alert.exe:Error 3 starting session with host 127.0.0.1:9592
      2009-07-10 09:33:50(3500-2696) alert.exe:No alert id specified
      2009-07-10 09:33:51(3624-3536) alert.exe:Processing alert internal.10_1_8_86.swd_sdclient.status instance
      2009-07-10 09:33:51(3624-3536) alert.exe:Unexpected HTTP response code (406) from server http://LANDesk.Gateway@10.1.8.86/incomingdata/postcgi.exe?prefix=sdstatus\&suffix=.swd.xml--alert discarded
      2009-07-10 09:33:51(3624-3536) alert.exe:Transmission to "http://LANDesk.Gateway@10.1.8.86/incomingdata/postcgi.exe?prefix=sdstatus\&suffix=.swd.xml" will not succeed
      2009-07-10 09:35:21(2540-3616) alert.exe:No alert id specified
      2009-07-10 09:35:21(2544-2548) alert.exe:Processing alert internal.10_1_8_86.swd_sdclient.status instance
      2009-07-10 09:35:22(2544-2548) alert.exe:Unexpected HTTP response code (406) from server http://LANDesk.Gateway@10.1.8.86/incomingdata/postcgi.exe?prefix=sdstatus\&suffix=.swd.xml--alert discarded
      2009-07-10 09:35:22(2544-2548) alert.exe:Transmission to "http://LANDesk.Gateway@10.1.8.86/incomingdata/postcgi.exe?prefix=sdstatus\&suffix=.swd.xml" will not succeed

      /alert.log

       

      Somehow it can't deploy the sdw.xml to the core server?

       

      I've tried the suggestions from this article: http://community.landesk.com/support/docs/DOC-2919 and I noticed that the application management service was stopped at the core server. I started this service again, but I could not use the other suggestions in the article (there is no \ldmain\sdtatus dir in our current landesk version). Also the apmservice.ini didn't contain the Keepevents=True, I added this to our apmservice.ini.

       

      I also tried to apply the patches from this article: http://community.landesk.com/support/docs/DOC-6213 but it seems that the download link is dead.

       

      Do you guys have some pointers for me?

       

      Thanks in advance!

        • 1. Re: Policy status issues after applying landesk servicepack 3
          phoffmann SupportEmployee

          The problem is going to be related to those HTTP 406 error codes you're seeing.

           

          I'd suggest opening a case with LD support, we'll likely need a deeper look at your Core. It sounds as if some NTFS permissions (or IIS) are broken.

           

          I'm more than a little surprised that you don't have an "sdstatus" directory on your Core's LDMAIN ...? That's certainly a problem ... has anyone been toying with your Core (this is a rather important reception directory, where - as the name hints - we send status updates for software distribution tasks).

           

          - Paul Hoffmann

          LANDesk EMEA Technical Lead
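The failures in the alert.log posted above, grouped by the alert they belong to (an added example, not part of the original thread and not LANDesk tooling). It assumes the parenthesised id pair after the timestamp identifies one alert.exe run, so a failure line can be attributed to the "Processing alert" line that carries the same pair.

```python
import re
from collections import Counter

# Excerpt of the client alert.log posted in this thread.
SAMPLE_LOG = r"""
2009-07-10 07:50:58(500-504) alert.exe:Processing alert internal.cba8.system.startup instance
2009-07-10 07:51:00(500-504) alert.exe:Error 3 starting session with host 127.0.0.1:9592
2009-07-10 07:55:26(2528-2296) alert.exe:No alert id specified
2009-07-10 07:55:26(2552-2548) alert.exe:Processing alert internal.10_1_8_86.swd_sdclient.status instance
2009-07-10 07:55:27(2552-2548) alert.exe:Unexpected HTTP response code (406) from server http://LANDesk.Gateway@10.1.8.86/incomingdata/postcgi.exe?prefix=sdstatus\&suffix=.swd.xml--alert discarded
2009-07-10 07:55:27(2552-2548) alert.exe:Transmission to "http://LANDesk.Gateway@10.1.8.86/incomingdata/postcgi.exe?prefix=sdstatus\&suffix=.swd.xml" will not succeed
"""

LINE = re.compile(r"^(\S+ \S+)\((\d+-\d+)\) alert\.exe:(.*)$")
PROCESSING = re.compile(r"^Processing alert (\S+) instance$")
HTTP_FAIL = re.compile(
    r"^Unexpected HTTP response code \((\d+)\) from server (\S+?)--alert discarded$")
SESSION_FAIL = re.compile(r"^Error (\d+) starting session with host (\S+)$")

def failed_alerts(log_text):
    """Return one dict per delivery failure, tagged with the alert it belongs to."""
    current = {}    # id pair -> alert name announced by that run (assumed correlation key)
    failures = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, ident, msg = m.groups()
        announced = PROCESSING.match(msg)
        if announced:
            current[ident] = announced.group(1)
            continue
        hit = HTTP_FAIL.match(msg) or SESSION_FAIL.match(msg)
        if hit:
            failures.append({
                "time": when,
                "alert": current.get(ident),   # None if no alert was announced
                "kind": "http" if msg.startswith("Unexpected") else "session",
                "code": int(hit.group(1)),
                "target": hit.group(2),
            })
    return failures

def summarize(failures):
    """Count failures per (alert, kind, code) to show which status type is being lost."""
    return Counter((f["alert"], f["kind"], f["code"]) for f in failures)
```

Run over the full log, `summarize()` separates the local startup-alert session errors from the software distribution status posts that the Core rejects with 406.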

          • 2. Re: Policy status issues after applying landesk servicepack 3
            Rookie

            Dear Paul,

             

            Thanks for your quick reply. I'm sure that I haven't deleted the ldmain directory from the C:\program Files\Landesk\Managementsuite folder. I have created a new LDMAIN\sdstatus\stored folder structure in the management suite folder. Does this folder need to be shared or are certain permissions required?

             

            Here is some history that might clarify the problem

             

            • I never used policy based application deployment before the servicepack 3 upgrade. Unfortunately I don't know if this problem was also existing prior to the upgrade;
            • We had some problems where vulscan results weren't able to deploy to the core server. This was resolved by giving the Internet guest account sufficient permissions on the vulscanresults folder;
            • After the Service pack 3 upgrade another problem emerged which isn't solved yet. When I open the managementsuite console and click on "Security and Patch manager" the appropriate screen doesn't open. I tried to resolve this by activating the core server again, and renaming the existing patchsources.xml to something else and starting the console again. Unfortunately this only worked for 1 day.
            • As mentioned before the status updates of tasks with a push delivery method are correct but I'm guessing this works differently than status updates of policy based tasks?

             

            Next week I'm on a holiday. I hope that you have some suggestions I can try. I will also open a case at the LD support when I'm back from my holiday.

             

            Thanks in advance!

            • 3. Re: Policy status issues after applying landesk servicepack 3
              phoffmann SupportEmployee

              Default permissions for SDSTATUS (this is one of various reasons why I always recommend having a clean test-core around, so one can compare) are:

               

              - ADMINISTRATORS-group (Core local group) -- Full Control

              - ASP.NET Machine Account (Core's) -- Full Control

              - IIS Guest Account (Core's) -- Full Control (NOTE - this goes by the username of IUSR_CORENAME)

              - LANDesk Management Suite-group (Core local group) -- Full Control

              - Launch IIS Process Account (Core's) -- Read & Execute ++ List Folder Contents ++ Read (NOTE - this goes by the username of IWAM_CORENAME)

              - NETWORK SERVICE (Core Local) -- Full Control

              - SYSTEM (Core Local) -- Full Control.

               

              I usually get worried about stuff like this "disappearing" (I don't think you did it - I worry about whatever did do it), since it's often effectively untraceable. Anything from a "maintenance script gone bad" to random bad luck ... tough to trace. But it raises the issue that other things might be broken too / have been deleted.

               

              If you have a (clean) test Core, you can run MD5SUMMER -- http://www.md5summer.org/ -- to run an MD5 hash on the entire "C:\Program Files\LANDesk\" directory and compare the test-core versus the production core.

               

              Stuff like INI-files and log files won't match of course, but it will certainly give you a good comparison as to what files/directories could be problematic ... very strange that this is all happening ...

               

              Maybe time to re-format this Core (not sure how old it is, but it sounds somewhat as if the OS is "going funny" and I tend to try and put them out of their misery at that point). It's not an exact scientific examination at this point, just that the symptoms you describe tend to go pretty much into the category that I hold as "Windows is borked somehow" pot.

               

              P.S.: Have a nice holiday

               

              - Paul Hoffmann

              LANDesk EMEA Technical Lead

              • 4. Re: Policy status issues after applying landesk servicepack 3
                Rookie

                Dear Paul,

                 

                Again thanks for your quick reply! I have created the following folders and assigned the appropriate rights

                 

                • C:\Program Files\LANDesk\ManagementSuite\ldmain\sdstatus\stored
                • C:\Program Files\LANDesk\ManagementSuite\ldmain\sdstatus\badstatus

                 

                I followed all the instructions mentioned in this guide http://community.landesk.com/support/docs/DOC-2919

                 

                I then assigned the computers to the policy-task. As before the computer executes the installation but no status is sent. I noticed by looking at the sdclient.log nothing is logged here! The last logs are from 20 May, while I executed the test today. Does this mean that sdclient doesn't send any status? Push delivery-based tasks do report successfully.

                 

                The alert.log logged the following:

                 

                2009-07-20 07:28:25(252-256) alert.exe:Processing alert internal.cba8.system.startup instance

                2009-07-20 07:28:26(252-256) alert.exe:Error 3 starting session with host 127.0.0.1:9592

                2009-07-20 07:33:50(3880-3884) alert.exe:No alert id specified

                2009-07-20 07:33:50(3900-3904) alert.exe:Processing alert internal.10_1_8_86.swd_sdclient.status instance

                2009-07-20 07:33:51(3900-3904) alert.exe:Unexpected HTTP response code (406) from server http://LANDesk.Gateway@10.1.8.86/incomingdata/postcgi.exe?prefix=sdstatus\&suffix=.swd.xml--alert discarded

                2009-07-20 07:33:51(3900-3904) alert.exe:Transmission to "http://LANDesk.Gateway@10.1.8.86/incomingdata/postcgi.exe?prefix=sdstatus\&suffix=.swd.xml" will not succeed

                2009-07-20 07:34:51(1732-2176) alert.exe:No alert id specified

                2009-07-20 07:34:51(2192-2188) alert.exe:Processing alert internal.10_1_8_86.swd_sdclient.status instance

                2009-07-20 07:34:51(2192-2188) alert.exe:Unexpected HTTP response code (406) from server http://LANDesk.Gateway@10.1.8.86/incomingdata/postcgi.exe?prefix=sdstatus\&suffix=.swd.xml--alert discarded

                2009-07-20 07:34:51(2192-2188) alert.exe:Transmission to "http://LANDesk.Gateway@10.1.8.86/incomingdata/postcgi.exe?prefix=sdstatus\&suffix=.swd.xml" will not succeed

                I think there is something wrong with the sdclient reporting..
                The test virtual machines have the sp3 agent installed. I re-installed the agent to be sure this works. Again, push based scheduled tasks report their status perfectly. Do you guys have some pointers for troubleshooting this problem? Besides the stored and badstatus directories I created, do I also need to create virtual directories in IIS?
                Thanks in advance!
                • 5. Re: Policy status issues after applying landesk servicepack 3
                  phoffmann SupportEmployee

                  Yes, you do. You will generally want to look at your IIS configuration.

                   

                  An actually important line in your log is this:

                   

                  2009-07-20 07:33:51(3900-3904) alert.exe:Unexpected HTTP response code (406) from server http://LANDesk.Gateway@10.1.8.86/incomingdata/postcgi.exe?prefix=sdstatus\&suffix=.swd.xml--alert discarded

                   

                  I've highlighted in red the part that's a bit concerning.

                   


                  You can check up HTTP error codes here -- http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html -- (bookmark the link).

                   

                  406 means "Not Acceptable", which indicates that the Core has run into problems.

                   

                  Now - you *CAN* do either of the following:

                   

                  ###################

                   

                  1 - Compare the Core's IIS setup versus the test-Core (where it works, right?) virtual directory by virtual directory (safest). The crux here is that you need to make sure that the authentication method is the correct one on each directory too (some need to be anonymous, some need to be NT-authentication).

                   

                  This should also be done with the Core's directory structure, particularly in regards to NTFS permissions.

                   

                  A tool like MD5SUMMER -- http://www.md5summer.org/ -- may help you here, as it'll list you directories + files that don't match (less interesting in this case) and more importantly (here at least) don't exist.

                   

                  ###################

                   

                  2 - Re-set the "broken" Core's IIS setup to the default LDMS install (we create a backup of our config at install). Though this would mean having to re-do any customisation (Application Pools / worker processes, etc.) that have been done post install.

                   

                  To do this you would need to do the following:

                  2.1 - Go into the IIS-mmc on the Core Server.

                  2.2 - Right-click on the "Internet Information Services (IIS) Manager" icon (the root of the tree) and select "ALL TASKS" -> "BACKUP/RESTORE CONFIGURATION"

                   

                  2.3 - You should see (pretty close to the top), a "LANdesk Management Suite" entry. That's the IIS backup we've created after LDMS was installed.

                   

                  ###################

                   

                  NOTE -- most of these are fairly big operations in regards to going into the guts of your system. I'd advise against doing anything of the above without having a good, functioning (and tested) full backup of your Core.

                   

                  Depending on just "how much" is wrong with your core (I'm more than a little surprised that those directories didn't exist), it might be potentially more prudent to blow it away and reformat it (transferring things like certs, databases, scripts + so on should be fine, since these are unlikely to have problems at this point), but that in itself is also a bigger operation. This is something I don't suggest lightly - I just personally always start getting suspicious of the OS when weird stuff like this happens and directories start going missing...

                   

                  - Paul Hoffmann

                  LANDesk EMEA Technical Lead
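The test-Core versus production-Core comparison suggested in replies 3 and 5, written as a script (an added example, not part of the original thread and not MD5SUMMER itself). It reports directories and files that are missing on the production side as well as hash mismatches, and skips .ini and .log files; the tree built in `demo()` and the file name `example.dll` are constructed for illustration.

```python
import hashlib
import os
import tempfile

SKIP_EXT = {".ini", ".log"}  # expected to differ between Cores

def manifest(root, algorithm="md5"):
    """Map each relative path under root to a file digest, or None for a directory."""
    entries = {}
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir != ".":
            entries[rel_dir.lower()] = None      # lower-cased: NTFS ignores case
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SKIP_EXT:
                continue
            digest = hashlib.new(algorithm)
            with open(os.path.join(dirpath, name), "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            entries[rel.lower()] = digest.hexdigest()
    return entries

def compare(reference, production):
    """Report what the production tree lacks or holds in a different version."""
    ref, prod = manifest(reference), manifest(production)
    missing = sorted(p for p in ref if p not in prod)
    return {
        "missing_dirs": [p for p in missing if ref[p] is None],
        "missing_files": [p for p in missing if ref[p] is not None],
        "changed": sorted(p for p in ref if p in prod and ref[p] != prod[p]),
        "extra": sorted(p for p in prod if p not in ref),
    }

def demo():
    """Build two small constructed trees (not a real Core layout) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, prod = os.path.join(tmp, "test-core"), os.path.join(tmp, "prod-core")
        for sub in ("stored", "badstatus"):
            os.makedirs(os.path.join(ref, "ldmain", "sdstatus", sub))
        os.makedirs(os.path.join(prod, "ldmain"))
        for root, body in ((ref, b"v1"), (prod, b"v2")):
            for name in ("example.dll", "apmservice.ini"):  # the .ini is skipped
                with open(os.path.join(root, "ldmain", name), "wb") as fh:
                    fh.write(body)
        return compare(ref, prod)
```

On a real pair of Cores, call `compare()` with the two install directories; the `missing_dirs` list is the part that would have flagged the absent sdstatus tree.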