
Troubleshooting the Exploration Phase in Discovery  

Video Tutorial: Troubleshooting a failed Discovery: Exploration Phase

Details


This article pertains to Discovery with probes and sensors (not patterns).

CI Classification triggers the initial probes that are launched during the exploration phase. All exploration probes that meet the following conditions are triggered after the identification probe:
  1. Phase = Exploration
  2. Active = True
  3. Condition script is empty or evaluates to true
Additional exploration probes can also be triggered via the Process Classification or within the script of a sensor.

During exploration, most probes use the same credentials that were used during classification and identification; however, some probes have additional requirements.
  1. VMware vCenter and ESX/ESXi
    • While discovering a Windows Server, if an active process is classified as vCenter, the VMware - vCenter probe is launched. The credential used for this probe is of type=VMware.
    • During the processing of the results from the VMware - vCenter probe, a CIM - ESX Chassis Serial Number probe is launched for each ESX server that is found. This probe uses the credential type=CIM.
    • For additional details, see Discovery for VMware vCenter.
  2. Microsoft SQL
    • While discovering a Windows Server, if an active process is classified as Microsoft SQL Server, the Windows - MSSQL probe is triggered. The requirements for this probe are outlined in our document MSSQL server discovery.
  3. SSH commands that require sudo:

Troubleshooting

The same commands within Discovery probes can be executed outside of the ServiceNow instance on the MID Server host. Typically this is the best way to troubleshoot.

WMI

  • Use the command line tool wmic to target WMI Objects and registry paths.
  • Use the command line tool cscript to run javascript against a remote machine.

Powershell

  • Within Powershell, use gwmi to target Managed Objects and registry paths.

SSHCommand 

  • Use an SSH client and connect to the target machine with the same credential that Discovery should be using.
  • Once connected, execute the same command or script.

SNMP

  • Use a command line tool like snmpwalk to target OIDs on a remote device.
  • Use Wireshark or tcpdump to capture packets between the MID server host and the device to verify whether packets are being transmitted.

Watch Out For

A credential that is successful during Classification and Identification does not imply that it is successful during Exploration.

  • Be wary of the order of credentials. Multiple credentials may have access to the same target, each with different privileges.
  • Probes have a timeout. A probe may return incomplete information or display a timeout error. This may mean that the data is too large to return within the allotted time, or that the network latency between the MID Server and the target is too high. It is possible to extend the timeout of a probe.


Common Exploration Phase Errors

Below is a list of common exploration phase issues as well as suggestions on how to resolve them.

  • WMI and Powershell
    • Error: The impersonation of the user failed.
    • Ensure that the domain is specified along with the username in the credential (domain\user).
  • Connection failed to WMI service and other common Windows (WMI/Powershell) error messages:

    Error: The remote server machine does not exist or is unavailable

    Failed to access target system. Please check credentials and firewall settings on the target system to ensure accessibility: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

    Failed to access target system. Please check credentials and firewall settings on the target system to ensure accessibility: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

    • For WMI, does the MID Server service account have access to the target machine? Does the probe succeed if a domain admin account is used as the MID Server service account?
    • From the command prompt on the MID Server host, execute the following for runner_type=WMI:

      wmic /node:"<target>" /user:"<user>" /password:"<password>" path win32_operatingsystem

    • From within a Powershell console on the MID Server host, execute the following for runner_type=Powershell:

      gwmi win32_operatingsystem -computer <ip> -credential '<username>'

    • It is possible that the probe is timing out while waiting for a response. If the command succeeds from a command prompt, try extending the wmi_timeout value of the probe.

  • vCenter Discovery
    • Unable to establish connection to https://10.249.17.207/sdk
    • No VMWare type credential is stored in the credential table.
    • The user name being used is a domain account and needs to be prefixed with a domain.

  • CIM_RegisteredProfile{{RegisteredName='Base Server'}}.CIM_ElementConformsToProfile{{ResultClass:'CIM_ComputerSystem'}}.CIM_ComputerSystemPackage{{ResultClass:'CIM_Chassis',PackageType='3'}}.* - CIM_RegisteredProfile - Authentication failed.
  • com.vmware.vim25.NoPermission errors
    • A credential of type=VMware must exist in the Credentials table. If the user is a domain account, the domain must be defined explicitly: username=domain\user.
    • Within ecc_agent_jar, the vijava.jar record needs an attached and readable (downloadable) jar file. The MID Server must be able to download this jar.

  • MSSQL
    • Cannot find type [Microsoft.SqlServer.Management.Smo.Server]: make sure the assembly containing this type is loaded
    • You need to install Microsoft SQL Server management library (SMO): MSSQL server discovery.
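The wmic and gwmi checks above can be wrapped into one diagnostic run from the MID Server host that reproduces the probe's query under a timeout and maps the failure to the common causes listed in this article. This is an added example, not code from the article or from ServiceNow; the function name, its parameters and the 60-second default (a stand-in for the probe's wmi_timeout) are assumptions.

```powershell
# Added example (not part of the original article): reproduce the Discovery WMI
# probe from the MID Server host and map a failure to the article's common causes.
# The function name, parameters and default timeout are assumptions for illustration.
function Test-DiscoveryWmiProbe {
    param(
        [Parameter(Mandatory)] [string] $Target,          # IP or hostname the probe targets
        [Parameter(Mandatory)] [pscredential] $Credential, # same credential Discovery should use
        [int] $TimeoutSeconds = 60                        # stand-in for the probe's wmi_timeout
    )

    # "The impersonation of the user failed" is usually a credential without a domain prefix.
    if ($Credential.UserName -notmatch '\\|@') {
        Write-Warning "Credential '$($Credential.UserName)' has no domain prefix; use domain\user."
    }

    # Run the same query the probe runs, but inside a job so that a hang shows up
    # as a timeout instead of blocking the console indefinitely.
    $job = Start-Job -ScriptBlock {
        param($t, $c)
        Get-WmiObject -Class Win32_OperatingSystem -ComputerName $t -Credential $c -ErrorAction Stop
    } -ArgumentList $Target, $Credential

    if (-not (Wait-Job $job -Timeout $TimeoutSeconds)) {
        Stop-Job $job; Remove-Job $job -Force
        return [pscustomobject]@{ Target = $Target; Result = 'Timeout';
            Advice = "No reply within $TimeoutSeconds s: large result set or high latency; consider raising wmi_timeout." }
    }

    try {
        $os = Receive-Job $job -ErrorAction Stop
        return [pscustomobject]@{ Target = $Target; Result = 'OK';
            Advice = "Reached $($os.Caption); credentials and firewall allow WMI from this host." }
    } catch {
        $msg = $_.Exception.Message
        # Match the HRESULTs and messages quoted in the article to their suggested fixes.
        $advice = switch -Regex ($msg) {
            '0x80070005' { 'Access denied: check credential order and privileges, and use the domain\user form.' }
            '0x800706BA' { 'RPC server unavailable: check firewall settings between the MID Server and the target.' }
            'does not exist or is unavailable' { 'Target unreachable: verify name resolution and the network path from the MID Server.' }
            default      { "Unclassified WMI error: $msg" }
        }
        return [pscustomobject]@{ Target = $Target; Result = 'Failed'; Advice = $advice }
    } finally {
        Remove-Job $job -Force -ErrorAction SilentlyContinue
    }
}

# Usage from a Powershell console on the MID Server host (placeholder target and account):
# Test-DiscoveryWmiProbe -Target <ip> -Credential (Get-Credential 'DOMAIN\<username>')
```

Run it once with each credential that can reach the target; differing results between credentials point at the credential-order problem described under Watch Out For.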

Article Information

Last Updated: 2018-05-29 06:36:00
Published: 2018-05-29