cutor, Posted February 2, 2016

We have ERA server on a virtual appliance. The local network works OK. If I install the Agent on a PC, I can see it in ERA. But I don't see PCs at the other location. On the server I have port 2222 redirected to the internal IP (with ESET 5 this works fine).

In /var/log/eset/RemoteAdministrator/server/trace.log I see:

2016-02-02 11:49:54 Error: NetworkModule [Thread 7facb6bfd700]: ProtocolLayer: unsupported protocol version, ResolvedIpAddress:xx.yy.zz.yyy, ResolvedHostname:, ResolvedPort:27916
2016-02-02 11:49:59 Error: NetworkModule [Thread 7facb6bfd700]: ProtocolLayer: unsupported protocol version, ResolvedIpAddress:rr.zz.xx.yy, ResolvedHostname:, ResolvedPort:11218
2016-02-02 11:50:22 Error: NetworkModule [Thread 7facc4dfa700]: ProtocolLayer: unsupported protocol version, ResolvedIpAddress:dd.yy.xxx.xxx, ResolvedHostname:, ResolvedPort:28084

I think this is old ESET 5 (I didn't upgrade all PCs to 6, most are still on ESET 5). But I don't see any 6 agent. What is wrong? Can you help me? Thanks.

Marcos (Administrators), Posted February 2, 2016

Endpoint v5 does not communicate with ERA6 directly. You must install ERA agent on those machines which will redirect the communication to localhost (will change the ERA setting in Endpoint v5 automatically) and will take care of further communication with ERAS v6.

cutor (Author), Posted February 2, 2016

> Endpoint v5 does not communicate with ERA6 directly. You must install ERA agent on those machines which will redirect the communication to localhost (will change the ERA setting in Endpoint v5 automatically) and will take care of further communication with ERAS v6.

I know. I installed ERA agent 6 on a clean PC. The log is probably from an old PC. Old PCs I will update to 6 and install Agent 6 later.

MartinK (ESET Staff), Posted February 2, 2016

> I know. I installed ERA agent 6 on a clean PC. The log is probably from an old PC. Old PCs I will update to 6 and install Agent 6 later.

Please try to check status.html or trace.log on the AGENT that is not able to connect (located in C:\ProgramData\ESET\RemoteAdministrator\Agent\Logs\ or /var/log/eset/RemoteAdministrator/Agent/) -> it may provide more details.

Posted errors from SERVER are caused by EESv5 connecting to ERAv6, as you suggested.

cutor (Author), Posted February 3, 2016

OK, the problem is the certificate.

STATUS:

Scope  Time  Text
Last replication  2016-Feb-03 14:05:17  Error: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.
Peer certificate  2016-Feb-03 13:47:59  OK Agent peer certificate with subject 'CN=Agent at *, C=US' issued by 'CN=Server Certification Authority, C=US' with serial number '010d3c47f3c3c4463ebe30057b6a7e017501' is and will be valid in 30 days
Replication security  2016-Feb-03 14:05:17  Error: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (era.local) Remote host: era.mydomain.cz

trace:

2016-02-03 14:04:17 Error: CReplicationModule [Thread afc]: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.
2016-02-03 14:05:17 Error: CAgentSecurityModule [Thread cb4]: Certificated user verification failed with: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (era.local)
2016-02-03 14:05:17 Error: NetworkModule [Thread abc]: Verify user failed for all computers: XX.YY.XX.Y: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (era.local)
2016-02-03 14:05:17 Error: NetworkModule [Thread abc]: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format., ResolvedIpAddress:XX.YY.XX.Y, ResolvedHostname:, ResolvedPort:2222
2016-02-03 14:05:17 Error: NetworkModule [Thread abc]: Protocol failure for session id 18, error:Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.

I tried making a new cert authority and a new agent certificate, but it is still wrong. Is the name of the virtual host wrong?

MartinK (ESET Staff), Posted February 3, 2016

> I tried making a new cert authority and a new agent certificate, but it is still wrong. Is the name of the virtual host wrong?

The problem is that the certificate you created is tied to hostname era.local but AGENTS are connecting to era.mydomain.cz. You will have to create a new SERVER certificate that will be created for the mentioned hostname, or with the special wildcard "*" for matching all hostnames (less secure).

cutor (Author), Posted February 4, 2016

OK, I created our authority and a server certificate, applied this new certificate to the server and restarted ERA. Then I created an Agent certificate signed by our authority, generated the bat file and installed it on an external PC.

Now the status from the agent is better:

Last replication  2016-Feb-04 11:01:35  Error: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Connection closed by remote peer for session id 12
Peer certificate  2016-Feb-04 10:53:20  OK Agent peer certificate with subject 'CN=Agent certifikát pro hostitele era.mydomain.cz xx.yyy.yyy.x1, O=optus, C=CZ' issued by 'CN=certifikacni autorita optus, O=optus, C=CZ' with serial number '01e891d0d871df45cba9c5c2b63925ffbd01' is and will be valid in 30 days
Replication security  2016-Feb-04 11:01:35  OK Remote host: era.fokus-praha.cz Remote product: Server

and the trace from the agent:

2016-02-04 10:59:35 Error: CReplicationModule [Thread e88]: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Connection closed by remote peer for session id 10
2016-02-04 11:00:35 Error: CReplicationModule [Thread eb8]: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Connection closed by remote peer for session id 11
2016-02-04 11:01:35 Error: CReplicationModule [Thread a0c]: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Connection closed by remote peer for session id 12

What else is wrong?

cutor (Author), Posted February 4, 2016

and the trace log from the server:

2016-02-04 11:13:32 Error: NetworkModule [Thread 7f75eb5fe700]: Verify user failed for all computers: ip-xx-yy-zz-aa.net.upcbroadband.cz: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (era.mydomain.cz),xx-yy-zz-aa: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (era.mydomain.cz,xx-yy-zz-aa,10.0.10.99,127.0.0.1)
2016-02-04 11:13:32 Error: NetworkModule [Thread 7f75eb5fe700]: Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations., ResolvedIpAddress:xx-yy-zz-aa, ResolvedHostname:ip-xx-yy-zz-aa.net.upcbroadband.cz, ResolvedPort:50848
2016-02-04 11:13:32 Error: NetworkModule [Thread 7f75eb5fe700]: Protocol failure for session id 945, error:Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations.

MartinK (ESET Staff), Posted February 4, 2016

> OK, I created our authority and a server certificate, applied this new certificate to the server and restarted ERA. Then I created an Agent certificate signed by our authority, generated the bat file and installed it on an external PC.
>
> Now the status from the agent is better:
>
> Last replication  2016-Feb-04 11:01:35  Error: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Connection closed by remote peer for session id 12
> Peer certificate  2016-Feb-04 10:53:20  OK Agent peer certificate with subject 'CN=Agent certifikát pro hostitele era.mydomain.cz xx.yyy.yyy.x1, O=optus, C=CZ' issued by 'CN=certifikacni autorita optus, O=optus, C=CZ' with serial number '01e891d0d871df45cba9c5c2b63925ffbd01' is and will be valid in 30 days
> Replication security  2016-Feb-04 11:01:35  OK Remote host: era.fokus-praha.cz Remote product: Server
>
> and the trace from the agent:
>
> 2016-02-04 10:59:35 Error: CReplicationModule [Thread e88]: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Connection closed by remote peer for session id 10
> 2016-02-04 11:00:35 Error: CReplicationModule [Thread eb8]: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Connection closed by remote peer for session id 11
> 2016-02-04 11:01:35 Error: CReplicationModule [Thread a0c]: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Connection closed by remote peer for session id 12
>
> What else is wrong?

Now it is exactly the same error, but on the other side of the connection. When AGENT connects to SERVER, its name is resolved to ip-xx-yy-zz-aa.net.upcbroadband.cz, but this is not matching any name nor IP address in the AGENT's certificate, which contains: era.mydomain.cz,xx-yy-zz-aa,10.0.10.99,127.0.0.1. Therefore SERVER rejects the connection for security reasons.

I would recommend you to create a new AGENT certificate suitable for any hostname/IP using wildcard *.

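The server-side errors quoted in this thread fall into three classes: v5 clients rejected for protocol version, SubjectAltName mismatches, and common-name rejections. The triage script below is an added example, not ESET code and not part of any post; its regular expressions are inferred from the log lines shown here, and the sample hostnames and addresses are constructed.

```python
import re

# Patterns inferred from the trace.log lines quoted in this thread (assumption:
# the message format is stable). IPv6 peer addresses are not handled.
PEER = r"(?:computers: |,)([^\s,:]+): "
SAN_RE = re.compile(PEER + r"VerifyDnsSubjectAltName: .*?SubjectAltName extension \(([^)]*)\)")
CN_RE = re.compile(PEER + r"Authenticate: Certificate common name contains ambiguous or no product string")
LEGACY_RE = re.compile(r"ProtocolLayer: unsupported protocol version, ResolvedIpAddress:([^,\s]+)")

# Constructed sample in the same shape as the server log in the thread.
SAMPLE_LOG = """\
2016-02-02 11:49:54 Error: NetworkModule [Thread 7facb6bfd700]: ProtocolLayer: unsupported protocol version, ResolvedIpAddress:192.0.2.10, ResolvedHostname:, ResolvedPort:27916
2016-02-04 11:13:32 Error: NetworkModule [Thread 7f75eb5fe700]: Verify user failed for all computers: host1.isp.example: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (era.example.test),192.0.2.20: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (era.example.test,192.0.2.21,10.0.10.99,127.0.0.1)
2016-02-04 14:43:11 Error: NetworkModule [Thread 7fb3f35fe700]: Verify user failed for all computers: host1.isp.example: Authenticate: Certificate common name contains ambiguous or no product string,192.0.2.20: Authenticate: Certificate common name contains ambiguous or no product string
"""

def triage(log_text):
    """Group trace.log errors by cause and by the peer that triggered them."""
    report = {"legacy_protocol": set(), "san_mismatch": {}, "cn_rejected": set()}
    for line in log_text.splitlines():
        report["legacy_protocol"].update(LEGACY_RE.findall(line))
        report["cn_rejected"].update(CN_RE.findall(line))
        for peer, san_field in SAN_RE.findall(line):
            names = {n.strip() for n in san_field.split(",") if n.strip()}
            report["san_mismatch"].setdefault(peer, set()).update(names)
    return report

def summarize(report):
    """Turn the grouped report into one actionable line per peer and cause."""
    lines = []
    for ip in sorted(report["legacy_protocol"]):
        lines.append(f"{ip}: pre-v6 client connecting directly; needs the ERA Agent")
    for peer, names in sorted(report["san_mismatch"].items()):
        lines.append(f"{peer}: not listed in certificate SAN {sorted(names)}")
    for peer in sorted(report["cn_rejected"]):
        lines.append(f"{peer}: certificate common name rejected")
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```
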
cutor (Author), Posted February 4, 2016

Thanks for your answer, but I am still doing some settings wrong.

server trace:

2016-02-04 14:43:11 Error: NetworkModule [Thread 7fb3f35fe700]: Verify user failed for all computers: ip-xx-yy-zz-aaa.net.upcbroadband.cz: Authenticate: Certificate common name contains ambiguous or no product string,xx-yy-zz-aaa: Authenticate: Certificate common name contains ambiguous or no product string
2016-02-04 14:43:11 Error: NetworkModule [Thread 7fb3f35fe700]: Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations., ResolvedIpAddress:xx-yy-zz-aaa, ResolvedHostname:ip-xx-yy-zz-aaa.net.upcbroadband.cz, ResolvedPort:49227

My actual configuration:

my cert. authority
my server cert. ( subject: CN=Server certifikát pro hostitele *;S=CZ;C=CZ; address: * , )
my agent cert. ( subject: CN=Agent certifikát pro hostitele *;C=CZ; address: * )
generated online installation ( address: era.mydomain.cz, and agent )

Sorry, I'm a newbie in certification.

MartinK (ESET Staff), Posted February 4, 2016

> Thanks for your answer, but I am still doing some settings wrong.
>
> server trace:
>
> 2016-02-04 14:43:11 Error: NetworkModule [Thread 7fb3f35fe700]: Verify user failed for all computers: ip-xx-yy-zz-aaa.net.upcbroadband.cz: Authenticate: Certificate common name contains ambiguous or no product string,xx-yy-zz-aaa: Authenticate: Certificate common name contains ambiguous or no product string
> 2016-02-04 14:43:11 Error: NetworkModule [Thread 7fb3f35fe700]: Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations., ResolvedIpAddress:xx-yy-zz-aaa, ResolvedHostname:ip-xx-yy-zz-aaa.net.upcbroadband.cz, ResolvedPort:49227
>
> My actual configuration:
>
> my cert. authority
> my server cert. ( subject: CN=Server certifikát pro hostitele *;S=CZ;C=CZ; address: * , )
> my agent cert. ( subject: CN=Agent certifikát pro hostitele *;C=CZ; address: * )
> generated online installation ( address: era.mydomain.cz, and agent )

So now I am also confused. The error "Certificate common name contains ambiguous or no product string" means that the CommonName of the AGENT's certificate contains not only the expected word "Agent" but also "Server" or "Proxy" (regardless of case sensitivity), but that would be an invalid state that is checked during the certificate creation wizard - or are you using your own certificates created outside of ERA?

Could you please check status.html on the not-connecting AGENT and verify that the "Peer certificate" used conforms to these limits, i.e. check that it is the certificate that it was supposed to be?

cutor (Author), Posted February 4, 2016

status agent:

Last replication  2016-Feb-04 23:05:58  Error: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Connection closed by remote peer for session id 87
Peer certificate  2016-Feb-04 21:40:06  OK Agent peer certificate with subject 'CN=Agent certifikát pro hostitele *, C=CZ' issued by 'CN=certifikacni autorita optus, O=optus, C=CZ' with serial number '01633bc7aa251948e6b7792c17bc72d48b01' is and will be valid in 30 days
Replication security  2016-Feb-04 23:05:58  OK Remote host: era.mydomain.cz Remote product: Server

I created the cert in the ERA wizard.

MartinK (ESET Staff), Posted February 4, 2016

We are sorry for your inconvenience - you have just found a bug. It seems that the Common name of a certificate cannot contain non-ASCII characters (in your case it is á). Please create a new certificate for AGENTs with Common name:

Agent certifikat pro hostitele *

instead of the default value containing diacritics. There is also a chance you will have to regenerate the SERVER certificate if AGENT will be reporting the same error as AGENT is reporting currently.

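The two constraints that surface in this thread (one unambiguous product word in the common name, and the non-ASCII bug) can be checked on a subject string before a certificate is rolled out. This is an added example, not ESET's validation code; the substring matching and the helper names `common_name`, `check_common_name` and `ascii_fallback` are assumptions for illustration, and escaped commas inside a CN are not handled.

```python
import re
import unicodedata

# Product words named in the thread; matching is case-insensitive (assumption:
# a plain substring test approximates the server's check).
PRODUCT_WORDS = ("agent", "server", "proxy")

def common_name(subject):
    """Extract the CN from a subject as printed in status.html or the wizard."""
    match = re.search(r"CN=([^,;]+)", subject)
    return match.group(1).strip() if match else None

def check_common_name(cn, expected_product):
    """Return a list of problems; an empty list means the CN passes both checks."""
    problems = []
    non_ascii = sorted({ch for ch in cn if ord(ch) > 127})
    if non_ascii:
        problems.append("non-ASCII characters: " + " ".join(non_ascii))
    found = [word for word in PRODUCT_WORDS if word in cn.lower()]
    if found != [expected_product.lower()]:
        problems.append(f"product words found {found}, expected only '{expected_product}'")
    return problems

def ascii_fallback(cn):
    """Strip diacritics so the CN keeps its wording but becomes pure ASCII."""
    decomposed = unicodedata.normalize("NFKD", cn)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.encode("ascii", "ignore").decode("ascii")

if __name__ == "__main__":
    # Subject strings as they appear in the posts above.
    for subject, product in [
        ("CN=Agent certifikát pro hostitele *, C=CZ", "Agent"),
        ("CN=Server certifikát pro hostitele *;S=CZ;C=CZ;", "Server"),
    ]:
        cn = common_name(subject)
        print(cn, "->", check_common_name(cn, product) or "OK",
              "| suggested:", ascii_fallback(cn))
```
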
cutor (Author), Posted February 4, 2016 (Solution)

> We are sorry for your inconvenience - you have just found a bug

What prize do I win? :-)

YES, FINALLY IT WORKS. The server cert doesn't need to be recreated.

Thank you very much for your patience.

MartinK (ESET Staff), Posted February 4, 2016

> > We are sorry for your inconvenience - you have just found a bug
>
> What prize do I win? :-)

One big "děkujem"