• DCOM Error - Event ID 10009

    Cause:

    Distributed COM (DCOM) extends the Component Object Model (COM) technology to enable applications that use a COM server to communicate across machines on the network.

    A COM server is a dynamic-link library (DLL) or an executable (.exe) file that exposes some functionality to be used by different applications.

    Event ID 10009 (Event ID 10028 for Windows Server 2012 and above) indicates that DCOM could not find the remote machine. In most cases this error is not fatal.

    This can happen because the remote machine is not available, either because it is down or because it has no network connectivity. Note also that, by default, Windows Firewall does not allow COM+ network access.

    Frequent instances of this error can occur, for example, when performing “Discovery” in “Citrix AppCenter” with the help of a remote XenApp server that does not respond.

    The error can also appear when a remote ControlUp Agent fails to communicate with the ControlUp Console.

    User Actions:

    • Verify that the remote machine is up and running, and that no firewall rules restrict the TCP connection, which uses Extended Remote Procedure Call (RPC) on port 135.
    • Verify that the protocol settings on the machine for DCOM are configured properly.

    From the command prompt, type “dcomcnfg”; this opens the Component Services MMC.

    In the left pane, expand Component Services, then expand Computers, right-click My Computer and open Properties.

    Switch to the Default Protocols tab and ensure that the DCOM Protocols are configured to use “Connection-oriented TCP/IP”.
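
    The two checks above can be scripted. The following PowerShell is an added example, not ControlUp's own code: the function names are hypothetical, and it assumes that the first insertion string of events 10009/10028 is the name of the computer DCOM could not reach.

```powershell
# Added example: triage DCOM 10009/10028 events logged on the local machine.
# Assumption: the first insertion string of the event is the remote computer name.
function Get-DcomUnreachableHost {
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'System'; Id = 10009, 10028 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Group-Object { [string]$_.Properties[0].Value } |
        Sort-Object Count -Descending |
        ForEach-Object {
            # Port 135 is the RPC port the page says must be reachable.
            $probe = Test-NetConnection -ComputerName $_.Name -Port 135 -WarningAction SilentlyContinue
            [pscustomobject]@{
                RemoteHost = $_.Name
                Events     = $_.Count
                LastSeen   = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
                Resolves   = [bool]$probe.RemoteAddress
                Tcp135Open = [bool]$probe.TcpTestSucceeded
            }
        }
}

# True when "Connection-oriented TCP/IP" (protocol sequence ncacn_ip_tcp) is listed
# on the Default Protocols tab; dcomcnfg stores that list in this registry value.
function Test-DcomTcpProtocol {
    $value = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc' -Name 'DCOM Protocols' -ErrorAction SilentlyContinue
    @($value.'DCOM Protocols') -contains 'ncacn_ip_tcp'
}

Get-DcomUnreachableHost | Format-Table -AutoSize
"Connection-oriented TCP/IP enabled for DCOM: $(Test-DcomTcpProtocol)"
```

    A host that resolves and answers on port 135 but still produces the event points away from the network and towards the DCOM configuration of one of the two machines.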

  • ControlUp KaaS SChannel Events

     Various Schannel events in the System Log

    Symptoms:

    There are three Schannel events which are most commonly seen. Those are 36874, 36887, and 36888.

    Log Name:  System
    Source:      Schannel
    Date:         13/05/2016 07:29:32
    Event ID:    36888
    Task Category: None
    Level:         Error
    User:          SYSTEM
    Computer:   CUXEN65TS20.controlUp.demo
    Description: The following fatal alert was generated: 10. The internal error state is 12.

    Troubleshooting/Research Steps:

    Secure Channel, also known as Schannel, is a security support provider (SSP) that contains a set of security protocols that provide identity authentication and secure, private communication through encryption. Schannel is primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communication.

    These errors indicate a problem with the cipher suite chosen, or just the fact that the two sides (client and server) cannot agree on a cipher suite to use. The error message description will vary depending on the actual error involved.

    Event IDs 36888 and 36874 can be caused by certificate/TLS communication issues (such as a lack of compatibility).

    Event ID 36887 indicates an SSL fatal alert. The error itself is vague. This may be logged if you try to initiate an HTTP connection to an HTTPS server, or if the server is being probed or scanned for vulnerabilities.

    Similar to other Windows Events problems, the ControlUp Incidents pane is an excellent place to start troubleshooting application errors such as this. Start by double-clicking on the ‘Windows Events’ row in order to get to the 2nd level.

    Once there, we want to group and sort so that all events from Schannel appear together, so we type ‘channel’ in the filter box in the upper right corner. Grouping by the Event ID can be useful if there are a lot of errors, so we check that box. We click the ‘Computer’ column header to sort the list and make it easier to find what we’re looking for.

    Now that we have grouped just the events we are interested in, a double-click on that line takes us to the 3rd level, which gives us a list of every event captured by the Incident Trigger that meets the grouping of the previous screen. You can read through the list here, or export the entire table into Excel using the button at the top in order to further analyze the data, find patterns, make reports, etc.

    For these errors, Wireshark and Fiddler are going to be the best sources of more in-depth information to get to the root cause of the specific message.

    If the issue cannot be solved, or the error is expected, there is always the option of turning off Schannel logging altogether by setting EventLogging=0 (dword), under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL. Hiding the log is not good security practice, but it is an option. See https://support.microsoft.com/en-us/kb/260729 for more information.
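
    The alert number in the event description is a TLS alert code, so exported or live events can be summarised by machine and alert before reaching for Wireshark. The following PowerShell is an added example, not ControlUp's own code: the function names are hypothetical, the message wording is assumed to match the event shown above, and all sample records except the first are constructed.

```powershell
# TLS alert descriptions from RFC 5246 section 7.2 (112 is defined in RFC 6066).
$TlsAlert = @{
    10 = 'unexpected_message';  20 = 'bad_record_mac';      40 = 'handshake_failure'
    42 = 'bad_certificate';     45 = 'certificate_expired'; 46 = 'certificate_unknown'
    47 = 'illegal_parameter';   48 = 'unknown_ca';          50 = 'decode_error'
    51 = 'decrypt_error';       70 = 'protocol_version';    71 = 'insufficient_security'
    80 = 'internal_error';     112 = 'unrecognized_name'
}

function Get-SchannelAlertSummary {
    param([Parameter(Mandatory)][object[]]$Record)   # objects with MachineName, Id, Message
    $Record | ForEach-Object {
        $alert = 'none'; $direction = 'n/a'
        # Assumption: message wording as in the event shown on this page.
        if ($_.Message -match 'fatal alert was (?<dir>generated|received): (?<code>\d+)') {
            $code = [int]$Matches['code']; $direction = $Matches['dir']
            if ($TlsAlert.ContainsKey($code)) { $alert = "$code $($TlsAlert[$code])" }
            else { $alert = "$code (unmapped)" }
        }
        [pscustomobject]@{ Computer = $_.MachineName; EventId = $_.Id; Direction = $direction; Alert = $alert }
    } | Group-Object Computer, EventId, Direction, Alert -NoElement | Sort-Object Count -Descending
}

# EventLogging = 0 under this key switches Schannel logging off, so "no events" proves nothing.
function Test-SchannelLoggingEnabled {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $value = (Get-ItemProperty -Path $key -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
    $value -ne 0    # assumption: a missing value means the OS default is in effect
}

# First record is the event shown on this page; the other two are constructed samples.
$sample = @(
    [pscustomobject]@{ MachineName = 'CUXEN65TS20.controlUp.demo'; Id = 36888
        Message = 'The following fatal alert was generated: 10. The internal error state is 12.' }
    [pscustomobject]@{ MachineName = 'HOST-B.example.test'; Id = 36887
        Message = 'The following fatal alert was received: 40.' }
    [pscustomobject]@{ MachineName = 'HOST-B.example.test'; Id = 36874
        Message = 'An TLS 1.2 connection request was received, but no cipher suite is shared.' }
)
Get-SchannelAlertSummary -Record $sample | Format-Table -AutoSize
"Schannel event logging enabled: $(Test-SchannelLoggingEnabled)"

# Live use:
# Get-SchannelAlertSummary -Record (Get-WinEvent -FilterHashtable @{
#     LogName = 'System'; ProviderName = 'Schannel'; Id = 36874, 36887, 36888 })
```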

  • ControlUp action auditing - Event ID 5000

    Symptoms:

    Event ID 5000 appears in the Application Log in the Event Viewer, with the source ControlUp Auditing. This event is logged as either an Error or an Information event. It indicates whether an action within the ControlUp Console (i.e. Get Session Screenshot, start Hypervisor, power actions, Change XenApp Logon Mode, etc.) succeeded or failed.

    If the action was performed on the agent / target computer, i.e. Flush DNS, the event will be written in the Event Viewer of the target computer.

    Event ID 5000 appears on ControlUp Monitor as an Error 

    Event ID 5000 appears on ControlUp Monitor as an Information 

    Solution:

    The audit trail in ControlUp allows admins to track actions that took place in the console (successful and failed). The auditing trail is crucial for admins due to the extensive management actions that are available within the ControlUp Real-time Console. In the current version of ControlUp the audit trail is hard-coded in the product and not yet configurable.

  • Application Error - Event ID 1000

    Application Log Event ID 1000

    Symptoms:

    Occasionally an application will crash with Application Log event ID 1000, for example:

    Event ID 1000 – Application Error

    Faulting application name: v4pa_agent.exe, version: 6.2.0.173, time stamp: 0x56574930
    Faulting module name: v4pa_process.dll, version: 6.2.0.173, time stamp: 0x56574945
    Exception code: 0xc0000005
    Fault offset: 0x0000000000042300
    Faulting process id: 0x3c0

    Troubleshooting/Research Steps:

    The ControlUp Incidents pane is an excellent place to start troubleshooting application errors such as this. Start by double-clicking on the ‘Windows Events’ row in order to get to the 2nd level.

    Once there, we want to group and sort so that all events with event ID 1000 appear together, so we tick the ‘Event Id’ checkbox. Separating by computer is not needed in our case, so we uncheck that box. If the list is too long, you can also use the filter in the upper right corner to shorten the list. We click the ‘Event Id’ column header to sort the list and make it easier to find what we’re looking for.

    Now that we have grouped just the events we are interested in, a double-click on that line takes us to the 3rd level, which gives us a list of every event captured by the Incident Trigger that meets the grouping of the previous screen. You can read through the list here, or export the entire table into Excel using the button at the top in order to further analyze the data, find patterns, make reports, etc.

    With this level of data gathered, you should be able to fine-tune the troubleshooting process, gain deeper insight into the specific problem and find potential solutions.
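
    To find patterns in the collected events, the description of each Event ID 1000 record can be split into fields and grouped by application, module, exception code and fault offset; a crash that recurs at one offset in one module then stands apart from unrelated ones. The following PowerShell is an added example, not ControlUp's own code: the function name is hypothetical, English event text is assumed, and the second crash record is constructed.

```powershell
# Exception codes often seen in Event ID 1000 (NTSTATUS values; 0xe0434352 is the .NET CLR code).
$ExceptionName = @{
    '0xc0000005' = 'STATUS_ACCESS_VIOLATION'
    '0xc00000fd' = 'STATUS_STACK_OVERFLOW'
    '0xc0000374' = 'STATUS_HEAP_CORRUPTION'
    '0xc0000409' = 'STATUS_STACK_BUFFER_OVERRUN'
    '0xe0434352' = 'CLR unhandled exception'
}

function ConvertFrom-AppCrashMessage {
    param([Parameter(Mandatory)][string]$Message)
    $field = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        # Split each "label: value" line on its first colon only.
        if ($line -match '^\s*(?<key>[^:]+):\s*(?<value>.+)$') {
            $field[$Matches['key'].Trim()] = $Matches['value'].Trim()
        }
    }
    $code = "$($field['Exception code'])".ToLower()
    $meaning = if ($ExceptionName.ContainsKey($code)) { $ExceptionName[$code] } else { 'unmapped' }
    [pscustomobject]@{
        Application = ($field['Faulting application name'] -split ',')[0]
        Module      = ($field['Faulting module name'] -split ',')[0]
        Exception   = "$code $meaning"
        Offset      = $field['Fault offset']
    }
}

# $fromPage is the event text shown on this page; $constructed is a made-up second crash.
$fromPage = @'
Faulting application name: v4pa_agent.exe, version: 6.2.0.173, time stamp: 0x56574930
Faulting module name: v4pa_process.dll, version: 6.2.0.173, time stamp: 0x56574945
Exception code: 0xc0000005
Fault offset: 0x0000000000042300
Faulting process id: 0x3c0
'@
$constructed = $fromPage -replace '0x0000000000042300', '0x0000000000011a20'

$fromPage, $fromPage, $constructed | ForEach-Object { ConvertFrom-AppCrashMessage $_ } |
    Group-Object Application, Module, Exception, Offset -NoElement |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Live use:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } |
#     ForEach-Object { ConvertFrom-AppCrashMessage $_.Message }
```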