Policy Error Code: 802... Any clues? (client fails to download packages on certain networks)

The_Lapin
New Contributor III

I've been chasing my tail with this for a week or so now. Our Macs recently started failing to download packages/DMGs when their policies triggered. I've isolated the issue to only occurring on our private network, as policy initiated downloads fail consistently when connected through wired or VPN, but execute successfully when connected to the public wireless network.

In diagnosing this I've created a simple policy that should download and cache the Flash player dmg. This is what I see when I initiate and watch the policy with the verbose flag:

verbose: JAMF binary already symlinked verbose: JAMF agent already symlinked verbose: Checking for an existing instance of this application... Checking for policies triggered by "recurring check-in" for user "TheLapin"... verbose: Checking for active ethernet connection... verbose: Active ethernet connection found... verbose: Removing any cached policies for this trigger. verbose: Parsing servers... verbose: Parsing Policy TheLapinTEST (55)... verbose: The Management Framework Settings are up to date. verbose: Found 1 matching policies. Executing Policy TheLapinTEST Caching package Adobe Flash Player.dmg... Downloading https://casper.ourcompany.com/CasperShare/Packages/Adobe%20Flash%20Player.dmg... 2016-07-21 17:07:10.339 jamf[47697:845741] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813) Could not connect to the HTTP server to download Adobe Flash Player.dmg. Retrying using distribution point alternatesite.int.ourcompany.com... Caching package Adobe Flash Player.dmg... Downloading http://alternatesite.int.ourcompany.com/CasperShare/Packages/Adobe%20Flash%20Player.dmg... The network connection was interrupted while downloading the package from http://alternatesite.int.ourcompany.com/CasperShare/Packages/Adobe%20Flash%20Player.dmg. Attempting to reconnect... Downloading http://alternatesite.int.ourcompany.com/CasperShare/Packages/Adobe%20Flash%20Player.dmg... Error: Adobe Flash Player.dmg is not available on the HTTP server. Submitting log to https://casper.ourcompany.com:8443/ verbose: Policy error code: 802

Now, if I copy and paste the URL "https://casper.ourcompany.com/CasperShare/Packages/Adobe%20Flash%20Player.dmg" then I'm prompted with a "Safari can't verify the identity of..." alert, referencing a self signed root certificate that expires June 2017. Also, googling the NSURLSession 9813 error in the output above returns several mentions of it referencing a bad HTTPS certificate. Ok, so maybe it's a certificate issue... I check the SSL certificate in our Apache Tomcat settings, issuer is the built in JSS Authority and expires two days earlier in June 2017. All of the JAMF info I've read points to this being ok and expected.

I'm by no means a network engineer, but this feels like a firewall/port issue to me since the behavior only occurs on our private/firewalled networks, and disappears completely when run from other (including our public wireless) networks. I've captured the traffic via Wireshark during failed and successful policies but our networking team doesn't see any issue with the results.

The only clue I haven't been able to decipher is that final "Policy error code: 802", which as far as I can tell isn't referenced anywhere online.

I'm stuck. Anyone have any ideas?

2 REPLIES 2

davidacland
Honored Contributor II
Honored Contributor II

It does sound to me like there is some kind of security device causing a problem with the connection.

What are the distribution points and where are they in relation to the client Macs when they fail?

My first thoughts are some kind of SSL dpi security device, or a proxy / web filter possibly interfering with the connection.

Do you have any policies that did work before the issue started?

SVM-IT
New Contributor III

I'm seeing the same error and also can't download files. Did you make any progress on this issue?

Seth