We have recently started experiencing problems with communication with our ESXi devices through CIM, TCP port 5989. At first we thought this was related to our remote monitoring and maintenance tool, N-central by SolarWinds N-able, however we now have reason to believe that this is not the case.
The reason for why I believe this is a Vmware is that I've attempted to reach one of the ESXi devices at 5989 by browsing to it with Internet Explorer. These attempts have all resulted in the HTTP error message 501/505 Not Implemented.
I have already attempted to browse to the page with HTTP 1.1 both enabled and disabled in Internet Explorer, no change. I've tried with and without compatibility view, no change. I've tried Google Chrome, I only get a blank page and when I check the response from the server Google Chrome just says "Failed to load response data."
Is anyone able to assist me in figuring out what is wrong, and fixing the error(s)? Please do let me know what information is required to best troubleshoot this issue.
I may misunderstood of your question;
the port 5989 descripted here in vmware website:
https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2039095
vcenter server should access the esxi host with this port(CIM XML transactions over HTTPS), the error code 501/505 means that the esxi host did not recognize your client(which you use browser try connected to).
if you can pretend the agent to be vcenter, I guess you can fix the problem.
Related
I am trying to connect to an external API from .net.
It is working as expected from other machines.
But we are not getting any respond from the API call when trying from the server.
We have tried accessing the api url on the browser and it failed with the same no response error.
This is what we have done so far.
We have checked VPC firewall and tried some firewall rules ( Google Cloud firewall) and made sure that there is no blocking to this API.
We have checked Windows firewall and it is switched off now. We also made sure that there is no rules to block this API. However to test it further, we are now switched it off.
Checked that we are able to connect to other websites from the server.
Checked whether we can access the API from other machines. We are able to connect to the API successfully using the tokens from the server.
We have also installed Wireshark to analyze the incoming and outgoing packets from the server. From this analysis, we were able to find that there are network packets sending to this API and it is trying the retransmits the packets, but there is no acknowledgement packet received. This might be of the below two scenarios.
The acknowledgement packet sent from the API server lost in transition.
The data that we have sent from the server to the API lost in transition.
Contacted the API technical team and made sure that the IP is not getting blocked on their end.
Tried contacting Google Support but we have not received much help from them as ours are in "Bronze plan"
This was working without any issues from the server in the past. Not sure what is happening now.
Thank you in advance for all the helps.
Thank you Jeffrey and Patrick for your kind reply. As suggested by Patrick, I am adding here my comments as an answer to close this post. We were able to identify the issue from the wireshark analysis. It was the API provider who was blocking the IP. We have contacted them again with the results and they confirmed this. Thank you very much.
I'm using a Microsoft add-in for Powerpoint called 'Web Viewer' (it's just an iframe, you insert a URL, it displays it in the slide).
I inserted a webpage that uses Socket.IO, and I'm seeing it is not able to connect to the server (even the long polling it's falling back on is not working).
Clearly this is not an issue with the add-in: Any ideas what is going on here?
I tested on Mac 10.13.4 (latest) / Powerpoint (16.12, Office 365 Home) (latest).
The same webpage works in an iframe in the latest Chrome, Firefox, Safari, IE11, so I'm thinking something wonky is going on with the embedded (Webkit) browser that Powerpoint is using on Mac.
The general request flow is:
Browser -> AWS ALB (with stickiness enabled) -> Nginx -> Node
UPDATE
Looked into this further, and having tested other pages that use Socket.IO, I think the only difference in their setups and here is the ALB.
Even with stickiness enabled, the load balancer is clearly seen (in the logs) passing traffic between all EC2s. This leads me to believe the cookie they use is either not being set or not being passed with the requests.
First of all, based on this github issue it should be possible to open a websocket.
There might be a problem with using the unsecure ws://. I know that officejs rejects all requests to http:// and forces you to use https:// with a secure certificate. So they might do the same with WebSockets and force you to use wss:// with a valid certificate.
You can test this more easily in Power Point Online with Chrome. The addin is the same but you get much better error logging in the Devtools Console (hit F12). If it's asecurity issue there should be an error message indicating it.
I had the same issue and S.Freederle is correct. Now I'm able to use socket.io via ngrok to create a secure tunnel (HttpS) to connect to my server and emit the data to my client side in office add-in.
Today I have an exception with the ECM with the content/evidence as below :
[NonCriticalException]: Unable to connect to the remote server
My "SMTP.ConnectionStringName" no problem.
I cannot send mail, do you have any idea to fix this ?
This error occurs when the preview frame tries to download the email content. You should check the RendererUrl field on the Manager Root item and verify that the server is capable of resolving that url sucessfully.
This could be a number of things. I've had an issue in the past where software on the server was conflicting with ECM. If it was working before it's likely that something has changed on the server to cause this issue.
I would recommend following these steps on the Sitecore Knowledge base, which might get you a more meaningful error message:
https://kb.sitecore.net/articles/553662
If this doesn't achieve anything then contact Sitecore support.
I started with a problem connecting to a webservice on a remote server [internal] from a custom made program.
We tested the ws from Firefox and Chrome - both latest and it connects instantly. But in IE10 (latest version for windows 2012 not R2) we get a page can't be displayed error:
Make sure the web address https://remoteserver:9443 is correct.
Look for the page with your search engine.
Refresh the page in a few minutes.
Make sure TLS and SSL protocols are enabled. Go to Tools > Internet Options > Advanced > Settings > Security
I think that IE10 and our program are using the same system libraries, and thats the reason both cannot connect to the web service. If i solve the problem with IE i presume that i could connect to the ws from the program.
The url port is custom and OK as other browsers work. IE10 can open HTTPS connection to other remote servers.
I tried:
flushing DNS setting,
reinstalling the CA certificate. Certificate is valid in chrome.
enabling TLS1.0, TLS1.1, TLS1.2, SSLv3 and SSLv2
telnet to remote server on port 9443 works
Using developer tool in IE simulated IE 9, IE8, ...
ping to remote sever works
nslookup finds the remote server
What could be the cause of this issue?
A combination of hardening for PCI DSS(securing servers) and the webservice provider not announcing protocols that were enabled was causing the issue.
Moving the server out of PCIDSS policy made the webservice connection function normally.
The changes were displayed only after restarting the server, because of registry modification.
Thanks to #Steffen Ullrich for driving me in the right direction.
I have a web service running under IIS7 on a server with a host header set so that it receives requests made to http://myserver1.mydomain.com.
I've set Windows INtegrated Authentication to Enabled and everything else (basic, anonymous, etc) to Disabled.
I'm testing the web service using a powershell script, and it works fine when I run it from my workstation against http://myserver1.mydomain.com
However, when I run the same exact script on the IIS server itself, I get a 401-Unauthorized message.
In addition, I've tried installing the web service on a second server, myserver2.mydomain.com. Again I can call my test script fine from BOTH my workstation and from myserver1.
So it seems the only issue is when the client is on the same box as the web server itself - somehow the windows credentials are not being passed or recognized.
I tried playing with IE settings on myserver1 (checked and unchecked 'Enable Windows Integrated Authentication', and added the URL to Local Sites). That did not seem to have an effect.
When I look at the IIS logs, I see the 401 unauthorized line but very little other information.
I see basically the same behavior when testing with IE (v9) - works from my workstation but not when IE is running on the IIS server.
I found the answer after several hours:
By default, there is something called a LoopbackCheck which will reject windows authentication if the host header used for the site does not match the local host's name. This behavior will only be seen when the client is on the local host. The check is there to defeat possible reflection attacks.
More details here:
http://support.microsoft.com/kb/896861
The kb item discusses ways to disable the Loopback check, but I ended up just switching from using host headers to ports to distinguish the different sites on the IIS server.
Thanks to those who gave assistance.
Try checking the actual credential that is being passed when you are running on the server itself. Often times you will be running on some system account that doesn't have access to the resource in question.
For example, on your box your credentials are running as...
MYDOMAIN\MYNAME
and the server will be something like...
SYSTEM\SYSTEM_ACCOUNT
and so this will fail because 'SYSTEM\SYSTEM_ACCOUNT' doesn't have credentials.
If this is the case, you can fix the problem in one of two ways.
Give 'SYSTEM\SYSTEM_ACCOUNT' access to the resource in question. Most people would avoid this strategy due to security concerns (which is why the account has no access in the first place).
Impersonate, or change the credentials of the client manually to something that does have access to the resource, 'MYDOMAIN\MYNAME' for example. This is what most people would probably go with, including myself.