BES Gather error

bfadmin · June 15, 2018, 6:47am

Greetings - We have installed BigFix 9.5.9.62 server on RHEL6 server and proxy server is configured in our network which blocks everything except the IBM public sites (sync.bigfix.com, software.bigfix.com etc.). We have configured the BigFix server to work with proxy server, but we’re continuously getting below error.

GatherDB.log

Fri, 15 Jun 2018 09:04:56 +0300 – Unexpected exception during gather of site BES Support: Unexpected HTTP response: 404

BESRelay.log

Fri, 15 Jun 2018 08:20:08 +0300 - 1422366464 - 2: Unable to get site content (failed to pass sha1 hash value checks).
Fri, 15 Jun 2018 09:04:56 +0300 - 1422366464 - 2: GetURL failure on HTTP Error 18: An unknown error occurred while transferring data from the server: transfer closed with 746562 bytes remaining to read

Gather Status report

Failed:

Id: 2 Date: Fri, 15 Jun 2018 06:37:45 +0000

Url: http://sync.bigfix.com/cgi-bin/bfgather/bessupport

Error Message: 2: GetURL failure on HTTP Error 18: An unknown error occurred while transferring data from the server: transfer closed with 746562 bytes remaining to read

Ready:

Id: 1 Date: Thu, 01 Jan 1970 00:00:00 +0000 Version: 4

Note: We are unable to ping the Proxy server from bigfix server, but able to access sites from web browser.

bessupport content on web browser

Anybody met with these errors? Can anyone suggest a fix here?

Thanks

jgo · June 15, 2018, 12:36pm

I think your proxy server or perhaps some other network device may be detaining a few files from each site.

I would recommend 1 of these three things to Test.

use Airgap process to work around all network.
get your proxy admin or network admin to fully whitelist the BigFix sites gather sites.
Allow your BigFix server to reach those sites without use of proxy.

None of these is a long term solution, but especially #1 will get you working and will impact troubleshooting.
@jgo

bfadmin · June 16, 2018, 7:09am

Thanks @jgo for ur reply,

We have contacted network admin team and they said they have given full access to all the IBM public sites which seems not to cause a problem.

Do you think is it because of some kind of proxy content filtering policy which is not allowing to download some file?

Thanks

cmcannady · June 18, 2018, 12:35pm

I would recommend checking with your firewall/proxy team to ensure that data/packets being returned from the IBM/BigFix sites aren’t being tagged or modified in any way as this would cause SHA1/SHA256 validation errors.

For example, BlueCoat has a HTTP packet tagging option within the proxy configuration that will absolutely cause the “Unable to get site content (failed to pass sha1 hash value checks)” errors you’re seeing in the BESRelay.log file.

Based on the logs you’ve posted, there’s some sort of packet manipulation occurring that causing the downloaded data from the BigFix sites to fail the hash validation. This is likely the root cause of the proxy issues you’re experiencing with BigFix.

Hope this helps.

Best,
@cmcannady

JasonWalker · June 18, 2018, 2:10pm

All great points @cmcannady

I’d add that after seeing these errors, several others in the forum have reported better results configuring their server to gather over HTTPS.
See https://www.ibm.com/support/knowledgecenter/en/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Config/c_https_gathering.html

bfadmin · June 19, 2018, 5:47am

@cmcannady, we have confirmed with Proxy team and they are saying they don’t have such kind of validation which will make the issue you have mentioned.

Will you suggest any other ways to find the root cause for the issue.

Thanks

cmcannady · June 19, 2018, 2:57pm

Given the "Unable to get site content (failed to pass sha1 hash value checks)” errors you’re seeing in the BESRelay.log, I would recommend leveraging WireShark to identify what’s potentially manipulating the data coming from the BigFix sites.

Specifically look at the HTTP header details for those BigFix sites to see if anything is being injected as that’s the likely culprit of the above errors.

bfadmin · June 19, 2018, 7:45pm

Thanks @cmcannady, we will follow up with network team and will check if there is anything which is manipulating the data.

bfadmin · June 25, 2018, 9:15am

Thanks everyone, this issue is resolved by customizing HTTPS for Gather service.

https://www.ibm.com/support/knowledgecenter/en/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Config/c_https_gathering.html

uitouw · January 3, 2019, 3:45pm

Just for my understanding: You set it to 1 so it only pulls over HTTPS? Since the default says it’s set to 2 which will first try to pull over HTTPS.

bfadmin · January 4, 2019, 4:48am

I’m not exactly sure if the document has changed recently but If I remember correctly then there was only 2 options at that time i.e 0 for HTTP gathering and 1 for HTTPS gathering and we are using BigFix version 9.5.9.62.

uitouw · January 4, 2019, 1:26pm

Yeah the documentation now has 0,1,2. I was able to change it to 1 and was able to gather again.