A child activity failed: SOAP security negotiation with

Dan_Meier · 15 March 2017 17:54

We are getting a A child activity failed: SOAP security negotiation with<agent/packages url> for target failed. See inner exception for more details.

This last worked for this server 2/24/2017, it failed on 3/10/2017 and subsequent retries.

I found one discussion that indicated a time sync issue so I checked that and the tentacle was 45 seconds fast. I forced a resync of the time and they are now within a second of each other, but still no go.
I thought I saw a message before about the thumbprint but can’t see that message anywhere.

For this particular environment the four web servers have bad health checks but the other 7 servers are fine.

This is the health status:
2017-03-15 15:44:30 ERROR System.ServiceModel.EndpointNotFoundException: Unable to communicate with the remote tentacle ‘http://server01:10933/’ . This happens when either the tentacle is offline, or when firewalls are preventing communication to the service. Please verify that TCP port 10933 is open on both the Windows Firewall and any other hardware/software firewalls between the machines, and that the Tentacle Windows Service is running on the remote machine. You can test the connection by browsing to ‘http://server01:10933/’ in a web browser from the Octopus server. The error message given was: There was no endpoint listening at http://server01:10933/ that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
at Octopus.Server.Proxies.ClientBroker1.CallOneWay(MachineEndpoint endpoint, Action1 callback) in c:\w\e6923628be6eaf72\source\Octopus.Server\Proxies\ClientBroker.cs:line 118
at Octopus.Server.Proxies.ClientBroker1.Call[TResult](MachineEndpoint endpoint, Func2 callback) in c:\w\e6923628be6eaf72\source\Octopus.Server\Proxies\ClientBroker.cs:line 30
at Octopus.Server.Tasks.Health.CheckTentacleHealthActivity.<>c__DisplayClass2.b__0() in c:\w\e6923628be6eaf72\source\Octopus.Server\Tasks\Health\CheckTentacleHealthActivity.cs:line 29

Obviously I tried browsing to that url; it was successful.

Here’s the server stack trace from the deployment.
Upload to machine http://server01:10933/
2017-03-11 02:05:47 DEBUG Uploading package Service.Web.Host 2.0.1041-Dev to tentacle http:/server01:10933/
2017-03-11 02:05:47 ERROR System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with ‘http://server01:10933/Packages/’ for target ‘http://server01:10933/Packages/’ failed. See inner exception for more details. —> System.ComponentModel.Win32Exception: One or more of the parameters passed to the function was invalid
at System.ServiceModel.Security.TlsSspiNegotiation.GetOutgoingBlob(Byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
at System.ServiceModel.Security.IssuanceTokenProviderBase1.GetNextOutgoingMessage(Message incomingMessage, T negotiationState) at System.ServiceModel.Security.IssuanceTokenProviderBase1.DoNegotiation(TimeSpan timeout)
— End of inner exception stack trace —

Server stack trace:
at System.ServiceModel.Security.IssuanceTokenProviderBase1.DoNegotiation(TimeSpan timeout) at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout) at System.ServiceModel.Security.TlsnegoTokenProvider.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Channels.SecurityChannelFactory1.ClientSecurityChannel1.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout) at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout) at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout) at System.ServiceModel.Security.SecuritySessionClientSettings1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ReliableChannelBinder1.ChannelSynchronizer.SyncWaiter.TryGetChannel() at System.ServiceModel.Channels.ReliableChannelBinder1.ChannelSynchronizer.SyncWaiter.TryWait(TChannel& channel)
at System.ServiceModel.Channels.ReliableChannelBinder1.ChannelSynchronizer.TryGetChannel(Boolean canGetChannel, Boolean canCauseFault, TimeSpan timeout, MaskingMode maskingMode, TChannel& channel) at System.ServiceModel.Channels.ClientReliableChannelBinder1.Request(Message message, TimeSpan timeout, MaskingMode maskingMode)
at System.ServiceModel.Channels.RequestReliableRequestor.OnRequest(Message request, TimeSpan timeout, Boolean last)
at System.ServiceModel.Channels.ReliableRequestor.Request(TimeSpan timeout)
at System.ServiceModel.Channels.ClientReliableSession.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ReliableRequestSessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Octopus.Shared.Contracts.IPackageService.BeginUpload(PackageMetadata metadata)
at Octopus.Server.Tasks.Deploy.PackagePusher.<>c__DisplayClass1.b__0(IPackageService service) in c:\w\e6923628be6eaf72\source\Octopus.Server\Tasks\Deploy\PackagePusher.cs:line 33
at Octopus.Server.Proxies.ClientBroker1.CallOneWay(MachineEndpoint endpoint, Action1 callback) in c:\w\e6923628be6eaf72\source\Octopus.Server\Proxies\ClientBroker.cs:line 118
at Octopus.Server.Tasks.Deploy.UploadPackageActivity.<>c__DisplayClass1.b__0() in c:\w\e6923628be6eaf72\source\Octopus.Server\Tasks\Deploy\UploadPackageActivity.cs:line 26
at Octopus.Shared.Activities.Activity`1.StartNewThread.Execute() in c:\w\e6923628be6eaf72\source\Octopus.Shared\Activities\Activity.cs:line 43

Shane_Gill · 16 March 2017 03:04

Hi Dan,

Thanks for getting in touch.

Can I ask what version of Octopus Server and Tentacles you are running?

What operating system are the 4 web servers on? Are they different to the 7 servers that are healthy?

Cheers,
Shane

Dan_Meier · 16 March 2017 16:41

That’s the embarrassing part…
Octopus Server: Windows 2008 R2 – Octopus Version according to the license is 1.0 according to the only installer I have it’s 3.3.6

Web Tentacles: Windows 2008 – Tentacle version according to the folder path is version 1.6.3.1.1723_1

Non-Web Tentacles: Windows 2008 R2 – 1.6.3.1.1723_1

Upgrading at this time is out of the question. Although we are interested if we can upgrade.
Actually we want to do a release today…

Shane_Gill · 16 March 2017 22:26

Hi Dan,

You guys are old school.

In your log I can see an exception coming from: TlsSspiNegotiation.

I wonder if your Octopus Server box has been configured for TLS 1.1 or 1.2 which are not supported on Windows 2008 (but are on 2008 R2).

You might want to read: https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/ and check what has been configured on your Octopus Server.

You can upgrade, if you are on version 1 you will need to upgrade to version 2 and then you can go the latest version 3. You would need a license that is valid at the time the version you upgrade to was released.

Cheers,
Shane

Dan_Meier · 28 March 2017 17:29

They appear to be on the same protocol version.

I’m going to try a full uninstall of the Tentacle and a reinstall.

Shane_Gill · 31 March 2017 05:31

Good luck Dan, let me know how it goes.

Dan_Meier · 31 March 2017 15:08

It didn’t help.

I tried setting up the SSL 2.0 protocol registry the same as the 2008 R2’s that are working (essentially adding a Server value to go along with the Client value). After a reboot and health check that didn’t resolve the issue.

I then manually uninstalled the Tentacle and reinstalled it. Then created a new agent in the server with the new agent’s thumbprint. Then did a health check but it failed.

I reverted back to a VM Snapshot I took before starting these changes.

Shane_Gill · 3 April 2017 22:25

Hi Dan,

Could you try a trace with wireshark (https://www.wireshark.org) on your Octopus Server to see if that gives any clues? If you could send a trace of a health check and the raw health check log (https://octopus.com/docs/how-to/get-the-raw-output-from-a-task) it might help determine what is going wrong.

Thanks
Shane