Agent Tunnel - Certificate expiration

Started by suphu, March 30, 2020, 09:31:17 PM


suphu

Hi,

Windows version 2.2.13.  Agent tunnels have been working now for just over 1 year.  Some nodes have alerts "Native agent is not responding" and have been changed to "unbound" in Agent Tunnel Manager.  I have found the problem to be the certificate created by tunnel has expired. 

Location of generated agent tunnel certificate = C:\Windows\System32\config\systemprofile\AppData\Local\nxagentd\certificates 

It appears when the agent is first "bound", this certificate is created with one year expiration.

Fixing the problem is a matter of "Bind to" existing node.  However, this resets some of the "Instance Discovery" DCIs, which I use a lot of.

Is there a way to rebind without losing DCI data?
Can you change the default expiration of the generated tunnel certificate?
Other remedies?

Thanks.

Filipp Sudanov

Hi!

One day in a future version the behaviour regarding certificate expiry might change. As of 3.2 it is still the same.

Normally discovered DCIs should not get lost: after rebinding, the server continues to perform discovery and if it gets all instances, everything stays as it was. The problem could be with the particular discovery method that is used.

Does it affect only some of the DCIs, not all of them? What method of instance discovery is used for these?

In server configuration there is the setting InstanceRetentionTime. It defines how long instances are retained if they stop being discovered. Setting this to some value will keep discovered DCIs for some time, allowing you to fix problems with their discovery.

suphu

Thanks.  I was able to set InstanceRetentionTime = 5 (days) to allow time to re-bind without losing discovered DCI instances.

In Server Configuration, I have tried changing AgentTunnels.UnboundTunnelTimeoutAction = "Bind tunnel to existing node" or "Bind tunnel to existing node or create new node", however neither of these settings seems to do anything.

Could you explain how these should work?

Thanks.

Filipp Sudanov

AgentTunnels.UnboundTunnelTimeoutAction defines what happens when an unbound tunnel connects to the server. When it connects, the server puts it into a list and does nothing. This allows a manual action to be performed. Then, after a timeout (it's configurable, I think it's 1 hour by default) the server performs an action:
- bind to existing node - if there is an appropriate node, the tunnel will be bound to it. If not, the tunnel will stay unbound.
- bind to existing or create - if there is no appropriate node, it will be created.
- there's also an option to drop the tunnel - in that case the agent will reconnect and after the mentioned timeout the process will repeat.

blazarov

I just faced the same issue, to my surprise.

Server version 3.2
agent version 3.2

What is the recommended way to renew those certificates?

What I did (Linux agent) is to delete the expired certificate from /var/lib/netxms/certificates; restart nxagentd; it appeared as a new unbound tunnel on the server and I bound it again to the correct node.

Although it worked, it seems a bit "rough" to say the least... is that the recommended way to go?

Thanks!
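An added example, not code from the thread or from the NetXMS project: a small POSIX shell check that scans the agent certificate directory named in the posts above and flags tunnel certificates that will expire within a given number of days, so the one-year lapse can be caught before nodes go "unbound". It assumes `openssl` is on the path; CERT_DIR and the warning window are your choice, and `make_test_cert` produces a constructed self-signed certificate only for trying the check offline.

```shell
#!/bin/sh
# Added example (not from the thread or NetXMS): flag agent tunnel certificates
# close to expiry. Uses openssl's -checkend so no date parsing is needed.
# Directories named in the thread (pick the one for your host):
#   Linux:   /var/lib/netxms/certificates
#   Windows: C:\Windows\System32\config\systemprofile\AppData\Local\nxagentd\certificates

# check_tunnel_certs DIR DAYS
# Prints one line per certificate in DIR: "EXPIRING <file> <notAfter>" when it
# expires within DAYS days, "OK <file> <notAfter>" otherwise. Files that are not
# X.509 certificates (private keys etc.) are skipped silently.
# Returns 0 when nothing is expiring, 1 when at least one certificate is.
check_tunnel_certs() {
    dir=$1; days=$2; expiring=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # -enddate fails on non-certificate files, which is how we skip them
        enddate=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null) || continue
        # -checkend exits 0 if the cert is still valid at now + DAYS, 1 if not
        if openssl x509 -noout -checkend $((days * 86400)) -in "$f" >/dev/null 2>&1; then
            echo "OK $f $enddate"
        else
            echo "EXPIRING $f $enddate"
            expiring=1
        fi
    done
    return $expiring
}

# make_test_cert FILE DAYS: constructed self-signed certificate (hypothetical
# subject) for exercising the check offline. Real tunnel certificates are
# issued by the NetXMS server; only their notAfter date matters to the check.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example-agent" \
        -keyout "${1%.*}.key" -out "$1" >/dev/null 2>&1
}
```

Run it from cron with a 30-day window (`check_tunnel_certs /var/lib/netxms/certificates 30`) and alert on a non-zero exit; the "Native agent is not responding" alarm then becomes a planned rebind rather than a surprise.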

Victor Kirhenshtein

Hi,

Upgrade to version 3.3 or 3.4; it will renew expiring certificates automatically before the expiration date.

Best regards,
Victor