I have several clients that are not registering with their relay. The following message is in the client log: BAD SERVERNAME (winsock error 4294967290 - registration url. The firewall is not the issue. No traffic is being blocked. However, the route from the relay to the client is different from client to the relay. Going from the client to the relay goes through a load balancer, whereas, going from the relay to the client does not go through a load balancer.
I can tracert in both directions with different answers. Ping works in both directions. Telnet from client to relay on port 52311 does not work.
A Load Balancer should act as a proxy, so the client sees the Load Balancer’s external IP as the destination for traffic to the Relay, and the Relay should see the Load Balancer’s internal IP as the source address for traffic coming from the client.
In this case “relay” should resolve as the Load Balancer’s external IP address. That should either get the masthead file, or get a “403 Forbidden” if Relay Authentication is turned on. I’m not sure whether the Telnet test should work through a balancer.
I would guess at the moment the Load Balancer isn’t proxying the traffic correctly. Load Balancers in front of the relay can work, but be sure the Load Balancer uses a very sticky assignment - once a client has registered on one relay, it should not be transparently switched to a different internal relay.
For relay, I entered the host name of the relay. I don’t think there is an external address. I think the load balancer is just an internal device that separates VLANs. They are just using the load balancer as a gateway.
Why is it that I can ping and tracert the relay from the endpoint without issue, but the BigFix agent has an issue? BigFix does find the relay; it just can’t seem to talk on TCP port 52311.
I am being told that our only solutions are:
1) Move Relay server from vlan 1133 to vlan 1134 (if relay server and bigfix servers need to be in different vlans as per design requirements this is not a possible option).
2) Add route for 10.248.36.0/24 with 10.248.35.3 as gateway on relay server to exclude firewall in the path when communicating to Bigfix servers.
No, those solutions are the suggestions to resolve the registration between the client and the relay. We are planning to move the relay to the same vlan as the client, and hope that it communicates with all of the other clients in the data center.
For whatever reason, the traffic going from the relay to the client goes through a firewall and not the load balancer. Then, coming from the client to the relay, traffic goes through the load balancer to the relay. This is an asymmetric route. It appears that the BigFix agent does not like asymmetric routes for relay registration.
I don’t think that’s strictly a BigFix thing, esp if your browser can’t connect either.
I’m also not sure that asymmetric routing is the issue, strictly speaking. A Load Balancer would normally act as a proxy, like I described earlier.
To troubleshoot further I would do packet captures at the client and at the relay to see what’s actually happening with the traffic. I suspect either your firewall, or Load Balancer, or both are blocking it.
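
One way to compare the two packet captures suggested above and see at which hop the TCP handshake on port 52311 stops. This is an added example, not part of the thread: it assumes the captures were saved as `tcpdump -n` text, the function names are hypothetical, and the sample capture lines are constructed.

```python
import re

RELAY_PORT = 52311  # relay port named in the thread

# tcpdump -n text output: "IP src.port > dst.port: Flags [S.], ..."
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def handshake_events(capture_text):
    """Return which handshake packets for RELAY_PORT appear in one capture."""
    events = set()
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        sport, dport, flags = int(m.group(2)), int(m.group(4)), m.group(5)
        if dport == RELAY_PORT and flags == "S":
            events.add("syn")
        elif sport == RELAY_PORT and flags == "S.":
            events.add("synack")
        elif sport == RELAY_PORT and "R" in flags:
            events.add("rst")
    return events

def diagnose(client_capture, relay_capture):
    """Locate the hop where the TCP handshake stops (hypothetical helper)."""
    client, relay = handshake_events(client_capture), handshake_events(relay_capture)
    if "syn" not in client:
        return "client-sent-no-syn"
    if "syn" not in relay:
        return "syn-lost-client-to-relay"
    if "synack" not in relay:
        return "relay-refused" if "rst" in relay else "relay-silent"
    if "synack" not in client:
        return "reset-on-return-path" if "rst" in client else "synack-lost-relay-to-client"
    return "handshake-ok"

# Constructed sample captures (documentation addresses, not from the thread).
# Matching is by port and flags only, because a load balancer may rewrite
# the source address the relay sees.
CLIENT_PCAP = """\
10:00:01.000 IP 192.0.2.20.49812 > 198.51.100.10.52311: Flags [S], seq 100, length 0
10:00:02.000 IP 192.0.2.20.49812 > 198.51.100.10.52311: Flags [S], seq 100, length 0
10:00:04.000 IP 192.0.2.20.49812 > 198.51.100.10.52311: Flags [S], seq 100, length 0
"""
RELAY_PCAP = """\
10:00:01.002 IP 192.0.2.20.49812 > 198.51.100.10.52311: Flags [S], seq 100, length 0
10:00:01.003 IP 198.51.100.10.52311 > 192.0.2.20.49812: Flags [S.], seq 900, ack 101, length 0
"""

if __name__ == "__main__":
    print(diagnose(CLIENT_PCAP, RELAY_PCAP))
```

In the constructed sample the relay answers the SYN but the client only ever retransmits it, which places the loss on the relay-to-client path rather than on the relay itself.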