This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

RPC unavailable and Ping Fails

tahir
Engaged Sweeper

‎09-23-2023 12:20 AM - last edited on ‎04-02-2024 09:58 AM by

Hi All,

We've been encountering RPC unavailable and ping failed scanning errors for assets that are scanned remotely, whereas locally, everything is working fine. This issue seems to be related to our use of GlobalProtect as a VPN. Specifically, the problem arises when machines are on the VPN.

We're actively seeking a solution to resolve this issue. If anyone has insights or recommendations on how to address this problem, please feel free to share.

Labels:
0 Kudos
6 REPLIES 6
Brown_Dog_NG
Champion Sweeper

‎09-27-2023 10:07 PM - edited ‎09-27-2023 10:18 PM

We use AnyConnect as well and leverage LSAgent for our remote devices. I also have a very frequent scan hitting our VPN subnet. LSAgent only updates, at a minimum, of every four hours. Leveraging the IP Scan of the Subnet increases the visibility to an extent of at least allowing us to know that a PC on the Domain is connected, and ties the results to the existing asset.

Unless my understanding is wrong and I'm just wasting resources lol

 

The RPC and Ping failures could be due to Firewall Rules within the Router(s) or on the Device itself. There is a script out there that can adjust the firewall to permit your scan server. This can be used in conjunction with the LSAgent. If you haven't integrated Classic with Cloud, definitely consider doing so as the Cloud Relay is very beneficial for when assets are disconnected from the local network as the Sync Server will pull the stored results, hourly.

The below is an excerpt from the Lansweeper KB. You would want to adjust line 26 with your scan server IP. I dunno if the DNS name would work as I haven't tried and am not familiar.

' Lansweeper settings script

' Enable dcom
Set Myshell = WScript.CreateObject("WScript.Shell")

On Error Resume Next
Err.Clear

Myshell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM","Y","REG_SZ"

if  Err.Number <> 0  then
  msgbox  "Error: " & Err.Number & vbCrLf & Err.Description & vbCrLf & vbCrLf & "--> Make sure you are running this script elevated with administrative credentials!!",16,"Script error"
end if

Myshell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel",2,"REG_DWORD"
Myshell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel",3,"REG_DWORD"

' Set dcom default permissions
Myshell.regdelete "HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission"
Myshell.regdelete "HKLM\SOFTWARE\Microsoft\Ole\MachineAccessRestriction"
Myshell.regdelete "HKLM\SOFTWARE\Microsoft\Ole\MachineLaunchRestriction"

' Set windows firewall
Myshell.run "netsh firewall set service RemoteAdmin enable"
Myshell.run "netsh firewall add portopening protocol=tcp port=135 name=LanSweeper_DCOM_TCP135"
Myshell.run "netsh advfirewall firewall set rule name=LanSweeper_DCOM_TCP135 new remoteip=ScAnSeRvEr_Ip"
Myshell.run "netsh advfirewall firewall set rule name=LanSweeper_DCOM_TCP135 new profile=domain"

' Disable simple file sharing
Myshell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest","0","REG_DWORD"

' Set LocalAccountTokenFilterPolicy
Myshell.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy","1","REG_DWORD"

' Enable WMI Service and start it
Myshell.run "sc config winmgmt start= auto"
Myshell.run "net start winmgmt"

 

-Don't forget to hand out Kudos and mark Solutions to replies you receive!-
LS Tech Support Email: Support@lansweeper.com
LS Tech Support KB: https://www.lansweeper.com/contact-support/
0 Kudos
brandon_jones
Champion Sweeper III

‎09-26-2023 03:05 PM

It will not be possible to update in real time. The only time the information is updated for an asset is when it is scanned. I have our VPN IP range to scan hourly since we have assets that can be potentially going on off line throughout the day.

0 Kudos
tahir
Engaged Sweeper
In response to brandon_jones

‎09-27-2023 03:24 AM

What I gather from your response is the suggestion to include all IP ranges used for GlobalProtect in the scanning target. However, a question arises here: when assets are scanned through IP ranges and agents, will this result in separate identifiers or uniqueness? We are concerned about the potential scenario where the same asset might generate two identifiers, which could impact our license consumption.

0 Kudos
brandon_jones
Champion Sweeper III

‎09-24-2023 06:30 PM

First make sure that your VPN address range is being scanned. This range will need to be scanned when the laptops are online. 

Also make sure that scanning of your VPN is allowed through your Paloalto firewall. 

You can also install the Lansweeper agent on the laptop and set up agent scanning in Lansweeper under the  scanning menu. This will also need to be allowed through your firewall. 

tahir
Engaged Sweeper
In response to brandon_jones

‎09-26-2023 12:46 AM


Hi Brandon,

I appreciate your prompt response. Yes, the IP ranges are already whitelisted in the firewall. However, it seems that the issue we're experiencing might be related to the fact that the scan is not updating the real-time IP information of assets properly.

To elaborate, when the previously stored IP in the Lansweeper inventory differs from the current IP, it triggers the "ping fail" and "RPC unavailable" scan errors. Conversely, when the IP information matches, no errors occur.

I'm seeking suggestions on how we can streamline this process and ensure that IP information is updated accurately in real-time. Any insights or recommendations would be greatly appreciated.

0 Kudos
rom
Champion Sweeper III
In response to tahir

‎09-27-2023 07:18 AM

I agree with Brandon... you will always have issues in some sort of fashion when scanning windows assets that are on VPN... when an agentless scan is used, it checks DNS first... so for VPN users, the leases can change frequently, and likely the scan server is using cached results from previous lookups, or, the dns record hasn't updated.  Another issue that happens is windows returning the primary NIC as the VPN virtual NIC...  and also the asset returning the local IP/subnet of the remote user since that's the primary IP.

I usually put the agent on them, and make a report to show the VPN virtual NIC and ip address, and schedule scans or initiate manual scans from that report...  or, like Brandon suggested, throw the IP range in there hehe.  There should not be duplicate assets because the ip address and mac address are not part of the unique identifiers.  I'd link an article to the identifiers but I'm on my mobile 🙂

General Discussions

Find answers to technical questions about Lansweeper.

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now