- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- DeploymentClient - Unable to send handshake messag...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DeploymentClient - Unable to send handshake message
Hello.
I just installed the Universal Forwarder on a Windows 2K server. As part of that installation process, I also set up DeploymentClient.conf to point to the Deployment Server, as follows:
[target-broker:deploymentServer]
targetUri = <FQDN of Deployment Server>:<tcp port to use>
But, when I start up Splunk, the log includes the following message:
DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
I have captured packets during Splunk Start execution on the Universal Forwarder, and I do see that the Universal Forwarder machine successfully creates a TCP connection to the Deployment Server, on the designated port, and they converse briefly. The connection lasts a few tenths of a second, and then the Universal Forwarder machine closes the connection.
Can anyone suggest why I'm getting the "Unable to send handshake" Warning, and how to resolve it?
thx,
mfeeny1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my case, serverclass was correct but the app was not present in the repository. corrected that issue and restarted splunk on deployment server.
while the app was missing, clients were getting the handshake error noted above every 60 seconds. my phoneHomeInterval is set to 4 hours but the handShakeRetry (undefined) was recurring every 60 seconds. With thousands of deployment clients, the constant retries were overrunning our deployment server.
eventually, I got the message "DeploymentClient has been asked to redo-handshake. Resetting to initial state." after that, the app downloaded and I didn't get the handshake error any more.
lessons learned? don't forget to put app in in repository. don't assume that handShakeRetry tracks with customized phoneHomeIntervalInSecs value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the same issue on 2 different networks running Splunk 5.0.1
the first issue was resolved but adding the following to the inputs.conf file on my indexer:
[splunktcp://9997]
connection_host = none
Also make sure you are not blacklisting anything in your serverclass.conf
All frowarders
[serverClass:all_forwarder]
whitelist.0 = *
The second issue was a network config issue on my ACLs.
Hope one of these helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Was there a solution for this problem?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had to create the app to deploy, which I missed in my first try. So in my serverclass.conf I had to put in:
[serverClass:windows_default]
machineTypesFilter = Windows*,windows*
[serverClass:windows_default:app:windows_default] <-- the app to deploy to the clients.
stateOnClient=enabled
restartSplunkd=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having the same problem, but only on a heavy forwarder that is acting as a gateway between our DMZ and internal network. All of the servers using the deployment client that are internal are fine.
I've opened firewall port 8089 between the gateway and internal indexer, but am still receiving: Unable to send handshake message to deployment server
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm seeing the same thing - unfortunately this is my first time trying out the deployment server. So far I'm pretty unimpressed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same issue on 4.3. Everything was working for a few days but now, only the main server is working. All the other forwarders look to be locked out with this issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know why, but now that my question, above, is on this web site, there is a scroll bar where a line of text used to be.
So I will re-enter the text...
Hello.
I just installed the Universal Forwarder on a Windows 2K server. As part of that installation process, I also set up DeploymentClient.conf to point to the Deployment Server, as follows:
[target-broker:deploymentServer]
targetUri = <FQDN of Deployment Server>:<tcp port to use>
But, when I start up Splunk, the log includes the following message:
DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
I have captured packets during Splunk Start execution on the Universal Forwarder, and I do see that the Universal Forwarder machine successfully creates a TCP connection to the Deployment Server, on the designated port, and they converse briefly. The connection lasts a few tenths of a second, and then the Universal Forwarder machine closes the connection.
Can anyone suggest why I'm getting the "Unable to send handshake" Warning, and how to resolve it?
Thx,
mfeeny1
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
