aaaaaa
Level 6

An existing connection was forcibly closed by the remote host.

We have server using Windows Server 2008R2 and it got error: " Download failure. An existing connection was forcibly closed by the remote host."

We've followed section in this link: https://community.flexera.com/t5/FlexNet-Manager-Forum/FNMS-agent-installed-on-Windows-server-2003-and-2008-were-not/m-p/216723#M13712  and tried to enable TLS 1.2 on both beacon and server but it didn't work.

Is there any other way to fix it?

Thank you.

log.PNG

mgspolicy.PNG

TLS-1.PNG

TLS-2.PNG

 

6 Replies
JohnSorensenDK
Moderator Moderator
Moderator

@aaaaaa 

There can be multiple causes of this situation, e.g. network blocking the traffic. Did you check that the agent is able to "reach" the beacon after the configuration change?

You may want to get Flexera Support involved in troubleshooting this situation if you need further guidance, so please feel free to open a support case.

Thanks,

0 Kudos
jasonlu
Level 7 Champion
Level 7 Champion

Can I recommend downloading IISCrypto and running it on both the client machine with the agent, and the beacon.

In there you'll be able to see the settings for both, and turn them on and off. 

The hashes and algorithms used in the certificate need to be enabled on the client machine.

Another possibility is that access to the revocation server is unavailable to the client machine. Open up the certificate on the beacon to work out what the revocation server is, then running a test-netconnection command on the client machine with the correct port (usually 80 for http) to check that.

If the client machine does not have access to the revocation server, get a firewall hole punched for it.

The last resort is in the agent registry keys turn off checkcertificaterevocation and checkservercertificate.

 

j

 

 

 

 

 

Hi Jasonlu

Below points must to ensure for proper communication of agent to beacon

Firewall Port must be allowed for beacon 443 or 80 based on your beacon configuration.

Beacon DL & RL URL must be working

If you are  having legacy Windows OS like Win 2003 & 2008 then TLS1.0 & 1.2 must be enable  enable in agent as well Beacon to communicate. Win 2k12 & above are already having required TLS.

Link How to check if TLS 1.2 is enabled?

https://support.site24x7.com/portal/en/kb/articles/how-to-check-if-tls-1-2-is-enabled

Even after doing these changes if still not working. please attach Agent logs along with IIS log in txt format to check further.

 

0 Kudos
durgeshsing
Level 8

TLS entry seems incorrect created.

0 Kudos

Durgeshsing, yeah that's why I use IISCrypto to set any of the registry entries. That way I'll know it is done right and I haven't made a mistake.

Your list misses out on the revocation URL, which I strongly recommend checking as well. I've had in the past this exact error where the cause was the revocation server was inaccessible. This is especially relevant for linux and unix machines, as quite often they are on networks that the Active Directory admins dont know about, and so the relevant ports have not been opened by default.

 

j

 

0 Kudos

To make it I would suggest to Update your mgssetup.ini with below lines. It will be taken care during agent installation.

 

; Registry settings to be created under
; HKLM\Software\ManageSoft Corp\ManageSoft\Common
[Common]
desc0 = MGSSetupIniApplied
val0 = True
desc1 = NetworkSense
val1 = False
desc2 = CheckServerCertificate
val2 = False
desc3 = CheckCertificateRevocation
val3 = False

0 Kudos