NetXMS Windows-Agent-to-Server Connection broken after Upgrade from 5.2.7 to 6

Started by Manuel Schneider, March 09, 2026, 07:11:08 PM


Manuel Schneider

Hi all,

I've encountered a strange issue after upgrading from 5.2.7 (if I'm not mistaken) to version 6.

All my Windows-Agent-Proxy-Nodes cannot connect anymore - the tunnel just comes up as unbound and I cannot bind the tunnel to the Node, I cannot bind the tunnel to a new node either.

Is there currently any known issue with the tunnels on Windows?

Mar 09 18:01:27 netxms.domain.tld netxmsd[6645]: [crypto.cert        ] IssueCertificate: new certificate request (CN override: 2913bfd4-6a5c-4ab5-abaa-17354a97cdab, OU override: f0acdbf0-7240-4699-9ed2-f50e7e5a3ef4)
Mar 09 18:01:27 netxms.domain.tld  netxmsd[6645]: [crypto.cert        ] IssueCertificate: certificate request verification failed
Mar 09 18:01:27 netxms.domain.tld  netxmsd[6645]: [agent.tunnel.11    ] Cannot issue certificate
Mar 09 18:01:27 netxms.domain.tld  netxmsd[6645]: [agent.tunnel.11    ] Certificate cannot be issued: agent error 923 (Encryption error)

ServerConnection = netxms.domain.tld
TrustedRootCertificate = C:\NetXMS\NetXMS-CA.crt
VerifyServerCertificate = yes
ZoneUIN = 4711
MasterServers = netxms.domain.tld
ConfigIncludeDir = C:\NetXMS\etc\nxagentd.conf.d
LogFile = {syslog}
FileStore = C:\NetXMS\var
SubAgent = winperf.nsm

EnableProxy = yes
EnableModbusProxy = yes
EnableSNMPProxy = yes
EnableSNMPTrapProxy = yes
EnableSyslogProxy = yes
EnableTCPProxy = yes
EnableWebServiceProxy = yes
SubAgent = ping.nsm

Any help is highly appreciated 😅

Thanks and best wishes,
Manuel

Alex Kirhenshtein

That's rather interesting -- there are no similar reports.

Are you on 6.0.4? If not -- please give it a try. If that does not help -- temporarily roll back to 5.2.8.

In 6.x we upgraded OpenSSL to mitigate a CVE (we are not affected by it, but version scanners are still getting triggered), and it might break something.

Manuel Schneider

Yep - after seeing that there was a problem, I updated two of those Windows-Agents (the one from my deep-dive into the logs is one of them) to 6.0.4, but it still doesn't work...

Filipp Sudanov

You can add this to agent config for additional debug:

EnableSSLTrace = yes
DebugTags = ssl:8
DebugTags = tunnel:8

Does a rollback to 5.2.8 help? (The agent protocol is backward and forward compatible, so you can use an older agent with a newer server.)