Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Static IP address in SCS console while client's IPv4 Ethernet addresses keep changing

MEbel
Beginner
3,328 Views

I'm a system admin and had the task to configure the MEBx PW of our vPro clients.

Using SCS on a W2012R2 VM in DB mode (SQL2014 Express), all my clients are configured in 'Admin Control Mode'.

For newly configured clients, the remote admin PW can be retrieved from the DB. All of this works very well indeed.

Now I want to find out how I can take advantage of the AMT features.

My problem at this point: as the (internal) IP address of my clients changes, the console's 'Get configured password' function becomes a bit of a lottery. Typically it fails and the client's 'Connection Status' changes to 'Disconnected'.

My question: I suspect that my SCS console's inability to keep up with the ever changing IPv4 Ethernet port addresses of my clients is part of the problem?

Can anybody confirm this?

The (Lenovo) clients:

- Win10 x64 1703, BitLocker=ON

- The BIOS is up to date

- The IntelME firmware is up to date

- We have a disjoint DNS name space. I.e. the SCS server's name space is different from the client's.

- DNS resolution from SCS server to client and client to server works

- The errors I'm getting:

Finishing Get configured password for UUID:E8DD1901-5472-11CB-9746-BD924F82E988, With returned status: Initial connection to the Intel(R) AMT device failed. (0xc00007d2). A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target. (0xc000521c).

If there's anybody out there who can give me a hint, I'd be very grateful.

Martin

0 Kudos
14 Replies
idata
Employee
1,513 Views

Hello Martin Ebell(marebe),

Are you using a Dedicated IP?

Do you get a specific error code like "91"?

On an Intel AMT system, the host platform and the Intel AMT device both have an IP address. These IP addresses are usually the same, but they can be different. Intel SCS configures the IP address of the Intel AMT device. By default, Intel SCS configures the Intel AMT device to get the IP address from a DHCP server. If this default is not correct for your network, change the setting in the configuration profile. For information about the available settings, see "Defining IP and FQDN Settings" on page 127 of the Intel SCS User Guide: https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf

Please take into consideration that the RCS communicates with the Intel AMT device using the Transmission Control Protocol (TCP).

During communication, if the device does not answer within a specified time, the RCS cancels the communication. This default "Timeout" setting is 10 seconds.

This is usually enough time for the device to respond. To change this default, enter a new value (between 10 and 80 seconds) in this field: Timeout for connection with systems (in seconds).

Additionally, reconfiguration can fail when all these conditions are true:

1. The Intel AMT device was configured with an FQDN and IP different from the host operating system (for example, by using a dedicated network settings file).

2. The dedicated network settings file contains FQDN and IP values different from those currently defined in the Intel AMT device.

3. Intel SCS needs to reconfigure the device using the new values in the dedicated network settings file.

If this is the case, make sure you supply the current IP address or FQDN of the Intel AMT device in the tag of the dedicated network settings file.

For more information, refer to the Intel® Setup and Configuration Software (Intel® SCS) - User Guide, page 232: https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf

Please let me know if you have any more questions.

Best regards,

Caesar B_Intel.

0 Kudos
MEbel
Beginner
1,513 Views

Thank you for your response.

To answer your questions:

We use DHCP for our clients. (Only the servers have a fixed IP.)

I don't see an error code 91 in the log.

We don't use a dedicated network file as described in the three scenarios you list above.

The two errors that keep showing up are always the same:

- "A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target. (0xc000521c). "

- "Finish operation with Error (0xc00007d2) - Initial connection to the Intel(R) AMT device failed. (0xc00007d2). A TCP error occurred."

The network IP Settings section of my configuration Profile is identical to the one shown on page 127 of the 'User Guide'.

Consequently, one would expect it to be the same between Host and AMT device.

That said - and I want to thank you for the hint - it most likely isn't. Because, if for testing's sake, I create a Reservation in DHCP, so that a "lost" client is guided back to the IP address the SCS console holds, password retrieval works and the 'Connection Status' returns to 'Connected'.

For now, I'll try to find out why Host IP address and AMT Device IP address are not aligned and might have further questions.

...in the meantime:

The log of an .\acuconfig.exe systemdiscovery attempt:

PS C:\> .\ACUConfig.exe /output console systemdiscovery

Starting log 2018-04-09 17:30:21

ACUConfig 11.2.0.35

[ClientFQDN]: Starting to discover the system information...

Wire support:************** 1

System Discovery failed to get data from some of the interfaces on this system.

Failed to get data from the GetDNSLookupName interface.

Failed to get the FQDN.

Call to function failed.

DNS server failure.

***********

Exit with code 32.

Details: Intel(R) AMT operation completed with warnings:

System Discovery failed to get data from some of the interfaces on this system.

Failed to get data from the GetDNSLookupName interface.

Failed to get the FQDN.

Call to function failed.

DNS server failure.

What I notice: .\acuconfig.exe systemdiscovery does correct the IP address stamped into the registry of the client.

Disappointingly, .\acuconfig.exe systemdiscovery /ReportToRCS /RCSaddress [FQDN of RCServer] makes no impression on the connection status in the SCS console.

Again, thanks for your help.

Martin

0 Kudos
idata
Employee
1,513 Views

Hello Martin Ebell(marebe),

Let me check into this situation and as soon as I have an update I will let you know.

Please let me know if you have any more questions.

Best regards,

Caesar B_Intel.

0 Kudos
MEbel
Beginner
1,513 Views

I start to understand this a little better.

The 'Intel AMT IPv4' value in the 'List of Systems' in the 'SCS' console is irrelevant.

The 'Get configured Password' function will come up with the remote admin password even if there's a mismatch between IPv4 shown in the SCS and the actual IP address of the client.

Important is that the 'IP' string value in:

HKLM\SOFTWARE\Intel\Setup and Configuration Software\SystemDiscovery\ConfigurationInfo\AMTNetworkSettings\AMTWiredNetworkAdapter\IPv4IPSettings

...is kept up to date.

Questions:

- Isn't it the job of the LMS service to stamp the current IP address of a client into its registry?

- If so, at what interval is this supposed to happen?

- If not, what service/component is responsible to keep above 'IP' string value up to date?

Best regards,

Martin

0 Kudos
idata
Employee
1,513 Views

Hello marebe,

You can use Intel SCS to configure Intel AMT on systems that have Intel AMT 6.2 and higher. Each system that you want to configure using Intel SCS must have these drivers and services installed and running in the operating system:

• Intel MEI – The Intel® Management Engine Interface (Intel® MEI) driver, also known as HECI, is the software interface to the Intel AMT device. This driver is usually located under "System devices".

• LMS – The Local Manageability Service (LMS.exe) enables local applications to send requests and receive responses to and from the device. The LMS listens for and intercepts requests directed to the Intel AMT local host, and routes them to the device via the Intel MEI.

The Intel MEI driver is usually installed by the manufacturer or by running Windows Update on a system, but often the LMS service is not installed. If they are missing, or you need to reinstall them, contact the manufacturer of your system to get the correct versions for your system.

Note: Support for versions of Intel AMT earlier than 10.0 is deprecated. You can still use Intel SCS 11.2 to configure Intel AMT 9.x and earlier, though the support agreements for Intel SCS 11.2 do not include support for issues related to the above.

Let me look for more information on how the LMS accomplishes its tasks related to the IP.

Best regards,

CaesarB _Intel

0 Kudos
idata
Employee
1,513 Views

Hello marebe,

We would like to know if there is anything else we could help out with?

Best regards,

CaesarB _Intel

0 Kudos
MEbel
Beginner
1,513 Views

Hello Caesar,

You wanted to: "look for more information on how the LMS accomplishes its tasks related to the IP."

There's got to be an answer to that.

Best regards,

Martin

0 Kudos
idata
Employee
1,513 Views

Hello Martin,

I am still working on your case, I will keep you posted.

Best regards,

Caesar B_Intel

0 Kudos
idata
Employee
1,513 Views

Hello Martin,

It seems the problem is that the SCS Console information is static. So in order to keep this information up-to-date, you will need to run a systemdiscovery with a /reporttorcs switch on each client through something like a system local scheduled task, unless you have SCCM.

Please let us know if you have SCCM?

If you had SCCM, you could run a task sequence to do the system discovery in a cadence appropriate to your DHCP scope.

It sounds like your IPs change a lot, which means you need to have a management software in order to run tasks; you might need to run the systemdiscovery as a scheduled task on the client.

Please let me know if you have any questions.

Best regards,

Caesar B_Intel.

Share this information with them and then also find out if they use SCCM.

0 Kudos
MEbel
Beginner
1,513 Views

Hello Caesar,

We do have SCCM and I have considered using it to help SCS along.

Our DHCP lease times are limited to 12h. That said, I cannot see how a longer lease time would fundamentally address the problem.

Can you confirm that neither the LMS service nor the IME client software on the AMT host cares about keeping the IP string value in the registry up to date?

Regards,

Martin

0 Kudos
idata
Employee
1,513 Views

Hello Martin,

I am checking if that is the behavior of AMT. I will get back to you with more information.

Best regards,

Caesar B _Intel

0 Kudos
idata
Employee
1,513 Views

Hello Martin,

The LMS service will keep AMT's IP address in sync with the OS, but it doesn't update the SystemDiscovery information in the registry. The registry data is static and is only ever updated when you run an ACUConfig.exe SystemDiscovery.

The problem you are having with the SCS Console "Get Configured Password" is twofold.

The problem is that just like the registry on the local AMT system, the information in the SCS database is static. This problem is compounded by the fact that there is a known issue with the ACUConfig.exe SystemDiscovery /ReportToRCS /RCSAddress command. It does not update the IP address in the SCS database (the Remote System Discovery from the SCS Console does update it).

The second problem is that the "Get Configured Password" flow currently requires the RCS to successfully establish a connection to AMT before showing you the password. So if the IP address of AMT has changed, this will fail and RCS will throw an error. I have already put in a request for that flow to change when you're not using the Digest Master Password option.

Currently, you have two workarounds:

  1. Use Active Directory integration. This would allow them to use your Kerberos accounts to manage AMT, minimizing the need for the digest admin password.
  2. Set up DHCP reservations for your AMT computers.

Best regards,

Caesar B _Intel

0 Kudos
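
The scheduled re-discovery discussed in this thread, as an added PowerShell example (not code from the posters or from Intel): it compares the registry 'IP' value named above with the client's current wired DHCP lease and reruns ACUConfig.exe SystemDiscovery only when they differ. The ACUConfig.exe install path and the function names are assumptions; the script is meant to run elevated from a local scheduled task or an SCCM task.

```powershell
# Added example: refresh stale SCS SystemDiscovery data on a DHCP client.
$AcuConfig = 'C:\Program Files\Intel\SCS\ACUConfig.exe'   # assumed path, adjust
$RegPath   = 'HKLM:\SOFTWARE\Intel\Setup and Configuration Software\' +
             'SystemDiscovery\ConfigurationInfo\AMTNetworkSettings\' +
             'AMTWiredNetworkAdapter\IPv4IPSettings'

function Get-RecordedAmtIp {
    # 'IP' string last written by ACUConfig.exe SystemDiscovery; $null if absent.
    $item = Get-ItemProperty -Path $RegPath -Name 'IP' -ErrorAction SilentlyContinue
    if ($item) { $item.IP } else { $null }
}

function Get-CurrentWiredDhcpIp {
    # IPv4 DHCP leases held by wired physical adapters that are currently up.
    $wired = Get-NetAdapter -Physical |
        Where-Object { $_.Status -eq 'Up' -and $_.PhysicalMediaType -eq '802.3' }
    if (-not $wired) { return }
    Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Dhcp -ErrorAction SilentlyContinue |
        Where-Object { $wired.ifIndex -contains $_.InterfaceIndex } |
        Select-Object -ExpandProperty IPAddress
}

$recorded = Get-RecordedAmtIp
$current  = @(Get-CurrentWiredDhcpIp)

if ($current.Count -eq 0) {
    Write-Output 'No wired DHCP lease right now; nothing to compare.'
    exit 0
}
if ($recorded -and ($current -contains $recorded)) {
    Write-Output "Registry IP $recorded matches the current lease."
    exit 0
}

Write-Output "Registry IP '$recorded' is stale (current: $($current -join ', ')); rerunning SystemDiscovery."
& $AcuConfig systemdiscovery
$code = $LASTEXITCODE

# The log posted in this thread shows exit code 32 ("completed with warnings")
# for a run that still corrected the registry value, so 32 is tolerated here.
if ($code -notin 0, 32) {
    Write-Error "ACUConfig exited with code $code"
    exit $code
}
Write-Output "SystemDiscovery finished (exit $code); registry IP is now '$(Get-RecordedAmtIp)'."
```

/ReportToRCS is left out because, per the reply above, it does not update the IP address in the SCS database; the script only keeps the client-side registry value current.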
MEbel
Beginner
1,511 Views

Hello Caesar,

My question is answered.

Thank you for taking this scenario into account and for the list of possible workarounds.

The thread can be closed.

Best regards,

Martin

0 Kudos
idata
Employee
1,511 Views

Hello Martin,

You are more than welcome. I am glad to assist and hope this helps other customers in the future.

Best regards,

Caesar B_Intel.

0 Kudos