Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.
1381 Discussions

Serial-over-LAN: TLS Connection Failed

Trevor_Sullivan
Beginner
‎02-12-2009 12:03 PM
1,805 Views
I'm getting an error message saying "Serial-over-LAN error: IMR_RES_TLS_CONNECTION_FAILED" from the Intel AMT DTK Commander tool.

Here is a screenshot of the message:

http://screencast.com/t/YakBboR62Nz

I know there was a long thread about this, but it was closed by Gael. Here is the link:

http://software.intel.com/en-us/forums/showthread.php?t=61561page/2/

No one ever posted what the resolution to the problem was. My certificate configuration seems to be working fine.

I can access SoL using the Microsoft Configuration Manager OOBconsole.

Thanks,

Trevor Sullivan
Systems Engineer
OfficeMax Corporation
0 Kudos

Link Copied

34 Replies
Trevor_Sullivan
Beginner
‎02-20-2009 10:19 AM
534 Views
Alright, well the IMR_SOLOpenTCPSession method is defined in the unmanaged imrsdk.dll library. Unfortunately I don't believe I have visibility into this source code, so my troubleshooting will probably end here.

[DllImport("imrsdk.dll")]
static extern IMRResult IMR_SOLOpenTCPSession(uint clientId, byte[] loginparams, IntPtr touts, IntPtr loopback);

----

Hmmmm, I see that there is a n imrsdk.ini file in the same folder as imrsdk.dll. Looking inside this file, there is a parameter called Debug_Level. Can I set this to a non-zero value to enable logging? What values would be valid?

Trevor Sullivan
Systems Engineer
OfficeMax Corporation
0 Kudos
Copy link
Trevor_Sullivan
Beginner
‎02-20-2009 10:26 AM
534 Views
Now this is interesting ... so, because the ConfigMgr OOB console works, and the DTK Commander doesn't, and also because I have isolated the problem to a call into imrsdk.dll, I had a suspicion that the there was possibly a difference between the version of imrsdk.dll included with ConfigMgr versus the one included in the AMT DTK tools & source.

I just cross-checked the versions of imrsdk.dll in the ConfigMgr console i386 subfolder, and the version included with the DTK source, and here is what I found:

ConfigMgr (imrsdk.dll)
------------------------------
File Version: 1.0.1.54
Product Version: 1.0.1
Date Modified: 4/8/2008 6:27 PM
Copyright: Copyright (c) 2000-2006 Intel Corporation

AMT DTK (imrsdk.dll)
----------------------------
File Version: 1.1.2.0
Product Version: 1.1.2
Date Modified: 2/19/2009 2:43 PM
Copyright: Copyright (c) 2004-2008 Intel Corporation, All rights reserved

Trevor Sullivan
Systems Engineer
OfficeMax Corporation
0 Kudos
Copy link
Trevor_Sullivan
Beginner
‎02-20-2009 10:29 AM
534 Views
Alright, so I replaced imrsdk.dll in the DTK with imrsdk.dll from the ConfigMgr console, and it still exhibits the same exact error. :-(

Trevor Sullivan
Systems Engineer
OfficeMax Corporation
0 Kudos
Copy link
TIMOTHY_D_Intel
Employee
‎02-23-2009 01:02 PM
534 Views
Hi Trevor,

I really appreciate your tenacity & patience here. Please ignore the last email for more detail ;) I'll get in the lab by by noon tomorrow (my afternoon is shot today) and attempt to replicate. Building the SCCM wasn't easy.
Tim


0 Kudos
Copy link
Trevor_Sullivan
Beginner
‎02-24-2009 05:33 AM
534 Views
Tim,

No, I completely agree .... building an SCCM environment isn't exactly a simple task. Thank you for taking the time to try replicating my issue though.

I would also like to extend the offer to you, to set up a Live Meeting session so that you can see (and/or debug) the issue on my system(s). I have a couple different machines we could work with, one running Vista and one running XP, and you could easily see the issue we're having.

If you would like to do this, let me know what times would work well for you, and I will set up a session through our conference provider.

Trevor Sullivan
Systems Engineer
OfficeMax Corporation

Quoting - Tim Tool Guy Duncan (Intel)
Hi Trevor,

I really appreciate your tenacity & patience here. Please ignore the last email for more detail ;) I'll get in the lab by by noon tomorrow (my afternoon is shot today) and attempt to replicate. Building the SCCM wasn't easy.
Tim



0 Kudos
Copy link
jacace
New Contributor I
‎02-24-2009 10:07 AM
534 Views
Hello Trevor,


Wow, you're facing some of the same problems I got =)
Maybe there are a couple of things you can try:
-Why don't you disable TLS certificates and try again? it'sjust to isolate the problem.
-Is theDTK installed in a Windows Vista machine? It'd be nice if you install in a WinXP just to try.

Good luck
0 Kudos
Copy link
Trevor_Sullivan
Beginner
‎02-24-2009 11:54 AM
534 Views
Javier,

I have tried Windows XP, Windows Server 2003, and Windows Vista. All of them exhibit the same behavior. Thank you for the suggestion though.

Can you expand on the idea of disabling TLS certificates? How do I do this on an AMT device that has already been provisioned with Configuration Manager?

Trevor Sullivan
Systems Engineer
OfficeMax Corporation

Quoting - javierandrescaceres
Hello Trevor,


Wow, you're facing some of the same problems I got =)
Maybe there are a couple of things you can try:
-Why don't you disable TLS certificates and try again? it'sjust to isolate the problem.
-Is theDTK installed in a Windows Vista machine? It'd be nice if you install in a WinXP just to try.

Good luck

0 Kudos
Copy link
jacace
New Contributor I
‎03-03-2009 09:43 AM
534 Views
Hello Trevor,


I understand that you have Microsoft System Center Configuration Manager and I don't know it.
I suppose that you provisioned the AMT machine by using it, so I don't know if this product offers a way to unprovision the system (and then provisioning without security certificates).
The goal of disabling security certificates it's to verify if this is the problem.
But again, I don't know how to do it with this tool

=(

0 Kudos
Copy link
Trevor_Sullivan
Beginner
‎03-04-2009 09:25 AM
534 Views
Hey Tim,

Got anything new for me, or do you need any more information about this issue?

Trevor Sullivan
Systems Engineer
OfficeMax Corporation
0 Kudos
Copy link
Gael_H_Intel
Moderator
‎03-13-2009 09:08 AM
534 Views

Hi Trevor - are you and Tim working off-line on this issue?Just wondering since there haven't been any updates.
--Gael
0 Kudos
Copy link
Trevor_Sullivan
Beginner
‎03-13-2009 11:16 AM
534 Views

Hi Trevor - are you and Tim working off-line on this issue?Just wondering since there haven't been any updates.
--Gael

Gael,

I appreciate you following up. I e-mailed him for a status update on March 10th, but haven't heard anything back yet. Can you see where he's at with this?

Also, he called me up a couple weeks ago and gave me his phone number, but I don't think I wrote it down. Would you mind e-mailing that to me offline? FirstLast@OfficeMax.com

A tidbit of information that might be helpful .... I was able to get the utility to work on Windows 2003, but not XP or Vista.

Thanks,

Trevor Sullivan
Systems Engineer
OfficeMax Corporation
0 Kudos
Copy link
jacace
New Contributor I
‎03-21-2009 05:14 AM
534 Views
Quoting - Trevor Sullivan


Hello Trevor,

Have you ever read my post about this error message?
Maybe this hels you:
http://software.intel.com/en-us/blogs/2009/03/19/troubleshooting-the-imr_res_tls_connection_failed-error-in-mutual-tls/
0 Kudos
Copy link
Trevor_Sullivan
Beginner
‎03-22-2009 10:24 AM
534 Views
Javier,

Thanks for the posting. I've configured the debug_level property to 2 in the imrsdk.ini file, per the directions in your article. Here is the contents of the log.txt file, after attempting to use Serial-over-LAN with this debug level:

LOG STARTED Sun Mar 22 12:10:22 2009
NETMGR: Signal socket created: 1716
SSLSocket::connect: func SSL3_GET_SERVER_CERTIFICATE, reason certificate verify failed

Do you know what this means, and how to resolve it?

Trevor Sullivan
Systems Engineer
OfficeMax Corporation

Quoting - javierandrescaceres

Hello Trevor,

Have you ever read my post about this error message?
Maybe this hels you:
http://software.intel.com/en-us/blogs/2009/03/19/troubleshooting-the-imr_res_tls_connection_failed-error-in-mutual-tls/

0 Kudos
Copy link
jacace
New Contributor I
‎03-24-2009 08:44 AM
534 Views
Quoting - Trevor Sullivan


Hello Trevor,

This tells us that is something about certificates. I have not seen this error message before but here Igive you some steps you can perform:
-Verify the expiration dates of the client/server certificate.
-Verify that the machine where your management console is installed owns a client certificate that AMT machine can accept (no matter if it's the server, anyway it's required a client certificate for the server too).
-Navigate to the client certificate (by using its WebUI) and look at the issuer certificate's serial number to verify that matches your server root serial number.
-Navigate to the server certificateand verify if ti holds a "Server Authentication" enhanced key usage.

If you can verify all these steps and theyare ok, I think it's a good time to contact the Intel support guys to ask them under what circumnstances does this error apper?

I hope this helps you

=)
0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.