Re: FlexNet Agent on Win 7 over TLS 1.2 [Issue] [Error]

martin_schulz · ‎Jun 27, 2019

Hi,

At the beginning of 2019 Q1 we rolled out the FlexNet Agent 13.1.1 Build 8.712 on all devices for a customer. Since the end of March, all Windows 7 devices no longer transfer their inventory to the Beacon Server. All other devices (Win 10, RHEL, AIX, Win Server, ...) communicate successfully.

Then the customer confirmed that TLS 1.0/1.1 was switched off centrally.

A check on the Win 7 devices showed that TLS 1.2 is active in the OS, but the agent throws the following error message:

An existing connection was forcibly closed by the remote host.

Therefore we went into the KB article and other links:

https://community.flexera.com/t5/FlexNet-Manager-knowledge-base/Transport-Layer-Security-TLS-1-1-1-2-Configuration/ta-p/2250

https://community.flexera.com/t5/FlexNet-Manager-knowledge-base/How-to-setup-https-SSL-TLS-to-secure-and-encrypt-internal-FNMS/ta-p/2085

https://docs.microsoft.com/de-de/dotnet/framework/network-programming/tls

As a result, we made the following changes on the registry of a test client, but unfortunately we got the same result after a test:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]

"DefaultSecureProtocols"=dword: 00000800

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]

"SystemDefaultTlsVersions"=dword:00000001

"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]

"SystemDefaultTlsVersions"=dword:00000001

"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]

"SystemDefaultTlsVersions"=dword:00000001

"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]

"SystemDefaultTlsVersions"=dword:00000001

"SchUseStrongCrypto"=dword:00000001

Has someone fixed TLS 1.2 issues with Win 7 and maybe went through the same steps?

Thanks a lot.

Martin

ashurts1 · ‎Jun 28, 2019

Hi Martin,
Can you post snippets from the upload logs with any additional context around the error you are encountering?

martin_schulz · ‎Jul 11, 2019

Hi,

Thanks for the reply.

I found the following at the tracker.log for a manual test, as the agent tries to reach several upload locations.

Each of those are responding with the same error messages. Please find the last one in the log bellow:

“…

[27.06.2019 10:18:04 (N, 0)] {3324} Error 0x80072746: An existing connection was forcibly closed by the remote host.

[27.06.2019 10:18:04 (N, 0)] {3324} Error 0xE050044D: Failed to create remote directory /ManageSoftRL

[27.06.2019 10:18:04 (N, 0)] {3324} Error 0xE0690099: Specified remote directory is invalid, or could not be created

[27.06.2019 10:18:04 (G, 0)] {3324} ERROR: Remote directory is invalid

[27.06.2019 10:18:04 (G, 0)] {3324} Upload failed due to a server side issue. This server may be retried during this upload session.

[27.06.2019 10:18:04 (G, 0)] {3324} WARNING: FlexNet Manager Platform has failed to upload a file to all configured upload servers; aborting attempt to upload these file(s)

[27.06.2019 10:18:04 (G, 0)] {3324} Uploading finished

[27.06.2019 10:18:04 (G, 0)] {3324} ************************************************************

[27.06.2019 10:18:04 (G, 0)] {3324} Unable to upload inventory file(s)

[27.06.2019 10:18:04 (U, 0)] {3324} ERROR: Error (s189m263)

[27.06.2019 10:18:04 (U, 0)] {3324} ----------------

[27.06.2019 10:18:04 (U, 0)] {3324} FlexNet Manager Platform could not upload the inventory.

[27.06.2019 10:18:04 (G, 0)] {3324} Program exited with code -524484345

[27.06.2019 10:18:04 (G, 0)] {3324} ************************************************************

…“

bruce_giles · ‎Jul 11, 2019

Hi Martin, not sure if you have already done this but you need to make some changes on the Beacon servers if they are not already configured for TLS 1.2. I have attached the Flexera Article that shows you what you need to do. Basically, they are adding some new registry keys.

Take a quick look on one of your Beacon servers to see if the registry settings identified in the article are in place.

ImIronMan · ‎Jan 29, 2020

Hi Martin

@martin_schulz

@bruce_giles

We too facing similar error, however we ensured the tls 1.2 settings are enabled on beacons and few win7 agents computers as well. However, we facing below errors :

1. Few agents started reporting even without tls 1.2 setting on end computers, but few failed

2. Then we enabled tls 1.2 on a few win 7 computers, few started reporting but not reporting after a few days. with error logs say: hostname not found,few other errors says - connection forcibly terminated by host

so, we need to answer the customer that - why few machines were reporting even without a tls 1.2 setting while the security policies are same across the domain and how to fix all the errors.

Appreciate your help

JohnSorensenDK · ‎Feb 06, 2020

@ImIronMan

If you're still having issues, I suggest that you create a support case and request assistance in further troubleshooting.

Thanks,