Automatic Relay seems to be not working

(imported topic written by russwm91)

I placed a relay in my DMZ, then I manually assigned it to my top-level relay, and the top-level relay communicates with the main server.

I have at least 7 servers in the DMZ that I installed agents on. There is a task that is run for them to use automatic relay selection. This should make the DMZ relay their primary since it’s on the same LAN as these 7 servers with zero hops to get to the relay. All 7 of these servers are only pointing to the main BES server as their primary relay.

My question to the forum: is there something I’m missing? I checked telnet to the relay port from the DMZ servers to the relay and it connects. It seems that the DMZ servers aren’t trying to do a ping sweep for their closest relay.

Thanks,

Russ

(imported comment written by SY57_Jim_Montgomery)

Check the client logs on the DMZ clients. Unless you’ve done something special (like this: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=244) then the client wants to talk to the main BES the first time he comes up.

Then he does his first gather to get all the policies and fixlets, then he figures out who all the relays are, then he starts pinging (unless he has an action to manually configure them).

So, unless you did a special install, it sounds like he can’t get to the main BES, and is just stuck. The client log will shed some light if that is the case.

–Jim

(imported comment written by russwm91)

All the DMZ servers are getting to the main BES server fine. I think it has to do with how our network guys are setting up the firewall rules from the DMZ into the main data center. They are allowing all DMZ servers to communicate on the TCP port only to the main BES server.

Does this sound correct for automatic relay selection? Each client gets a list of available relays to choose from the main BES server. Then, using automatic relay selection, it checks to see which one is closest and assigns that one, but only if the client can ping the object and establish a connection to the TCP port that has been assigned to the relay.

Thanks in advance,

Russ

(imported comment written by SY57_Jim_Montgomery)

Your description sounds right to me. During automatic client relay selection the client pings (ICMP) each of the relays with increasing TTL until they get a response.

FYI, there is also a fallback setting, where you enter a relay. If they can’t get anything to work, they just try connecting to that entry without ping.

–Jim

(imported comment written by BenKus)

Two thoughts:

  • Make sure the relay has the right DNS name so that the agents can reach it (there is a Task to change the default name if you need to).
  • Note that the agents will only see the updated relay list after you send out an action (any action) as a master operator after the relay is installed (because the updated relay list is sent out for every action).

Ben

(imported comment written by SystemAdmin)

When set to Automatic relay selection and the Name Override setting (to look at IP address, instead of DNS), clients still get associated with a far-off relay 4 hop-counts away while there is a 1 hop-count away relay available.

Have checked the following:

  • Relay.dat file — has all IP addresses of all relays
  • no firewall / NAT rules blocking traffic between clients - relays - BES server
  • selection is automatic
  • ICMP is enabled
  • relays are working fine (as they are still supporting other systems)
  • sent out a blank task to all clients to get the updated relay info

Is load on relays a factor for selecting a relay? What happens if the relay has over 1000 (recommended) clients?

Ravi

(imported comment written by BenKus)

Hi Ravi,

Sounds like you might want to contact support… It would be rare for a relay to reject a client unless it was under very heavy load (much more than 1000 agents) or unless you turned on the setting that would tell the relay to only keep a certain number of agents (and I assume you would know that).

You can try to hit the url:

http://relayname:52311/clientregister?requesttype=registerme

See if it says “success”…

Ben
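
The checks discussed in this thread (ICMP with increasing TTL to each relay, plus a TCP connection to the relay port) can be run from a DMZ client to see which relay looks closest and whether a firewall is dropping ICMP. This is an added example, not part of the original posts and not BigFix's own selection code; the hostnames are constructed, the `ping` flags assume Windows or Linux iputils, and port 52311 is taken from the URL quoted above.

```python
import platform
import socket
import subprocess

RELAY_PORT = 52311  # port from the URL quoted in the thread


def ping_with_ttl(host, ttl):
    """Send one ICMP echo with the given TTL; True only on an echo reply."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", "1000", "-i", str(ttl), host]
    else:  # assumption: Linux iputils ping
        cmd = ["ping", "-c", "1", "-W", "1", "-t", str(ttl), host]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    # Echo replies print "ttl=NN"; TTL-expired messages do not.
    return "ttl=" in out.lower()


def hop_distance(host, probe=ping_with_ttl, max_ttl=16):
    """Smallest TTL that gets an echo reply, or None if ICMP never answers."""
    for ttl in range(1, max_ttl + 1):
        if probe(host, ttl):
            return ttl
    return None


def tcp_open(host, port=RELAY_PORT, timeout=3):
    """Same check as the telnet test described in the first post."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def rank_relays(relays, probe=ping_with_ttl, tcp_check=tcp_open):
    """Return [(relay, ttl_needed, tcp_ok)], nearest first, ICMP-blocked last."""
    rows = [(r, hop_distance(r, probe), tcp_check(r)) for r in relays]
    return sorted(rows, key=lambda row: (row[1] is None, row[1] or 0))


if __name__ == "__main__":
    # Constructed hostnames; replace with the relays from your own relay list.
    for relay, dist, tcp in rank_relays(["dmz-relay.example", "top-relay.example"]):
        state = "open" if tcp else "closed"
        print(f"{relay}: ttl_needed={dist} tcp_{RELAY_PORT}={state}")
```

A relay that shows `ttl_needed=None` while its TCP port is open points at ICMP being filtered between the client and that relay, which is the firewall situation described earlier in the thread.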