Skip to main content
Question

Error running recon: Connection Failure


Show first post

92 replies

Forum|alt.badge.img+24
  • Honored Contributor
  • 341 replies
  • March 26, 2016

@amanda.wulff I am seeing some of the same issues. After talking with my TAM, we upgraded the RAM on the DP, thinking it might just not be able to handle the requests. (I'm also having issues with packages failing par-way through sometimes)

I had 5 failures overnight and during that same span, this is the Jamf Server Log:

2016-03-25 23:53:59,351 [WARN ] [Tomcat-184 ] [CRUDHelper               ] - User does not have UPDATE privileges for Package
2016-03-26 01:51:48,641 [INFO ] [oolThread-0] [icKeyInfrastructureHelper] - Refreshing pki information
2016-03-26 07:51:48,641 [INFO ] [oolThread-9] [icKeyInfrastructureHelper] - Refreshing pki information

Forum|alt.badge.img+17
  • Contributor
  • 570 replies
  • March 28, 2016

@mscottblake

Issues with a distribution point (and its amount of RAM) likely have nothing to do with Recon connection failures, so I'd suggest you keep working with your TAM to get them resolved; the error you posted is pretty clear in pointing out the problem you're having, however.

"User does not have UPDATE privileges for Packages" is pretty self-explanatory and points toward there being a permissions problem in your JSS.

Even if the user you're logged in as says it's an Administrator, we've seen permissions go strange sometimes for no good reason.
In those cases, switching the permissions set to Custom, saving, then setting it back to Administrator and saving tends to get it back to where it needs to be.

If the permissions are meant to be custom, just go and check and make sure that user has privileges to update packages.

If the user in question is not supposed to have permission to update packages, then the error is not an error at all and is expected behavior.

In this case, I don't think the problem you're seeing is related to what we're looking for in this thread; the error I was asking about in my post from 3/25 is looking for a very specific error that points to a very specific problem that can cause Recon failures.
If you're not seeing that exact "Exception javax.xml.bind.UnmarshalException" error in the JAMFSoftwareServer.log when a recon fails, then that particular issue isn't affecting you and it's likely something else that I'd recommend continuing working with your TAM on to figure out what's going on.

Amanda Wulff
JAMF Software Support


Forum|alt.badge.img+24
  • Honored Contributor
  • 341 replies
  • March 28, 2016

@amanda.wulff Thats actually the point I was trying to illustrate. I saw a handful of the same policy errors come through overnight, but there was nothing in the JSS Server logs to indicate any problems.


Forum|alt.badge.img+17
  • Contributor
  • 570 replies
  • March 28, 2016

@mscottblake

There are numerous things that can cause Recon failures; the one I was asking about specifically, that contains the "Exception javax.xml.bind.UnmarshalException" is a very specific one that is related to an open issue we're aware of, which is why I'd been asking specifically about that.

If that isn't what you're seeing in your JAMFSoftwareServer.log, then there is something else going on and your TAM will be able to dig into it a bit with you to figure out what's going on. Most times, if you cross-reference the time of failure in the jamf.log with the system.log you can find out what the client machine thinks happened.

The permissions error you'd posted in your comment, however likely doesn't have anything to do with Recon failures, as nothing in a Recon should be requesting privileges to update packages in the JSS. There may be a slim possibility that they're related (for example, if you have an EA that needs to update package information in the JSS), but that would require your TAM digging into it a bit deeper with you to figure it out.

Amanda Wulff
JAMF Software Support


Forum|alt.badge.img+24
  • Honored Contributor
  • 341 replies
  • March 28, 2016

@amanda.wulff Like I said, that's what I was illustrating. I had a handful of recon errors come into my email (I've since deleted them) that matched the description of this thread. To aid in the discovery process, I wanted to show that in my case, there were no errors on the JSS that correspond to the Recon problems I was seeing.

I am not trying to say the errors I copied into this thread are part of the problem, I was simply trying to show that there was nothing coming through at the time of the recon errors.


dpertschi
Forum|alt.badge.img+19
  • Contributor
  • 459 replies
  • March 28, 2016

@amanda.wulff I get from 2-10 recon failures a day. Looking at the past 48 hours, 20 recon errors, I do not see the error you noted in the JSS server log anywhere around the recon error times.

I do however see the error at other times, in this form:

2016-03-22 16:48:51,764 [ERROR] [Tomcat-6974] [JAMFHttpServlet ] - The JSS received an error (javax.xml.bind.UnmarshalException - with linked exception: [org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1074; cvc-complex-type.2.4.a: Invalid content was found starting with element 'ns2:platform'. One of '{"http://www.jamfsoftware.com/JAMFMessage":reportedIP}' is expected.]) for a request made by device: com.jamfsoftware.communication.beans.DeviceInformation@27e4ae39 2016-03-23 15:54:49,418 [ERROR] [Tomcat-7590] [JAXBMessageMarshaller ] - Exception javax.xml.bind.UnmarshalException - with linked exception: [org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1624; cvc-complex-type.2.4.a: Invalid content was found starting with element 'ns2:make'. One of '{"http://www.jamfsoftware.com/JAMFMessage":modelIdentifier}' is expected.] 2016-03-23 15:54:49,418 [ERROR] [Tomcat-7590] [JAMFHttpServlet ] - The JSS received an error (javax.xml.bind.UnmarshalException - with linked exception: [org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1624; cvc-complex-type.2.4.a: Invalid content was found starting with element 'ns2:make'. One of '{"http://www.jamfsoftware.com/JAMFMessage":modelIdentifier}' is expected.]) for a request made by device: com.jamfsoftware.communication.beans.DeviceInformation@540941dd

And, for what it's worth, the recon errors I see as reported in the policy logs are always one of the following:
Connection failure: "The request timed out.”
Connection failure: "The network connection was lost.”
Connection failure: "The host casper.company.com is not accessible."
Connection failure: "A server with the specified hostname could not be found."
Connection failure: "The Internet connection appears to be offline."
Connection failure: "The Internet connection appears to be offline."
Unknown Error - An unknown error has occurred.


Forum|alt.badge.img+19
  • Valued Contributor
  • 568 replies
  • March 28, 2016

I just went live in the last few weeks. Currently have > 200 Macs with another ~100 still to be enrolled. Overall a successful project.

The most common error I get states:

Error Occurred While Running Policy "Policy - Base - Update JSS Inventory" on Computer "foo"

I see ~10-20 of these failures per day. Seems like a high ratio to me for only have ~200 enrolled thus far.

The errors are of the following variety:

-Connection failure: "The request timed out.”
-Connection failure: "The network connection was lost.”
-Connection failure: "The host jss.foo.org is not accessible."

About 1/2 the Macs in question are laptops (on the WLAN and out on the Internet too), so I assume these errors are due to laptops changing networks, sleeping, flakey Wi-fi, etc.

The other 1/2 are Mac desktops on the LAN (a couple are in IT dept). I assume the errors are related to power/sleep etc.

When I see these errors, I get a tad paranoid, and will SSH into the Mac(s) and poke around if I am able to do so. The Macs generally appear to be able to resolve the JSS server(s) and usually can make manual connections via the recon command, etc. So I think my infrastructure is OK.

I'm on JAMF 9.81. I have (2) JSSs (LAN and DMZ) and I run split-DNS.

Question:

When I get these errors, how are they being acknowledged/generated? If the recon/inventory connection failed in the first place, then how does the JSS know it failed? How is it able to inform me of the failure? Chicken-and-egg, right?


Forum|alt.badge.img+5
  • Contributor
  • 59 replies
  • March 28, 2016

FWIW I saw the exact same errors in about the same numbers for awhile, since updating the JSS from v8 to v9, I believe. Recon as part of a policy failed consistently (though not every time) on the same group of Macs, while the "meat" of the policy went through fine. Manual recon was never an issue. Errors included:
Connection failure: "The request timed out."
Connection failure: "The network connection was lost."
Connection failure: "The host jss.whatever is not accessible."

I was never able to resolve the errors with my TAM/support or elsewhere.

Since upgrading the JSS from 9.73 to 9.82 recently, all those recon errors have gone away.


dpertschi
Forum|alt.badge.img+19
  • Contributor
  • 459 replies
  • March 28, 2016

@jonscott

Since upgrading the JSS from 9.73 to 9.82 recently, all those recon errors have gone away

That's mildly interesting as I'm on 9.81.

@mscottblake @tcandela what version JSS you on?


Forum|alt.badge.img+24
  • Honored Contributor
  • 341 replies
  • March 28, 2016

Forum|alt.badge.img+8
  • Contributor
  • 131 replies
  • March 29, 2016

I too still see them, but I am also still on 9.81.


Forum|alt.badge.img+20
  • Contributor
  • 981 replies
  • April 18, 2016

so has everyone stopped seeing Connection failure: "The host jss.whatever is not accessible." since upgrading past 9.81 ??


Forum|alt.badge.img+8
  • Contributor
  • 131 replies
  • April 18, 2016

I still see it on 9.9.

An error occurred while running the policy "Reboot Notification" on the computer "BLAHBLAH".

Actions from policy log:
    Executing Policy Reboot Notification
    Mounting Casper to /Volumes/CasperShare...
    Could not mount distribution point "Casper"
    Running Recon...
    Error running recon: Connection failure: "The host jss.blah.edu is not accessible."
    The results of this policy were not logged at the time of execution.
    The actual execution time was Mon Apr 18 07:45:21 PDT 2016.

Chris_Hafner
Forum|alt.badge.img+23
  • Jamf Heroes
  • 1718 replies
  • April 18, 2016

No, I still see it on occasion. However, it's only occasionally and I have a high suspicion that it's due to either machines being closed (slept) at the end of a policy, or some other minor network issue on our end.

P.S> We're still 9.82 for the moment.


Forum|alt.badge.img+19
  • Valued Contributor
  • 568 replies
  • April 19, 2016

I'm relatively new to JAMF. "Jumpstarted" in November 2015, and went live in March 2016. Have ~250 managed Macs. I have been running 9.81 exclusively, so I have no other version of JAMF to compare to.

I get alerts for various timeout and/or generic recon errors a few times a day from various clients (Speak of the devil - just had an error reported as I was typing this post). The clients appear to be utterly random. Various VLANs and hardware models (desktops and laptops).

When I have time to do so, I QA them by SSHing into the hosts and executing a manual recon via the command line. This works every time. Certainly odd, but I'm not losing sleep over it.

Ill be upgrading to 9.9.1 this Spring.


Forum|alt.badge.img+4
  • Contributor
  • 24 replies
  • October 4, 2017

any fix on this issue? i'm also getting these constant daily recon errors...very annoying! i'm running latest JSS 9.101.0-t1504998263


Forum|alt.badge.img+4
  • Contributor
  • 10 replies
  • December 13, 2017

Just a note, I was having issues similar to these on a couple machines, and it turned out that the DNS settings had been changed from our DHCP delivered addresses to Google DNS entries. That killed the ability of the jamf binary from reaching back to the JSS.


Reply


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings