Hi, I'm having a repeating issue with the host checker on different client sites, I've identified it on 5.5 and 6.0r3.1, I've tried creating a TAC case but having no luck as the issue is so random..
Bascially, what I am seeing is this:
Has anyone else seen this? I notice referenses to "fixed an issue with host checker" in the 6.0r5 release notes, but doesn't say what!
Hi, just for clarfication the log entry I see is:AUT22927 2008-07-08 10:21:53 - ive - <SNIP> - System process detected a Host Checker time out on host 184.108.40.206 for user 'auser'(last update at 2008-07-08 10.02.42 +0100 BST).
I've got the same issue. I've temporarily fixed this by disabling HostChecker policy re-evaluation by changing "Perform check every:" to 0. I've got an open JTAC case on this because I'm having a difficult time duplicating it in my lab. My EPCheck.Log is fine. My problem is seen in dsHostChecker.log pretty clearly (must enable HostChecker logging).
It does this until it gives up and the user is booted.
2008/05/27 09:57:40.888 dsHostChecker: tFFC "DebugId" 'CHttpNAR::WaitForNetwork()' [Debug] CHttpNAR::WaitForNetwork(): HTTP_RETRY, Network problem, retry in 15 seconds
2008/05/27 09:57:55.872 dsHostChecker: tFFC "DebugId" 'sendTncOverHttp()' [Debug] sendTncOverHttp(): session cookie DSSIGNIN=url_25; path=/dana-na/hc/tnchcupdate.cgi; secure;
2008/05/27 09:58:16.943 dsHostChecker: tFFC "DebugId" 'CHttpNAR::WaitForNetwork()' [Debug] CHttpNAR::WaitForNetwork(): HTTP_RETRY, Network problem, retry in 15 seconds
I don't think we have the same problem but I'm pretty sure that I've seen this before too! In my case, my epcheck.log looks healthy, even after repeated checks but the user access log doesn't report the update.
In your case, I think you're running something pre- 6.0r3.1; Basically the host checker fails to correctly interpret the browser proxy settings and get stucks in loop trying to transmit its update back to the IVE. Try upgrading to see if it goes away..
I'm running 6.0R5. You may be right about it being different, but it sure sounds identical.
My epcheck.log shows no problems, user booted off NC, the following in the IVE log -
Info AUT22927 2008-05-19 15:17:39 - ive - [220.127.116.11] domain\user(Network Connect)[Network Connect - Autolaunch] - System process detected a Host Checker time out on host 18.104.22.168 for user 'domain\user' (last update at 2008-05-19 14.38.38 -0400 EDT).
The only difference I see is that my problem appears in dshostchecker.log, and that I can get around it by turning off policy re-evaluation. This is what I see in dshostchecker.log
2008/05/27 10:02:29.109 dsHostChecker: tFFC "DebugId" 'CHttpNAR::run()' [Debug] CHttpNAR::run(): Error 1 sending HTTP payload. Host Checker quitting...
When I set "Perform check every" to 0 (which disables periodic re-evaluation of compliance), my users are fine.
I've had several JTAC cases on this for several months, uploaded hundreds of megs of snapshots, etc.
Do you still have the same problem ? I have the same problem on 6.1r4, and I have a SA6000 cluster (two boxes).
I'm trying to follow the same steps like you, just wondering if someone knows the answer to this problem. I didn't tried to put recheck to 0 yet.
Thanks a lot,
Yes, unfortunately they haven't fixed it yet. I'm on 6.1R5 and the problem is in that version too.
I've had an open case with JTAC, but it takes sooooooo long to get the data they want. If only we got paid to upload system snapshots to Juniper, we'd all be RICH!
I've simply disabled the recheck (by setting Perform check every to 0). That doesn't make my security folks happy, but until Juniper fixes this there isn't much that can be done.
Anyway, I will open a ticket by my side, just to make some pressure on them to have a real solution.
For the moment I will put my recheck also in 0, of course also my security team will be not happy, but users are first.
I just upgraded to 6.3R3 today and I still see this problem. I initally thought it was corrected since no one in my test group reported it. But now that the whole user community is in on the new release and the problem resurfaced. It turns out that the complaints are coming from users with company supplied devices (which have Internet access passed through proxy settings).
Maybe one day this can be corrected.
I am having a very similar issue.... running 6.0R with ESAP 1.33. Opened up a case, and they seem to think that some modules aren't loading properly and causing issues......however, they completed missed that the host checker was completing successfully, but the IVE wasn't getting a response and there were HTTP errors like Kevin was experiencing. Not to mention my laptop gets the same "module not found" message in the dshostchecker log, but I have never had this issue.
Thinking about proxy settings further, I always use the "use proxy server for all protocols" on my laptop. I never have a problem with being kicked out as a result of a host checker time out, and I get those BS "modeules failed to load" messages in my dshostchecker log. Most of my users have it set so they use a proxy for HTTP, HTTPS, and FTP, but not socks. How is everyone else's proxy settings configured? Perhaps I'm just barking up the wrong tree, but I thought it might be working asking.