https://community.intel.com/t5/Intel-vPro-Platform/MPS-failed-to-read-tcp-forward-request/m-p/561412#M6488 <P>Hi Martin,</P><P>First of all, thank for the answer. You gave a really great reference, it's a shame I couldn't find it until now </P><P>Now, regarding the certificate. As I've told, I'm pretty sure we pass the authentication. We get the following log in the stunnel:</P><P></P> <P>2015.05.06 11:09:37 LOG7[main]: Service [psudo-tcp] accepted (FD=548) from 84.228.118.88:16994</P> <P>2015.05.06 11:09:37 LOG7[main]: Creating a new thread</P> <P>2015.05.06 11:09:37 LOG7[main]: New thread created</P> <P>2015.05.06 11:09:37 LOG7[13]: Service [psudo-tcp] started</P> <P>2015.05.06 11:09:37 LOG5[13]: Service [psudo-tcp] accepted connection from 84.228.118.88:16994</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): before/accept initialization</P> <P>2015.05.06 11:09:37 LOG7[13]: SNI: no virtual services defined</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 read client hello A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 write server hello A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 write certificate A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 write certificate request A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 flush data</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 read client certificate A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 read client key exchange A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 read finished A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 write change cipher spec A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 write finished A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 flush data</P> <P>2015.05.06 11:09:37 LOG7[13]: 14 server accept(s) requested</P> <P>2015.05.06 11:09:37 LOG7[13]: 14 server accept(s) succeeded</P> <P>2015.05.06 11:09:37 LOG7[13]: 0 server renegotiation(s) requested</P> <P>2015.05.06 11:09:37 LOG7[13]: 0 session reuse(s)</P> <P>2015.05.06 11:09:37 LOG7[13]: 13 internal session cache item(s)</P> <P>2015.05.06 11:09:37 LOG7[13]: 0 internal session cache fill-up(s)</P> <P>2015.05.06 11:09:37 LOG7[13]: 0 internal session cache miss(es)</P> <P>2015.05.06 11:09:37 LOG7[13]: 0 external session cache hit(s)</P> <P>2015.05.06 11:09:37 LOG7[13]: 0 expired session(s) retrieved</P> <P>2015.05.06 11:09:37 LOG6[13]: SSL accepted: new session negotiated</P> <P>2015.05.06 11:09:37 LOG6[13]: No peer certificate received</P> <P>2015.05.06 11:09:37 LOG6[13]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)</P> <P>2015.05.06 11:09:37 LOG7[13]: Compression: null, expansion: null</P> <P>2015.05.06 11:09:37 LOG6[13]: Failover strategy: round-robin</P> <P>2015.05.06 11:09:37 LOG6[13]: s_connect: connecting 127.0.0.1:1234</P> <P>2015.05.06 11:09:37 LOG7[13]: s_connect: s_poll_wait 127.0.0.1:1234: waiting 10 seconds</P> <P>2015.05.06 11:09:37 LOG5[13]: s_connect: connected 127.0.0.1:1234</P> <P>2015.05.06 11:09:37 LOG5[13]: Service [psudo-tcp] connected remote server from 127.0.0.1:54891</P> <P>2015.05.06 11:09:37 LOG7[13]: Remote socket (FD=444) initialized</P> <P>2015.05.06 11:09:38 LOG3[13]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)</P> <P>2015.05.06 11:09:38 LOG5[13]: Connection reset: 140 byte(s) sent to SSL, 225 byte(s) sent to socket</P> <P>2015.05.06 11:09:38 LOG7[13]: Remote socket (FD=444) closed</P> <P>2015.05.06 11:09:38 LOG7[13]: Local socket (FD=548) closed</P> <P>2015.05.06 11:09:38 LOG7[13]: Service [psudo-tcp] finished (0 left)</P> <P></P><P>It's a bit different from the log in "Troubleshooting" section, but as far as I can understand from this log, we do manage to create a session and for some reason the client resets the connection.</P><P>&nbsp;</P>The only difference in our configuration is the port numbers, but I don't think this is the source of the problem. Thu, 07 May 2015 16:22:14 GMT EBara5 2015-05-07T16:22:14Z https://community.intel.com/t5/Intel-vPro-Platform/MPS-failed-to-read-tcp-forward-request/m-p/561410#M6486 <P>Hey everyone,</P><P>We're trying to setup an AMT remote solution. We're successfully getting the connection from the AMT device, passing the certificate check but then we're stuck.</P><P>The MPS server gives us the following error: "AMT_Tunnel_Supplier: failed to read tcp forward request".</P><P>We're wondering if anyone here can give us a direction to were the problem comes from.</P><P>The full MPS log is attached.</P> Thu, 07 May 2015 14:41:41 GMT https://community.intel.com/t5/Intel-vPro-Platform/MPS-failed-to-read-tcp-forward-request/m-p/561410#M6486 EBara5 2015-05-07T14:41:41Z https://community.intel.com/t5/Intel-vPro-Platform/MPS-failed-to-read-tcp-forward-request/m-p/561411#M6487 <P>Hello Evgeny,</P><P></P><P>I recommend you review the excellent document "Intel vPro Technology Use Case Reference Design - CIRA Ref Architecture" which can be found here: <A href="https://downloadcenter.intel.com/download/22694">https://downloadcenter.intel.com/download/22694</A> Intel® Download Center</P><P></P><P>Check stunnel, mps and apache config files according to this guide and the samples provided. From an MPS perspective it looks like the AMT Port Forwarding (APF) authorisation service (mailto:<A href="mailto:auth@amt.intel.com">auth@amt.intel.com</A> <A href="mailto:auth@amt.intel.com">auth@amt.intel.com</A>) and Intel AMT port forwarding requests (mailto:<A href="mailto:pfwd@amt.intel.com">pfwd@amt.intel.com</A> <A href="mailto:pfwd@amt.intel.com">pfwd@amt.intel.com</A>) are successful but if Stunnel log output doesn't look similar to section 9 "Troubleshooting" in the above document then you likely have issues with your SSL certificate and setting up the secure tunnel, which APF relies upon.</P><P></P><P>Follow the guide to the letter and you will be successful! You may also find additional detail in the latest <A href="https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/">https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/</A> Intel® AMT SDK Documentation useful.</P><P></P><P>Regards</P><P></P><P>- Martin.</P> Thu, 07 May 2015 15:23:04 GMT https://community.intel.com/t5/Intel-vPro-Platform/MPS-failed-to-read-tcp-forward-request/m-p/561411#M6487 Anonymous 2015-05-07T15:23:04Z https://community.intel.com/t5/Intel-vPro-Platform/MPS-failed-to-read-tcp-forward-request/m-p/561412#M6488 <P>Hi Martin,</P><P>First of all, thank for the answer. You gave a really great reference, it's a shame I couldn't find it until now </P><P>Now, regarding the certificate. As I've told, I'm pretty sure we pass the authentication. We get the following log in the stunnel:</P><P></P> <P>2015.05.06 11:09:37 LOG7[main]: Service [psudo-tcp] accepted (FD=548) from 84.228.118.88:16994</P> <P>2015.05.06 11:09:37 LOG7[main]: Creating a new thread</P> <P>2015.05.06 11:09:37 LOG7[main]: New thread created</P> <P>2015.05.06 11:09:37 LOG7[13]: Service [psudo-tcp] started</P> <P>2015.05.06 11:09:37 LOG5[13]: Service [psudo-tcp] accepted connection from 84.228.118.88:16994</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): before/accept initialization</P> <P>2015.05.06 11:09:37 LOG7[13]: SNI: no virtual services defined</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 read client hello A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 write server hello A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 write certificate A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 write certificate request A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 flush data</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 read client certificate A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 read client key exchange A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 read finished A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 write change cipher spec A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 write finished A</P> <P>2015.05.06 11:09:37 LOG7[13]: SSL state (accept): SSLv3 flush data</P> <P>2015.05.06 11:09:37 LOG7[13]: 14 server accept(s) requested</P> <P>2015.05.06 11:09:37 LOG7[13]: 14 server accept(s) succeeded</P> <P>2015.05.06 11:09:37 LOG7[13]: 0 server renegotiation(s) requested</P> <P>2015.05.06 11:09:37 LOG7[13]: 0 session reuse(s)</P> <P>2015.05.06 11:09:37 LOG7[13]: 13 internal session cache item(s)</P> <P>2015.05.06 11:09:37 LOG7[13]: 0 internal session cache fill-up(s)</P> <P>2015.05.06 11:09:37 LOG7[13]: 0 internal session cache miss(es)</P> <P>2015.05.06 11:09:37 LOG7[13]: 0 external session cache hit(s)</P> <P>2015.05.06 11:09:37 LOG7[13]: 0 expired session(s) retrieved</P> <P>2015.05.06 11:09:37 LOG6[13]: SSL accepted: new session negotiated</P> <P>2015.05.06 11:09:37 LOG6[13]: No peer certificate received</P> <P>2015.05.06 11:09:37 LOG6[13]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)</P> <P>2015.05.06 11:09:37 LOG7[13]: Compression: null, expansion: null</P> <P>2015.05.06 11:09:37 LOG6[13]: Failover strategy: round-robin</P> <P>2015.05.06 11:09:37 LOG6[13]: s_connect: connecting 127.0.0.1:1234</P> <P>2015.05.06 11:09:37 LOG7[13]: s_connect: s_poll_wait 127.0.0.1:1234: waiting 10 seconds</P> <P>2015.05.06 11:09:37 LOG5[13]: s_connect: connected 127.0.0.1:1234</P> <P>2015.05.06 11:09:37 LOG5[13]: Service [psudo-tcp] connected remote server from 127.0.0.1:54891</P> <P>2015.05.06 11:09:37 LOG7[13]: Remote socket (FD=444) initialized</P> <P>2015.05.06 11:09:38 LOG3[13]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)</P> <P>2015.05.06 11:09:38 LOG5[13]: Connection reset: 140 byte(s) sent to SSL, 225 byte(s) sent to socket</P> <P>2015.05.06 11:09:38 LOG7[13]: Remote socket (FD=444) closed</P> <P>2015.05.06 11:09:38 LOG7[13]: Local socket (FD=548) closed</P> <P>2015.05.06 11:09:38 LOG7[13]: Service [psudo-tcp] finished (0 left)</P> <P></P><P>It's a bit different from the log in "Troubleshooting" section, but as far as I can understand from this log, we do manage to create a session and for some reason the client resets the connection.</P><P>&nbsp;</P>The only difference in our configuration is the port numbers, but I don't think this is the source of the problem. Thu, 07 May 2015 16:22:14 GMT https://community.intel.com/t5/Intel-vPro-Platform/MPS-failed-to-read-tcp-forward-request/m-p/561412#M6488 EBara5 2015-05-07T16:22:14Z https://community.intel.com/t5/Intel-vPro-Platform/MPS-failed-to-read-tcp-forward-request/m-p/561413#M6489 <P>I'm still trying to identify the problem. So after going over the reference again I noticed one interesting thing.</P><P>In section 4.3.3 the IP which is specified for Http, Socks and SOAP is 10.10.10.100. I'm wondering what does this IP represent? In the <A href="https://youtu.be/SM-XpcQrg0w?t=43s">https://youtu.be/SM-XpcQrg0w?t=43s</A> video tutorial the address is 192.168.1.1. In our configuration we set this address to 127.0.0.1 (because the proxy resides on the same machine). So, say we've got an Amazon server instance with IP 123.456.78.9. What shall we specify in the MPS configuration?</P> Tue, 12 May 2015 14:19:00 GMT https://community.intel.com/t5/Intel-vPro-Platform/MPS-failed-to-read-tcp-forward-request/m-p/561413#M6489 EBara5 2015-05-12T14:19:00Z https://community.intel.com/t5/Intel-vPro-Platform/MPS-failed-to-read-tcp-forward-request/m-p/561414#M6490 <P>Following the guide to the letter did the work. Thanks!</P> Tue, 26 May 2015 09:17:48 GMT https://community.intel.com/t5/Intel-vPro-Platform/MPS-failed-to-read-tcp-forward-request/m-p/561414#M6490 EBara5 2015-05-26T09:17:48Z https://community.intel.com/t5/Intel-vPro-Platform/MPS-failed-to-read-tcp-forward-request/m-p/561415#M6491 <P>Excellent, glad you found the guide useful!</P><P></P><P>Regards</P><P></P><P>- Martin.</P> Wed, 27 May 2015 08:42:51 GMT https://community.intel.com/t5/Intel-vPro-Platform/MPS-failed-to-read-tcp-forward-request/m-p/561415#M6491 Anonymous 2015-05-27T08:42:51Z