Enabled HTTP/2 causes "Product communication error" when deploying Apex One Vulnerability Protection policy from Apex Central

Product / Version includes:

Apex CentralAll , Apex OneAll

Last updated: 2021/08/28

Solution ID: KA-0010442

Category: Troubleshoot

Summary

When deploying policies from Apex Central to Apex One Vulnerability Protection, the following error details can be seen

Policy Error ID 5 (Vulnerability Protection Service: Product communication error).
Apex One: Deployed
Endpoint Sensor Service: Deployed
Application Control Service: Deployed
Vulnerability Protection Service: Product communication error.

Root Cause Analysis

This issue is occurs because Apex Central was not able to send request to Apex One Vulnerability Protection server because of the wrong setting of "HTTP/2".

The error can be seen in the diagnostic.log file of Apex Central, located under ...\Control Manager\WebUI\WebApp\widget\repository\log\:

2020-01-15 17:24:12,144,DEBUG,null,null,[modOSCE IVPProxy][send_policy]In.

2020-01-15 17:24:12,144,DEBUG,null,null,[modOSCE IVPProxy][send_policy]iVP socket timeout: 700

2020-01-15 17:24:12,144,DEBUG,null,null,[modOSCE IVPProxy][send_policy]URL = 
https://<FQDN of Apex One Server>/officescan_ivp/command

2020-01-15 17:24:12,144,DEBUG,null,null,[modOSCE IVPProxy][send_policy]param = 
    {"name":"UpdateClientSettings","clientUIDs":["168a7096-6d25-4d55-9dae-7fa5a7fe953e"],
    "policyGUID":"6f0fbbd0-9546-4792-9173-7eee4762fa8b","policyVersion":"2020-01-15 19:24:06","clientSettings":
    {"vulnerabilityShieldState":0,"fixedSizePatternMode":1,"ipsRules":{"disabledList":[],
    "enabledList":[]},"networkEngineSettings":{"settings.configuration.networkDriverMode":"0",
    "settings.configuration.packet.driver.timeoutEstab":"3","settings.configuration.packet.driver.timeoutLastAck":"30",
    "settings.configuration.packet.driver.timeoutColdStart":"300","settings.configuration.packet.driver.timeoutUdp":"10",
    "settings.configuration.packet.driver.maxConnectionsUdp":"1000000",
    "settings.configuration.packet.driver.maxConnectionsTcp":"1000000","settings.configuration.packet.driver.ignorestatus0":"0",
    "settings.configuration.packet.driver.ignorestatus1":"0","settings.configuration.packet.driver.ignorestatus2":"0",
    "settings.configuration.packet.driver.logRules":"-1"}}}

2020-01-15 17:24:12,144,DEBUG,null,null,[HTTPTALK]Failed error code:92

2020-01-15 17:24:12,144,DEBUG,null,null,[HTTPTALK]Failed reason:HTTP/2 stream 0 was not closed cleanly: HTTP_1_1_REQUIRED (err 13)

2020-01-15 17:24:12,144,DEBUG,null,null,[modOSCE IVPProxy][send_policy]Send() failed, 
    error message = HTTP/2 stream 0 was not closed cleanly: HTTP_1_1_REQUIRED (err 13)

2020-01-15 17:24:12,144,DEBUG,null,null,[modOSCE IVPProxy][send_policy]Out.

2020-01-15 17:24:12,144,DEBUG,null,null,[modOSCE IVPProxy][proxy_exec]return code = 2

2020-01-15 17:24:12,144,DEBUG,null,null,[modOSCE IVPProxy][proxy_exec]resultDeploy = , 
    errCode = 421, errMessage = Connecting to server failed

To fix the issue:

Install Apex Central Hotfix 4363.

Since the hotfix is not yet available publicly, you can file a Technical Support case to request for this specific hotfix.
If issue persists or if installing a newer hotfix is not an option, you can manually disable HTTP/2:
1. Open the Windows Registry Editor.
2. Navigate to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Add the following as REG_DWORD values to this registry key:
  - EnableHttp2Tls
  - EnableHttp2Cleartext
4. Set the value of both Registry Keys to 0.
5. Reboot the Apex One server.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Enabled HTTP/2 causes "Product communication error" when deploying Apex One Vulnerability Protection policy from Apex Central

Enabled HTTP/2 causes "Product communication error" when deploying Apex One Vulnerability Protection policy from Apex Central

Product / Version includes:

Summary