MeshCentral
MeshCentral copied to clipboard
Ylianst
Duplicate CIRA Connected Systems
Running 0.9.66 on Ubuntu 18.04 without a reverse proxy. CIRA connected devices appear with the hostname of the reverse IP lookup of the external IP. The details tab is empty except for the AMT status, but since none of the "normal" systems show CIRA any longer, I believe they are duplicates and not orphan CIRA connections of un-agented systems.
Reddit Thread: https://www.reddit.com/r/MeshCentral/comments/ryqj3v/cira_showing_as_external_ip_instead_of_system_name/
I also verified that I don't see this behavior with CIRA connected devices on my server running 0.9.28
When MeshCentral gets a CIRA connection, it gets the Intel AMT unique identifier (UUID) and uses that as the identifier to show the connection on the web site. Normally, the Intel AMT UUID should not change and should be unique for each device. However, I have seen rare cases where this is not the case.
You can get the Intel AMT UUID using meshcmd.exe amtuuid or by typing amt in the agent console.
I should have put the identifier in the "details" tab too so it's easy to see.
My question is, does this identifier change each time you get a duplicate CIRA connection? If so, I would first suggest to update your firmware (BIOS) on the remote computer. If that does not fix it, that will be a problem since I use that identifier to route the connection.
In my case, all my CIRA connected systems became two (one normal software agent system that works and one CIRA system that only displays a little bit of info and doesn't let you connect) after I upgraded the software. On my two servers I upgraded recently to 0.9.66 I have no systems that have both the software agent and CIRA. I do not have a console tab on the duplicate CIRA systems:
Looking at the websocket traffic, I can see the nodes lookup return both the regular agent and the CIRA stuff with identical UUIDs. I've cut out a matching pair from my group, but could provide more info if necessary:
[ { "_id": "node//$Gql9Sy$wk3A7I8tMeavH2ZgrSSM94lS36Tgzv3EH4tbuVPGOjVqXKbJaK3E12f@", "type": "node", "mtype": "2", "icon": 1, "name": "ClusterB4", "rname": "ClusterB4", "domain": "", "agent": { "ver": 0, "id": 4, "caps": 31, "root": true, "core": "Jan 7 2022, 4100352894" }, "host": "ClusterB4.production.mydomain.local", "ip": "50.202.0.0", "osdesc": "Microsoft Windows 10 Enterprise LTSC - 17763", "av": [ { "product": "Windows Defender", "updated": true, "enabled": true } ], "users": [ "CLUSTERB4\\user" ], "intelamt": { "host": "ClusterB4.production.mydomain.local", "state": 2, "flags": 2, "ver": "11.8.77", "user": "admin", "pass": 1, "realm": "Digest:13C30000000000000000000000000000", "tls": 1, "hash": "56c90fb0dd50c69c2ac6b30bbebc01f09327e411", "mpspass": 1, "sku": 16392, "uuid": "63b65363-c061-4e83-99a8-d45ddf1a2551", "warn": 0 }, "wsc": { "firewall": "OK", "antiVirus": "OK", "autoUpdate": "OK" }, "conn": 1, "pwr": 1, "agct": 1641944598772, "sessions": { "app": { "undefined": 1 } } }, { "_id": "node//Y7ZTY8BhToOZqNRd3xolUWO2U2PAYU6DmajUXd8aJVFjtlNjwGFOg5mo1F3fGiVR", "type": "node", "mtype": 2, "name": "50-202-0-0-reverse.hfc.comcastbusiness.net", "icon": 1, "host": "50-202-0-0-reverse.hfc.comcastbusiness.net", "domain": "", "agent": { "ver": 0, "id": 0, "caps": 0 }, "intelamt": { "uuid": "63b65363-c061-4e83-99a8-d45ddf1a2551", "user": "", "pass": 1, "tls": 0, "state": 2 }, "conn": 2, "pwr": 7, "cict": 1641838319714 } ]
I'm seeing the same thing as sourcex on my install. In past versions Intel AMT and CIRA were working properly. It broke sometime after version 0.9.28. Any device that uses CIRA is now showing up as that reverse IP named entry but with no functionality. The actual device is still showing up under the MeshAgent (and with the correct device name) but no IntelAMT features are present at all. Not sure how else to describe it.
Since the UUIDs are identical for the software agent device and the phantom CIRA device, is there other troubleshooting I should be digging into? I think my two affected installs are fairly basic, but it is hard to tell if people aren't using CIRA much or if this is just a smaller scale issue.
Downgrading to the latest stable (0.9.52) shows the same behavior. The two systems with identical UUIDs aren't combined in the interface.
Does anyone have this problem running with a mongodb version newer than 3.6.3? My affected servers are fairly old installations.
I'm having this issue as well. I'm running MeshCentral version 1.0.85 in WAN mode. I have some computers that show both the agent and the CIRA connection under one entry, as expected. I have other computers that list two entries. One for CIRA and the other for the agent. But it is only one computer.
For example, computer 0269 shows both CIRA and agent.
Computer number 0187 shows as two separate devices. One is controlled by the agent and the other is connected by CIRA.
This is the same computer, but listed with the CIRA only
Is there anything I should be looking for to troubleshoot this? The UUID in AMT changing was mentioned. I can find the UUID in AMT. Where do I find the UUID in the MeshCentral data? Is there anything else to look for?
One thing I just noticed was the Intel ME version for the computers with the problem all seem to be running 9.0.2 whereas the computers that are working properly are running 9.1.42 or newer.
