[STRM/JSA] How to troubleshoot WinCollect Error code 0x06BA: The RPC server is unavailable

Article ID: KB29122 KB Last Updated: 02 Feb 2021 Version: 2.0
Summary:

This article applies only to WinCollect agents that remotely poll for events from other Windows systems.

Note: If the Local System check box is selected in your log source, this article does not apply to you.

 

Symptoms:

The WinCollect Error code 0x06BA: The RPC server is unavailable message is typically displayed when a monitored remote machine is rebooted or is simply not on the network anymore.

If the WinCollect machine loses its network connection or cannot be discovered via DNS, many RPC server unavailable messages often appear in the error log.

The WinCollect Error code 0x06BA: The RPC server is unavailable message also might appear when the polled host is installed in a virtual environment. This can happen when hibernating virtual machines are set up with the default power management profile and the WinCollect agent cannot connect to them.

If the WinCollect Error code 0x06BA: The RPC server is unavailable message is accompanied by another error which states that an "Interface [is] not found," either the remote machine or the WinCollect machine is rebooting.

 

Cause:

The WinCollect agent fails to open the event log for a remote event source, and the WinCollect Error code 0x06BA: The RPC server is unavailable message appears.

 

Solution:

If the WinCollect agent fails to open the event log for a remote event source and the WinCollect Error code 0x06BA: The RPC server is unavailable message appears, troubleshoot the problem by performing the following procedures:

  • Verify that the log source is configured with the IP address or host name of the remote system.

  • Verify the status of the remote system.

  • Verify that the correct services are enabled on the remote system.

  • Verify that the user in your log source includes the correct user right assignment.

  • Verify that you can open the event viewer on the remote system.

  • Verify that required ports are open on the Windows host and that Remote Event Log Management is allowed.

Verify that the log source is configured with the IP address or host name of the remote system.

Check the Log Source Identifier field.

If the log source is configured with the IP address or host name of the remote system, continue to the next procedure ("Verify the status of the remote system").

If the log source is not configured with the IP address or host name of the remote system, enter the following in the Log Source Identifier field:

  • The IP address or host name of the remote system you want to poll for events into .

Note:

  • Every log source that you configure on your agent must contain the location of the remote Windows system.

  • The agent must be configured to allow automatic updates so the log source on the remote agent can be updated.

  • The Configuration Polling Interval for the agent determines the frequency with which the agent requests log-source and software updates from the Console.

  • After you correct the Log Source Identifier field, click Save, then wait for the configuration polling interval to expire; the remote WinCollect agent is updated at that point.

Verify the status of the remote system.

Check to see if the remote system is powered on, is available on the network, or is hibernating.

Verify that the correct services are enabled on the remote system.

If the WinCollect agent is logging errors, verify that the services required by RPC are enabled on the remote system:

  1. Log into the remote system as administrator.

  2. Select Start > Programs > Administrative Tools, then click Services.

Note:

  • In the Status column, the Remote Procedure Call (RPC) service must display Started.

  • In the Status column, the Remote Registry service must display Started.

Verify that the user in your log source includes the correct user right assignment.

The user defined in your log source must have the ability to manage auditing and the security log.

  1. Log in to the remote system.

  2. Select Start > Programs > Administrative Tools, and then click Local Security Policy.

  3. From the navigation menu, select Local Policies > User Rights Assignment.

  4. Right-click on Manage auditing and security log and select Properties.

  5. From the Local Security Setting tab, click Add User or Group to add your WinCollect user to the local security policy.

  6. Log off the Windows host.

  7. Remotely poll the host for Windows events with your WinCollect log source.

If you cannot collect events for the WinCollect log source: a) Verify that your group policy does not override your local policy, and b) Verify that the local firewall settings on the Windows host allow Remote Event Log Management. Or, update your log source configuration with the Domain administrator credentials to determine if your issue is related to permissions. If Domain administrator credentials are also denied, the issue might be related to the network.

Verify that you can open the event viewer on the remote system.

If you are remotely polling another Windows host for events, remotely open the event viewer from the system running the WinCollect agent.

  1. Log onto the Windows host on which the WinCollect agent is locally installed.

  2. Select Start > Programs > Administrative Tools, and then click Event Viewer.

  3. Click Action > Connect to another computer.

  4. Select the Another computer option and type the IP address or host name of the server that you want to remotely poll for events.

  5. Click the Connect as another user check box.

  6. Click Set User.

  7. In the User name field, type the domain/username for the user you specified in your log source configuration (for example, test.domainname.com\JohnD).

  8. Type the password for the user and click OK.

If you cannot remotely view the event viewer on the remote host, an RPC Server is unavailable message is displayed.

Administrators can execute an nslookup command from the command line (as shown below) on the host name or IP address you specified. The output of the command should provide the host name or FQDN (fully qualified domain name) that you can use to try to remotely connect to the event viewer.

  1. Click Start > Run, type cmd and press Enter.

  2. To verify the DNS entry for your computer, type the following command:

    nslookup %computername%

  3. If the results return an unexpected IP address or name, you may have conflicting IP information on your DNS server. If you think this issue is related to the DNS server and the location of the system, you can execute an nslookup command to obtain the name of the Active Directory server: Type nslookup ad or nslookup ad.domain.name and compare the results.

  4. If the DNS server is not in your zone or if the lookup does not resolve correctly, use the Enable Active Directory Lookups check box.

  5. To specify a server to complete an Active Directory Lookup, type an IP address or FQDN of a domain controller in the Override Domain Name Controller field.

  6. To specify a server to complete the DNS Lookup for a host, type an IP address or FQDN of a domain controller in the Override DNS Domain Name field.

If you connect to the event viewer of the remote system, verify that the log source configuration is correct and that the Log Source Identifier field contains the host name or FQDN used to connect to the event viewer of the remote system.

Verify that required ports are open on the Windows host and that Remote Event Log Management is allowed.

All firewalls located between the agent and the system polled for events must allow communication on the following ports:

  • TCP port 135 Microsoft Endpoint Mapper

  • UDP port 137 NetBIOS name service

  • UDP port 138 NetBIOS datagram service

  • TCP port 139 NetBIOS session service

  • TCP port 445 Microsoft Directory Services for file transfers that use a Windows share  

To verify that the Windows Firewall allows Remote Event Log Management:

  1. Log into the remote system.

  2. Select Start > Programs > Administrative Tools, and then click Windows Firewall with Advanced Security.

  3. Click Inbound Rules.

  4. Verify that the Enabled column lists Yes for all of the Remote Event Log Management firewall rules.

Note:

  • If you are using DNS for name resolution, verify that UDP and TCP port 53 are listening. These ports may require firewall exceptions in place on your Windows firewall.

  • To verify that a port is listening, administrators can type the following command:

    netstat -an | find "port#"
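
The checks in the procedures above can be run in one pass from the host where the WinCollect agent is installed. The script below is an added example, not part of the original article or of WinCollect; the target name is a constructed placeholder, and it assumes Windows PowerShell 5.1 (the -ComputerName parameter of Get-Service is not available in PowerShell 6 and later).

```powershell
# Added example: pre-flight checks for a remotely polled Windows host.
# $Target is a constructed placeholder; use the Log Source Identifier value.
param(
    [string]$Target = 'remote-host.example.com',
    [pscredential]$Credential = (Get-Credential -Message 'User from the log source')
)

$results = [ordered]@{}

# 1. DNS: does the identifier resolve, and to what?
try {
    $dns = Resolve-DnsName -Name $Target -ErrorAction Stop
    $results['DNS'] = ($dns | ForEach-Object {
        if ($_.IPAddress) { $_.IPAddress } else { $_.NameHost }
    }) -join ', '
} catch { $results['DNS'] = "FAILED: $($_.Exception.Message)" }

# 2. TCP ports listed in the article (UDP 137/138 cannot be probed this way).
foreach ($port in 135, 139, 445) {
    $open = Test-NetConnection -ComputerName $Target -Port $port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    $results["TCP $port"] = if ($open) { 'reachable' } else { 'blocked or closed' }
}

# 3. Required services. Get-Service connects as the current user, not $Credential.
foreach ($svc in 'RpcSs', 'RemoteRegistry') {
    try {
        $results["Service $svc"] =
            (Get-Service -ComputerName $Target -Name $svc -ErrorAction Stop).Status
    } catch { $results["Service $svc"] = "FAILED: $($_.Exception.Message)" }
}

# 4. Open the remote Security log as the log source user. This is the same
#    operation that fails with 0x06BA (decimal 1722) in the agent log.
try {
    $evt = Get-WinEvent -ComputerName $Target -Credential $Credential `
        -LogName Security -MaxEvents 1 -ErrorAction Stop
    $results['Security log'] = "readable, newest event at $($evt.TimeCreated)"
} catch { $results['Security log'] = "FAILED: $($_.Exception.Message)" }

$results.GetEnumerator() | Format-Table Name, Value -AutoSize
```

A "reachable" result on TCP 135 combined with a failed Security log read points toward the Remote Event Log Management firewall rules or the user right assignment rather than basic connectivity.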

 

Modification History:

2021-02-02: Article reviewed for accuracy; article valid and relevant

 
