An existing connection was forcibly closed by the remote host.

aaaaaa · ‎Jan 11, 2022

We have server using Windows Server 2008R2 and it got error: " Download failure. An existing connection was forcibly closed by the remote host."

We've followed section in this link: https://community.flexera.com/t5/FlexNet-Manager-Forum/FNMS-agent-installed-on-Windows-server-2003-and-2008-were-not/m-p/216723#M13712 and tried to enable TLS 1.2 on both beacon and server but it didn't work.

Is there any other way to fix it?

Thank you.

JohnSorensenDK · ‎Jan 17, 2022

@aaaaaa

There can be multiple causes of this situation, e.g. network blocking the traffic. Did you check that the agent is able to "reach" the beacon after the configuration change?

You may want to get Flexera Support involved in troubleshooting this situation if you need further guidance, so please feel free to open a support case.

Thanks,

jasonlu · ‎Jan 17, 2022

Can I recommend downloading IISCrypto and running it on both the client machine with the agent, and the beacon.

In there you'll be able to see the settings for both, and turn them on and off.

The hashes and algorithms used in the certificate need to be enabled on the client machine.

Another possibility is that access to the revocation server is unavailable to the client machine. Open up the certificate on the beacon to work out what the revocation server is, then running a test-netconnection command on the client machine with the correct port (usually 80 for http) to check that.

If the client machine does not have access to the revocation server, get a firewall hole punched for it.

The last resort is in the agent registry keys turn off checkcertificaterevocation and checkservercertificate.

j

durgeshsingh · ‎Jan 17, 2022

Hi Jasonlu

Below points must to ensure for proper communication of agent to beacon

Firewall Port must be allowed for beacon 443 or 80 based on your beacon configuration.

Beacon DL & RL URL must be working

If you are having legacy Windows OS like Win 2003 & 2008 then TLS1.0 & 1.2 must be enable enable in agent as well Beacon to communicate. Win 2k12 & above are already having required TLS.

Link How to check if TLS 1.2 is enabled?

https://support.site24x7.com/portal/en/kb/articles/how-to-check-if-tls-1-2-is-enabled

Even after doing these changes if still not working. please attach Agent logs along with IIS log in txt format to check further.

durgeshsingh · ‎Jan 17, 2022

TLS entry seems incorrect created.

jasonlu · ‎Jan 17, 2022

Durgeshsing, yeah that's why I use IISCrypto to set any of the registry entries. That way I'll know it is done right and I haven't made a mistake.

Your list misses out on the revocation URL, which I strongly recommend checking as well. I've had in the past this exact error where the cause was the revocation server was inaccessible. This is especially relevant for linux and unix machines, as quite often they are on networks that the Active Directory admins dont know about, and so the relevant ports have not been opened by default.

j

durgeshsingh · ‎Jan 17, 2022

To make it I would suggest to Update your mgssetup.ini with below lines. It will be taken care during agent installation.

; Registry settings to be created under
; HKLM\Software\ManageSoft Corp\ManageSoft\Common
[Common]
desc0 = MGSSetupIniApplied
val0 = True
desc1 = NetworkSense
val1 = False
desc2 = CheckServerCertificate
val2 = False
desc3 = CheckCertificateRevocation
val3 = False

ReshmaB · ‎Sep 02, 2022

Did this issue got resolved?