Policy Manager can't contact client, seems to ...

Alfa
Alfa Posts: 16 Security Scout

Hi!
Windows 7 Pro SP1, F-Secure Client Security 12.30. It seems that Windows has lost contact with PM according to PM, but ... the client does get all updates etc., and no error is showing. The only thing confirming the PM info is that on the client side neither the timestamp nor the counter in the Policy information section in Settings is changing. On the PM side the last contact info is from 23.12 last year, but the client side shows 15.02, when the last upgrade (to 12.30) was performed. (I don't have the option to see the PM info; I was told about this.) Nothing seems to be wrong in Windows events either.
Any ideas how to ... dig deeper to find out the reason?
More thanks, Alar.

Comments

  • Vad
    Vad Posts: 1,069 Cybercrime Crusader

    Hello Alar,

     

    The client downloads updates from PM using the HTTP protocol and port 80 by default.

    Policies are received using the HTTPS protocol and port 443 by default.

    ProgramData\F-Secure\Logs\fspmsupport\nrb.log may shed light on what could be wrong in your case.

    If you are not able to resolve the problem yourself, please contact support.

     

    Best regards,

    Vad

  • Alfa
    Alfa Posts: 16 Security Scout

    Hi and thanks!
    In the nrb.log log I see again and again ...
    2017-02-27 09:01:51.902     UTC+02:00 1600:2814 #1  Preparing to download task 0: from 'https://<ip>/fsms/fsmsh.dll' to '""'
    2017-02-27 09:02:12.931     UTC+02:00 1600:2814 #2  Exception occurred. Type: Win32Exception, Reason: , Function: fs::net::detail::BaseWinHttpRequest::submit, File: "D:\\SDK\\fs\\fsnet\\1.1\\src\\WinHttpRequest.cpp", Line: 112, Error Code : 12002
    Does this mean something to you?
    More thanks, Alar.

  • Vad
    Vad Posts: 1,069 Cybercrime Crusader

    12002 is a WinHTTP error code:

    ERROR_WINHTTP_TIMEOUT

        12002

        The request has timed out.

    This means the server did not respond in the specified time. This is not a client problem. Either the server is not working properly or it's not reachable from the client.

    Please check the communication settings.

     

    Best regards,

    Vad

  • aimutch
    aimutch Member Posts: 28 Junior Protector

    We've been experiencing this same problem with some of our clients. If you go into the log file on the client, you'll likely see an error message about it failing to connect to the server. 

     

    Things we've tried that haven't helped:

     

     - Completely uninstalling and reinstalling the client

     - Removing the client from the PM with the hope that they would reconnect - they didn't. 

     - Changing policy settings on the PM related to polling frequency.

     

    This has affected both Windows 7 and 10 Enterprise clients. In our case, it actually started with 12.20 but upgrading to 12.30 on the clients didn't fix the problem. F-Secure has pointed at a network communication problem but we have 20 clients on the same subnet with the same network configuration and only 5-7 clients in this group of 20 are affected.

     

    As you noted, the clients continue to get AV definition updates. But the clients don't connect to the Policy Manager server. One recommendation we haven't tried yet is to change the ports that F-Secure uses for communication. But it's not clear to me how we push that policy change to clients that aren't talking to the server. 

  • Vad
    Vad Posts: 1,069 Cybercrime Crusader

    Hello aimutch,

     

    Do you have anything special in nrb.log on affected clients?

    Please note that there is a public hotfix for CS 12.20 related to communication with PMS. CS 12.30 doesn't have this problem.

    Also, here: https://community.f-secure.com/t5/Business/Warnings-in-Policy-Manager-after/m-p/91712#M6432

    you can find a recommendation on how to check whether communication with PMS is possible from the client side.

     

    Best regards,

    Vad

  • Alfa
    Alfa Posts: 16 Security Scout

    Hi and thanks!
    I looked a bit back ... yes, you're correct, on this particular computer it was the same during 12.20; actually, yes, it started around this 12.20 setup. I can't be 99% sure, but after the initial 12.20 it was OK, but this connection was definitely lost after the fnrb hotfix.
    I checked and forwarded some info to our PM admin (my hands are too short to have an overview), so there are things we must check out.
    More thanks, Alar.

  • aimutch
    aimutch Member Posts: 28 Junior Protector

    I hadn't been asked to check the NRB.log but here's what I'm seeing there over and over again:

     

    2  Exception occurred. Type: Win32Exception, Reason: , Function: fs::net::detail::BaseWinHttpRequest::submit, File: "D:\\SDK\\fs\\fsnet\\1.1\\src\\WinHttpRequest.cpp", Line: 112, Error Code : 12030

     

    This started 12/23/2016 and is still showing up in the log file today.

     

    This corresponds to this error we see in LogFile.log

     

    2017-03-01 08:41:54-05:00 WATE-ADULT2 SYSTEM F-Secure Management Agent 1.3.6.1.4.1.2213.11.1.14
    F-Secure Management Agent was not able to connect to the server and is now operating in Offline Mode. (error number 12030: The connection with the server was terminated abnormally )

     

     

  • Vad
    Vad Posts: 1,069 Cybercrime Crusader

    Hello aimutch,

     

    Please check whether the update described in Microsoft Security Bulletin MS14-066 ( https://technet.microsoft.com/en-us/library/security/ms14-066.aspx ) is installed on your client machines. If not, try to install it.

     

    Best regards,

    Vad

  • aimutch
    aimutch Member Posts: 28 Junior Protector

    That update doesn't apply to Windows 10. I can check on my Windows 7 clients having this problem but normally, we keep our systems fully patched. 

  • Alfa
    Alfa Posts: 16 Security Scout

    Hi!
    Well, yes, let's say insufficient HTTPS access was the reason here. As soon as we sorted this out, communication was in order again.
    More thanks, Alar.
    Btw., in nrb.log I saw ...
    1600:2814 #1  Preparing to download task 0: from 'https://<ip>/fsms/fsmsh.dll' to '""'
    1600:2814 #2  Exception occurred. Type: Win32Exception, Reason: , Function: fs::net::detail::BaseWinHttpRequest::submit, File: "D:\\SDK\\fs\\fsnet\\1.1\\src\\WinHttpRequest.cpp", Line: 112, Error Code : 12002

  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    Hi,

    Exception occurred. Type: Win32Exception, Reason: , Function: fs::net::detail::BaseWinHttpRequest::submit, File: "D:\\SDK\\fs\\fsnet\\1.1\\src\\WinHttpRequest.cpp", Line: 112, Error Code : 12002

    Error code 12002 usually happens if the IP address of Policy Manager has changed (if I get it right, that means IP address, not DNS name), the address is unreachable, or a firewall blocks the connection to it. For instance, if you take your notebook home, where the specified IP is unreachable or corresponds to another computer, the request to the specified IP times out and the above exception is logged.

  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    Hi,

    Exception occurred. Type: Win32Exception, Reason: , Function: fs::net::detail::BaseWinHttpRequest::submit, File: "D:\\SDK\\fs\\fsnet\\1.1\\src\\WinHttpRequest.cpp", Line: 112, Error Code : 12030

    First of all, please try to open the PM URL in the browser on the problematic computer. Please use the URL that is specified as the Management server address on the Central management page of Client Security Settings. If the browser refuses to open the welcome page, it probably means something at your host rejects TLS 1.0, 1.1 or 1.2 client connections. If there is a proxy between the client computer and PM, it can also be a reason.

     

    Please also collect fsdiag on the problematic computer and post here the content of the following files inside the fsdiag.tar.gz\network directory: reg_fipsalgorithmpolicy.log, reg_schannel.log and tlsinfo.log.

     

    But the best I can propose is to contact support and provide the full fsdiag from the problematic computer.
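
An added example, not part of any post above and not F-Secure code: a small triage script for nrb.log that pairs each "Exception occurred" line with the URL being fetched on the same thread and summarises failures by WinHTTP error code, following the readings of 12002 and 12030 given in the replies. The field layout (`pid:tid #seq`), the host `pm.example.invalid` and the sample lines are assumptions constructed from the lines quoted in the thread.

```python
import re

# WinHTTP codes quoted in the thread. The 12030 constant name comes from the
# WinHTTP error list, not from the page; the hints paraphrase the replies.
WINHTTP = {
    12002: ("ERROR_WINHTTP_TIMEOUT",
            "no answer: check PM address, reachability, firewall (HTTPS)"),
    12030: ("ERROR_WINHTTP_CONNECTION_ERROR",
            "connection cut: check TLS/Schannel settings and any proxy"),
}
TS = re.compile(r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
TID = re.compile(r"\b(\d+:[0-9A-Fa-f]+)\s+#\d+")  # assumed "pid:tid #seq" field
PREP = re.compile(r"Preparing to download task \d+: from '([^']*)'")
EXC = re.compile(r"Exception occurred\..*?Error Code\s*:\s*(\d+)")

def triage(lines):
    """Group failed requests by (URL, WinHTTP code) with count and time span."""
    pending, out = {}, {}  # pending: thread id -> URL of the request in flight
    for line in lines:
        tid = (TID.search(line) or [None, None])[1]
        ts = (TS.match(line) or [None, None])[1]
        if m := PREP.search(line):
            pending[tid] = m[1]
        elif m := EXC.search(line):
            key = (pending.get(tid, "unknown"), int(m[1]))
            rec = out.setdefault(key, {"count": 0, "first": ts, "last": ts})
            rec["count"] += 1
            rec["last"] = ts or rec["last"]
    return out

def report(stats):
    """One summary line per failure group, most frequent first."""
    rows = []
    for (url, code), s in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        name, hint = WINHTTP.get(code, ("UNKNOWN", "look up the WinHTTP code"))
        rows.append(f"{s['count']}x {code} {name} {url} "
                    f"[{s['first']} .. {s['last']}] -> {hint}")
    return rows

# Constructed sample modelled on the quoted lines; the host is a placeholder.
SAMPLE = r'''
2017-02-27 09:01:51.902  UTC+02:00 1600:2814 #1  Preparing to download task 0: from 'https://pm.example.invalid/fsms/fsmsh.dll' to '""'
2017-02-27 09:02:12.931  UTC+02:00 1600:2814 #2  Exception occurred. Type: Win32Exception, Reason: , Line: 112, Error Code : 12002
2017-02-27 09:12:12.100  UTC+02:00 1600:2814 #3  Preparing to download task 0: from 'https://pm.example.invalid/fsms/fsmsh.dll' to '""'
2017-02-27 09:12:33.150  UTC+02:00 1600:2814 #4  Exception occurred. Type: Win32Exception, Reason: , Line: 112, Error Code : 12002
2  Exception occurred. Type: Win32Exception, Reason: , Line: 112, Error Code : 12030
'''.splitlines()

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE))))
```

Lines that lack the timestamp and thread prefix, like the 12030 line pasted in the thread, are still counted but are attributed to the URL "unknown".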

This discussion has been closed.
