Solved

Unable to install file agent from new system since about SP20. Have to use the SP18 installer

  • 26 August 2021
  • 16 replies
  • 2209 views

Userlevel 1
Badge +6

When trying to install the Unix file system agent on a new machine.  I use the following procedure.

  1. Create the client on the Commserver,but only for the purpose of being able to create a certificate.
  2. On the new client, run the cvpkgadd program.  When it asks if there is a firewall, I say “no”.  There is a firewall, but sufficient ports are open that when using the installer from Sp18 that it works fine.  Using any installer SP20 or later, it us unable to establish a proper connection to the Commserver.
  3. If I tell it there is a firewall, and it tries using port 8403, it still times out.  I have verified that the Commserve is reachable from the new client on that port.
  4. When using SP18, once the installer has completed, then I go into the commserve and provide firewall settings, push the network config and perform a check readiness.
  5. I can then update the software to SP23 from the commserve.

The SP18 installer does not have this issue.  SP20 or later does.  The Commserve is currently at SP23.

Also, would be nice if the documentation was update as the interface seems to have changed in the last couple of SPs, and all I can find in the documentation is “follow the instructions in the wizard”, which is not very helpful.

icon

Best answer by DavidB 11 October 2021, 18:58

View original

16 replies

Userlevel 7
Badge +23

Hey @DavidB -

Do you have lockdown mode enabled and hence the need for cert generation?

The client name is case sensitive and can sometimes cause issues if there is a mismatch.

On the new client, run the cvpkgadd program.  When it asks if there is a firewall, I say “no”.  There is a firewall, but sufficient ports are open that when using the installer from Sp18 that it works fine. 

 

8400 should be open bi-directionally at least to get the install done. Any blocked ports will likely fail a backup/restore since we use high ephemeral ports during backup operations unless you restrict it down to a firewall port. On the commServe you can look at the cvinstall*.log files to try figure out what is happening. If you have cvfwd.log from the client and the CommServe you could try use that to diagnose as well.

Userlevel 1
Badge +6

lockdown is enabled. Looking at the firewall logs, when using SP23 installer, only see port 8403 attempts about the time I specified using the firewall setting.  No other traffic is indicated, either allowed or blocked.  This is a local installation problem only, as once I complete the configuration on the Commserv site everything is working fine.  Once I switch to SP18, it connects quickly and I can complete the install.  I do not have any logs from the client side for the SP23 attempts, as I deleted that install when going back to SP18.  None of the “install” logs on the commserve indicate that anything was attempted (or rejected) during the SP23 install attempts.

Userlevel 1
Badge +6

@Damian Andre error in previous comment.

Should be “Once I switch to SP18, it connects quickly...”

Userlevel 7
Badge +23

@DavidB , is this something you can recreate?  We’d love to get this analyzed (and potentially escalated to development for a permanent fix).

Userlevel 1
Badge +6

yes I can.  Just need to find the time to create a temporary VM.  Also want to see if the behavior is different if the client is on the same subnet.  Note that there is a firewall between the CV subnet and the majority of the rest.  We are allow 8400-8410, 8450-8459 TCP to pass through. Don’t know if part of my issue is that the prompts are different since SP18, and that I’m just not selecting the right options.

Userlevel 7
Badge +23

Ok, great.  Would definitely like to see this get analyzed and escalated as needed!

Userlevel 7
Badge +23

Hey @DavidB , hope your weekend was restful!  Following up to see if you had a chance to recreate and escalated via support.

Thanks!

Userlevel 7
Badge +23

@DavidB , hope all is well!  Any luck retesting the issue?  FR23 is so new that I’d want to get this addressed quickly :sunglasses:

Userlevel 1
Badge +6

It’s on my shortlist.  Hoping to get to it within the next 3 or 4 days, not including the weekend.

Userlevel 7
Badge +23

Thankls for the speedy reply!

I’ll keep an eye out.

Userlevel 1
Badge +6

Thought I sent this earlier today, but guess not.

Took a linux VM that was retired last month, removed Commvault from it, and then  ran a manual install using cvpkgadd. Using SP24.  We upgraded to SP24 last month.

Selected "File Server"

  Server Information
    CommServe/Gateway hostname: used fqdn of commserve
Did not check "Commserve will connect to this computer to finish later

   Configure HTTP proxy: no

Processing firewall - Firewall Configuration (did not ask for any input)

Went straight to "Connecting to the server"
   After timing out, said "The server computer is not reachable please check

Looked at our firewall logs, and showed two successful connections attempts on port 8400 and 8403.  Did not show any blocks.

On the client, in the BASE folder:

        FwConfig.txt
                tunnel port = 0
                outgoing @@GATEWAY@@ cvfwd=commserve:8403
                @@COMMSERVE@@ proxy=@@GATEWAY@@

        FwConfigLocal.txt: all commented out

In BASE/Temp/env
        CVFWD_PID
        CVFWD_CLIENT_PORT4=33939
        CVFWD_CLIENT_PORT6=51190

In cvfwc_ping.log:
        Destination mangled name is missing a valid cvd port number
        Failed to find tunnel

In cvfwd.log
        Successfully connected to commserve:8403
        Failed to init SPP from registry
        Couldn't find any existing usable tunnel between ANY and @@COMMSERVE@@

 

 

Userlevel 1
Badge +6

Just tried a system on the same subnet as the commserve.  Same problem

I verified I am using the correct commserve fqdn

Userlevel 7
Badge +23

I would suggest opening a case at this point then.  share the incident number here so I can track it for you.

Thanks!

Userlevel 1
Badge +6

Incident 211008-368

Looks like the installer is missing some things it ought to ask for.   Or the documentation needs a serious update.

Was finally able to make it work on a new client (not a re-install), by adding the clients certificate file in the middle of the install, after it failed to connect, but without restarting the install.

Can’t believe that I’m that unique in doing local client installs against a locked down commserve.

Still need to verify other install options where there is a firewall between the client and commserve.

Userlevel 1
Badge +6

That process works on a re-install as well.

  1. Start install/re-install
  2. When it gets past copying the files, and has created the folder structure, go to the Commserve, revoke the certificates, create a new one, and copy it to the Base/certificates folder (have to create that manually as well) on the client. Named it export.txt.
  3. Continue the installation which then completes successfully.

Looks like a bug to me.

Note this test was done on a client where there is a firewall between the client and commserve.  So there appear to be no other problems with the installation process.

Userlevel 1
Badge +6

Seems I need to remember to re-read the documentation from the beginning.

To bring up the lockdown/certificate prompr during the installer.

touch /tmp/cvpkgadd_unlock_clientcertificate

Breezed right past that every time I looked at the install documentation.

d’oh

Reply