CEM clients that were deployed using a master image that was created from a machine that already had Cloud Enabled Management mode enabled will fail to connect to the Internet Gateway Server

Article ID: 162314

Products

IT Management Suite, Client Management Suite

Issue/Introduction

CEM clients that were deployed using a master image that was created from a machine that already had Cloud Enabled Management mode enabled will fail to connect to the Internet Gateway Server. The following errors are logged:

[1] 9/3/2015 10:48:12 AM (AeXNSAgent.exe) TunnelSslDataTransformerImpl
Failed to create new client credential. (0x8009030D)

(AeXNSAgent.exe) MsCryptoSslDataTransformerImpl
InitializeSecurityContext error while client handshake: The message received was unexpected or badly formatted (0x80090326)

(AeXNSAgent.exe) NetworkOperation
Operation 'Connect' failed. 
Protocol: http 
Host: CEM.example.com 
Port: 443 
Path: / 
Http status: 0 
Secure: Yes 
Id: {50FC019A-8FED-45BB-BB20-12434374BDAB} 
Error type: Connection error 
Error result: 0x80072751 
Error code: 0 
Error note: Unable to connect via secure gateway 
Error message: A socket operation was attempted to an unreachable host

(AeXNSAgent.exe) Client Task Agent
Failed to call web interface by url [https://SMP.example.com/Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx?resourceGuid=00c43d13-5fcb-4e75-8917-d0306d845918], error [0x80072751, A socket operation was attempted to an unreachable host.].

Environment

8.x

Cause

The Deployment Solution image used to create the CEM clients was captured from a machine that already had the Management Agent installed with Cloud Enabled Management mode on. Because Cloud Enabled Management was already enabled, that machine had downloaded the client certificates, which were generated for the name of the machine on which the image was prepared. Once the image was deployed to new machines, each of them had the same client certificates, carrying the name of the originally imaged machine, in its certificate store. These old certificates cause all newly imaged clients to fail when connecting to the Internet Gateway Server.

Resolution

Confirm the cause of the issue:
1. From the Run box in Windows, type 'mmc' and press Enter.
2. In the mmc console that opens, navigate to File --> Add/Remove Snap-in...
3. Select 'Certificates' in the left pane and then click the 'Add >' button.
4. In the window that pops up, select 'Service Account' and click the 'Next' button.
5. Make sure 'Local computer' is selected and click the 'Next' button.
6. Scroll down the list that is presented, select 'Symantec Management Agent' and click the 'Finish' button.
7. Click the 'OK' button.
8. Expand 'Certificates - Service (Symantec Management Agent) on Local Computer' in the left pane.
9. Select 'AeXNSClient\Personal --> Certificates' in the left pane.
10. The right pane should now show the client certificates used to connect over CEM. If these certificates show the name of the machine on which the image was created and do not match the current machine name, this confirms the cause of the issue.
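
The check in steps 1 to 10 can also be scripted. The PowerShell below is an added example, not part of the original article or of Symantec's tooling. It assumes the service name 'AeXNSClient' from step 9, that the 'Personal' store is the registry-backed 'My' store in the standard Windows service-store location, and that the certificate subject carries the machine name.

```powershell
# Added example, not from the original article.
# Assumptions: service name 'AeXNSClient' (from the snap-in path in step 9), the
# 'Personal' store is the registry-backed 'My' store in the standard Windows
# service-store location, and the certificate subject carries the machine name.
$storeKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Services\AeXNSClient\SystemCertificates\My\Certificates'

function Get-DerFromRegistryBlob {
    param([byte[]]$Blob)
    # A registry certificate blob is a run of property records: 4-byte property
    # id, 4-byte reserved field, 4-byte data length, then the data itself.
    # Property id 32 (CERT_CERT_PROP_ID) holds the DER-encoded certificate.
    $offset = 0
    while ($offset + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToInt32($Blob, $offset)
        $length = [BitConverter]::ToInt32($Blob, $offset + 8)
        $start  = $offset + 12
        # Stop on a truncated or corrupt record instead of reading past the end.
        if ($length -lt 0 -or $start + $length -gt $Blob.Length) { return $null }
        if ($propId -eq 32 -and $length -gt 0) {
            return [byte[]]$Blob[$start..($start + $length - 1)]
        }
        $offset = $start + $length
    }
    return $null
}

if (Test-Path $storeKey) {
    Get-ChildItem $storeKey | ForEach-Object {
        $blob = (Get-ItemProperty -Path $_.PSPath -Name Blob).Blob
        $der  = Get-DerFromRegistryBlob -Blob $blob
        if ($null -eq $der) { return }   # skips this entry only
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
        $name = $cert.GetNameInfo('SimpleName', $false)
        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            IssuedTo    = $name
            NotAfter    = $cert.NotAfter
            # False means the certificate names another machine (the image source).
            # $env:COMPUTERNAME is the NetBIOS name, at most 15 characters.
            MatchesHost = $name -like "*$env:COMPUTERNAME*"
        }
    }
} else {
    Write-Output "No certificate store found at $storeKey"
}
```

A MatchesHost value of False on a freshly imaged client corresponds to the name mismatch described in step 10.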

Resolve the issue:
1. Run the 'Prepare for Image Capture' task with Sysprep on the client machine before capturing an image. This task is designed to remove machine-specific identifiers to prevent deployment issues.
OR
1. Make sure that the machine on which the base image is captured does not have CEM mode enabled and does not have the client certificates already in place.
2. Enable CEM mode only after the image is deployed on the client machines.