We've been encountering RPC unavailable and ping failed scanning errors for assets that are scanned remotely, whereas locally, everything is working fine. This issue seems to be related to our use of GlobalProtect as a VPN. Specifically, the problem arises when machines are on the VPN.
We're actively seeking a solution to resolve this issue. If anyone has insights or recommendations on how to address this problem, please feel free to share.
We use AnyConnect as well and leverage LSAgent for our remote devices. I also have a very frequent scan hitting our VPN subnet. LSAgent only updates, at a minimum, every four hours. Leveraging the IP Scan of the Subnet increases the visibility to an extent of at least allowing us to know that a PC on the Domain is connected, and ties the results to the existing asset.
Unless my understanding is wrong and I'm just wasting resources lol
The RPC and Ping failures could be due to Firewall Rules within the Router(s) or on the Device itself. There is a script out there that can adjust the firewall to permit your scan server. This can be used in conjunction with the LSAgent. If you haven't integrated Classic with Cloud, definitely consider doing so, as the Cloud Relay is very beneficial for when assets are disconnected from the local network, as the Sync Server will pull the stored results hourly.
The below is an excerpt from the Lansweeper KB. You would want to adjust line 26 with your scan server IP. I dunno if the DNS name would work as I haven't tried and am not familiar.
' Lansweeper settings script

' Enable dcom
Set Myshell = WScript.CreateObject("WScript.Shell")
On Error Resume Next
Err.Clear
Myshell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM","Y","REG_SZ"
if Err.Number <> 0 then
    msgbox "Error: " & Err.Number & vbCrLf & Err.Description & vbCrLf & vbCrLf & "--> Make sure you are running this script elevated with administrative credentials!!",16,"Script error"
end if
Myshell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel",2,"REG_DWORD"
Myshell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel",3,"REG_DWORD"

' Set dcom default permissions
Myshell.RegDelete "HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission"
Myshell.RegDelete "HKLM\SOFTWARE\Microsoft\Ole\MachineAccessRestriction"
Myshell.RegDelete "HKLM\SOFTWARE\Microsoft\Ole\MachineLaunchRestriction"

' Set windows firewall
Myshell.Run "netsh firewall set service RemoteAdmin enable"
Myshell.Run "netsh firewall add portopening protocol=tcp port=135 name=LanSweeper_DCOM_TCP135"
' Replace ScAnSeRvEr_Ip below with the IP address of your Lansweeper scan server,
' so that TCP 135 is only opened towards that host (domain profile only)
Myshell.Run "netsh advfirewall firewall set rule name=LanSweeper_DCOM_TCP135 new remoteip=ScAnSeRvEr_Ip"
Myshell.Run "netsh advfirewall firewall set rule name=LanSweeper_DCOM_TCP135 new profile=domain"

' Disable simple file sharing
Myshell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest","0","REG_DWORD"

' Set LocalAccountTokenFilterPolicy
Myshell.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy","1","REG_DWORD"

' Enable WMI Service and start it
Myshell.Run "sc config winmgmt start= auto"
Myshell.Run "net start winmgmt"
It will not be possible to update in real time. The only time the information is updated for an asset is when it is scanned. I have our VPN IP range scanned hourly since we have assets that can potentially be going on and offline throughout the day.
What I gather from your response is the suggestion to include all IP ranges used for GlobalProtect in the scanning target. However, a question arises here: when assets are scanned through IP ranges and agents, will this result in separate identifiers or uniqueness? We are concerned about the potential scenario where the same asset might generate two identifiers, which could impact our license consumption.
First make sure that your VPN address range is being scanned. This range will need to be scanned when the laptops are online.
Also make sure that scanning of your VPN is allowed through your Palo Alto firewall.
You can also install the Lansweeper agent on the laptop and set up agent scanning in Lansweeper under the scanning menu. This will also need to be allowed through your firewall.
I appreciate your prompt response. Yes, the IP ranges are already whitelisted in the firewall. However, it seems that the issue we're experiencing might be related to the fact that the scan is not updating the real-time IP information of assets properly.
To elaborate, when the previously stored IP in the Lansweeper inventory differs from the current IP, it triggers the "ping fail" and "RPC unavailable" scan errors. Conversely, when the IP information matches, no errors occur.
I'm seeking suggestions on how we can streamline this process and ensure that IP information is updated accurately in real-time. Any insights or recommendations would be greatly appreciated.
I agree with Brandon... you will always have issues in some sort of fashion when scanning Windows assets that are on VPN... when an agentless scan is used, it checks DNS first... so for VPN users, the leases can change frequently, and likely the scan server is using cached results from previous lookups, or the DNS record hasn't updated. Another issue that happens is Windows returning the primary NIC as the VPN virtual NIC... and also the asset returning the local IP/subnet of the remote user since that's the primary IP.
I usually put the agent on them, and make a report to show the VPN virtual NIC and IP address, and schedule scans or initiate manual scans from that report... or, like Brandon suggested, throw the IP range in there hehe. There should not be duplicate assets because the IP address and MAC address are not part of the unique identifiers. I'd link an article to the identifiers but I'm on my mobile 🙂
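A PowerShell triage script, added here and not taken from this thread or from Lansweeper, that separates the two failure modes discussed above (the stored IP no longer matching the asset's current VPN lease, versus a genuine ICMP or TCP 135 block) by flushing the resolver cache, resolving each inventory name fresh, comparing the answer to the stored IP, and then probing the best IP it has. The inventory CSV, the hostnames and the 10.20.0.0 addresses in it are constructed sample data; it assumes the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from this thread or from Lansweeper): triage VPN assets
# whose scan fails, separating a stale stored/DNS IP from a real firewall block.
# Constructed sample inventory; replace with an export of the asset names and
# IPs exactly as the scan server currently holds them.
$inventory = @'
Name,StoredIP
LAPTOP-01,10.20.0.15
LAPTOP-02,10.20.0.33
'@ | ConvertFrom-Csv

# Drop the scan host's own resolver cache so the lookups below reach the DNS server
# instead of reusing an answer from an earlier lease.
Clear-DnsClientCache

foreach ($asset in $inventory) {
    $r = [ordered]@{ Name = $asset.Name; StoredIP = $asset.StoredIP; DnsIP = $null }
    try {
        $a = Resolve-DnsName -Name $asset.Name -Type A -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        $r.DnsIP = $a.IPAddress
    } catch { }                       # NXDOMAIN or timeout: leave DnsIP empty

    # A fresh DNS answer that disagrees with the stored IP is the case described
    # above: the lease moved while the inventory still holds the old address.
    $r.DnsStale = [bool]($r.DnsIP -and $r.DnsIP -ne $asset.StoredIP)
    $target = if ($r.DnsIP) { $r.DnsIP } else { $asset.StoredIP }

    # Probe exactly what the agentless scan needs: ICMP, then TCP 135 (RPC endpoint mapper)
    $r.PingOk   = Test-Connection -ComputerName $target -Count 1 -Quiet
    $r.Rpc135Ok = (Test-NetConnection -ComputerName $target -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded

    if ($r.DnsStale)           { $r.Diagnosis = 'stored IP differs from current DNS answer: rescan the range' }
    elseif (-not $r.PingOk)    { $r.Diagnosis = 'ICMP fails: host offline or ping blocked on the path' }
    elseif (-not $r.Rpc135Ok)  { $r.Diagnosis = 'TCP 135 blocked: check the client firewall rule remoteip' }
    else                       { $r.Diagnosis = 'reachable: a rescan should succeed' }
    [pscustomobject]$r
}
```

Run it from the scan server itself so the firewall rule that restricts TCP 135 to the scan server's IP is exercised from the right source address.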