SCCM CB issues with client on Citrix VPN Gateway

Untitled-1234 26 Reputation points
2020-10-23T09:56:52.68+00:00

Hi all,
I am having an issue with SCCM clients on the Citrix VPN Gateway. They are not receiving policies or new applications\updates. This is only on the Citrix Gateway. I can connect a client and ping\telnet to all MP’s and DP’s. However, they will not pull down any new policy changes.

Subnets are in the correct boundary group.

I have contacted the networks team and they have confirmed that all the same firewall rules are in place on the VPN subnets that are on the existing on premise subnets.

I am getting the below errors in the CcmMessaging.log


<![LOG[Post to http://Xxxxxxx/ccm_system_windowsauth/request failed with 0x87d00231.]LOG]!><time="10:14:42.638-60" date="10-23-2020" component="CcmMessaging" context="" type="2" thread="58996" file="messagequeueproc_outgoing.cpp:452">
<![LOG[Client is not on internet]LOG]!><time="10:14:43.607-60" date="10-23-2020" component="CcmMessaging" context="" type="0" thread="58996" file="requestresponse.cpp:228">
<![LOG[Client is not set to use any webproxy.]LOG]!><time="10:14:43.609-60" date="10-23-2020" component="CcmMessaging" context="" type="0" thread="58996" file="requestresponse.cpp:246">
<![LOG[ccmhttp: Host=Xxxxxxx, Path=/ccm_system/request, Port=80, Protocol=http, CcmTokenAuth=0, Flags=0x4201, Options=0x4c0]LOG]!><time="10:14:43.609-60" date="10-23-2020" component="CcmMessaging" context="" type="0" thread="58996" file="utils.cpp:160">
<![LOG[Created connection on port 80]LOG]!><time="10:14:43.611-60" date="10-23-2020" component="CcmMessaging" context="" type="0" thread="58996" file="requestresponse.cpp:401">
<![LOG[Failed in WinHttpReceiveResponse API, ErrorCode = 0x2f78]LOG]!><time="10:14:43.790-60" date="10-23-2020" component="CcmMessaging" context="" type="2" thread="58996" file="requestresponse.cpp:774">
<![LOG[[CCMHTTP] ERROR: URL=http://Xxxxxxx/ccm_system/request, Port=80, Options=1216, Code=12152, Text=ERROR_WINHTTP_INVALID_SERVER_RESPONSE]LOG]!><time="10:14:43.790-60" date="10-23-2020" component="CcmMessaging" context="" type="1" thread="58996" file="ccmhttperror.cpp:306">
<![LOG[[CCMHTTP] ERROR INFO: StatusCode=<unknown> StatusText=]LOG]!><time="10:14:43.790-60" date="10-23-2020" component="CcmMessaging" context="" type="1" thread="58996" file="ccmhttperror.cpp:317">
<![LOG[Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:95c232d8-bf09-4a65-8816-125d568a037e";
DateTime = "20201023091443.792000+000";
HostName = "Xxxxxxx";
HRESULT = "0x80072f78";
ProcessID = 92776;
StatusCode = 0;
ThreadID = 58996;
};
]LOG]!><time="10:14:43.792-60" date="10-23-2020" component="CcmMessaging" context="" type="1" thread="58996" file="Event.cpp:840">
<![LOG[Successfully submitted event to the Status Agent.]LOG]!><time="10:14:43.794-60" date="10-23-2020" component="CcmMessaging" context="" type="0" thread="58996" file="Event.cpp:862">
<![LOG[Successfully queued event on HTTP/HTTPS failure for server 'Xxxxxxx'.]LOG]!><time="10:14:43.794-60" date="10-23-2020" component="CcmMessaging" context="" type="1" thread="58996" file="ccmhttperror.cpp:374">
<![LOG[Post to http://Xxxxxxx/ccm_system/request failed with 0x87d00231.]LOG]!><time="10:14:43.796-60" date="10-23-2020" component="CcmMessaging" context="" type="2" thread="58996" file="messagequeueproc_outgoing.cpp:452">


I have spoken with the Citrix team and they have informed me that the VPN traffic is all tunneled through the VPN as intranet traffic.

Any ideas? Is it something to do with how SCCM is interpreting the traffic? Internet or Intranet.

I’m not sure what the issue is.

Regards
Kevin


Accepted answer
  1. IsTra-9015 96 Reputation points
    2020-11-12T13:40:47.807+00:00

    Roma, can you confirm that what you said works with new version ADC VPN and SCCM?

    If so then it's most likely due to one of these restrictions in the strict profile as those were enhancements due to some new vulnerabilities, which means SCCM is non-compliant with new industry standard vulnerability rules and an issue should be filed with MS.

    "Mark HTTP Header with Extra White Space as Invalid"
    "Mark RFC7230 Non-Compliant Transaction as Invalid"

    Can someone please confirm?

    1 person found this answer helpful.

12 additional answers

  1. Ariff 16 Reputation points
    2020-11-09T17:03:36.817+00:00

    Can each of you verify what Build of ADC 13.0 was upgraded to when it stopped?
    13.0.64.35

    Can anyone also verify if it worked in a prior build of 13.0?
    It worked on 12.1.56.22.
    IIS Logs on the SCCM management point has no CCM_POST /ccm_system/request - 80 - ... ccmhttp - 200 0 0 319 123 entries for VPN networks when on version 13

    Can anyone verify if it continues to work if the Client Gateway Plugin is NOT upgraded when ADC is upgraded?
    Still does not work when old plugin used.

    If you roll-back to 12.1.56.22 it works again.

    2 people found this answer helpful.
    0 comments No comments

  2. Ariff 16 Reputation points
    2020-11-13T14:20:07.537+00:00

    It's only 'Mark HTTP Header with Extra White Space as Invalid' in the strict profile that stops the SCCM client from working. Creating a custom http profile or unchecking that setting from strict profile works.

    1 person found this answer helpful.
    0 comments No comments
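
Added example, not part of the thread and not Citrix or Microsoft code: a check that takes the raw request head from a network trace and lists the lines that break RFC 7230's whitespace rules, to help find which header a setting like the one named above would reject. The thread does not say which header the SCCM client sends or exactly what the ADC setting matches; the sample request, its header names and the function name are constructed for illustration.

```python
import re

# RFC 7230 "token": the only characters allowed in a header field-name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
REQUEST_LINE = re.compile(r"\S+ \S+ \S+")   # method SP request-target SP HTTP-version

def whitespace_findings(raw: bytes):
    """Return (line_number, issue) pairs for whitespace RFC 7230 forbids in a request head.

    Assumes CRLF line endings, as in a capture of the bytes on the wire.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    findings = []
    if not REQUEST_LINE.fullmatch(lines[0]):
        findings.append((1, "request-line not separated by single spaces"))
    for number, line in enumerate(lines[1:], start=2):
        if line[:1] in (" ", "\t"):
            # A line starting with SP/HTAB continues the previous header (obs-fold).
            findings.append((number, "obs-fold continuation line"))
            continue
        name, colon, _value = line.partition(":")
        if not colon:
            findings.append((number, "header line without a colon"))
        elif name != name.rstrip(" \t"):
            findings.append((number, "whitespace between field-name and colon"))
        elif not TOKEN.fullmatch(name):
            findings.append((number, "field-name is not a valid token"))
    return findings

# Constructed request head: lines 4 and 6 are deliberately malformed for the demo.
SAMPLE = (b"CCM_POST /ccm_system/request HTTP/1.1\r\n"
          b"Host: Xxxxxxx\r\n"
          b"Content-Length: 0\r\n"
          b"X-Constructed-Header : value\r\n"
          b"X-Folded: first\r\n"
          b"\tsecond\r\n"
          b"\r\n")

if __name__ == "__main__":
    for number, issue in whitespace_findings(SAMPLE):
        print(number, issue)
```

Whitespace around the field value is permitted by RFC 7230 and is not reported here.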

  3. Jason Sandys 31,161 Reputation points Microsoft Employee
    2020-10-23T18:52:03.45+00:00

    0x2f78 = "The server returned an invalid or unrecognized response"

    Something external to ConfigMgr is interfering or tampering with the client's traffic or the server's response. There is no way, from ConfigMgr's perspective, to know which or to determine the source of this. You need to trace the network traffic and identify the source of this.

    "Is it something to do with how SCCM is interpreting the traffic? Internet or Intranet."

    No. This simply dictates which MP the client will use. It doesn't change the nature of the traffic or the traffic itself. The log above clearly shows the client is "not internet". Additionally, it shows exactly which MP it is attempting to connect to so you can easily validate whether this is correct per your expectations and configuration.

    0 comments No comments
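
The error-code reading in the answer above, as an added example that is not part of the thread and not Microsoft code: it parses CMTrace-style records like those in the question and reports every value that carries a Win32 code in the WinHTTP range, whether bare (0x2f78) or wrapped in an HRESULT (0x80072f78). The sample records are abridged from the question's log excerpt; the function names are this example's own.

```python
import re

# CMTrace-style record: <![LOG[message]LOG]!><time="..." date="..." ... thread="..." file="...">
RECORD = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.DOTALL)
ATTR = re.compile(r'(\w+)="([^"]*)"')
HEXVAL = re.compile(r'0x[0-9a-fA-F]+')

# Only the name that appears in the thread; extend from winhttp.h as needed.
WINHTTP_NAMES = {12152: "ERROR_WINHTTP_INVALID_SERVER_RESPONSE"}

def to_win32(value):
    """Return the Win32 code carried by a raw value or a FACILITY_WIN32 HRESULT."""
    if value & 0xFFFF0000 == 0x80070000:   # HRESULT_FROM_WIN32 wrapping
        return value & 0xFFFF
    return value if value < 0x10000 else None

def parse_records(log_text):
    """Yield (message, attributes) for every record, including multi-line ones."""
    for m in RECORD.finditer(log_text):
        yield m.group("msg"), dict(ATTR.findall(m.group("attrs")))

def winhttp_failures(log_text):
    """List records whose message carries a code in the 12000-12999 WinHTTP range."""
    hits = []
    for msg, attrs in parse_records(log_text):
        for raw in HEXVAL.findall(msg):
            code = to_win32(int(raw, 16))
            if code is not None and 12000 <= code <= 12999:
                hits.append({"date": attrs.get("date"), "time": attrs.get("time"),
                             "thread": attrs.get("thread"), "raw": raw.lower(), "code": code,
                             "name": WINHTTP_NAMES.get(code, "unmapped")})
    return hits

# Sample records abridged from the CcmMessaging.log excerpt in the question.
SAMPLE = '''<![LOG[Post to http://Xxxxxxx/ccm_system_windowsauth/request failed with 0x87d00231.]LOG]!><time="10:14:42.638-60" date="10-23-2020" component="CcmMessaging" context="" type="2" thread="58996" file="messagequeueproc_outgoing.cpp:452">
<![LOG[ccmhttp: Host=Xxxxxxx, Path=/ccm_system/request, Port=80, Protocol=http, CcmTokenAuth=0, Flags=0x4201, Options=0x4c0]LOG]!><time="10:14:43.609-60" date="10-23-2020" component="CcmMessaging" context="" type="0" thread="58996" file="utils.cpp:160">
<![LOG[Failed in WinHttpReceiveResponse API, ErrorCode = 0x2f78]LOG]!><time="10:14:43.790-60" date="10-23-2020" component="CcmMessaging" context="" type="2" thread="58996" file="requestresponse.cpp:774">
<![LOG[Raising event:
instance of CCM_CcmHttp_Status
{
HostName = "Xxxxxxx";
HRESULT = "0x80072f78";
};
]LOG]!><time="10:14:43.792-60" date="10-23-2020" component="CcmMessaging" context="" type="1" thread="58996" file="Event.cpp:840">
'''

if __name__ == "__main__":
    for hit in winhttp_failures(SAMPLE):
        print(hit)
```

Values such as 0x87d00231, Flags=0x4201 and Options=0x4c0 are skipped because they are neither FACILITY_WIN32 HRESULTs nor in the WinHTTP range.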

  4. Untitled-1234 26 Reputation points
    2020-10-26T08:19:20.413+00:00

    Thanks Jason,

    I am able to connect to the url "http://Xxxxxxx/ccm_system/request" via IE and I can telnet to that server on port 80 via the machine on the VPN. How else can I identify what is interfering with the traffic?

    The MP's are correct and I have forced the client to use other MP's, they all have the same issue.

    Kevin

    0 comments No comments