Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Error while setting up AMT: Failed to generate a key pair (400) #3615

Open DnDNero opened 2 years ago

DnDNero commented 2 years ago

Hi there,

First I would like to say that I appreciate the effort your team has put into developing this amazing piece of software.

I'm having some problems adding a new computer to MeshCentral in WAN mode.

When running the meshcmd command to set up AMT, it gives the error "Failed to generate a key pair (400)".

MeshCentral version is 0.9.78 and running on an AWS remote server. While AMT cannot be configured on the remote PC, the agent can be installed and the PC can be added to the MeshCentral server. No AMT cert has been imported into the server.

The remote PC can telnet to the server on port 4433.

Any troubleshooting tips or advice is much appreciated

Ylianst commented 2 years ago

What version of AMT?

DnDNero commented 2 years ago

Intel AMT v12.0.45

alexkolomolo commented 2 years ago

Did you solve this? I also hit this.

DnDNero commented 2 years ago

I did not solve this. @Ylianst, do you have any recommendations?

alexkolomolo commented 2 years ago

I can say that I provisioned the same machine once using ACM AMT. CIRA failed. I tried to clear everything and start again, and then started hitting this issue. I will try to wipe the MEBx via a BIOS update on Monday and see if that resolves things.

alexkolomolo commented 2 years ago

SEND: <?xml version="1.0" encoding="utf-8"?>

http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData/DataChannelRead</a:Action>/wsman</a:To>http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData</w:ResourceURI>7</a:MessageID>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo>PT60S</w:OperationTimeout>
</r:DataChannelRead_INPUT>

Request 6 response status code => 200 Response: 200

RECV: <?xml version="1.0" encoding="UTF-8"?>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</b:To>7</b:RelatesTo>http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData/DataChannelReadResponse</b:Action>uuid:00000000-8086-8086-8086-000000000932</b:MessageID>http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData</c:ResourceURI></a:Header>2066</g:ReturnValue></g:DataChannelRead_OUTPUT></a:Body></a:Envelope>

Failed to generate a key pair (400). REMOVING reference to HttpStream: client DISCONNECT on 0x1ab95c8 DISCONNECT on 0x1951148

Above is with --debugflags 1

alexkolomolo commented 2 years ago

9:15:29 PM - MPS: CIRA websocket closed, mesh//hi95fpWp1@0TvDW0PTOLHurso8XOoHduo5yyf0I4CN6pK$cPLddM09wqLcSORtva, node//AwACAAQABQAABgAHAAgACQMAAgAEAAUAAAYABwAIAAkDAAIABAAFAAAGAAcACAAJ
9:15:29 PM - MPSCMD: --> CHANNEL_CLOSE, 10
9:15:29 PM - MPSCMD: <-- JSON_CONTROL, close
9:15:29 PM - MPSCMD: <-- CHANNEL_CLOSE, 10
9:15:29 PM - AMT: just-raisin-packet, Remove device, node//AwACAAQABQAABgAHAAgACQMAAgAEAAUAAAYABwAIAAkDAAIABAAFAAAGAAcACAAJ, 2, 20
9:15:29 PM - MPSCMD: <-- JSON_CONTROL, console
9:15:29 PM - AMT: just-raisin-packet, Failed to generate a key pair (400).
9:15:29 PM - MPSCMD: <-- CHANNEL_WINDOW_ADJUST, 10, 16687
9:15:25 PM - MPSCMD: <-- JSON_CONTROL, console
9:15:25 PM - AMT: just-raisin-packet, Intel AMT connected.
9:15:25 PM - AMT: just-raisin-packet, Initial Contact Response, 200
9:15:25 PM - MPSCMD: --> CHANNEL_OPEN_CONFIRMATION, 10, 10, 32768
9:15:25 PM - MPSCMD: <-- CHANNEL_OPEN, forwarded-tcpip, 10, 32768, :16992, 1.2.3.4:1030
9:15:24 PM - MPSCMD: --> CHANNEL_CLOSE, 9
9:15:24 PM - MPSCMD: <-- CHANNEL_CLOSE, 9
9:15:24 PM - MPSCMD: --> CHANNEL_OPEN_CONFIRMATION, 9, 9, 32768
9:15:24 PM - MPSCMD: <-- CHANNEL_OPEN, forwarded-tcpip, 9, 32768, :16992, 1.2.3.4:1029
9:15:24 PM - AMT: just-raisin-packet, LMS-Connect, NoTLS, $$OsAdmin
9:15:24 PM - AMT: just-raisin-packet, Attempt Initial Contact, CIRA-LMS
9:15:24 PM - AMT: just-raisin-packet, Initial Contact Response, 408

alexkolomolo commented 2 years ago

Any thoughts @Ylianst ?

jsastriawan commented 2 years ago

Would you please let us know the brand of the PC?

I am sensing that TLS is potentially disabled through misconfiguration.

DnDNero commented 2 years ago

Mine is an Intel NUC (NUC8v7PNH) version K60013-402 Bios: PNWHL57v.0032.2019.1213.1529

alexkolomolo commented 2 years ago

Mine is from Advantech.

I believe mine got into a misconfigured state, as I had got past this part before, but then it would not allow my password in MeshCommander, so I ended up trying many things to clear it/reprovision it.

I tried to reset everything in MEBx, full unprovision, but still have this error.

I was thinking maybe to check some MEBx TLS settings to see if it was disabled? Does that make sense to do? I'll also try to flash the BIOS again to see if that could clear this. I didn't see a factory reset in my MEBx, but I will check again on Monday when I'm at the office.

DnDNero commented 2 years ago

I don't think mine got into a misconfigured state, as I can still use MeshCommander to go into the PC (not with TLS).

Do you think adding an AMT certificate to the server and reconfiguring the PC MEBx with a trusted FQDN would fix the issue?

jsastriawan commented 2 years ago

Advantech could potentially be misconfigured in such a way that TLS support is disabled. I know this may seem unreal in this age to have an option to disable TLS, but there is such a setting. Unfortunately this setting is permanent, so you should raise this issue with Advantech, but it is unlikely that you will be able to get a replacement since the product may be out of warranty.

For NUC Provo Canyon, I will try to reproduce the issue since I have one unit in my possession. But I cannot promise any timeline.

alexkolomolo commented 2 years ago

The same machine had been provisioned by mesh central with ACM and TLS hours before. I saw ACM TLS in mesh commander for this machine.

alexkolomolo commented 2 years ago

Also this is a new product, we are working closely with the manufacturer so support is not an issue.

jsastriawan commented 2 years ago

Hi, for the NUC: are you able to connect using clear text, disable TLS and then remove the TLS certificates from the machine? Btw, how many certificates are registered in the firmware? It may have certain limits. AMT firmware has small flash capacity. Remove unnecessary certs and try to provision CIRA again.

DnDNero commented 2 years ago

Hi, I don't think there are any certs in the AMT firmware. Will double check and troubleshoot as suggested on Monday. Thank you for the advice.

alexkolomolo commented 2 years ago

I disabled AMT in MEBx (Ctrl-P) at startup, and then enabled it again (after a reboot). This gave me a factory reset and it provisioned after this. I only used full unprovision before, but that was not enough to fix this error state.

Ylianst commented 2 years ago

I added auto-retry of the key generation and better error display for this issue. Going to be in MeshCentral v0.9.90. Once published, update and let me know what you see.