How to troubleshoot agent to central computer connectivity (NETIQKB72066)

  • 7772066
  • 29-Jan-2010
  • 28-Mar-2012

Environment

Security Manager 6.5

Situation

Diagnose agent to central computer network connectivity problems in Security Manager 6.5.

Resolution

1) Browse to the following address using HTTPS.
https://{central-computer}:8270/

2) The browser will block the page with a message about the site security certificate being untrusted. If you get this far, the browser was able to begin SSL negotiation and received the central computer certificate. You have network connectivity.

3) Acknowledge that you want to continue to the untrusted page: in IE, click 'continue to this website'; in Firefox, add an exception for the web page. The web page will then fail to load (timing out). At this point the SSL negotiation is complete and the browser has sent a web request to the central computer, something like 'GET index.html'.

4) If the central computer received the web request from the browser, it rejected it. There should be an error in the nqsmsvc.txt log file on the central computer. The error message validates that the agent is able to connect and talk to the central computer.

   Log file location:  C:\Documents and Settings\All Users\Application Data\NetIQ\Security Manager\Log Files

2010-01-28 16:05:55,169 [0x0000160c] ERROR Communication.Server.SChannelSocketServer: SChannelSocketServer::OnReadCompleted: MessageAppender::Append: Incoming message is too large: message size = 825184396 max message size = 78643200 

In SM 6.6 (future releases), the message will look like this:

2010-01-28 17:27:50,153 [0x00000194] ERROR Communication.Server.SChannelSocketServer: SChannelSocketServer::OnReadCompleted: Message::GetMessageSize: not a valid message
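
Added example (not part of the original article and not NetIQ code): a Python script for the step 4 check that scans nqsmsvc.txt lines for the two rejection errors shown above and keeps only entries logged within a few minutes of the browser test. The function name, the five-minute window and the INFO line in the sample are assumptions; the entry layout is inferred from the two sample lines.

```python
import re
from datetime import datetime, timedelta

# Entry layout inferred from the two sample lines in the article (assumption).
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>0x[0-9a-fA-F]+)\] (?P<level>\w+) "
    r"(?P<component>[\w.]+): (?P<msg>.*)$"
)
# Error text the article gives as proof that the request reached the central computer.
SIGNATURES = {
    "Incoming message is too large": "SM 6.5",
    "not a valid message": "SM 6.6",
}
SIZES = re.compile(r"message size = (\d+) max message size = (\d+)")

def find_rejections(lines, test_time, window_minutes=5):
    """Return rejection entries logged within window_minutes of test_time."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m or m["level"] != "ERROR":
            continue
        if not m["component"].endswith("SChannelSocketServer"):
            continue
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        if abs(when - test_time) > window:
            continue  # unrelated to this browser test
        for text, release in SIGNATURES.items():
            if text in m["msg"]:
                sizes = SIZES.search(m["msg"])
                sizes = tuple(map(int, sizes.groups())) if sizes else None
                hits.append({"time": when, "release": release, "sizes": sizes})
                break
    return hits

# Constructed sample: the two error lines from the article plus one made-up INFO line.
SAMPLE_LOG = """\
2010-01-28 16:05:55,169 [0x0000160c] ERROR Communication.Server.SChannelSocketServer: SChannelSocketServer::OnReadCompleted: MessageAppender::Append: Incoming message is too large: message size = 825184396 max message size = 78643200
2010-01-28 16:06:10,002 [0x0000160c] INFO Communication.Server.SChannelSocketServer: constructed filler entry
2010-01-28 17:27:50,153 [0x00000194] ERROR Communication.Server.SChannelSocketServer: SChannelSocketServer::OnReadCompleted: Message::GetMessageSize: not a valid message
""".splitlines()

if __name__ == "__main__":
    for hit in find_rejections(SAMPLE_LOG, datetime(2010, 1, 28, 16, 5)):
        print(hit)
```

To check a real log, pass the lines of nqsmsvc.txt from the log file location above together with the time the browser test was run. An empty result means no rejection was logged in that window, so the request did not reach the central computer's listener.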

Cause

In SM 6.0 and earlier versions, telnet to port 1270 was used to diagnose network connectivity problems. This does not work with SM 6.5 because we now connect using SSL on port 8270 (the default port setting). Telnet does not create SSL connections, so we need to use a browser with SSL support, such as IE or Firefox, instead.

Additional Information

Formerly known as NETIQKB72066

If the default communications port for agents has changed, substitute the new port for 8270.