Some client machines are not reporting back after migrating them to a new SMP Server. Error code: The agent is revoked (0x80077003)

Article ID: 277129

Products

IT Management Suite

Issue/Introduction

A new SMP Server was set up. The client machines were migrated to this new SMP Server, keeping their pre-existing database. The SMP certificate (as well as the server and agent CA certificates) was migrated too. Most client machines seem to be fine. However, many client machines are not reporting back (not getting new configuration or sending basic inventory) to the new SMP Server. This happens to client machines in CEM mode and even when they have VPN or local network access.
 
The following error message is present in the agent logs:
 
Operation 'Direct: Post' failed. 
Url: HTTPS://<smpserver>.example.net:443/altiris/NS/Agent/PostEvent.asp?encrypted=1&priority=0&source=00000000-0000-0000-0000-000000000000 
Connection path: 3 - Direct: [10.178.xx.xxx] -> <smpserver>.example..net [10.75.xx.xx:443] 
Connection id: 1428.8820 
Communication profile id: {XXXXXXXXXXX-XXXXXXXXXXXX} 
Throttling: 1 10 50 
Connecton stage: Server connect 
Error type: SMP Server error 
Error code: The agent is revoked (0x80077003) 
Error note: SMP server failed the request 
Server SSL connection info: 
   Server certificate: 
      Serial number: XXXXXXXXXXXXXXXXXXXXXXX 
      Thumbprint: XXXXXXXXXXXXXXXXXXXXXXX
   Client certificate: 
      Serial number: N/A 
      Thumbprint: N/A 
   Cryptographic protocol: TLS 1.2 
   Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
   Cipher algorithm: AES 
   Cipher key length: 256 
   Hash algorithm:  
   Hash length: 0 
   Key exchange algorithm: ECDH 
   Key length: 384 
Client SSL attributes for server connection: 
   Client certificate: 
      Serial number: N/A 
      Thumbprint: N/A 
   Cryptographic protocol: TLS 1.0, 1.1, 1.2
-----------------------------------------------------------------------------------------------------
Date: 11/10/2023 1:32:25 PM, Tick Count: 251023930 (2.21:43:43.9300000), Size: 1.44 KB
Process: AeXNSAgent.exe (8820), Thread ID: 31128, Module: AeXNetComms.dll
Priority: 1, Source: NetworkOperation
 
The concern is that the certificates should still be valid, since the SMP server name and IP address were kept, and the client machines were not manually revoked.

Note:
On one of those client machines the customer ran aexnschttps.exe and that solved the problem. Before doing that, the client machine was connected to the internal network and still didn't get a new policy.
We checked whether that client machine was revoked: in the "Agent Registration Status" report (under Reports>All Reports>Notification Server Management>Registration) the machine was not listed as revoked.
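When many clients are affected, the quickest way to find them is to scan the agent logs for the exact error code above and list which clients hit it, so that each one can be cross-checked against the "Agent Registration Status" report before deciding whether it was revoked on purpose. The following Python script is an added example written for this article, not code from Broadcom or the ITMS product; the sample log text, host names, IP addresses and the second entry's error code are constructed placeholders that only mimic the shape of the AeXNSAgent log excerpt shown above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Error code the article documents for the "agent is revoked" condition.
AGENT_REVOKED_CODE = 0x80077003

# Constructed sample log: two entries in the shape of the AeXNSAgent log excerpt
# above. Host names, IPs, serials and the second entry's error code are placeholders.
SAMPLE_LOG = """Operation 'Direct: Post' failed.
Url: HTTPS://smpserver.example.net:443/altiris/NS/Agent/PostEvent.asp?encrypted=1&priority=0&source=00000000-0000-0000-0000-000000000000
Connection path: 3 - Direct: [10.178.0.10] -> smpserver.example.net [10.75.0.5:443]
Connection id: 1428.8820
Error type: SMP Server error
Error code: The agent is revoked (0x80077003)
Error note: SMP server failed the request
Server SSL connection info:
   Server certificate:
      Serial number: 01AB
      Thumbprint: PLACEHOLDER
   Client certificate:
      Serial number: N/A
      Thumbprint: N/A
   Cryptographic protocol: TLS 1.2
Date: 11/10/2023 1:32:25 PM, Tick Count: 251023930 (2.21:43:43.9300000), Size: 1.44 KB
Process: AeXNSAgent.exe (8820), Thread ID: 31128, Module: AeXNetComms.dll
Priority: 1, Source: NetworkOperation

Operation 'Direct: Post' failed.
Url: HTTPS://smpserver.example.net:443/altiris/NS/Agent/PostEvent.asp?encrypted=1&priority=0&source=00000000-0000-0000-0000-000000000000
Connection path: 3 - Direct: [10.178.0.11] -> smpserver.example.net [10.75.0.5:443]
Error type: SMP Server error
Error code: Constructed placeholder error, not a real SMP code (0x0000FFFF)
Date: 11/10/2023 1:40:02 PM, Tick Count: 251500000 (2.21:51:40.0000000), Size: 1.20 KB
Process: AeXNSAgent.exe (8820), Thread ID: 31128, Module: AeXNetComms.dll
Priority: 1, Source: NetworkOperation
"""

_OP_RE = re.compile(r"^Operation '(?P<op>[^']+)' failed\.")
_URL_RE = re.compile(r"^Url:\s*(?P<url>\S+)")
_PATH_RE = re.compile(r"^Connection path:.*\[(?P<client>[^\]]+)\]\s*->\s*(?P<host>\S+)\s*\[(?P<server>[^\]]+)\]")
_ERR_TYPE_RE = re.compile(r"^Error type:\s*(?P<t>.+?)\s*$")
_ERR_CODE_RE = re.compile(r"^Error code:\s*(?P<msg>.+?)\s*\((?P<code>0x[0-9A-Fa-f]+)\)\s*$")
_DATE_RE = re.compile(r"^Date:\s*(?P<date>[^,]+),")
_SERIAL_RE = re.compile(r"^Serial number:\s*(?P<serial>.+?)\s*$")


@dataclass
class AgentLogEntry:
    operation: str = ""
    server_host: str = ""
    client_ip: str = ""
    server_endpoint: str = ""
    error_type: str = ""
    error_message: str = ""
    error_code: Optional[int] = None
    client_cert_serial: str = ""   # first "Client certificate" block only
    date: str = ""

    @property
    def is_revoked(self) -> bool:
        return self.error_code == AGENT_REVOKED_CODE


def parse_entry(text: str) -> AgentLogEntry:
    """Parse one failed-operation entry into its security-relevant fields."""
    entry = AgentLogEntry()
    in_client_cert = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := _OP_RE.match(line):
            entry.operation = m["op"]
        elif m := _URL_RE.match(line):
            entry.server_host = urlparse(m["url"]).hostname or ""
        elif m := _PATH_RE.match(line):
            entry.client_ip, entry.server_endpoint = m["client"], m["server"]
        elif m := _ERR_TYPE_RE.match(line):
            entry.error_type = m["t"]
        elif m := _ERR_CODE_RE.match(line):
            entry.error_message = m["msg"]
            entry.error_code = int(m["code"], 16)
        elif m := _DATE_RE.match(line):
            entry.date = m["date"].strip()
        elif line.startswith("Server certificate:"):
            in_client_cert = False
        elif line.startswith("Client certificate:"):
            in_client_cert = True
        elif in_client_cert and not entry.client_cert_serial and (m := _SERIAL_RE.match(line)):
            entry.client_cert_serial = m["serial"]
    return entry


def split_entries(log_text: str) -> List[str]:
    # Entries in the constructed sample are separated by a blank line.
    return [b for b in re.split(r"\n\s*\n", log_text.strip()) if b.strip()]


def revoked_entries(log_text: str) -> List[AgentLogEntry]:
    return [e for e in map(parse_entry, split_entries(log_text)) if e.is_revoked]


def revoked_report(log_text: str) -> List[dict]:
    """One row per post that failed with 0x80077003, for cross-checking with the
    Agent Registration Status report before treating the client as revoked."""
    return [{"date": e.date, "client_ip": e.client_ip, "server": e.server_host,
             "client_cert_serial": e.client_cert_serial, "operation": e.operation}
            for e in revoked_entries(log_text)]


if __name__ == "__main__":
    for row in revoked_report(SAMPLE_LOG):
        print(row)
```

Run the script against a saved copy of the agent log (replace SAMPLE_LOG with the file contents) to get a list of client IP, timestamp and target server for each revoked post; the second sample entry, with its placeholder error code, is there only to show that other failures are filtered out.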

Environment

ITMS 8.7.x

Cause

Known issue. At the time of re-registration, the Symantec Management Agent requests CEM certificates, and that clears the "revocation" flag on the SMP server.

Unfortunately, the "agent is revoked" error has never triggered automatic agent re-registration, because re-registration should not be possible when the Symantec Management Agent is genuinely revoked. A bug on the SMP server, however, put these client machines into a revoked state when they should not have been.

Here the Symantec Management Agent appears revoked on the SMP server, yet re-registration succeeds after the Symantec Management Agent service is restarted, so the agent is not actually revoked. Normally, if a client is revoked, restarting the agent should not help at all: every call the client machine makes to the SMP server must fail with the "client is revoked" error. This is a security control, and an administrator must manually re-enable revoked clients in the SMP Console.

The fix therefore needed to start the re-registration process when a revoked error is returned by the post-event call.

Resolution

This issue has been reported to the Broadcom Development team. A code change has been added to the ITMS 8.7.2 release: from 8.7.2 onwards, the Symantec Management Agent re-registers automatically in this case, so no agent restart is needed.

The Client side has been changed as below:

  • The "agent is revoked" error triggers agent re-registration if that error is received during NSE or basic inventory posting.
  • A basic inventory attempt will be retried in 60 minutes if it was the basic inventory posting that triggered the error.
  • NSE posting will be retried in 60 minutes if it was an NSE posting that triggered the error.

Pointfix:

A pointfix for 8.7.1 is available. See KB 273903 "CUMULATIVE POST ITMS 8.7.1 POINT FIXES"


Workaround:

A simple Symantec Management Agent service restart or /resetguid should help, i.e. the Symantec Management Agent should then try to re-register on the SMP server. We consider a client restart the best approach for now, since one happens at least once a week because of Windows updates, so all machines should eventually be re-registered.