================================================================================ NetXMS Agent Tunnel Bind Failure - Diagnostic Logs ================================================================================ Sanitization notes: - Server hostname replaced with - Test host names replaced with and - Organization in cert subjects replaced with XYZ - Country, state, locality in cert subjects replaced with XYZ - Timestamps preserved ================================================================================ TEST 1: Win 10 Pro 22H2 (build 19041) + NetXMS Agent 6.1.1 Result: Bind FAILS with error 923 ================================================================================ --- Agent log (excerpt around bind attempt) --- [tunnel] : Certificate "C=XYZ,ST=XYZ,L=XYZ,O=XYZ,CN=" for issuer C=XYZ,ST=XYZ,L=XYZ,O=XYZ,CN=NetXMS Root CA - verification successful [tunnel] : Server certificate pinning is disabled [tunnel] : Sending message CMD_SETUP_AGENT_TUNNEL (1) [tunnel] : Received message CMD_REQUEST_COMPLETED (1) [ ] Tunnel with established [tunnel] : Tunnel is active [tunnel] : Received message CMD_BIND_AGENT_TUNNEL (1) [tunnel] : Sending message CMD_REQUEST_CERTIFICATE (1) [tunnel] : Received message CMD_NEW_CERTIFICATE (1) [tunnel] : certificate request failed (923) [tunnel] : Sending message CMD_REQUEST_COMPLETED (1) --- Server log (excerpt) --- [crypto.cert] IssueCertificate: new certificate request (CN override: , OU override: ) [crypto.cert] IssueCertificate: certificate request verification failed [agent.tunnel.N] Cannot issue certificate [agent.tunnel.N] Certificate cannot be issued: agent error 923 (Encryption error) Note: Server-side parse failure occurs in 0 ms - failure is at DER parse, not at signature verification. ================================================================================ TEST 2: Win 11 Home 24H2 (build 26200) + NetXMS Agent 6.1.1 Result: Bind FAILS with error 923 (identical to Test 1) ================================================================================ --- Agent log (full sequence from agent start through bind failure) --- 2026.04.29 12:11:50.581 *D* [tunnel ] : Certificate "C=XYZ,ST=XYZ,L=XYZ,O=XYZ,CN=" for issuer C=XYZ,ST=XYZ,L=XYZ,O=XYZ,CN=NetXMS Root CA - verification successful 2026.04.29 12:11:50.581 *D* [tunnel ] : Server certificate pinning is disabled 2026.04.29 12:11:50.583 *D* [comm.vs.1 ] Requesting metric "System.PlatformName" 2026.04.29 12:11:50.583 *D* [comm.vs.1 ] Requesting metric "System.UName" 2026.04.29 12:11:50.583 *D* [comm.vs.1 ] Requesting list "Net.InterfaceList" 2026.04.29 12:11:50.590 *D* [tunnel ] : Sending message CMD_SETUP_AGENT_TUNNEL (1) 2026.04.29 12:11:50.653 *D* [tunnel ] : Received message CMD_REQUEST_COMPLETED (1) 2026.04.29 12:11:50.653 *I* [ ] Tunnel with established 2026.04.29 12:11:50.653 *D* [tunnel ] : Tunnel is active 2026.04.29 12:12:20.646 *D* [tunnel ] : Sending message CMD_KEEPALIVE (2) 2026.04.29 12:12:20.646 *D* [tunnel ] : Received message CMD_KEEPALIVE (2) 2026.04.29 12:12:50.660 *D* [tunnel ] : Sending message CMD_KEEPALIVE (3) 2026.04.29 12:12:50.684 *D* [tunnel ] : Received message CMD_KEEPALIVE (3) 2026.04.29 12:13:02.971 *D* [tunnel ] : Received message CMD_BIND_AGENT_TUNNEL (1) 2026.04.29 12:13:16.239 *D* [tunnel ] : Sending message CMD_REQUEST_CERTIFICATE (1) 2026.04.29 12:13:16.254 *D* [tunnel ] : Received message CMD_NEW_CERTIFICATE (1) 2026.04.29 12:13:16.254 *D* [tunnel ] : certificate request failed (923) 2026.04.29 12:13:16.255 *D* [tunnel ] : Sending message CMD_REQUEST_COMPLETED (1) 2026.04.29 12:13:20.684 *D* [tunnel ] : Sending message CMD_KEEPALIVE (4) 2026.04.29 12:13:20.687 *D* [tunnel ] : Received message CMD_KEEPALIVE (4) ================================================================================ TEST 3: Win 11 Home 24H2 (build 26200) + NetXMS Agent 5.2.8 Result: Bind FAILS with error 923 (IDENTICAL to 6.1.1 - rollback workaround from forum thread msg=35265 does NOT resolve on this environment) ================================================================================ --- Agent version verification --- NetXMS Core Agent Version 5.2.8 Build 5.2-506-g7d4137c08a (UNICODE) --- Agent log (full sequence, two consecutive bind attempts) --- 2026.04.29 12:50:05.581 *D* [tunnel ] : Certificate "C=XYZ,ST=XYZ,L=XYZ,O=XYZ,CN=" for issuer C=XYZ,ST=XYZ,L=XYZ,O=XYZ,CN=NetXMS Root CA - verification successful 2026.04.29 12:50:05.581 *D* [tunnel ] : Server certificate pinning is disabled 2026.04.29 12:50:05.583 *D* [comm.vs.1 ] Requesting metric "System.PlatformName" 2026.04.29 12:50:05.583 *D* [comm.vs.1 ] GetMetricValue("System.PlatformName"): 0 (SUCCESS) value = "windows-x64" 2026.04.29 12:50:05.583 *D* [comm.vs.1 ] Requesting metric "System.UName" 2026.04.29 12:50:05.583 *D* [comm.vs.1 ] GetMetricValue("System.UName"): 0 (SUCCESS) value = "Windows 10.0.26200 Windows 11 Build 26200 AMD-64" 2026.04.29 12:50:05.583 *D* [comm.vs.1 ] Requesting list "Net.InterfaceList" 2026.04.29 12:50:05.659 *D* [comm.vs.1 ] GetListValue(): result is 0 (SUCCESS) 2026.04.29 12:50:05.659 *D* [tunnel ] : Sending message CMD_SETUP_AGENT_TUNNEL (1) 2026.04.29 12:50:05.739 *D* [tunnel ] : Received message CMD_REQUEST_COMPLETED (1) 2026.04.29 12:50:05.739 *I* [ ] Tunnel with established 2026.04.29 12:50:05.739 *D* [tunnel ] : Tunnel is active 2026.04.29 12:50:06.583 *I* [filemon ] Path list for file monitor is empty 2026.04.29 12:50:06.583 *I* [ ] NetXMS Agent started 2026.04.29 12:50:26.770 *D* [tunnel ] : Received message CMD_BIND_AGENT_TUNNEL (1) 2026.04.29 12:50:34.145 *D* [tunnel ] : Sending message CMD_REQUEST_CERTIFICATE (1) 2026.04.29 12:50:34.161 *D* [tunnel ] : Received message CMD_NEW_CERTIFICATE (1) 2026.04.29 12:50:34.161 *D* [tunnel ] : certificate request failed (923) 2026.04.29 12:50:34.161 *D* [tunnel ] : Sending message CMD_REQUEST_COMPLETED (1) 2026.04.29 12:51:16.661 *D* [tunnel ] : Received message CMD_BIND_AGENT_TUNNEL (2) 2026.04.29 12:51:25.305 *D* [tunnel ] : Sending message CMD_REQUEST_CERTIFICATE (2) 2026.04.29 12:51:25.319 *D* [tunnel ] : Received message CMD_NEW_CERTIFICATE (2) 2026.04.29 12:51:25.319 *D* [tunnel ] : certificate request failed (923) 2026.04.29 12:51:25.319 *D* [tunnel ] : Sending message CMD_REQUEST_COMPLETED (2) ================================================================================ TEST 4: AlmaLinux 9.7 local Linux agent + NetXMS Agent 6.1.1 (control) Result: Bind SUCCEEDS ================================================================================ --- Agent cert post-bind (proof of successful flow) --- Externally provisioned...: NO Certificate subject......: C=XYZ,O=XYZ,OU=,CN= Certificate issuer.......: C=XYZ,ST=XYZ,L=XYZ,O=XYZ,CN=NetXMS Root CA Note: Linux agent uses system OpenSSL 3.5.1 (same as the server). CSR generated by Linux agent is accepted by server-side CSR parser without issue. This confirms server cert issuance flow itself is functional - the failure is specifically with CSRs produced by the Windows agents tested above. ================================================================================ SUMMARY ACROSS TESTS ================================================================================ Failure pattern is identical across all three Windows tests regardless of: - Windows OS version (10 22H2 vs 11 24H2) - NetXMS agent version (6.1.1 vs 5.2.8) - Windows OS build number In every Windows case: 1. TLS handshake completes successfully 2. Tunnel reaches "active" state 3. CMD_BIND_AGENT_TUNNEL received from server 4. CMD_REQUEST_CERTIFICATE sent by agent 5. Server attempts to parse CSR -> fails in 0 ms 6. CMD_NEW_CERTIFICATE returned with error 7. Agent logs "certificate request failed (923)" Linux agent against same server, same CA, same configuration: binds successfully.