Service Manager powered by HEAT
Troubleshooting HEAT Discovery
•About Troubleshooting HEAT Discovery
•HEAT Discovery Troubleshooting Basics
•Common HEAT Discovery Issues and Steps for Resolving Them
About Troubleshooting HEAT Discovery
This section contains basic troubleshooting procedures for ISM Discovery. After you install ISM Discovery, we recommend that you use the following steps to ensure that all relevant services are properly installed and working correctly. See HEAT Discovery Troubleshooting Basics.
Troubleshooting ISM Discovery requires access to the .frslog files that are available from the Logs workspace, and to the integration logs available from the Integration Logs workspace. See Working with Logs for more information. By default, the logs are set to the error log level; however, you can change logging levels to capture more details. See Viewing the Logging Configuration for information on available options and how to change or set logging levels.
We recommend resetting the logs back to the error log level after troubleshooting is completed. Otherwise, the system will continue to generate large logs that contain a high level of detail.
The following table describes the available logs, their location and the type of information they contain in order to troubleshoot an issue.
| Log Type | Log Name | For Issues |
|---|---|---|
| Client or Gateway | JobQueue_GetClientTasksQueue.log | GetClientTask |
| JobQueue_OutboxProcessorTasksQueue.log | ClientTransport (send Audits to Server) | |
| JobQueue_DiscoCtrlTasksQueue.log | Discovery Task Queue | |
| UpdateCheckThread_*.log | Binary Update | |
| SaaSClientInstallation_*.log | Client Installation | |
| JobQueue_AuditTriggerQueue | Audit or Remote Scan | |
| JobQueue_ConfigChangeQueue | Inventory/Gateway Settings update | |
| Gateway | JobQueue_NetScanTasksQueue.log | Netscan task processing |
| JobQueue_VmhaTasksQueue.log | VMHA Audit | |
| SaaSGatewayInstallation_*.log | Gateway Installation log | |
| NetScanner.log | Netscan log | |
| JobQueue_ADScanQueue | Active Directory scan log | |
| Server Logs | AssetProcessor.frslog | Asset processor |
| AgentTaskWS.frslog | Agent Task | |
| ClientTransportProcessorWs.frslog | Client Processor | |
| TaskProcessor.frslog | Task Processor | |
| DiscoProcessor.frslog | Discovery Message Processor | |
| MessageQueueService.frslog | Message Queue Service |
HEAT Discovery Troubleshooting Basics
1.From the main server, check that all services are running correctly by doing the following:
| a. | Click a service such as AgentTaskWs. |
| b. | In the Content window, right-click on the ASMX file. |
| c. | Right-click and select Browse.... |
| d. | Check if the agent task is responding. If it is, it opens a new window that lists the supported operations. |
| e. | Follow the same steps with the ClientTransportProcessor service. |
2.For App services, check that Net.tcp is up and running.
| a. | From a command window (as administrator) run a telnet client on the server name using the specified net.tcp port configuration. |
| b. | Enter a specific domain name or IP address such as C:\Windows\System32\telnet Domain_Name_IP_Address 7100. |
If net.tcp is correctly configured, the system displays a Telnet command window with no data.
3.Check the log file on the client or gateway machine for errors. The log file path is usually ~\FRS\Logs\JobQueues. Any errors appear in the GetClientTask job. An example of a file name is JobQueue_GetClientTasksQueue_00000037014.
4.Check the Netscan tasks queue log file for errors. An example of a file name is JobQueue_NetScanTasksQueue_00000 000058.
5.Check the AssetProcessor.log file (the server log) located under ~\Logs for any errors.
Common HEAT Discovery Issues and Steps for Resolving Them
•Configuration Item and Gateway are Not Created After Installation
•Errors Encountered When Installing a Gateway Data Center
Log Failed Message
When the server fails to process a message, it is discarded. The Log Failed Message setting allows you change the default and to capture failed messages. Your Ivanti Service Manager login must have administrator privileges to use this feature. Turn this setting on if the server logs indicate that a message cannot be processed. Ivanti uses the generated log files to troubleshoot the problem.
You perform this procedure in the Ivanti Service Manager configuration database. See the Configuration Database Guide for Ivanti Service Manager for information about using the configuration database.
1.Log into the Ivanti Service Manager configuration database.
2.Open the Tenants workspace.
3.Open a tenant.
4.Check Log failed IM message.
5.Click Save.
6.Log out of the Ivanti Service Manager configuration database.
7.Log into the Service Desk Console.
8.Open the Integration Log workspace.
9.Group by log type and select LogType: Error to see the list of messages. The same error message for a single machine is not saved multiple times.
10.Click a message to open and view it, or to download the attached file. Ivanti may use these files to assist in resolving the issue.
11.You can also access the messages from the integration log, by doing the following:
| a. | Click Configure Application to go the Configuration Console. |
| b. | Click Monitor > Application Logs > Integration Log. |
Login Failed Error
The following error message is for earlier implementations that still use the Ivanti Service Manager Inventory Manager role.
The system displays an error message in the DiscoProcessor.frslog file. An example is:
Cannot open database "IMReadOnly" requested by the login. The login failed.
This occurs when there is a login failure connecting to the inventory manager master database (in this example: IMReadOnly). If so, check that the correct credentials appear in the web.config files located in the following locations: C:\Program Files\HEATSoftware\HEAT\IMServer\IMServices\ DiscoProcessor\web.config and C:\Program Files\HEATSoftware\HEAT\IMServer\IMServices\IMReadOnlyDataService
\web.config.
Edit the files as follows:
1.Open each of the web.config files using a text editor such as Notepad.
2.Search for and find the following string:
<add key="IMReadOnlyConnectionString" value="Data Source=Database_Server; Initial Catalog=IMReadOnly; User ID=Database_User; Password=Database_Password; Max Pool Size=120;Pooling=True;"/>
3.Both files must contain the same user ID and password combination. Edit the values of the User ID and Password fields so that they are the same in both files.
4.Verify that you can connect to the Microsoft SQL Server and log in to the IMReadOnly database with the specified credentials.
5.Since the permissions have changed, clear the cache and restart the Microsoft IIS service on the ISM Discovery server.
Gateway Errors
•Configuration Item and Gateway are Not Created After Installation
•Installation Failed on Windows Gateway or Client Agent
•Errors Encountered When Installing a Gateway Data Center
About Gateway Errors
If a gateway task does not complete successfully, do the following:
1.Click Scan Active Directory or Deploy Settings to create an agent task record that can be seen under the Agent Tasks tab.
2.Double-click the task to display information about why the task failed. An example of a failed task is if the RPC server was not available or if access was denied due to a password issue.
3.Correct any issues as needed.
Configuration Item and Gateway are Not Created After Installation
This can indicate that the processor failed to send a message to the message sender or that the agent failed to query tasks from the task processor.
The following error message is an example of a message that can be found in the AgentTaskWS.frslog and the ClientTransportProcessorWs.frslog files:
The message could not be dispatched because the service at the endpoint address 'net.tcp://sql-1:5000/MessageSender/EventSender.svc' is unavailable for the protocol of the address
Cause: The net.tcp.web service is not working.
Solution: Remove and reinstall the WCF service, by following these steps:
1.Open the Server Manager and start the Remove Roles and Features wizard.
2.From the Features tab, expand .NET FrameWork 4.5 Features.
3.Uncheck WCF Services.
4.Click Remove.
After the feature is removed, add it back using the Add Roles and Features wizard and following the prompts.
Installation Failed on Windows Gateway or Client Agent
1.Uninstall the gateway or client agent from the machine.
2.Delete all files from the ~\Common Files\FRS\Logs folder.
3.Open the registry. Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Installer\UserData\S-1-5-18\Products.
4.Search for SaaS Gateway, and delete the key
5.Rerun the gateway installer.
Check the \log folder pointed to by the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\FrontRange Solutions\SAAS\IM\NetSupport\NetInstall\LogFileSettings and ...\Common Files\FRS\Logs.
The log folder contains any errors related to the installation. Search the log file for errors.
Errors Encountered When Installing a Gateway Data Center
If you receive an empty error dialog box, check if there is already an instance of the client agent installed on that machine.
If you receive "Error=1332" when installing the gateway data center onto a virtual machine that is not part of the domain using "." as domain and a local account, the mapping between account names and security IDs was not done.
Sending Information Using the Local Gateway Proxy Server
Use the following procedure to send information using the local gateway proxy server (such as the gateway data center):
1.Install the gateway data center edition.
2.Ensure that the gateway proxy is redirecting to the ISM Discovery server by testing the following URL in a browser: http://Gateway_name:8097/AgentTaskWs/AgentTaskWS.asmx.
3.If using SSL, see Getting Started with HEAT Discovery and Auditing for instructions on how to configure the proxy server.
4.From the Inventory Settings workspace, update the Gateway Proxy setting for all active inventory settings using the following procedure:
| a. | Open an inventory setting from the list. |
| b. | Find and select the Gateway Proxy tab. |
| c. | Click New Gateway Proxy and enter the gateway proxy URL: http://Gateway_name:8097 or https://Gateway_FQDN. |
| d. | Click Deploy Settings to deploy the proxy setting. |
5. Repeat for all other inventory settings that are actively in use.
6. From the Configuration Console, click Extend > HEAT Discovery to view a list of installers.
7.Locate the installer, and check Associate with an OU upon Installation if it is available. Typically Linux/UNIX client agent installers do not offer this option.
8.Download the installer and follow the instructions from the Readme.txt file. The file contains all of the customized information needed for deployment including the authentication code, base URL, and so on.
For Linux and UNIX machines, download and install the client agent to each machine. When a configuration item is created for the device, update the organizational unit in the Details tab for the configuration item to associate it with the target inventory settings.
The Gateway Data Center Relay/Proxy Feature Does Not Work
ISM Discovery agents may be sending messages to the gateway that are not being relayed to the Ivanti Service Manager tenant for processing. This scenario is possible if you use the gateway data center edition to forward agent communication.
To test if this is the case, use Microsoft Internet Explorer to navigate to the URL on the gateway data center. For example, navigate to http://Gateway_name:8097/AgentTaskWs/AgentTaskWS.asmx.
Browsing should automatically redirect and display a SOAP interface. If this is not the case, and you receive an HTTP error of 500.x, use the following procedure to install additional settings.
The procedure explains how to make the changes to Microsoft Server 2012 R2 by using the Roles and Features wizard. Search the Microsoft Technet site for instructions on how to make these changes for the server version installed at your site.
You must be logged on to the server as an administrator to install roles, role services, and features.
If you are logged on to the local computer with an account that does not have administrator rights on your target server, right-click the target server in the Servers tile, click Manage As to provide an account that has administrator rights.
1.Open the Server Manager and on the Manage menu, click Add Roles and Features.
2.On the Before you begin page, verify that your destination server and network environment are prepared for the role and feature you want to install. Click Next.
3.On the Features page, find .NET Framework 4.5 Features > WCF Services and check HTTP Activation.
4.On the Features page, find Application Development and check ASP .NET 4.5.
5.On the Role Services page, find Management Tools > IIS 6 Management Compatibility (ensure that you check both Management Tools and IIS 6 Management Compatibility) then check IIS 6 Metabase Compatibility.
6.Click Next to list and confirm the installations.
7.Click Install to install your selections.
Client Machine Errors
If the client is no longer sending data, check the following:
1.Ensure that the machine on which the MDI client is running is turned on and functional.
2.From the CI workspace, check whether the agent status of the machine is in suspended mode.
3.If it is, select the machine and click Resume Client Agent from the taskbar.
Client Agent Requests
If the client agent is able to send in request to the AgentTaskWS or audit file to the TransportProcessor on the ISM Discovery web server, and no errors are seen on the client logs, but nothing gets written to the integration queue, what do I check?
1.Check the following log files on the ISM Discovery web server: AgentTaskWS.frslog and TransportProcessor.frslog.
2.If the logging service is running, check the Logs workspace for the tenant.
3.When a message arrives at the ISM Discovery web server, the receiving service (AgentTaskWS or TransportProcessor) sends the message to the message queue. It is unable to do so if the required port is not open. From the ISM Discovery web server, run the following command (or request the IT department) to open the port: telnet Message_queue_IP 7200. If the port is opened successfully, the system displays a blank screen.
Unable to Import Software information from HEAT Discovery Release 9.3.x or Later
When you preview the XML that the system generates in the final step of the data import connection (in the Review and Publish step) check the SoftwarePackages category for the following issues:
1.The ID for Component Type="SoftwarePackage" is blank.
2.There are multiple product details for each property. For example:
<Category Name="SoftwarePackages">
<Component Type="SoftwarePackage" Id="">
<Property Name="DisplayName">Juniper Networks, Inc. Setup Client Activex Control Security Update for Microsoft Office Security Update for Microsoft Office</Property>
<Property Name="DisplayVersion">2.1.1.1 2010 (KB2810073) 32-Bit Edition 2010 (KB2850016) 32-Bit Edition 2.0 </Property>
<Property Name="DSMInstalled">False False False</Property>
<Property Name="Freq">Never Never Never Never</Property>
<Property Name="FrequencyId">5 5 5 5</Property>
<Property Name="Guid">{CA67548A-5EBE-413A-B50C-4B9CEB6D66C6} {2318C2B1-4965-11D4-9B18-009027A5CD4F}</Property>
.
.
.
This happens when the field mapping for the software package ID is missing in the import. The following field mapping needs to be added to the ISM Discovery Release 9.x connector: HEAT_Export_SoftwarePackage.PackageAud -> Category.Component.Property-SoftwarePackages.SoftwarePackage.ID
Troubleshooting Mobile Device Inventory (MDI)
1.Ensure that the MDI service is started.
2. Inspect the file called MDIServiceHost.exe.config.
By default, it should be located at: ~\MDIServiceHost. Ensure that the MDIServiceBaseAddress is correctly set to https://your_registered_domain:8734/MDM.
3.For the SSL port binding, follow the steps under Service Manager powered by HEAT, in Connecting the MDI Service SSL Port Binding .
The .netsh http show sslcert command displays the SSL certificate binding information. Ensure that ports 8734 and 4423 are bound to it.
4.Check the port binding and ensure that port 8734 is actively listened to by running the following command in a command window: netstat -ano | find "8734".
5.Temporarily turn off the firewall on the server to rule it out as a cause.
6.Ensure that you are using the correct SSL certificate for the domain. Identify and install the correct certificate.
7.Ensure that you are using the correct root certificate authority certificate name (available from the certificate authority provider) when creating the enroll.mobileconfig file.
If not, regenerate the file following the steps in the Service Manager powered by HEAT.
8.Ensure that the server hosting the MDI service is not blocked from accessing the following services at ports 2195 and 2196:
•gateway.push.apple.com
•gateway.sandbox.push.apple.com
•feedback.push.apple.com
•feedback.sandbox.push.apple.com
9.Run the following command from a command window to test the connection: telnet gateway.push.apple.com 2195. A blank screen confirms that the connection is successful.
10.To check that you are able to connect, rerun the telnet command with the appropriate port numbers for each of the addresses listed above.
Was this article useful?
The topic was:
Inaccurate
Incomplete
Not what I expected
Other
Copyright © 2017, Ivanti. All rights reserved.