Client Registration on Relay

Some clients are not able to register with the relay server, even though I am able to telnet to the relay server from the client successfully.

Insufficient information to assist, hence queries:

Is the relay being selected automatically, or are you using manual selection to connect to a particular relay?
Are you seeing any error in the BESClient logs?
Is it a DMZ relay and a new client? If yes, is relay authentication enabled on your end?

For automatic relay selection, both ICMP and telnet should be permitted. Generally, if only telnet is permitted, your client can connect to a particular relay based on manual relay selection.

And in the event that one of your new clients tries to connect to a DMZ or internet-facing relay, it’s possible that they have enabled relay authentication. In this scenario, you can either use the client setting “_BESClient_SecureRegistration” or carry out a manual key exchange. However, your client cannot connect until it has an authentication certificate.

The relay selection is automatic. I have checked the client logs, and it is showing a failure to register with Relay.
It is not a DMZ relay.
Both ICMP and telnet are enabled.
Automatic relay selection was working previously but suddenly stopped.

What failure error are you seeing in the logs?
Have you verified that the relay is up and running? Can the remaining clients from that relay also successfully register?
If relay selection is automatic, is it trying to connect with other relays or is it stuck with one?

Note: If your relay is in a hung state but still able to respond to ping, the client will not route to any other relay automatically.

Agree, we need the error messages to diagnose. You may consider opening a Support ticket, if you don’t want to give full details here. They’ll send you instructions on how to collect every log and submit it to the ticket so we save time on asking questions here.

One thing that comes to mind though is that you keep talking about ‘telnet’ to the relay. If you have a layer-4 firewall between client and relay (like a Palo Alto), those firewalls can tell the difference between ‘telnet on tcp/52311’ versus ‘http and https on tcp/52311’. Those may allow the initial TCP socket connect but then terminate the connection when it detects HTTP/s traffic. If you have such a firewall be sure you have the protocol configured correctly.

Test by using a browser to connect from the client to the relay instead of using telnet.

http://server.example.com:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=Version

https://server.example.com:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=Version

Directed at either the Root or a Relay, these should both return an HTML page containing the server server number.

Also you can go through the following KB - https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0023680
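The browser test suggested above can be scripted so that the telnet-style check and the HTTP check run side by side. This is an added example, not part of the original thread or of BigFix: `probe_relay`, `verdict` and `start_stub` are hypothetical names, the local stub listener is constructed so the script runs offline, and only the plain HTTP URL from the thread is covered.

```python
import http.client
import socket
import threading
import urllib.error
import urllib.request

# Path quoted in the thread; host and port are whatever relay you are testing.
VERSION_PATH = "/cgi-bin/bfenterprise/clientregister.exe?RequestType=Version"

def probe_relay(host, port, timeout=5.0):
    """Compare what telnet proves (TCP connect) with a real HTTP request."""
    result = {"tcp_connect": False, "http_status": None, "error": None}
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        result["tcp_connect"] = True
        # Empty ProxyHandler: test the direct client-to-relay path only.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        with opener.open(f"http://{host}:{port}{VERSION_PATH}", timeout=timeout) as r:
            result["http_status"] = r.status
    except urllib.error.HTTPError as exc:
        result["http_status"] = exc.code      # something answered, just not 200
    except (OSError, http.client.HTTPException) as exc:
        result["error"] = repr(exc)           # refused, reset, closed, timed out
    return result

def verdict(result):
    if not result["tcp_connect"]:
        return "tcp-blocked"     # port closed, filtered, or relay down
    if result["http_status"] is None:
        return "http-dropped"    # telnet works, HTTP does not: check the firewall rule
    return "http-ok"

def start_stub(drop_http):
    """Constructed local listener standing in for a relay (drop_http=False) or
    for a device that accepts the connect, then closes on request bytes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if conn.recv(4096) and not drop_http:
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for drop in (False, True):
        print(drop, verdict(probe_relay("127.0.0.1", start_stub(drop))))
```

Run from an affected client with the relay's real host name and port 52311 in place of the stub; a result of `http-dropped` matches the firewall behaviour described above.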


Additionally, there is a problem with the network. We have created groups on a subnet basis, which means clients should take IPs within that subnet, but the client is taking multiple IPs from a different subnet, creating a network conflict.

I’m not sure what that has to do with BigFix?