Hi,
This seems to be a certificate issue. Please follow the steps below and let me know if you are still facing an issue. Moreover, it's not related to a network issue.
Document ID: TEC557259
Tech Document
Title: In ITCM 12.5 there is a critical issue where a duplicate anonymous certificate gets created after one year, that prevents proper communication/authentication with other ITCM devices.
Description:
The problem is that after one year, usually if a machine has been renamed (at any point after the ITCM agent has been installed), a duplicate anonymous certificate will get created on the agent causing authentication to fail. Once this happens it prevents the agent from communicating properly with its Scalability Server and Domain Manager and thus does not allow Software Delivery, Asset Management, or Remote Control to function on the affected agent machines. This means it is critical to roll out the corrective fix immediately in order to prevent the problem from occurring while you can still use Software Delivery to push out the patch.
Some of the common errors that you may see that will indicate you have this problem are listed below:
• For Software Delivery, you may see the error "Job execution postponed by user at the agent. Job is rescheduled until the next time the agent connects. [SDM228487]"
• For Remote Control, you may see the error below when trying to make a connection: "Unable to establish a remote control session: The network connection was lost during negotiation of encryption."
• For asset management, you may not see updated w00000x.xml files in the "%sdroot%\..\Agent\units\00000001\uam" directory
• The key error message may be seen in the following logs: TRC_USD_SDAGENT, TRC_AMAGENT, or TRC_CF_CERT_UTIL logs...
ERROR | CSecretStore::storeSecret: appTag: tag name: itcm-anonymous: duplicate item found
ERROR | CCertStore::AssociateCertificate: can't save cert tag
Solution:
In order to address this problem the following patches have been published on Support.ca.com under the Published Solutions section for IT Client Manager.
RO38033 is the Master Image fix. If you have not already installed 12.5, you can patch the 12.5 install media with this to prevent the problem from ever happening.
RO32103 (formerly TF6F616) is for patching existing Domain Managers, Scalability Servers and Agents.
If you have not installed ITCM 12.5 with the patched master image, it is critical that RO32103 be applied to all machines, as this corrects an issue where a duplicate anonymous certificate may get created after a year of installing ITCM 12.5.
Once the problem occurs, you will no longer be able to send software, run asset scans, or remote control affected agents until the fix is applied. So this is critical to apply before the problem happens.
If the problem has already occurred, you can use the following commands via login script or other methods as a temporary means to get the agents working again for one year.
cacertutil remove -t:itcm-anonymous
cacertutil list -v
Once these commands are run on the machine you should still work on packaging the fix RO32103 and deploying the fix out to ALL machines in your infrastructure.
You can use the tech doc at the URL below to package the fix with ApplyPTF to apply the patch through software delivery.
https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search&searchID=TEC407128.
Regards,
Sreedhar
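
Added example, not part of the post above or of the vendor's tech document: a small Python triage that scans agent trace logs for the two error signatures quoted in the document and reports which logs show the duplicate itcm-anonymous tag. The log file names, the line prefix and the sample lines are constructed for illustration; only the two ERROR strings come from the document.

```python
import re

# Signatures quoted in the tech document. The text that precedes "ERROR |" in a
# real trace line is not shown there, so the patterns use search(), not match().
DUP_TAG = re.compile(
    r"ERROR\s*\|\s*CSecretStore::storeSecret: appTag: tag name: "
    r"(?P<tag>[\w-]+): duplicate item found")
SAVE_FAIL = re.compile(
    r"ERROR\s*\|\s*CCertStore::AssociateCertificate: can't save cert tag")

def scan_trace(lines):
    """Summarise certificate-store errors found in one trace log."""
    result = {"duplicate_tags": {}, "save_failures": 0, "first_hit_line": None}
    for number, line in enumerate(lines, start=1):
        m = DUP_TAG.search(line)
        if m:
            tag = m.group("tag")
            result["duplicate_tags"][tag] = result["duplicate_tags"].get(tag, 0) + 1
        elif SAVE_FAIL.search(line):
            result["save_failures"] += 1
        else:
            continue
        if result["first_hit_line"] is None:
            result["first_hit_line"] = number
    return result

def triage(logs):
    """logs maps log name -> list of lines; return logs with the duplicate tag."""
    return sorted(name for name, lines in logs.items()
                  if "itcm-anonymous" in scan_trace(lines)["duplicate_tags"])

# Constructed sample input (hypothetical file names and line prefix).
SAMPLE_LOGS = {
    "TRC_CF_CERT_UTIL_0.log": [
        "constructed-prefix INFO  | certificate store opened",
        "constructed-prefix ERROR | CSecretStore::storeSecret: appTag: "
        "tag name: itcm-anonymous: duplicate item found",
        "constructed-prefix ERROR | CCertStore::AssociateCertificate: "
        "can't save cert tag",
    ],
    "TRC_AMAGENT_0.log": [
        "constructed-prefix INFO  | inventory collect finished",
    ],
}

if __name__ == "__main__":
    for name in triage(SAMPLE_LOGS):
        print(name, scan_trace(SAMPLE_LOGS[name]))
```

Agents flagged this way are the ones that need the temporary cacertutil workaround before RO32103 can be delivered to them.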