We have some Windows 2022 servers that have been running updates fine through patch policies, etc. This month we had a small percentage that had an error where the BESClient service stops and will not stay running for more than a couple of minutes. We also noticed that new servers getting built are also having this same error. Any ideas?

Event ID 34
The wrong diskette is in the drive. Insert %2 (Volume Serial Number %3)into drive %1

BES Client 10.0.9.21 on Server 2022
Error in BES logs - Error collecting client certificate with server message: SSL protocol not supported.

This warrants opening a case with Support, but could you share more of the lines from the Client log before the service stops for reference?

Thanks for the response. Here is the complete log

Current Date: August 20, 2024
Client version 10.0.9.21 built for WINVER 6.0 i386 running on WINVER 10.0.20348 x86_64
Current Balance Settings: Use CPU: True Entitlement: 0 WorkIdle: 10 SleepIdle: 480
IP Address 0: 10.254.64.4
Host name: AM0001AME001
Executable Location: C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe
File Log Location: C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData__Global\Logs
ICU 54.2 init status: SUCCESS
Agent internal character set: UTF-8
ICU report character set: UTF-8 - Transcoding Disabled
ICU fxf character set: windows-1252 (Latin 1 / Western European) - Transcoding Enabled
ICU local character set: windows-1252 (Latin 1 / Western European) - Transcoding Enabled

At 04:53:35 -0500 -
Starting client version 10.0.9.21
FIPS mode disabled by default.
Cryptographic module initialized successfully.
Using crypto library libBEScrypto - OpenSSL 1.0.2zg 7 Feb 2023
Initializing Site: actionsite
Restricted mode
Processing Download plugins
Setting _BESClient_Download_FastHashVerify enabled: Off
Sending key exchange request to http://redacted:52311/
At 04:53:36 -0500 -
Error collecting client certificate with server message: SSL protocol not supported.
At 04:54:18 -0500 -
Sending key exchange request to http://redacted:52311/
Error collecting client certificate with server message: SSL protocol not supported.
At 04:54:19 -0500 -
Client shutdown (Failed to register to the Authenticating Relay with the provided password)

Current Date: August 20, 2024
Client version 10.0.9.21 built for WINVER 6.0 i386 running on WINVER 10.0.20348 x86_64
Current Balance Settings: Use CPU: True Entitlement: 0 WorkIdle: 10 SleepIdle: 480
IP Address 0: 10.254.64.4
Host name: AM0001AME001
Executable Location: C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe
File Log Location: C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData__Global\Logs
ICU 54.2 init status: SUCCESS
Agent internal character set: UTF-8
ICU report character set: UTF-8 - Transcoding Disabled
ICU fxf character set: windows-1252 (Latin 1 / Western European) - Transcoding Enabled
ICU local character set: windows-1252 (Latin 1 / Western European) - Transcoding Enabled

At 04:56:40 -0500 -
Starting client version 10.0.9.21
FIPS mode disabled by default.
Cryptographic module initialized successfully.
Using crypto library libBEScrypto - OpenSSL 1.0.2zg 7 Feb 2023
Initializing Site: actionsite
Restricted mode
Action site masthead keys are not compatible, starting client reset
Processing Download plugins
Setting _BESClient_Download_FastHashVerify enabled: Off
Sending key exchange request to http://redacted:52311/
Error collecting client certificate with server message: SSL protocol not supported.
At 04:57:20 -0500 -
Sending key exchange request to http://redacted:52311/
Error collecting client certificate with server message: SSL protocol not supported.
At 04:57:21 -0500 -
Client shutdown (Failed to register to the Authenticating Relay with the provided password)

Current Date: August 20, 2024
Client version 10.0.9.21 built for WINVER 6.0 i386 running on WINVER 10.0.20348 x86_64
Current Balance Settings: Use CPU: True Entitlement: 0 WorkIdle: 10 SleepIdle: 480
IP Address 0: 10.254.64.4
Host name: AM0001AME001
Executable Location: C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe
File Log Location: C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData__Global\Logs
ICU 54.2 init status: SUCCESS
Agent internal character set: UTF-8
ICU report character set: UTF-8 - Transcoding Disabled
ICU fxf character set: windows-1252 (Latin 1 / Western European) - Transcoding Enabled
ICU local character set: windows-1252 (Latin 1 / Western European) - Transcoding Enabled

At 07:26:56 -0500 -
Starting client version 10.0.9.21
FIPS mode disabled by default.
Cryptographic module initialized successfully.
Using crypto library libBEScrypto - OpenSSL 1.0.2zg 7 Feb 2023
Initializing Site: actionsite
Restricted mode
At 07:26:57 -0500 -
Processing Download plugins
Setting _BESClient_Download_FastHashVerify enabled: Off
Sending key exchange request to http://redacted:52311/
Error collecting client certificate with server message: SSL protocol not supported.
At 07:27:33 -0500 -
Sending key exchange request to http://redacted:52311/
At 07:27:34 -0500 -
Error collecting client certificate with server message: SSL protocol not supported.
At 07:27:35 -0500 -
Client shutdown (Failed to register to the Authenticating Relay with the provided password)

Current Date: August 20, 2024
Client version 10.0.9.21 built for WINVER 6.0 i386 running on WINVER 10.0.20348 x86_64
Current Balance Settings: Use CPU: True Entitlement: 0 WorkIdle: 10 SleepIdle: 480
IP Address 0: 10.254.64.4
Host name: AM0001AME001
Executable Location: C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe
File Log Location: C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData__Global\Logs
ICU 54.2 init status: SUCCESS
Agent internal character set: UTF-8
ICU report character set: UTF-8 - Transcoding Disabled
ICU fxf character set: windows-1252 (Latin 1 / Western European) - Transcoding Enabled
ICU local character set: windows-1252 (Latin 1 / Western European) - Transcoding Enabled

At 08:13:05 -0500 -
Starting client version 10.0.9.21
FIPS mode disabled by default.
Cryptographic module initialized successfully.
Using crypto library libBEScrypto - OpenSSL 1.0.2zg 7 Feb 2023
Initializing Site: actionsite
Restricted mode
Processing Download plugins
At 08:13:06 -0500 -
Setting _BESClient_Download_FastHashVerify enabled: Off
Sending key exchange request to http://redacted:52311/
Error collecting client certificate with server message: SSL protocol not supported.
At 08:13:49 -0500 -
Sending key exchange request to http://redacted:52311/
At 08:13:50 -0500 -
Error collecting client certificate with server message: SSL protocol not supported.
At 08:13:51 -0500 -
Client shutdown (Failed to register to the Authenticating Relay with the provided password)

Current Date: August 20, 2024
Client version 10.0.9.21 built for WINVER 6.0 i386 running on WINVER 10.0.20348 x86_64
Current Balance Settings: Use CPU: True Entitlement: 0 WorkIdle: 10 SleepIdle: 480
IP Address 0: 10.254.64.4
Host name: AM0001AME001
Executable Location: C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe
File Log Location: C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData__Global\Logs
ICU 54.2 init status: SUCCESS
Agent internal character set: UTF-8
ICU report character set: UTF-8 - Transcoding Disabled
ICU fxf character set: windows-1252 (Latin 1 / Western European) - Transcoding Enabled
ICU local character set: windows-1252 (Latin 1 / Western European) - Transcoding Enabled

At 08:42:07 -0500 -
Starting client version 10.0.9.21
FIPS mode disabled by default.
At 08:42:08 -0500 -
Cryptographic module initialized successfully.
Using crypto library libBEScrypto - OpenSSL 1.0.2zg 7 Feb 2023
Initializing Site: actionsite
Restricted mode
Processing Download plugins
Setting _BESClient_Download_FastHashVerify enabled: Off
Sending key exchange request to http://redacted:52311/
Error collecting client certificate with server message: SSL protocol not supported.
At 08:42:53 -0500 -
Sending key exchange request to http://redacted:52311/
At 08:42:54 -0500 -
Error collecting client certificate with server message: SSL protocol not supported.
At 08:42:55 -0500 -
Client shutdown (Failed to register to the Authenticating Relay with the provided password)

Current Date: August 20, 2024
Client version 10.0.9.21 built for WINVER 6.0 i386 running on WINVER 10.0.20348 x86_64
Current Balance Settings: Use CPU: True Entitlement: 0 WorkIdle: 10 SleepIdle: 480
IP Address 0: 10.254.64.4
Host name: AM0001AME001
Executable Location: C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe
File Log Location: C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData__Global\Logs
ICU 54.2 init status: SUCCESS
Agent internal character set: UTF-8
ICU report character set: UTF-8 - Transcoding Disabled
ICU fxf character set: windows-1252 (Latin 1 / Western European) - Transcoding Enabled
ICU local character set: windows-1252 (Latin 1 / Western European) - Transcoding Enabled

At 11:37:21 -0500 -
Starting client version 10.0.9.21
FIPS mode disabled by default.
Cryptographic module initialized successfully.
Using crypto library libBEScrypto - OpenSSL 1.0.2zg 7 Feb 2023
Initializing Site: actionsite
Restricted mode
Processing Download plugins
Setting _BESClient_Download_FastHashVerify enabled: Off
Sending key exchange request to http://redacted:52311/
At 11:37:22 -0500 -
Error collecting client certificate with server message: SSL protocol not supported.
At 11:38:07 -0500 -
Sending key exchange request to http://redacted:52311/
At 11:38:08 -0500 -
Error collecting client certificate with server message: SSL protocol not supported.
At 11:38:09 -0500 -
Client shutdown (Failed to register to the Authenticating Relay with the provided password)

Looks like the Client is trying to securely register with an authenticating Relay. Is the Client able to connect to the Relay via HTTPS on port 52311 (not HTTP)?

Thanks so much for these replies. The IP/port are open from the clients having issues, but is there is a better way to test?

Test-NetConnection <redacted> -Port 52311 ComputerName : <redacted>
RemoteAddress : <redacted>
RemotePort : 52311
InterfaceAlias : Ethernet0
SourceAddress : <redacted>
TcpTestSucceeded : True

I might suggest trying curl instead:

curl -k https://<relay name specified in client log>:52311

If you get a response (for instance either a 403 or 404), then the SSL connection was successful. Otherwise, if you get something like ‘Failed to connect’, that suggests there may be something blocking SSL traffic on port 52311 between the Client and the given Relay.

Yes - It looks like it pulled a 404. Also, some of my coworkers tried upgrading the client to 11.0.1.104 and had the same error after rebooting. The service seems to run for a full minute when starting, but then it stops with that error…

curl -k https://<redacted>:52311/

404 -- Not Found

OK, so, based on this, it looks like it’s able to connect via SSL. Perhaps next, let’s check/confirm the secure registration credentials given the error in the logs (Failed to register to the Authenticating Relay with the provided password).

I do not have those credentials to test with, and guessing I will need one of our BigFix admins to perform this step. Let me know if that is incorrect, or if there is anything else I can attempt on my side.

Yes, you’ll need your BigFix admins to verify your client has the right password to connect to their Authenticating Relay.

One last thing you could test from ‘curl’ is to try to retrieve a valid page from the relay, i.e.

curl http://your-relay.example.com:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=Version

With a non-authenticating relay, this would retrieve the deployment’s version number. On an Authenticating Relay you should receive an error 403:Unauthorized

Thanks for the reply - The curl appears to be working and I will check the rest with our BigFix Admins.

curl -k https://bigfixrelay3.<redacted>.com:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=Version

ClientRegister
Version 11.0.1.104

This ended up being some regkeys that needed changing, if anyone else ever has this issue

hklm\software\wow6432node\BigFix\EnterpriseClient\Settings\Client

change RelaySelect_Automatic=1
delete INTENTIONAL_MANUAL_RELAY
change bigfixrelay.<redacted1>.com to alpha.<redacted2>.com