Issue with installing SCOM agent on Linux machine in SCOM 2019.

shankar431 471 Reputation points
2022-11-03T14:35:34.07+00:00

Hello All,

We have tried to discover the Linux machine (Ubuntu, v20.04) after opening the ports (TCP 22, TCP 1270) using the discovery wizard, but we are not successful.

Added the IP address of the Linux machine to the Trusted Hosts list for the WinRM client (in local group policy) and enabled Allow Basic authentication.
In the Operations Console, ran the task Enable Linux Authentication Type (\Monitoring -> Data Warehouse -> Collection Servers -> <Management Server name>) for the servers in the All Management Servers resource pool.

Below is the error while discovering the Linux machine.

WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet.
It is possible that:

  1. The destination computer is unreachable (because it is down, or due to a firewall issue).
  2. The destination certificate is signed by another certificate authority not trusted by the management server.
  3. The destination has an invalid certificate, e.g., its common name (CN) does not match the fully qualified domain name (FQDN) used for the connection.
  4. The servers in the resource pool have not been configured to trust certificates signed by other servers in the pool.

256834-error.png
We are using an account which has root user access while trying to discover the Linux machine.
We didn't create any run as account as of now.

Currently we have the below Linux MPs in our environment.
256826-linux-mps.png

Do we need to import any additional MP?

Are we missing any steps to be followed?

Please suggest.

Ravi shankar

Accepted answer
  1. SChalakov 10,266 Reputation points MVP
    2022-11-04T12:17:13.79+00:00

    Hi Ravi,

    what bothers me is this statement in the Microsoft Documentation (link in the previous reply):

    To fix this issue, verify that the management server can ping the agent host using its FQDN.

    Can you please do a test: Please allow ICMP through the firewall, make sure you can ping the host and try again getting it into managed state.

    Please let me know how it looks. Thanks,

    Regards,
    Stoyan

4 additional answers

  1. SChalakov 10,266 Reputation points MVP
    2022-11-03T14:48:45.797+00:00

    Hey Ravi,

    this error is known, but it is related to the port. From:

    Troubleshoot UNIX/Linux agent discovery in Operations Manager
    https://learn.microsoft.com/en-us/troubleshoot/system-center/scom/troubleshoot-unix-linux-agent-discovery#the-target-address-is-unreachable

    256853-image.png

    Same here:

    Target address is not reachable
    https://social.technet.microsoft.com/Forums/Lync/en-US/955e3638-c838-4f10-8967-bd682bae3ab0/target-address-is-not-reachable?forum=operationsmanagerunixandlinux

    So a very important question arises: Did you get confirmation that the port is open, or have you tested it yourself?
    Please make sure you can telnet to port 1270 on the Linux server from each management server.

    Another detail: You have configured an SCOM resource pool to monitor Linux. You must make sure that each management server can access the Linux system on Port 1270, not only one of the management servers.

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
    Regards
    Stoyan Chalakov


  2. SChalakov 10,266 Reputation points MVP
    2022-11-03T16:10:06.453+00:00

    Hi Ravi,

    exactly what I meant with this "Did you get confirmation that the port is open, or have you tested it yourself?"
    What you see in the picture is a screenshot from an Azure interface. What you need to do is log in on the management servers (actually on each management server that is a member of the Linux resource pool) and then make a test with telnet:

    telnet <FQDN of the Linux System> <Port>  
    

    Here is an example:

    telnet linux1.domain.com 1270  
    

    This needs to be done from each management server.

    I have seen countless examples of the same: the config is active on the firewall, but the communication does not work in reality, because of other factors.
    Another important question: Are you able to resolve the FQDN of the Linux machine from SCOM?

    Regards,
    Stoyan
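
The checks asked for in the replies above (FQDN resolution, ping, and a TCP test to the agent port from every management server in the pool), collected into one script. This is an added example, not part of the original thread; it assumes PowerShell remoting works between the management servers, and the server names and Linux FQDN are the placeholders used in the posts.

```powershell
# Added example: run from any machine that can reach the management servers
# over PowerShell remoting (assumption). Names below are placeholders.
$ManagementServers = 'ManagementServer1', 'ManagementServer2'
$LinuxFqdn         = 'linux1.domain.com'
$Ports             = 22, 1270   # SSH for agent deployment, 1270 for the agent's WS-Man listener

$check = {
    param($Fqdn, $Ports)
    $row = [ordered]@{ Target = $Fqdn }

    # 1. Can this management server resolve the FQDN at all?
    try {
        $answers = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
        $row.Resolved = ($answers | Where-Object IPAddress |
                         Select-Object -ExpandProperty IPAddress) -join ','
    } catch {
        $row.Resolved = 'FAILED'
    }

    # 2. ICMP echo to the FQDN (the ping test from the accepted answer).
    $row.Ping = (Test-NetConnection -ComputerName $Fqdn `
                 -WarningAction SilentlyContinue).PingSucceeded

    # 3. A real TCP connection per port, which is what the telnet test proves.
    foreach ($p in $Ports) {
        $row["Tcp$p"] = (Test-NetConnection -ComputerName $Fqdn -Port $p `
                         -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]$row
}

# One result row per management server; a rule that exists on the firewall
# but does not pass traffic shows up as False for that server only.
Invoke-Command -ComputerName $ManagementServers -ScriptBlock $check `
               -ArgumentList $LinuxFqdn, $Ports |
    Select-Object PSComputerName, Target, Resolved, Ping, Tcp22, Tcp1270 |
    Format-Table -AutoSize
```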


  3. Kadam, Sushanth 21 Reputation points
    2022-11-11T10:46:09.72+00:00

    Hi Stoyan,

    We have resolved the issue with pinging Linux agent.

    However, we are facing the below issue when we try to discover the Linux machine using discovery method.
    (We have installed the agent manually before)

    We are now able to discover the Linux agent, but after clicking manage we get the sign certificate Manage failure message.
    259520-image.png

    We are using the following steps/command to create a valid certificate from ManagementServer1 for the Linux host authentication.
    259522-image.png
    259460-image.png
    Is it possible to add ManagementServer2 as well in the above command, as we have 2 management servers configured for managing the SCOM agent (part of the Unix/Linux resource pool)?

    Error:
    Agent verification failed. Error detail: The server certificate on the destination computer linuxagent.com:1270) has the following errors:
    The SSL certificate contains a common name (CN) that does not match the hostname.
    It is possible that:

    1. The destination certificate is signed by another certificate authority not trusted by the management server.
    2. The destination has an invalid certificate, e.g., its common name (CN) does not match the fully qualified domain name (FQDN) used for the connection. The FQDN used for the connection is: plextrac.nl.kworld.kpmg.com.
    3. The servers in the resource pool have not been configured to trust certificates signed by other servers in the pool.

  4. SChalakov 10,266 Reputation points MVP
    2022-11-11T10:49:34.667+00:00

    Hi @Kadam, Sushanth ,

    can you please create a new, clean thread with the issue description and I will try to provide you an answer ASAP. Please check this one before opening the new thread:

    The certificate Common Name (CN) does not match when deploying the Operations Manager Linux agent
    https://learn.microsoft.com/en-us/troubleshoot/system-center/scom/deploy-linux-agent-fails

    Many thanks for updating this one!
    Regards,
    Stoyan
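
For the common name mismatch reported above, a way to see what the agent actually presents on port 1270 and compare it with the FQDN used for discovery. This is an added example, not part of the original thread; the function name is hypothetical and `linux1.domain.com` is the placeholder FQDN from the earlier reply.

```powershell
# Added example: run on a management server. Reads the certificate offered by
# the Linux agent and compares its CN with the name used for the connection.
function Get-AgentCertificateInfo {
    param(
        [Parameter(Mandatory)] [string]$Fqdn,   # the name entered in the discovery wizard
        [int]$Port = 1270
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($Fqdn, $Port)

        # Validation is switched off for this one connection so that a
        # mismatching certificate can still be read; no other data is sent.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($Fqdn)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                    $ssl.RemoteCertificate)
        $cn = $cert.GetNameInfo(
                  [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

        [pscustomobject]@{
            CheckedFrom = $env:COMPUTERNAME
            FqdnUsed    = $Fqdn
            CertCN      = $cn
            CnMatches   = ($cn -eq $Fqdn)    # -eq is case-insensitive for strings
            Issuer      = $cert.Issuer       # who signed it (points 1 and 3 of the error text)
            NotAfter    = $cert.NotAfter
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

Get-AgentCertificateInfo -Fqdn 'linux1.domain.com'
```

Running it on each management server in the resource pool shows whether all of them see the same certificate and the same CN result.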