BSA: Resolving BSA RSCD Agent connectivity issues

Version 1

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    BMC BladeLogic Server Automation Suite


    BMC BladeLogic Server Automation Suite



    How do I troubleshoot RSCD Agent connectivity issues in BSA?




    Legacy ID:KA287249

      Updated October 2, 2008 - Please refer to the attached document for more detailed information about troubleshooting RSCD Agent connectivity.  
    The following is a list of common errors you may see in NSH, job run logs, or in the GUI when trying to connect to a remote host, along with the possible cause & solution to the problem.  
      "No authorization to access host"
    Probably the most common error, this is caused by a mismatch in the ACLs on the remote host and the credentials you are using to connect to the remote host. The files you will want to verify are the users or users.local files on the target, although the exports file may cause the error also. Generally, commenting the 'nouser' entry will temporarily solve this, but is not recommended. Refer to the rscd.log in the agent install directory of the remote host to validate the user trying to establish the connection vs. the entries listed in the ACLs on that server.  
      "Login not allowed for user"
    There are several reasons why this error may occur. The most common problem can happen when the ACLs on the remote host are mapping to a user that does not exist on the remote host. This often happens when the administrator account has been renamed on the remote host or is named differently from a standard defined in your environment.  
    In some cases this error may arise when you have incorrectly installed an agent onto a domain controller in your environment. Check your domain to see if you have a duplicate BladeLogicRSCD account.   
    Another cause of this issue is when your domain policy contains incompatible entries for "Log on as batch job" and/or "Don't expire password". If these two entries do not have a value for BladeLogicRSCD and are getting propagated across your environment, they will interfere with the BladeLogic agent, causing the "Login not allowed for user" message. Refer to the documentation for information about installing an agent to a Domain Controller.  
      "Impersonation Failed"
    This error can happen when you are mapping to a non-existent local user, or when you are mapping to a local user on Windows and the local account is in the "Deny Logon as Batch Job" security policy.  
      "Permission Denied"
    There are two possible causes of this issue and may related to one or both of the following cases. First, check permissions your role has against that server. In the Server view, right-click on the server you are trying to deploy to and select Properties. Click the Permissions tab and ensure you have write access on that server (for example, "BLAdmins Server.*").  
    Second, verify the ACLs on the remote host are granting you write access. View the agent ACLs (either the exports, users, or users.local files) and make sure your Role and login have read/write (rw) access.  
      "ERROR IN TLS PROTOCOL" or "Encryption configuration error"
    Generally this is caused when the secure file is different on the two hosts making contact. Ensure that both hosts are communicating using the same protocol and encryption levels. Always use the 'secadmin' utility for making any changes to the secure file.  
    This error can also be caused when Shavlik is running on the remote host, which is known to use port 4750, the same port that the RSCD agent uses. Try the following: Restart the RSCD agent, stop Shavlik, or reconfigure Shavlik to use a port other than 4750.  
    Another cause of this issue can be when network configurations on the application server are configured incorrectly. Ensure that your app server's TCP/IP settings are configured correctly, along with your DHCP server settings.  
      "I/O Error"
    In 6.3.x, this sometimes is shown in place of "No authorization to access host" errors. Use the same methods for resolving this issue. It is also seen when the secure files on each host are different.  
      "Remote host is unknown" or    "No such device or address"
    This error will happen when either the application server can't resolve the host, or your client can't resolve the host. Sometimes this is the case when you run a custom command and receive blank/no output. Ensure you can ping the remote host and the server is correctly configured in DNS.  
      "Connection timed out"
    You might see this error when the server is listed in DNS but is down or the agent is not running. 
      The error may also occur randomly in relation to a defect fixed in and 8.0 SP9 (QM001673306). This related to DNS queries which take took long to return to the agent.  
    There is 'timeout' parameter which can be defined in the secure file. This defines maximum number of seconds that a client waits when first contacting a remote server before giving up. The default value is 30 seconds.  
    For eg:  
 is the list containing all the options for secure file.  
      "Connection refused"
    Generally this error will show up when the remote host is down and/or the agent is not running. It can also happen when there is a mismatch between the port the agent communicates over (configured in the secure file) and the port configured on the agent from the originating connection. 
    Related Products:  
    1. BMC BladeLogic Server Automation Suite


    Article Number:


    Article Type:

    Solutions to a Product Problem

      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles