Environment
NetIQ AppManager 6.x
NetIQ AppManager 7.0.x
Situation
How do I troubleshoot connection issues associated with NetIQ AppManager agents outside of a firewall?
Resolution
After installing the AppManager Managed Client on the server on the opposite side of the firewall from the AppManager Management Server, run the AMAdmin_ConfigSiteCommType knowledge script, specifying n for the "Use IP Address?" parameter. This has the Agent resolve back to the AppManager Management Server by hostname rather than by IP address.
The AppManager Agent uses name resolution to communicate with the Management Server (MS). You can use these steps to test name resolution:
- Launch a command prompt.
- Type:
ping <machinename>
If the machine name resolves to an IP Address, the "ping" command will produce output similar to the following:
c:\winnt> ping machinename
Pinging machinename [10.1.1.128] with 32 bytes of data:
Reply from 10.1.1.128: bytes=32 time<10ms TTL=128
Reply from 10.1.1.128: bytes=32 time<10ms TTL=128
Reply from 10.1.1.128: bytes=32 time<10ms TTL=128
Reply from 10.1.1.128: bytes=32 time<10ms TTL=128
If the "ping" command fails to resolve to an IP Address, it will produce an error message similar to the following:
Bad IP Address machinename
This would indicate that the name of the server could not be resolved and that WINS, DNS or a local host file may not contain that server name or that name resolution is not functional.
NOTE: It is recommended that local host files are used on the target machines if there is no DNS name resolution available.
Additional Information
The AppManager Managed Client needs to use the hostname instead of the IP Address to resolve back to the AppManager Management Server because firewalls can be set up to deny requests to specific IP Addresses.
The network administrator should ensure that the firewall is configured properly so that AppManager Managed Clients outside of the firewall can communicate with the AppManager Management Server. For further information on how to configure AppManager Managed Clients for connectivity across firewalls and port information, refer to the NetIQ AppManager Administrators Guide packaged with the Install files.
To verify connectivity if ICMP is disabled:
- On the Management Server (MS) launch a command prompt and type:
telnet <Managed Client name> 9998
This should enter a telnet session. If there is no connectivity the following message will appear:
Could not open a connection to host on port 9998: Connect failed
- On the Managed Client (MC) launch a command prompt and type:
telnet <Management Server name> 9999
This should enter a telnet session. If there is no connectivity the following message will appear:
Could not open a connection to host on port 9999: Connect failed
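The name-resolution check and the two port checks above can be combined into one PowerShell function, which helps where ICMP is blocked or a telnet client is not available. This is an added example, not part of the original article or of NetIQ's tooling; the function name Test-AMConnection is hypothetical, and mchostname / mshostname are placeholder host names.

```powershell
# Added example. Ports 9998 and 9999 come from the article; host names are placeholders.
function Test-AMConnection {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )

    $result = New-Object PSObject -Property @{
        HostName = $HostName; Port = $Port; Addresses = ''; Status = ''; Detail = ''
    }

    # Step 1: name resolution, the same thing "ping <machinename>" exercises.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($HostName)
    } catch {
        # Name could not be resolved: check DNS, WINS or the local hosts file.
        $result.Status = 'NameNotResolved'
        $result.Detail = $_.Exception.Message
        return $result
    }
    $result.Addresses = ($addresses | ForEach-Object { $_.IPAddressToString }) -join ','

    # Step 2: TCP connect, the same thing "telnet <host> <port>" exercises.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No answer at all within the timeout, e.g. packets dropped in transit.
            $result.Status = 'Timeout'
        } else {
            $client.EndConnect($async)   # throws if the connection was rejected
            $result.Status = 'Open'
        }
    } catch {
        # Name resolved, but the connection attempt failed (for example, refused).
        $result.Status = 'ConnectFailed'
        $result.Detail = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $result
}

# On the Management Server: test the Managed Client on port 9998.
Test-AMConnection -HostName 'mchostname' -Port 9998
# On the Managed Client: test the Management Server on port 9999.
Test-AMConnection -HostName 'mshostname' -Port 9999
```

A Status of NameNotResolved points at name resolution, while Timeout or ConnectFailed with a populated Addresses field points at the network path or the listening service.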
An additional way to test the connection to the Management Server is the NetIQctrl utility's trip command:
- Open a command prompt on the agent machine.
- Type netiqctrl
- Type trip mchostname netiqmc mshostname
The output indicates a connection failure if any entry in the first column contains a 0 (zero) instead of a full Unix timestamp.