Problems migrating our agents from old (6.5) to new (last version) ESET server

[mgfeal 0]

Hi,

As we recovered our old server (problems with database connection) with 6.5 version, we installed a new one with the last version. So, now we are reading this KB:

https://support.eset.com/en/kb6492-client-computer-migration-in-eset-remote-administrator-6x

We created a new policy in the old server. Testing it we assigned to a desktop agent. This agent received the policy, but in trace.log we see a few errors, and the client not appear at the new console.

2020-10-27 13:34:50 Error: NetworkModule [Thread 27a0]: Verify user failed for all computers: 172.20.xx.yy: NodVerifyCertificateChain failed: NodVerifyTrustResult: 42, NVT_NotTrusted, X509ChainStatus: 0x10000, X509CSF_PartialChain
2020-10-27 13:34:50 Error: NetworkModule [Thread 27a0]: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format., ResolvedIpAddress:172.20.5.204, ResolvedHostname:, ResolvedPort:2222
2020-10-27 13:34:50 Error: NetworkModule [Thread 27a0]: Protocol failure for session id 277, error:Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.
2020-10-27 13:34:50 Error: CReplicationModule [Thread 36d8]: CReplicationManager: Replication (network) connection to 'host: "antivirus3.xxxx.yyyy" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.

 

172.20.xx.yy is the new server IP

antivirus3.xxxx.yyyy is the new server DNS

All certificates in the new server are autogenerated. In the old server all the certificates are yet autogenerated.

 

This is our "Server configuration" with the autogenerated cert assigned:

We don't understand in the KB that in the new server create a new policy with the Agent certificate. But this policy is for clients that appear in the new server, we haven't reached that yet.

Many thanks!

 

[Marcos 5,092]

If the agent on clients is no longer connecting to the ESMC server, I'd recommend generating a new agent live installer and deploying it on the clients.

[mgfeal 0]

Ok, but how do you deploy it?

The old servers uses this cert:

Agent peer certificate with subject 'CN=Agent at *, C=US' issued by 'CN=Server Certification Authority, C=US' with serial number '0194xxxxxxxxxxxxx9301'

We create a policy in the old server to only modify the "Servers to connect to ..." option with the new server DNS and port 2222.

And the clients connect to the new one but show the errors that we put before.

Maybe we need to export the Agent cert in the new server, import in the old server and apply to the same policy that modify the server?

 

[MartinK 378]

From original problem, it seems that AGENT do not trust new ESMC certificate, or in other words, AGENT are missing CA certificate of new ESMC servers. To resolve this, new CA certificate (CA certificate used to sign new ESMC's certificate) has to be imported into old ERA before migration is started. This should ensure that this CA certificate is distributed to AGENT before they are redirected to new ESMC.

In case AGENT are already redirected and no longer able to connect to original ERA server, there might be possibility to recover from this situation in case you have backup of certificate that was used by original ERA. For more details, I would recommend to check "migration scenarios" in ESMC documentation - it described required steps for various scenarios, depending on situation.