Symptoms
When deploying an agent from the Protect console, the agent installation fails at 67%.
Manually installing an agent fails during the registration process.
Cause
This normally indicates that the agent cannot establish a connection with the console. Possible causes are a firewall issue, unopened ports, a DNS issue, or the agent service not being active on the agent machine.
Solution
Check the following to ensure you are meeting all requirements for agent registration to occur:
1) Ensure that TCP port 3121 is open from the client system back to the Protect console system, and that the Protect console system is listening on this port. You can use Telnet commands (if the Telnet client is installed) to test the connection and netstat commands to see if the port is listening. Create firewall exceptions as necessary.
2) In the Protect console, go to Tools > Console alias editor. Ensure that the IP address, NetBIOS name, and FQDN (fully qualified domain name) of the console system are all listed here for best results. Sometimes the agent attempts to use one of these identifiers to contact the Protect console for registration; if the one it uses is not listed in the console alias editor, registration fails.
3) Ensure that DNS resolution is working correctly when contacting the Protect console system. From the client system run the following commands. The results should match up.
nslookup consolemachinename
nslookup consoleipaddress
If the results do not match up or the machine cannot be resolved, you will need to work with your network administrator to resolve possible DNS issues.
4) Ensure that date/time is synced between the Console and Agent.
The following entry can be found in the STAgentUpdater.log:
Error detail example:
The server returned a security fault: 'An error was discovered processing the <wsse:Security> header'.
This normally indicates the time/date is incorrect on the agent machine.
5) Make sure to give the local system account full permissions on the C:\ProgramData\Microsoft\Crypto\RSA and RSA\MachineKeys directories on the agent machine. If the registration still fails, try renaming the MachineKeys folder to MachineKeys.old and making a new MachineKeys folder with the same permissions.
Error detail example in the STAgentManagement.log:
E RegistrationEngine.cpp:820 Error during registration: class STWin32::CWin32Exception at X509Certificate.cpp:82: Error 5: Access is denied.
6) Run a packet analyzing tool from the agent machine to the console to see if any packets being sent from the agent machine during the registration process are being blocked.
7) Try whitelisting the files listed under the Agent-Based Deployments section of this document: AntiVirus Exclusions For Patch Deployments.
8) On the client system, go to the following directory containing the agent logs:
Shavlik Protect 9.x:
- Windows Vista, 7, 8, 2008, 2012: C:\ProgramData\LANDesk\Shavlik Protect\Logs
- Windows XP/2003: C:\Documents and Settings\All Users\Application Data\LANDesk\Shavlik Protect\Logs
vCenter Protect 8.x:
- Windows Vista, 7, 8, 2008, 2012: C:\ProgramData\Shavlik Technologies\Logs
- Windows XP/2003: C:\Documents and Settings\All Users\Application Data\Shavlik Technologies\Logs
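The checks in steps 1 and 3 and the log searches for the errors in steps 4 and 5 can be scripted on the agent machine. The PowerShell below is an added example, not Ivanti or Shavlik tooling; the console name is a placeholder, the function names are illustrative, and the log directory defaults to the Shavlik Protect 9.x path from step 8.

```powershell
param(
    [string]$Console = 'protect-console.example.local',  # placeholder, not from the page
    [int]$Port = 3121,                                    # registration port (step 1)
    [string]$LogDir = 'C:\ProgramData\LANDesk\Shavlik Protect\Logs'  # 9.x path (step 8)
)

# Step 1: TCP connect with a timeout so a silently dropped SYN does not hang the check.
function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Step 3: forward lookup, then reverse lookup of each IPv4 address. The first DNS
# label of the reverse name must equal the first label of the name that was queried.
function Test-DnsRoundTrip([string]$HostName) {
    try { $addresses = [System.Net.Dns]::GetHostAddresses($HostName) } catch { $addresses = @() }
    foreach ($ip in @($addresses | Where-Object { $_.AddressFamily -eq 'InterNetwork' })) {
        try { $reverse = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $reverse = $null }
        $match = [bool]$reverse -and (($reverse -split '\.')[0] -ieq ($HostName -split '\.')[0])
        New-Object PSObject -Property @{ Address = "$ip"; ReverseName = $reverse; Match = $match }
    }
}

"TCP ${Console}:$Port reachable: $(Test-TcpPort $Console $Port)"
$dns = @(Test-DnsRoundTrip $Console)
if ($dns.Count -eq 0) { "DNS: $Console did not resolve to an IPv4 address" }
$dns | ForEach-Object { "DNS: $($_.Address) -> $($_.ReverseName) match=$($_.Match)" }

# Error strings quoted on this page, mapped to the step that addresses each one.
$signatures = @{
    'An error was discovered processing the <wsse:Security> header' = 'step 4 (date/time)'
    'Error 5: Access is denied' = 'step 5 (MachineKeys permissions)'
}
if (Test-Path $LogDir) {
    foreach ($text in $signatures.Keys) {
        $hits = @(Get-ChildItem $LogDir -Filter 'STAgent*.log' |
            Select-String -SimpleMatch -Pattern $text)
        if ($hits.Count -gt 0) { "$($hits.Count) hit(s) for '$text': see $($signatures[$text])" }
    }
} else { "Log directory not found: $LogDir" }
```

Save it as a .ps1 file and run it on the agent machine with -Console set to the console's host name rather than its IP address. For vCenter Protect 8.x or Windows XP/2003, pass -LogDir with the matching path from step 8.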
Additional Information
The following logs may contain useful information:
- RegistrationLog.txt
- STAgentUpdater.log
- STAgentManagement.log
Affected Products
Ivanti Patch for Windows Servers 9.3.x
Shavlik Protect 9.2.x