Philadelphia Security User Group

I'm having a problem on all of my Windows XP client computers. On a freshly imaged computer, I use DS 6.9 to manually install the NS 7.1 Altiris Agent. The client works for a while - at least several hours. The PC receives a GUID, gets policy changes, receives managed software packages, sends Basic Inventory, etc. Everything works fine - and then all of a sudden, the clients stop talking to the server. In the client's event log, I begin to see numerous errors like the ones below.

Once I begin to receive the errors, the logfiles fill up very quickly. In a matter of minutes, all of the previous logfiles are overwritten. In order to observe the changeover from the working state to the unworking state, I had to up the logfile size. I also enabled verbose logging, hoping that would shed more light on what's going on. I'm at a loss at this point. I don't have this problem in my NS 6 environment, only with the NS 7.1 agent. There's no firewall enabled on either client or server. I've got a support case open with Symantec, but so far they haven't been of much help. Any ideas where to go from here? Thanks!

Attached are verbose logfiles showing the switch from an XP client in working condition to broken.

<event date='May 06 09:02:10' severity='2' hostName='LKDWTEST' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='1752' thread='3764' tickCount='107466671' >
  <![CDATA[CTaskServerNetCommsConnection::PostStatus(): CAtrsException exception, error = "No connection could be made because the target machine actively refused it.", OS error = 2147952461, at CTaskServerNetCommsConnection::Get
 re-throw at CTaskServerNetCommsConnection::GetServerListXml
 re-throw at CTaskServerNetCommsConnection::GetServerList
 re-throw at CTaskServerNetCommsConnection::GetServersAndRegister]]>
</event>
<event date='May 06 09:02:10' severity='1' hostName='LKDWTEST' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='1752' thread='3764' tickCount='107466671' >
  <![CDATA[Unable to post file to server, error 8007274d]]>
</event>
<event date='May 06 09:02:10' severity='4' hostName='LKDWTEST' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='1752' thread='3764' tickCount='107466671' >
  <![CDATA[CTaskServerNetCommsConnection::GetServersAndRegister(): Getting server list from https://itccmvalt01.millville.org. Forced by internal: false external: true]]>
</event>
<event date='May 06 09:02:10' severity='1' hostName='LKDWTEST' source='MsCryptoSslDataTransformerImpl' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='1752' thread='3764' tickCount='107466750' >
  <![CDATA[InitializeSecurityContext Error Error -2146893052 (2)]]>
</event>
<event date='May 06 09:02:10' severity='1' hostName='LKDWTEST' source='MsCryptoSslDataTransformerImpl' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='1752' thread='3764' tickCount='107466750' >
  <![CDATA[Failed to perform client handshake. (80090304)]]>
</event>
<event date='May 06 09:02:10' severity='2' hostName='LKDWTEST' source='AeXNetworkTransport' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='1752' thread='3764' tickCount='107466750' >
  <![CDATA[Get 'https://itccmvalt01.millville.org/Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx?resourceGuid=7742685d-6fab-40a3-b31f-b27a246b4403' failed: HTTP Request Failed: No connection could be made because the target machine actively refused it. (-2147014835)]]>
</event>
<event date='May 06 09:02:10' severity='2' hostName='LKDWTEST' source='CoNetworkTransport(143)' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='1752' thread='3764' tickCount='107466750' >
  <![CDATA[HTTP Request Failed: No connection could be made because the target machine actively refused it. (-2147014835)]]>
</event>
<event date='May 06 09:02:10' severity='2' hostName='LKDWTEST' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='1752' thread='3764' tickCount='107466750' >
  <![CDATA[CTaskServerNetCommsConnection::PostStatus(): CAtrsException exception, error = "No connection could be made because the target machine actively refused it.", OS error = 2147952461, at CTaskServerNetCommsConnection::Get
 re-throw at CTaskServerNetCommsConnection::GetServerListXml
 re-throw at CTaskServerNetCommsConnection::GetServerList
 re-throw at CTaskServerNetCommsConnection::GetServersAndRegister]]>
</event>
<event date='May 06 09:02:10' severity='1' hostName='LKDWTEST' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='1752' thread='3764' tickCount='107466750' >
  <![CDATA[Unable to post file to server, error 8007274d]]>
</event>

Attachment(s)

ClientLogs.zip   144 KB 1 version

on the task server, it appears from this line "HTTP Request Failed: No connection could be made because the target machine actively refused it" that is it rejecting the communication. It could be overloaded or some other reason, but the HTTP error logs could hopefully provided some information. Of course, making sure the services are all started and all ports are open (which should be fine, if the initial coms work), would be the first step.

That's the first place Symantec had me look as well, but that didn't help me much either. The last entry I have for my test client, 10.33.2.95, was from 5/4/11. After that, there are absolutely no entries regarding the client at all. Where are the client requests going?

2011-05-04 17:18:17 W3SVC1 ITCCMVALT01 10.33.6.127 POST /Altiris/NS/Agent/PostEvent.aspx - 443 - 10.33.2.95 HTTP/1.1 - - - itccmvalt01.millville.org 200 0 347 976 1046

Attachment(s)

IISlogs.zip   550 KB 1 version

and not the error logs (if there are any). Is it possible, since you are using port 443 (SSL), that the clients haven't received the certificate to communicate properly?

Would that be the logfile at %SYSTEMROOT%\System32\Logfiles\HTTPERR? Nothing in it regarding 10.33.2.95, either.

Regarding SSL, the clients were communicating properly, so they had the certificate at some point. But I wouldn't even know how to troubleshoot SSL issues with the Agent, and I'm unaware of anything that needs to be done on the client to make SSL work. 

Attachment(s)

httperr1.log__0.txt   83 KB 1 version

I see a ton of HTTP 400 isseus (cannot resolve the request) and a few IIS 503 errors (service unavailable).

The errors on your client lead me to believe something is not configured correctly in IIS on the server receiving the requests (don't know if you have a site server and an NS or just an NS).

Dustin,

i had this issue before and there are a couple things that you might need to check on the NS/SMP Server:

1. When using SSL you might need to check whether the the "SMP <hostname> Server CA" is inside the Intermediate CA folder. Open Run - MMC - File - Add Snap/In - Add - Certificates - Close.

2. Browse to Trusted Root Certificates and make sure abovementioned certificate is there. Copy it.

3. Browse to Intermediate CA folder and paste it there.

4. Do a IISRESET

5. Just to make sure, restart Altiris services on NS/SMP Server

6. Press Update Configuration on the problem client and Send Basic INventory.

Another scenario where this might happen is that IUSR account is still in the Guest Group.

BTW, Is the test client in the same domain as the NS?

Hope this helps.

jharings - Most of those errors are over a month old. None of the errors in the log correspond to the IP addresses where I'm observing my problem. I do have a site server, but it's in the same site as the NS server at the moment. Both site server and NS are running Package Service and Task Service. The NS is running the OOB Service as well.

avl - Thanks for your response. I followed your instructions, but no change. The client IS in the same domain as the NS.

What is curious to me is that my clients DO work for several hours after being freshly imaged. Why can they communicate for a while, and then all of a sudden stop? What is changing on either the client or the server?

Another thing - the rejected clients hammer away over and over, trying to reconnect to the server. I have more than 27MB of logfiles for the last 8 hours, using the default logging settings. These clients are getting rejected somewhere - why is there nothing in the IIS logs about these clients being rejected?

dustinw,

just out of curiosity:

1. how did you image the clients?

2. does the client already have a GUID when you imaged it?

3. try do a uninstall - reinstall of the client.

4. the clients hammering away could be because of the configuration where probably the client will check every hour for a new configuration plus the performing handshake errors are already 10 entries inside the logs ;)

We have a very stripped down hardware independent image that we deploy using Altiris DS 6.9, located on a different server. The image is just barebones Windows XP SP3 plus updates. Yes, the clients have already had GUIDS when imaged.

An uninstall/reinstall of the software doesn't help. After re-installing, the client never pics up the Computer ID and just gets rejected off the bat. Neither does it work if I delete the client from Altiris NS entirely and reinstall. Strangely though, if I re-image the PC, it will work for several hours until it stops.

the usual practice that i know with imaging is to image the NS Client not having a GUID because that is unique to each client. so you might want to change your image to have a client w/o GUID AND pointing to the NS

that maybe also explains why they are working after a fresh re-image and then got rejected by NS because the GUID is already in the database and numerous clients connect using the same GUID.

another question is: do you change the Windows SIDs for every PC that you have imaged?

I think we're talking about two seperate things here. There's no NS client on my image - there's nothing on it except for Windows XP and AClient for DS 6.9. The NS client gets installed after the disk image is laid down. There aren't multiple computers with the same GUID. If I understand you correctly, you are suggesting that I would have to actually delete a computer out of NS so that NS thinks it's a brand new PC each time I re-image, and then manually place it back into all the collections/filters it was in previously. That's not the way I understand the product to work, and if it were the case, I should be experiencing this same problem with my NS 6 clients pointing to the NS 6 server. That isn't happening.

Any insite to their feedback? The last thing I can ask for is some of your server logs for Altiris itself. This is very odd behavior to be sure.

DustinW,

Ah ok, my apologies i misunderstood it.

Yes, I have an open case with support and spent about 3 hours on the phone with them so far. If they have any insight into the behavior, they haven't shared it with me, only that they have another customer with the same problem. As soon as I get an answer, I'll share it here.

Still no answer from Symantec, however I'm now pretty sure this is an SSL-related issue, as was originally suggested. I uninstalled the client from my XP machine, then re-installed it, pointing to the http web address instead. I immediately regained communication with the server. Another thing I see is that in the server's Windows System event log, I have a TON of "Schannel" errors with the Event ID of 36888.

"The following fatal alert was generated: 10. The internal error state is 10. "

So... now that I know I have an SSL certificate problem... I guess I'll try retracing my steps here:

http://www.symantec.com/business/support/index?page=content&id=DOC1240

Anyone have any other insights for me? I have a Windows domain CA, and that's the certificate I thought I was using. That cert is trusted on all the workstations, as evidenced by the fact that I can browse to the NS Admin site with no certificate errors. Ah well, here I go! Wish me luck. :-)

I was unable to fix my SSL issue. As far as I can tell, there's nothing wrong with my certificate from my domain's enterprise root CA. My "solution" is to stop using SSL. At this point, I've got everything changed except my DS PXE and automation agents, and I'm in the process of getting that done now. YUCK. I have literally wasted weeks on this issue. I really wish Symantec would have done a little more to emphasize how much difficulty can be caused by using DS/NS over SSL. That one little check mark during installation has caused me so much grief it's unbelievable.

At any rate, at least I've developed a much more thorough understanding of the product due to the extensive troubleshooting process. :-\