
Posted

 

Hello, I am the admin for Kaspersky for Business antivirus. I have encountered an issue where, after installing the antivirus agent and running the klmover.exe command to change the console server, the server changes, but the connection does not establish. When I use the "send heartbeat" option in the klcsngtgui.exe program, it doesn’t connect to the server and shows error #1259.

 

Upon checking the agent log, I see a message saying "administration server certificate: not installed," even though I have verified the network connection, and TCP port 13000 is open. Both the console and agent versions are 14.2, and I have also tested with different agent versions like 13 and 13.2, but the agent still doesn’t connect to the console.

 

It’s worth mentioning that this issue only occurs on some devices, mostly Windows 10 and Windows 7 32-bit. However, in other places with the same console, we have devices with similar configurations where the agent connects successfully.


Renan Corassa
Posted

Can the device reach port 13000 of the Administration Server?
e.g. telnet?

What command is used in klmover?

What is the version of Network Agent?

  • Thanks 1
Posted (edited)

 

23 minutes ago, Renan Corassa said:

Can the device reach port 13000 of the Administration Server?
e.g. telnet?

What command is used in klmover?

What is the version of Network Agent?

Yes, I have telnet to KSC on 13000 TCP.

And the klmover command was used correctly.

 

I said the version is 14.2

Edited by Reyou
Renan Corassa
Posted

Can you please tell me the command?

Posted
6 hours ago, Renan Corassa said:

Can you please tell me the command?

Klmover.exe -address server-ip

  • Like 1
Renan Corassa
Posted (edited)

I know it may seem reductive, but try:
klmover.exe -address server_IP -ps 13000

Edited by Renan Corassa
JL - KL DACH
Posted

Hello Reyou,

klmover will only work when a connection was possible already. If there are problems connecting, recreate the Network Agent Installation package on the new KSC server and deploy it.

If it is a problem only on a few clients, the fastest solution is to copy "klserver.cer" from the KSC Server folder
C:\ProgramData\KasperskyLab\adminkit\1093\cert 
to the following folder on client
C:\ProgramData\KasperskyLab\adminkit\1103

Be aware this is just a workaround!

I hope I have been able to help you and remain

with Best Regards

 

  • Like 1
Posted (edited)

Hello @Reyou

It sounds like a certificate-related issue is preventing the Network Agent from establishing a secure connection with the Administration Server. Here are steps you can take to troubleshoot and potentially resolve this:

  1. Verify Server Certificate Installation:

    • If the message indicates "administration server certificate: not installed," it suggests that the certificate required for secure communication may not be correctly installed on the client device. You can try re-importing the certificate from the Administration Server. On the affected client:
      • Export the server’s SSL certificate (usually found in the cert folder on the Administration Server) and then manually import it into the client’s Network Agent configuration.
  2. Certificate Synchronization:

    • When switching servers with the klmover tool, the certificate chain sometimes doesn’t synchronize correctly. After using klmover, try to force a certificate re-synchronization:
      • You can do this by going to klcsngtgui.exe on the client device and triggering a “Get policy” to see if it initiates the correct exchange with the server. If it still fails, try re-installing the Network Agent with the certificate imported directly from the Administration Server.
  3. Firewall and Port Checks:

    • While you’ve confirmed that TCP port 13000 is open, check if UDP port 15000 is also accessible, as some connections might depend on this.
    • Ensure there are no local firewalls or antivirus components blocking communication, particularly on Windows 7 and 10 devices, as they might have more restrictive network settings.
  4. Compare Working and Non-Working Client Configurations:

    • Since other devices connect without issue, compare the Network Agent settings, policies, and certificate configurations on working and non-working devices. Sometimes, specific settings or policies can differ on certain client groups or OS-specific configurations.
  5. Try a Full Agent Uninstall/Reinstall:

    • On affected devices, perform a clean uninstallation of the Network Agent, then reinstall it with the correct certificate and policies.

If these steps don’t resolve the issue, it could be useful to escalate to Kaspersky Technical support, as error #1259 often relates to certificate mismatches or deeper configuration issues between the server and agent on older or customized operating systems.

Thank you

Edited by KarDip
spellcheck
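The checks discussed in the replies above (TCP 13000 reachability and the manually copied klserver.cer), as an added example that is not part of the original posts or Kaspersky's own tooling. It assumes klserver.cer is a standard X.509 certificate file; the server name and expected thumbprint are placeholders, and the function names are hypothetical.

```powershell
# Added example: run on an affected client. Uses only .NET classes so it also works on Windows 7.
param(
    [string]$Server = 'ksc.example.internal',              # placeholder: Administration Server address
    [int]$Port = 13000,                                    # TCP port named in the thread
    [string]$ClientCertDir = 'C:\ProgramData\KasperskyLab\adminkit\1103',  # client folder from the thread
    [string]$ExpectedThumbprint = '<thumbprint-from-server>'  # placeholder: read on the server itself
)

function Test-TcpPort {
    param([string]$HostName, [int]$PortNumber, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a filtered port fails after the timeout instead of hanging
        $async = $client.BeginConnect($HostName, $PortNumber, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-CertThumbprint {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # Assumption: the file parses as an X.509 certificate (DER or Base64)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    return $cert.Thumbprint
}

$reachable = Test-TcpPort -HostName $Server -PortNumber $Port
$actual    = Get-CertThumbprint -Path (Join-Path $ClientCertDir 'klserver.cer')
# Normalise the expected value: strip spaces/colons, compare as upper-case hex
$expected  = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

"TCP {0}:{1} reachable: {2}" -f $Server, $Port, $reachable
if ($null -eq $actual) {
    "klserver.cer: not present in $ClientCertDir"
} elseif ($actual -eq $expected) {
    "klserver.cer: present, thumbprint matches the server copy"
} else {
    "klserver.cer: present, thumbprint $actual does NOT match the server copy"
}
```

To obtain the expected thumbprint, call `Get-CertThumbprint` on the Administration Server against klserver.cer in the `C:\ProgramData\KasperskyLab\adminkit\1093\cert` folder mentioned above, so a copied file is only trusted once it matches the server's own copy.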
