Unable to connect to Internet Site Server while "Prefer CEM gateway connection if VPN connection is established" is in use

Article ID: 395060


Products

IT Management Suite

Issue/Introduction

You are having an issue with how the client machines are identifying your Internet Site Server when connected via VPN. You had configured the Symantec Management Agent (SMA or Altiris Agent) so that, in scenarios where the computer is connected to both the Internet and the VPN, it uses the Internet Gateway (altiriscloud.mainExampleDomain.com) instead of the SMP Server (SMPServer.mainExampleDomain.com).

The only solution you have found to force the correct Site Server (one of your Internet Site Servers) assignment was to block access to the SMP Server when connected via VPN, allowing it to only reach the server through altiriscloud.mainExampleDomain.com. This started working correctly, just as it does when the device is connected only to the Internet in CEM (Cloud-enabled Management) Mode.

Now that you've enabled the Site to resolve to the VPN and it's connected via Internet Gateway, why is it trying to assign an internal site?

Environment

ITMS 8.7.x

Cause

Network configuration. 

In past cases, the cause has usually been the configuration of the Site and its subnets (administrators sometimes forget to remove the VPN addresses/subnets of their other Sites) or how traffic to those IP addresses is redirected internally.

You are using the following Setting:

"Prefer CEM gateway connection if VPN connection is established"
 
You can find more details on how it works under:
 

Resolution

Make sure the proper redirections occur in your network while trying to reach the Internet Site Server.

For this scenario, the desired Internet Site Server had network configuration issues where some of the internal communication was blocked. The Internet Site Server was removed from the "Servers" tab on the Internet Gateway and you added a new one with less restricted access.

For example, suppose you can't reach the Internet Site Server while the "Prefer CEM gateway connection if VPN connection is established" setting is selected.

In this example, SS-cloud.mainExampleDomain.com is the desired Internet Site Server. SS-Internal.mainExampleDomain.com is your internal Site Server.

Make sure SS-cloud.mainExampleDomain.com is one of the servers displayed under the "Servers" tab in your Internet Gateway Manager UI and that it can communicate over the specified port (by default port 4726).

Here is an example of how you could find such information and follow what the agent is trying to do:

  1. Initially, you should see a reference for SS-Internal.mainExampleDomain.com:
     
    Local IP for 'https://SS-Internal.mainExampleDomain.com:443' changed from '192.168.109.227' to '192.168.137.1'
    -----------------------------------------------------------------------------------------------------
    Date: 4/10/2025 4:20:55 PM, Tick Count: 795031187 (9.04:50:31.1870000), Size: 330 B
    Process: AeXNSAgent.exe (7036), Thread ID: 12776, Module: AeXNetMon.dll
    Priority: 4, Source: NetworkMonitor
     
    This entry shows that when the client machine switches from CEM Mode to a VPN connection, it sees the new IP addresses for the Internal Site Server (SS-Internal.mainExampleDomain.com).

  2. Then, you should see the same but for the Internet Site Server (SS-cloud.mainExampleDomain.com):

    Remote IP for 'https://SS-cloud.mainExampleDomain.com:443' changed from '10.85.105.198' to '103.xxx.3.x4'
    -----------------------------------------------------------------------------------------------------
    Date: 4/10/2025 4:20:55 PM, Tick Count: 795031187 (9.04:50:31.1870000), Size: 328 B
    Process: AeXNSAgent.exe (7036), Thread ID: 12776, Module: AeXNetMon.dll
    Priority: 4, Source: NetworkMonitor

  3. In this example, there was an error entry in the agent logs about being unable to resolve the IP address and hostname for the Internal Site Server:
     
    Operation 'Direct: Connect' failed.
    Url: HTTPS://SS-Internal.mainExampleDomain.com:443/Altiris/ClientTaskServer/Register.aspx?resTypeGuid=%7B493435F7-3B17-4C4C-B07F-C23E7AB7781F%7D&sysType=Win64&version=8.7.2340&resourceGuid=4396a582-e62f-46d2-bc23-f992ecbeb2a0&crc=0008000700000924
    Connection path: 6 - Direct: [192.168.137.1] -> SS-Internal [103.xxx.3.x4:80]
    Connection id: 276.7036
    Communication profile id: {xxxxxxxxxxxxxx-44CEB270B8D0}
    Throttling: 0 0 0
    Connecton stage: Server connect
    Error type: Connection error
    Error code: A socket operation was attempted to an unreachable host (10065)

    Error note: Failed to connect sync socket 00000000000014F0 to 103.xxx.3.x4:80
     
    Task Server Connection: Failed to request 'https://SS-Internal.mainExampleDomain.com:443/Altiris/ClientTaskServer/Register.aspx?resTypeGuid={493435F7-3B17-4C4C-B07F-C23E7AB7781F}&sysType=Win64&version=8.7.2340&resourceGuid=4396a582-e62f-46d2-bc23-f992ecbeb2a0&crc=0008000700000924', error: A socket operation was attempted to an unreachable host (0x80072751)
    -----------------------------------------------------------------------------------------------------
    Date: 4/10/2025 4:20:55 PM, Tick Count: 795031203 (9.04:50:31.2030000), Size: 600 B
    Process: AeXNSAgent.exe (7036), Thread ID: 12776, Module: client task agent.dll
    Priority: 2, Source: Client Task Agent

  4. Then, you should see how the agent receives the references for the Site that it belongs to when connected via VPN:
     
    Activating site settings policies set ac6ff889e7aaf5392b29901d0c43d7033b45e844e852e850a43dd8b450b2699e [172.17.85.0/24, 192.168.109.0/24, 192.168.137.0/24, 192.168.139.0/24]:
    1 site[s]:
    Site 'EXAMPLE - SITE INTERNET', ID '{4FF9D7BE-428C-4B01-BF4F-A9F6C8CDA657}', order 0, max transfers -1, max speed -1, deny 0x00000000:
    10.1.0.0/16.
    10.2.0.0/16.
    10.82.0.0/16.
    10.99.0.0/16.
    10.150.0.0/16.
    10.182.0.0/16.
    10.199.1.0/24.
    10.199.6.0/24.
    10.199.110.0/24.
    10.252.0.0/22.
    10.252.31.0/24.
    192.168.78.0/24.
    192.168.107.0/24.
    192.168.108.0/24.
    192.168.109.0/24.
    192.168.110.0/24.
    192.168.190.0/24.
    192.168.191.0/24.
    192.168.223.0/24.
    192.168.224.0/24.
    192.168.228.0/24.

    -----------------------------------------------------------------------------------------------------
    Date: 4/10/2025 4:21:06 PM, Tick Count: 795043031 (9.04:50:43.0310000), Size: 1005 B

    Process: AeXNSAgent.exe (7036), Thread ID: 9420, Module: AeXNSAgent.exe
    Priority: 4, Source: ConfigServer

  5. You may have noticed that the agent IP Addresses from steps 1 and 2: 
     
    Local IP for 'https://SS-Internal.mainExampleDomain.com' changed from '192.168.109.227' to '192.168.137.1'
    -----------------------------------------------------------------------------------------------------
    Remote IP for 'https://SS-Internal.mainExampleDomain.com:443' changed from '10.85.105.198' to '103.xxx.3.x4'
     
    are not part of the Subnets listed for 'EXAMPLE - SITE INTERNET' in step 4 above.

  6. In this example, the agent keeps trying to register to the Internal Site Server:

    Task Server Connection: Attempting to register on Task Server 'SS-Internal.mainExampleDomain.com' using 'https://SS-Internal.mainExampleDomain.com:443/Altiris/ClientTaskServer/Register.aspx'
    -----------------------------------------------------------------------------------------------------
    Date: 4/10/2025 4:21:07 PM, Tick Count: 795043093 (9.04:50:43.0930000), Size: 414 B
    Process: AeXNSAgent.exe (7036), Thread ID: 12776, Module: client task agent.dll
    Priority: 4, Source: Client Task Agent
     
    but it fails:

    [D8:OUT_GTW: 1028 -> C10, RECV: 5361E423] CONNECT request failed, error: HTTP status 500: An unexpected condition prevented the server from fulfilling the request (0x8FA101F4)
    -----------------------------------------------------------------------------------------------------
    Date: 4/10/2025 4:21:12 PM, Tick Count: 795048750 (9.04:50:48.7500000), Size: 419 B
    Process: AeXNSAgent.exe (7036), Thread ID: 27596, Module: AeXNetComms.dll
    Priority: 1, Source: SMAIO.SSLProxy.Socket
     
    [254D8930890, WS: 1240] Failed to upgrade 'SS-Internal.mainExampleDomain.com:443;SS-Internal:443' connection, error: An unexpected network error occurred. (0x0000003B)
    -----------------------------------------------------------------------------------------------------
    Date: 4/10/2025 4:21:12 PM, Tick Count: 795048765 (9.04:50:48.7650000), Size: 384 B
    Process: AeXNSAgent.exe (7036), Thread ID: 12776, Module: AeXNetComms.dll
    Priority: 2, Source: SMAIO.WSTransport.COM

  7. As you keep looking, you may see messages like:
     
    Operation 'CEM: Connect' failed.
    Url: HTTPS://SS-Internal.mainExampleDomain.com:443/Altiris/ClientTaskServer/Register.aspx?resTypeGuid=%7B493435F7-3B17-4C4C-B07F-C23E7AB7781F%7D&sysType=Win64&version=8.7.2340&resourceGuid=4396a582-e62f-46d2-bc23-f992ecbeb2a0&crc=0008000700000924
    Connection path: 24? - Via gateway 1: [192.168.109.227 VPN] -> altiriscloud.mainExampleDomain.com [Unknown:443] -> SS-Internal:443
    Connection id:  
    Communication profile id: {xxxxxxxxxxxx-44CEB270B8D0}
    Throttling: 0 0 0
    Connecton stage: DNS resolve
    Error type: DNS error
    Error code: Host desconocido (11001)
    Error note: Failed to resolve FQDN and short name of 'altiriscloud' to an IP address

    -----------------------------------------------------------------------------------------------------
    Date: 4/10/2025 4:30:15 PM, Tick Count: 795591359 (9.04:59:51.3590000), Size: 919 B
    Process: AeXNSAgent.exe (7036), Thread ID: 12776, Module: AeXNetComms.dll
    Priority: 1, Source: NetworkOperation
     
    Task Server Connection: Failed to request 'https://SS-Internal.mainExampleDomain.com:443/Altiris/ClientTaskServer/Register.aspx?resTypeGuid={493435F7-3B17-4C4C-B07F-C23E7AB7781F}&sysType=Win64&version=8.7.2340&resourceGuid=4396a582-e62f-46d2-bc23-f992ecbeb2a0&crc=0008000700000924', error: Unknown Host (0x80072AF9)
    -----------------------------------------------------------------------------------------------------
    Date: 4/10/2025 4:30:15 PM, Tick Count: 795591375 (9.04:59:51.3750000), Size: 554 B
    Process: AeXNSAgent.exe (7036), Thread ID: 12776, Module: client task agent.dll
    Priority: 2, Source: Client Task Agent
     
  8. Then the agent detects an IP address change:
     
    Remote IP for 'https:SS-Internal.mainExampleDomain.com:443' changed from '103.xxx.3.x4' to '10.85.105.198'
    -----------------------------------------------------------------------------------------------------
    Date: 4/10/2025 4:33:03 PM, Tick Count: 795759968 (9.05:02:39.9680000), Size: 328 B
    Process: AeXNSAgent.exe (7036), Thread ID: 12776, Module: AeXNetMon.dll
    Priority: 4, Source: NetworkMonitor
     
    Operation 'Direct: Connect' failed.
    Url: HTTPS://SS-Internal.mainExampleDomain.com:443/Altiris/ClientTaskServer/Register.aspx?resTypeGuid=%7B493435F7-3B17-4C4C-B07F-C23E7AB7781F%7D&sysType=Win64&version=8.7.2340&resourceGuid=4396a582-e62f-46d2-bc23-f992ecbeb2a0&crc=0008000700000924
    Connection path: 8 - Direct: [192.168.109.227 VPN] -> SS-Internal [10.85.105.198:80]
    Connection id: 280.7036

    Communication profile id: {DFB1B163-DD3D-44BC-A01D-44CEB270B8D0}
    Throttling: 0 0 0
    Connecton stage: Server connect
    Error type: Connection error
    Error code: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond (10060)
    Error note: Failed to connect sync socket 000000000000158C to 10.85.105.198:80

    -----------------------------------------------------------------------------------------------------
    Date: 4/10/2025 4:33:03 PM, Tick Count: 795759984 (9.05:02:39.9840000), Size: 1.09 KB
    Process: AeXNSAgent.exe (7036), Thread ID: 12776, Module: AeXNetComms.dll
    Priority: 1, Source: NetworkOperation
     
    and since the client machine can't reach the IP address (10.85.105.198), the registration fails:
     
    Task Server Connection: Failed to register on Task Server 'SS-Internal.mainExampleDomain.com' over 'https', error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond (0x8007274C)
    -----------------------------------------------------------------------------------------------------
    Date: 4/10/2025 4:33:03 PM, Tick Count: 795760015 (9.05:02:40.0150000), Size: 597 B
    Process: AeXNSAgent.exe (7036), Thread ID: 12776, Module: client task agent.dll
    Priority: 2, Source: Client Task Agent
     
  9. Then the agent tries to clean up its Task Servers list:

    Task Server Connection: Clearing server list
    -----------------------------------------------------------------------------------------------------
    Date: 4/10/2025 4:33:05 PM, Tick Count: 795761343 (9.05:02:41.3430000), Size: 290 B
    Process: AeXNSAgent.exe (7036), Thread ID: 30632, Module: client task agent.dll
    Priority: 4, Source: Client Task Agent
     
    and changes to the one that it actually can reach:

    Task Server Connection: Attempting to register on Task Server 'SS-Cloud.mainExampleDomain.com' using 'https://SS-cloud.mainExampleDomain.com.COM:443/Altiris/ClientTaskServer/Register.aspx'
    -----------------------------------------------------------------------------------------------------
    Date: 4/10/2025 4:33:05 PM, Tick Count: 795761656 (9.05:02:41.6560000), Size: 412 B
    Process: AeXNSAgent.exe (7036), Thread ID: 30632, Module: client task agent.dll
    Priority: 4, Source: Client Task Agent
     
    [254D8930890, WS: EC0] Connected to 'SS-Cloud.mainExampleDomain.com:443;SS-Cloud:443', waiting for connection upgrade
    -----------------------------------------------------------------------------------------------------
    Date: 4/10/2025 4:33:07 PM, Tick Count: 795763203 (9.05:02:43.2030000), Size: 380 B
    Process: AeXNSAgent.exe (7036), Thread ID: 30632, Module: AeXNetComms.dll
    Priority: 4, Source: SMAIO.WSTransport.COM
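
The comparison made in step 5, as an added example that is not part of the original article or of the product's tooling: it parses the "changed from/to" entries and the site entry from step 4, then reports which subnet of the site, if any, each address falls in. The function names are hypothetical, the sample log is abridged from the entries above, and a masked address is reported as unparseable.

```python
import ipaddress
import re

# Constructed sample: log lines abridged from steps 1, 2 and 4 of this article
# (subnet list shortened; the masked address is kept as the article shows it).
LOG = """\
Local IP for 'https://SS-Internal.mainExampleDomain.com:443' changed from '192.168.109.227' to '192.168.137.1'
Remote IP for 'https://SS-cloud.mainExampleDomain.com:443' changed from '10.85.105.198' to '103.xxx.3.x4'
Site 'EXAMPLE - SITE INTERNET', ID '{4FF9D7BE-428C-4B01-BF4F-A9F6C8CDA657}', order 0, max transfers -1, max speed -1, deny 0x00000000:
10.1.0.0/16.
10.82.0.0/16.
10.252.0.0/22.
192.168.108.0/24.
192.168.109.0/24.
192.168.110.0/24.
"""

CHANGE = re.compile(r"(?:Local|Remote) IP for '[^']+' changed from '([^']+)' to '([^']+)'")
SITE = re.compile(r"^[ \t]*Site '([^']+)'.*:\r?\n((?:[ \t]*[\d.]+/\d+\.\r?\n)+)", re.M)


def site_subnets(log):
    """Return {site name: [ip_network, ...]} parsed from 'Site ...' entries."""
    return {name: [ipaddress.ip_network(n) for n in re.findall(r"([\d.]+/\d+)\.", block)]
            for name, block in SITE.findall(log)}


def classify(addr, nets):
    """Matching subnet as text, None if outside every subnet, 'unparseable' if masked."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # e.g. a redacted value such as '103.xxx.3.x4'
        return "unparseable"
    return next((str(n) for n in nets if ip in n), None)


def audit(log, site):
    """Map every address in the 'changed from/to' lines to its verdict for one site."""
    nets = site_subnets(log)[site]
    return {addr: classify(addr, nets)
            for pair in CHANGE.findall(log) for addr in pair}


if __name__ == "__main__":
    for addr, verdict in audit(LOG, "EXAMPLE - SITE INTERNET").items():
        print(f"{addr:>16}  {verdict or 'not in any listed subnet'}")
```

Run against a full agent log, the same check shows whether the address the client holds after the VPN switch is covered by the subnets of the Site you expect it to join.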

Additional Information