Re:Intel AMT wireless on Lenovo: connection lost when OS goes down

Moon · ‎02-23-2021

Dear all,

Testing wireless Intel AMT on a Lenovo T590 laptop (LAN is not connected).
Am able to connect from another computer via meshcommander and VNC Viewer Plus when the host OS is running (Windows).
However, am not able to reboot and see the boot messages nor access the BIOS. As soon as the host OS shuts down, the connection is lost.
I've enabled ping, but am unable to ping the machine when the host OS is down (am able to ping when host OS is up).
The DHCP server is set to give the wireless mac always the same ip: 10.0.0.59
When the host OS goes down, 10.0.0.59 disappears from the wireless modem. It never shows up again. No other device (with a different MAC) shows up on the modem (assuming the Intel AMT could have a different MAC).
I've given the AMT device it's own FQDN: T590amt.local. OS FQDN: T590.local (the T590amt.local name never shows up)
The wireless modem only seems to support WPA2-PSK-CCMP/AES so I've put in network settings: SSID, WPA + Counter mode CBC MAC Protocol (CCMP), Passphrase
(after I first tried only "Enable synchronization of Intel AMT with host platform WIFI profile")

A few questions:
1. Is the MAC from Intel AMT the same as the MAC from the wireless card?
2. The AMT should be pingable when the host sleeps correct (blinking led)?
3. Is there a way to make sure AMT takes over when the host OS goes down? I've tried disabling wireless remotely assuming AMT would take over the remote AMT connection but it doesn't.
4. Is there a way to determine AMT is indeed trying to take over the connection?
5. How to make sure the connection is not dropped?

Some more details:
MeshCentral Command (MeshCmd) v0.7.66
VNC Viewer Plus 1.2.11(r122915) (Intel AMT KVM mode)
See also attached xml from ACUConfig's SystemDiscovery (tidy-ed it and replace some info with ...)

JoseH_Intel · ‎02-23-2021

Hello Moon,

Thank you for joining the Intel community

Before answering your questions let me ask you a couple things first.

Did you provisioned (configured AMT) this Lenovo laptop through the wireless connection?

If yes then this system was configured in Client Control Mode which will restrict some of the AMT capabilities. Actually if configured in CCM the laptop will require user consent every time you try to remote into it from MeshCommander.

In order to get full access you will need to chance the configuration to Admin Control Mode. For more details on how to do this you can check this here: https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=14

About your questions: 1. MAC for the WLAN and AMT are the same. 2. Yes 3.When the system is out of band it requires either a WLAN or LAN connection to be enabled so AMT could manage it. 4. Whenever the system is OOB AMT always takes over 5. It is possible to trace the packets but it goes beyond the scope of our support

Hope it helps

Regards

Jose A.

Intel Customer Support Technician

Moon · ‎02-24-2021

Hi Jose A,
- I configured the laptop on the machine itself. So not via wireless.
- The mode is Admin Control Mode. The xml file confirms this: <AMTControlMode>Admin Control Mode</AMTControlMode>. However indeed user consent is still configured to be required.
- I guess my problem is that somehow the AMT does not take over when the OS shuts down.
Is there anything I can check/do to understand better what is going wrong... I assume that AMT would not be working at all (also not when to OS is up) if the network config is wrong? (well I can test that of course... will do)
Thanks for you reply!
Moon

Moon · ‎02-24-2021

Tested the following assumption:
"I assume that AMT would not be working at all (also not when to OS is up) if the [wifi] network config is wrong?"

I set the following to make sure AMT should not have any correct wireless settings:
- Network configuration - Wifi
[ ] Enable synchro of Intel AMT with host platform WIFI profiles
[x] Enable WIFI connection in all operating system power states (S0-S5)
Setup 1: wrong
SSID: wrong, Key Management Protocol: WPA, Ecrypt. Alg.: CCMP, Pass: wrong
In config - Network configuration
[ ] allow wifi connection without a WIFI setup
No home domain was specified in the setup

When rebooted and once in Windows, to my surprise I can remotely access AMT. Remote desktop connection is fully functional.
Do I correctly understand that:
1. The whole wireless setup/profile is only relied upon once the host OS switches off.
Only then the wireless profile is used to keep connected to the wireless network?
2. If the host OS has a wireless IP, AMT will always be reachable via that IP, no matter how AMT is configured with regards to wireless profiles.

Hope someone can confirm or explain.

Despite the above it remains a mystery to me why configuring AMT with ("correct network settings"):
[x] Enable synchro of Intel AMT with host platform WIFI profiles
[x] Enable WIFI connection in all operating system power states (S0-S5)
In config - Network configuration
[x] allow wifi connection without a WIFI setup
(And not specifying any wifi profiles)

Would fail in AMT taking over the wireless connection as it copies the profile from the host (which obviously has the correct settings if connected to the wireless network).

Kind Regards,
Moon

JoseH_Intel · ‎02-24-2021

Hello Moon,

So, just to understand correctly, it doesn't matter if you have the "correct" or "incorrect" network configuration, you can always establish a remote connection to the AMT system (laptop) but in either case you cannot manage it when out of band?

I will research on your questions and will let you know soon

Regards

Jose A.

Intel Customer Support Technician

Moon · ‎02-25-2021

Hi Jose A,
"correct" (via [x] Enable synchro of Intel AMT with host platform WIFI profiles) or "incorrect" wifi setup does not seems to influence the possibility of establishing the remote AMT connection. As long as the host OS is up (and has wireless), connecting to AMT works.

It almost seems as if the synchronization of the WIFI profile from the OS to AMT fails. Is there any commmand to retrieve that profile from AMT? To check it for consistency.

Thanks for your effort.
Serge

Moon · ‎03-02-2021

Hi Jose A.,

Any updates on the research?
If you need any additional information or I need to try something else, please let me know.

Kind Regards,
Moon

JoseH_Intel · ‎03-04-2021

Hello Moon,

I apologize for the long delay. I was waiting for our senior team to reply on your issue.

It appears that the wireless profile is not sync'd to AMT. The profile was likely created with ACS Wizard or SCS. If you know where the wireless profile is located you can manually configure the SSID and insert it into the config profile.

It is also important to note which WiFi setup the you want. It defaults to WPA with TKIP when people often want RSN with CCMP, SCS User Guide section 5.11.1. https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=117

The GMS logs to this file will also show the wireless profile sync when using ACU Wizard or SCS to sync the profiles.

Please let me know if you have further questions

Regards

Jose A.

Intel Customer Support Technician

JoseH_Intel · ‎03-08-2021

Hello Moon,

I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this thread as closed. I will try to reach you as a very last time on next Thursday 11th. After that we will mark the thread as closed

Regards

Jose A.

Intel Customer Support Technician