CEM clients that were deployed using a master image that was created from a machine that already had Cloud Enabled Management mode enabled will fail to connect to the Internet Gateway Server
Article ID: 162314
Products
IT Management Suite
Client Management Suite
Issue/Introduction
CEM clients that were deployed using a master image created from a machine that already had Cloud Enabled Management mode enabled fail to connect to the Internet Gateway Server. The agent log contains entries such as the following:
[1] 9/3/2015 10:48:12 AM (AeXNSAgent.exe) TunnelSslDataTransformerImpl Failed to create new client credential. (0x8009030D)
(AeXNSAgent.exe) MsCryptoSslDataTransformerImpl InitializeSecurityContext error while client handshake: The message received was unexpected or badly formatted (0x80090326)
(AeXNSAgent.exe) NetworkOperation Operation 'Connect' failed. Protocol: http Host: CEM.company.com Port: 443 Path: / Http status: 0 Secure: Yes Id: {50FC019A-8FED-45BB-BB20-12434374BDAB} Error type: Connection error Error result: 0x80072751 Error code: 0 Error note: Unable to connect via secure gateway Error message: A socket operation was attempted to an unreachable host
(AeXNSAgent.exe) Client Task Agent Failed to call web interface by url [https://SMP.domain.com/Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx?resourceGuid=00c43d13-5fcb-4e75-8917-d0306d845918], error [0x80072751, A socket operation was attempted to an unreachable host.].
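To shortlist imaged machines for the certificate-store check in the Resolution section, the error combination in the log excerpt above can be matched by script. This is an added example, not Symantec code: the function name triage and the one-entry-per-line "(process) component message" layout are assumptions based on the excerpt as shown here, and the second sample log is constructed.

```python
import re

# Codes from the log excerpt above (meanings quoted from the same lines).
CRED_FAIL = "0x8009030d"   # Failed to create new client credential
HANDSHAKE = "0x80090326"   # message received was unexpected or badly formatted

LINE = re.compile(r"\((?P<proc>[^)]+)\)\s+(?P<body>.*)")
CODE = re.compile(r"0x[0-9A-Fa-f]{8}")
CONNECT = re.compile(
    r"Operation 'Connect' failed\..*?Host:\s*(?P<host>\S+)\s+Port:\s*(?P<port>\d+)")

def triage(log_text, process="AeXNSAgent.exe"):
    """Collect failure codes and failed gateways from agent log lines and
    decide whether the host needs the certificate-store check."""
    codes, gateways = set(), set()
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m or m.group("proc") != process:
            continue  # ignore blank lines and other processes
        body = m.group("body")
        codes.update(c.lower() for c in CODE.findall(body))
        c = CONNECT.search(body)
        if c and "Unable to connect via secure gateway" in body:
            gateways.add((c.group("host"), int(c.group("port"))))
    # A connect failure alone is ambiguous (firewall, DNS). The credential and
    # handshake errors are what point at the client certificate.
    suspect = {CRED_FAIL, HANDSHAKE} <= codes and bool(gateways)
    return {"codes": sorted(codes), "gateways": sorted(gateways),
            "check_cert_store": suspect}

# Lines copied from the excerpt in this article.
CLONED_IMAGE_LOG = """\
[1] 9/3/2015 10:48:12 AM (AeXNSAgent.exe) TunnelSslDataTransformerImpl Failed to create new client credential. (0x8009030D)
(AeXNSAgent.exe) MsCryptoSslDataTransformerImpl InitializeSecurityContext error while client handshake: The message received was unexpected or badly formatted (0x80090326)
(AeXNSAgent.exe) NetworkOperation Operation 'Connect' failed. Protocol: http Host: CEM.company.com Port: 443 Path: / Http status: 0 Secure: Yes Id: {50FC019A-8FED-45BB-BB20-12434374BDAB} Error type: Connection error Error result: 0x80072751 Error code: 0 Error note: Unable to connect via secure gateway Error message: A socket operation was attempted to an unreachable host
"""

# Constructed sample: the same connect failure with no credential or handshake error.
NETWORK_ONLY_LOG = """\
(AeXNSAgent.exe) NetworkOperation Operation 'Connect' failed. Protocol: http Host: CEM.company.com Port: 443 Path: / Http status: 0 Secure: Yes Error type: Connection error Error result: 0x80072751 Error code: 0 Error note: Unable to connect via secure gateway
"""

if __name__ == "__main__":
    print(triage(CLONED_IMAGE_LOG))
    print(triage(NETWORK_ONLY_LOG))
```

A host flagged with check_cert_store still needs the certificate names compared against the machine name as described under Resolution; the log match only narrows down where to look.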
Environment
8.x
Cause
The Deployment Solution image used to create the CEM clients was captured from a machine that already had the Management Agent installed with Cloud Enabled Management mode on. Because Cloud Enabled Management was already enabled, that machine had downloaded the client certificates that were generated for the name of the machine on which the image was prepared. Every machine deployed from the image therefore carries the same client certificates, bearing the name of the originally imaged machine, in its certificate store. These old certificates cause all newly imaged clients to fail when connecting to the Internet Gateway Server.
Resolution
Confirm the cause of the issue:
1. From the Run box in Windows type 'mmc' and press Enter
2. In the mmc console that opens navigate to File --> Add/Remove Snap-in...
3. Select 'Certificates' on the left pane and then click the 'Add >' button
4. In the window that pops up select 'Service Account' and hit the 'Next' button
5. Then make sure 'Local computer' is selected and hit the 'Next' button
6. Scroll down the list that is presented and select 'Symantec Management Agent' and hit the 'Finish' button
7. Then hit the 'OK' button
8. Expand 'Certificates - Service (Symantec Management Agent) on Local Computer' in the left pane
9. Select 'AeXNSClient\Personal --> Certificates' in the left pane
10. The right pane should now show the client certificates used to connect over CEM. If these certificates show the name of the machine on which the image was created and do not match the current machine name, this confirms the cause of the issue.
Resolve the issue:
1. Make sure that the machine on which the base image is captured does not have CEM mode enabled and does not already have the client certificates in place
2. Enable CEM mode only after the image has been deployed to the client machines