SOLVED Client Status 'question mark' and disconnected/offline

[Gaurish]

Dear Prajwal,

We are having issues with the Secondary site server clients, where all clients show the status as question mark or offline. CCM client push and installation happens successfully.
This only happens after the secondary site is added and the boundaries are created for that site, and the clients start seeing to the secondary site MP (assigned site code is of primary).
For client connection we use HTTP.

However, the clients which are at the primary server location report the status fine, and also if the secondary site is not present then the clients report proper status.

In the Secondary Site BgbServer.log, I see the following errors:

Failed to authenticate with client [::ffff:10.55.52.119]:65118.
Can't find corresponding certificate used in client registration for client (Type: SCCM ID: GUIDDB58FB0-B5DE-4942-A02B-49E3C8F7E57D)
Can't do post authentication without client certificate stored in registration.

Any hints or suggestions will be very helpful.

Thanks,
Gaurish

 

[Omega31]

Hello Gaurish,

I am having the same issue post KB0419926 update but am unsure if related as worked for a few days after the update.

Primary site is ok and only Secondary site is affected.

I can also see Secondary site clients "CCM Notification Agent" is now Disabled

Have you had any success resolving this issue ?

Thanks,
Jason

 

[Prajwal Desai]

A question mark appears when the client agent is installed but no data is available. Do you get an option to manually approve the client when you right them ?. I would suggest you check the boundaries once again and also under hierarchy settings, what is the client approval method set to ?.

 

[Omega31]

Hi Prajwal,

Pre KB0419926 hotfix everything was ok, (also applied recent updated which include the .NET 4.7 update) Boundaries are configured correctly.

I have attempted to install another Secondary Site and and change MP to new Site but I got the same error.
Communication is configured over HTTP. no PKI is configured.
All Components and SIte Status are in an ok status.

Client logs

]LOG]!><time="23:36:33.951+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="event.cpp:840">
<![LOG[Successfully queued event on HTTP/HTTPS failure for server 'SCCM-SECONDARY01.DOMAIN.com'.]LOG]!><time="23:36:33.967+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="ccmhttperror.cpp:357">
<![LOG[Failed to post continue request with error code 87d0027e.]LOG]!><time="23:36:33.967+300" date="07-30-2017" component="BgbAgent" context="" type="3" thread="4800" file="bgbhttpclient.cpp:286">
<![LOG[Failed to signin bgb client with error = 87d0027e.]LOG]!><time="23:36:33.967+300" date="07-30-2017" component="BgbAgent" context="" type="3" thread="4800" file="bgbcontroller.cpp:635">
<![LOG[Sleep 11 seconds to restart client...]LOG]!><time="23:36:33.967+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbcontroller.cpp:469">
<![LOG[Critical Battery: [FALSE]]LOG]!><time="23:36:44.977+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbcommon.cpp:60">
<![LOG[Connection Standy: [FALSE]]LOG]!><time="23:36:44.977+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbcommon.cpp:61">
<![LOG[Network allowed to use: [TRUE]]LOG]!><time="23:36:44.977+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbcommon.cpp:62">
<![LOG[Access point is SCCM-SECONDARY01.DOMAIN.com. (SSLEnabled = 0)]LOG]!><time="23:36:44.977+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbcontroller.cpp:276">
<![LOG[CRL Checking is Enabled.]LOG]!><time="23:36:44.977+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbcontroller.cpp:284">
<![LOG[Both TCP and http are enabled, let's try TCP connection first.]LOG]!><time="23:36:44.992+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbcontroller.cpp:792">
<![LOG[Connecting to server with IP: 10.16.0.51 Port: 10123
]LOG]!><time="23:36:44.992+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbtcpclient.cpp:699">
<![LOG[Handshake was successful
]LOG]!><time="23:36:45.008+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbtcpclient.cpp:495">
<![LOG[Pass verification on server certificate.]LOG]!><time="23:36:45.008+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbtcpclient.cpp:823">
<![LOG[Update the timeout to 900 second(s)]LOG]!><time="23:36:45.008+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbtcpclient.cpp:916">
<![LOG[Connection is reset
]LOG]!><time="23:36:45.023+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbtcpclient.cpp:998">
<![LOG[Failed to receive buffer from server with err=0x80090304.]LOG]!><time="23:36:45.023+300" date="07-30-2017" component="BgbAgent" context="" type="3" thread="4800" file="bgbtcpclient.cpp:924">
<![LOG[Failed to signin bgb client with error = 80090304.]LOG]!><time="23:36:45.023+300" date="07-30-2017" component="BgbAgent" context="" type="3" thread="4800" file="bgbcontroller.cpp:635">
<![LOG[Connecting to server with IP: 10.16.0.51 Port: 10123
]LOG]!><time="23:37:45.034+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbtcpclient.cpp:699">
<![LOG[Handshake was successful
]LOG]!><time="23:37:45.049+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbtcpclient.cpp:495">
<![LOG[Pass verification on server certificate.]LOG]!><time="23:37:45.065+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbtcpclient.cpp:823">
<![LOG[Connection is reset
]LOG]!><time="23:37:45.080+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbtcpclient.cpp:998">
<![LOG[Failed to receive buffer from server with err=0x80090304.]LOG]!><time="23:37:45.080+300" date="07-30-2017" component="BgbAgent" context="" type="3" thread="4800" file="bgbtcpclient.cpp:924">
<![LOG[Failed to signin bgb client with error = 80090304.]LOG]!><time="23:37:45.080+300" date="07-30-2017" component="BgbAgent" context="" type="3" thread="4800" file="bgbcontroller.cpp:635">
<![LOG[Fallback to HTTP connection.]LOG]!><time="23:37:45.080+300" date="07-30-2017" component="BgbAgent" context="" type="1" thread="4800" file="bgbcontroller.cpp:828">
<![LOG[Raising event:

bgbserver log

Can't find corresponding certificate used in client registration for client (Type: SCCM ID: GUID:22D5B205-DB47-4B79-9965-DDC64165EC00)~~ $$<SMS_NOTIFICATION_SERVER><08-01-2017 05:39:59.003-600><thread=8404 (0x20D4)>
Can't verify signature in message without client certificate for client SCCM GUID:22D5B205-DB47-4B79-9965-DDC64165EC00~~ $$<SMS_NOTIFICATION_SERVER><08-01-2017 05:39:59.003-600><thread=8404 (0x20D4)>
Invalid hook to be decoded. Authentication~~ $$<SMS_NOTIFICATION_SERVER><08-01-2017 05:39:59.003-600><thread=8404 (0x20D4)>
Failed to decode message body with message header (<Message><SourceType>SCCM</SourceType><SourceID>GUID:22D5B205-DB47-4B79-9965-DDC64165EC00</SourceID><Hooks><Hook Name="Authentication"><Property Name="PayloadSignature" Value="KYrT31r0W6Whm6UVOKOUnI/E9cofrGhAFUtznTFD4pHrnxkBZ5YP8kakFAY3DNjd&#xA;lYg2M/nAoFncXWQYQZmlk7YlvayfEuKKE6WHQxsFq64MQdSoQDMLtjjHNkMu+jTd&#xA;DohIRuSAKBdY6wDgU/oQyGNlwcdPgDpfR88eB06Csj/ktNiwihbuesJa1i54hX0n&#xA;gz+wFgsWEn5bTMyL2Sh8XquIUU0Z9NjuQvaSRMXH2LLUZ2k+07XTW07GHgQ5YWh+&#xA;2XtfotMkImwdAaHdLrbR2JwFLQTtdJdZly9W7dKWqU5olkJCf2IvNGvVY/ps1Wzx&#xA;jC14EETdBxPYT/bKGs40Rg=="/></Hook></Hooks></Message>)~~ $$<SMS_NOTIFICATION_SERVER><08-01-2017 05:39:59.003-600><thread=8404 (0x20D4)>
Failed to process SignIn message from client 10.16.32.20:52782.~~ $$<SMS_NOTIFICATION_SERVER><08-01-2017 05:39:59.003-600><thread=8404 (0x20D4)>
Can't find corresponding certificate used in client registration for client (Type: SCCM ID: GUID:7B12B973-CD51-49AB-8BEF-F9B9798C9E9F)~~ $$<SMS_NOTIFICATION_SERVER><08-01-2017 05:40:01.839-600><thread=8404 (0x20D4)>
Can't do post authentication without client certificate stored in registration.~~ $$<SMS_NOTIFICATION_SERVER><08-01-2017 05:40:01.839-600><thread=8404 (0x20D4)>
Failed to authenticate with client [::ffff:10.16.0.160]:59328.~~ $$<SMS_NOTIFICATION_SERVER><08-01-2017 05:40:01.839-600><thread=8404 (0x20D4)>
Can't find corresponding certificate used in client registration for client (Type: SCCM ID: GUID:C9AE992A-DCB5-4EA4-BDAC-617EA38A1D9D)~~ $$<SMS_NOTIFICATION_SERVER><08-01-2017 05:40:06.657-600><thread=8404 (0x20D4)>
Can't do post authentication without client certificate stored in registration.~~ $$<SMS_NOTIFICATION_SERVER><08-01-2017 05:40:06.657-600><thread=8404 (0x20D4)>
Failed to authenticate with client [::ffff:10.16.2.14]:50041.~~ $$<SMS_NOTIFICATION_SERVER><08-01-2017 05:40:06.657-600><thread=8404 (0x20D4)>
Can't find corresponding certificate used in client registration for client (Type: SCCM ID: GUID:E9BFDE9D-CADB-4247-9EB4-BAEFC826ED59)~~ $$<SMS_NOTIFICATION_SERVER><08-01-2017 05:40:08.035-600><thread=8404 (0x20D4)>
Can't do post authentication without client certificate stored in registration.~~ $$<SMS_NOTIFICATION_SERVER><08-01-2017 05:40:08.035-600><thread=8404 (0x20D4)>
Failed to authenticate with client [::ffff:10.16.32.13]:52877.~~ $$<SMS_NOTIFICATION_SERVER><08-01-2017 05:40:08.035-600><thread=8404 (0x20D4)>
Can't find corresponding certificate used in client registration for client (Type: SCCM ID: GUID:76416BD2-3E4A-4D0A-B082-FDF9684D3F5E)~~ $$<SMS_NOTIFICATION_SERVER><08-01-2017 05:40:12.243-600><thread=8404 (0x20D4)>

Moving Clients to the Primary Server Boundary works and they all come back online, This has been put in place as a temporary solution.

Looks like SCCM is using a certificate to communicate with the clients, I am unsure which certificate the bgb is using and why it would work on primary and not Secondary servers. Certificate replication failure perhaps post update.

I have tried to remove certificate on the client and restart the agent to regenerate it but it still failed.

Any assistance is appreciated,

 

[Prajwal Desai]

Can you also attach CcmNotificationAgent.log ?.

As per Microsoft - By default, client notification communication uses TCP port 10123. This port can be configured from site properties. You might have to configure the firewall on the management point, clients, and any intervening firewalls to allow communication over this new port.

Can you check if this port is open on F/W ?.

 

[Omega31]

Firewall Rules all ok and was working well before the update. I have reviewed them again and also disabled firewalls / windows firewalls between Client -> Secondary and Primary.

See below log requested.
As can be seen we are getting an error when failing to HTTP on Secondary but as soon as Clients are movies to Primary all is good.

Browsing to http://<SCCMServer>/sms_mp/.sms_aut?mplist on all sites is working.

Sleep 69 seconds to restart client... BgbAgent 01/08/2017 16:42:34 8156 (0x1FDC)
Critical Battery: [FALSE] BgbAgent 01/08/2017 16:43:43 8156 (0x1FDC)
Connection Standy: [FALSE] BgbAgent 01/08/2017 16:43:43 8156 (0x1FDC)
Network allowed to use: [TRUE] BgbAgent 01/08/2017 16:43:43 8156 (0x1FDC)
Access point is SCCM-SECONDARY02.DOMAIN.com. (SSLEnabled = 0) BgbAgent 01/08/2017 16:43:43 8156 (0x1FDC)
CRL Checking is Enabled. BgbAgent 01/08/2017 16:43:43 8156 (0x1FDC)
Both TCP and http are enabled, let's try TCP connection first. BgbAgent 01/08/2017 16:43:43 8156 (0x1FDC)
Connecting to server with IP: 10.16.0.56 Port: 10123
BgbAgent 01/08/2017 16:43:43 8156 (0x1FDC)
Handshake was successful
BgbAgent 01/08/2017 16:43:43 8156 (0x1FDC)
Pass verification on server certificate. BgbAgent 01/08/2017 16:43:43 8156 (0x1FDC)
Update the timeout to 900 second(s) BgbAgent 01/08/2017 16:43:43 8156 (0x1FDC)
Connection is reset
BgbAgent 01/08/2017 16:43:43 8156 (0x1FDC)
Failed to receive buffer from server with err=0x80090304. BgbAgent 01/08/2017 16:43:43 8156 (0x1FDC)
Failed to signin bgb client with error = 80090304. BgbAgent 01/08/2017 16:43:43 8156 (0x1FDC)
Connecting to server with IP: 10.16.0.56 Port: 10123
BgbAgent 01/08/2017 16:44:43 8156 (0x1FDC)
Handshake was successful
BgbAgent 01/08/2017 16:44:43 8156 (0x1FDC)
Pass verification on server certificate. BgbAgent 01/08/2017 16:44:43 8156 (0x1FDC)
Connection is reset
BgbAgent 01/08/2017 16:44:43 8156 (0x1FDC)
Failed to receive buffer from server with err=0x80090304. BgbAgent 01/08/2017 16:44:43 8156 (0x1FDC)
Failed to signin bgb client with error = 80090304. BgbAgent 01/08/2017 16:44:43 8156 (0x1FDC)
Fallback to HTTP connection. BgbAgent 01/08/2017 16:44:43 8156 (0x1FDC)
Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:1F1F652D-1A25-4628-A6D2-0C1FEB6A2B6C";
DateTime = "20170801214443.262000+000";
HostName = "SCCM-SECONDARY02.DOMAIN.com";
HRESULT = "0x00000000";
ProcessID = 9196;
StatusCode = 0;
ThreadID = 8156;
};
BgbAgent 01/08/2017 16:44:43 8156 (0x1FDC)
[CCMHTTP] ERROR: URL=http://SCCM-SECONDARY02.DOMAIN.com/bgb/handler.ashx?RequestType=Continue, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE BgbAgent 01/08/2017 16:44:43 8156 (0x1FDC)
Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:1F1F652D-1A25-4628-A6D2-0C1FEB6A2B6C";
DateTime = "20170801214443.293000+000";
HostName = "SCCM-SECONDARY02.DOMAIN.com";
HRESULT = "0x87d0027e";
ProcessID = 9196;
StatusCode = 990;
ThreadID = 8156;
};
BgbAgent 01/08/2017 16:44:43 8156 (0x1FDC)
Successfully queued event on HTTP/HTTPS failure for server 'SCCM-SECONDARY02.DOMAIN.com'. BgbAgent 01/08/2017 16:44:43 8156 (0x1FDC)
Failed to post continue request with error code 87d0027e. BgbAgent 01/08/2017 16:44:43 8156 (0x1FDC)
Failed to signin bgb client with error = 87d0027e. BgbAgent 01/08/2017 16:44:43 8156 (0x1FDC)
Sleep 491 seconds to restart client... BgbAgent 01/08/2017 16:44:43 8156 (0x1FDC)
Bgb client agent is stopping BgbAgent 01/08/2017 16:45:16 9240 (0x2418)
Waiting for the main bgb thread to exit. BgbAgent 01/08/2017 16:45:16 9240 (0x2418)
=========================================================== BgbAgent 01/08/2017 16:45:16 9240 (0x2418)
=========================================================== BgbAgent 01/08/2017 16:45:31 1616 (0x0650)
Bgb client agent is starting... BgbAgent 01/08/2017 16:45:31 1616 (0x0650)
BgbController main thread is started with settings: {bgb enable = 1}, {tcp enabled = 1}, {tcp port = 10123} and {http enabled = 1}. BgbAgent 01/08/2017 16:45:31 1616 (0x0650)
Startup random sleep for 47 seconds. BgbAgent 01/08/2017 16:45:31 10264 (0x2818)
Critical Battery: [FALSE] BgbAgent 01/08/2017 16:46:18 10264 (0x2818)
Connection Standy: [FALSE] BgbAgent 01/08/2017 16:46:18 10264 (0x2818)
Network allowed to use: [TRUE] BgbAgent 01/08/2017 16:46:18 10264 (0x2818)
Access point is SCCM-PRIMARY02.DOMAIN.com. (SSLEnabled = 0) BgbAgent 01/08/2017 16:46:18 10264 (0x2818)
CRL Checking is Enabled. BgbAgent 01/08/2017 16:46:18 10264 (0x2818)
Both TCP and http are enabled, let's try TCP connection first. BgbAgent 01/08/2017 16:46:18 10264 (0x2818)
Connecting to server with IP: 10.8.0.36 Port: 10123
BgbAgent 01/08/2017 16:46:18 10264 (0x2818)
Handshake was successful
BgbAgent 01/08/2017 16:46:19 10264 (0x2818)
Pass verification on server certificate. BgbAgent 01/08/2017 16:46:19 10264 (0x2818)
Update the timeout to 900 second(s) BgbAgent 01/08/2017 16:46:19 10264 (0x2818)
Receive signin confirmation message from server, client is signed in. BgbAgent 01/08/2017 16:46:19 10264 (0x2818)

 

[Omega31]

Hi Prajwal,

Managed to resolve the issue:
Updated Certificate expiry day on Secondary Site
Reinstalled .Net 4.7
Removed / Reconfigured all firewall rules.
Reinstalled MP
Found an issue accessing Client share installation folder but simply accessing the folder directly on the server fixed the issue.

Confirmed all Client are communicating and CCM Notification Agent is back online.
Note: If client was Installed "CCM Notification Agent" may require service restart or device a reboot in some cases.

 

[Gaurish]

Hi Omega31 and Prajwal,

Sorry for the late response and thanks a lot for the information.

I have exactly the same issue like Omega31; I see the same errors in the logs.
Clients are set to auto-approve and Firewall is not blocking anything.
Probably have to try the certificate fix as mentioned above to see if it fixes the issue.
For now though, I had to remove the secondary site and just use it as a DP instead due to this issue.

Thanks,
Gaurish

 

[Omega31]

Hi Gaurish,

In my case Prajawal direction greatly assisted me identifying the root cause. (Thank you)
Even though all firewalls where configured correctly I believe I had an issue communicating back to the Primary server.

As I am not sure of your exact configuration firewalls between sites etc, are you able to test by temporarily disabling firewall on the Primary Site and restarting iis?

Can you access the MP on both Primary and Secondary ?
http://servername/sms_mp/.sms_aut?mplist and http://servername/sms_mp/.sms_aut?mpcert

Try Reinstalling a test client and see if you get any errors in ccm.log
Review CcmNotificationAgent.log for start errors the client may have.