A.1 Patch Management Issues

Patches are unavailable because of the CDN switch to Akamai for ZENworks Patch Management

Source: ZENworks 11 SP2; Patch Management.
Explanation: In the week of 18 February 2008, the hosting infrastructure for the patch content Web site used by ZENworks 11 SP2 Patch Management was migrated to Akamai as the new host provider. This switch was done through a global DNS change.
Action: Follow the steps below:
  1. Open access to the following Web sites:

  2. Turn off SSL Download on the Configuration page (see Configuring Subscription Download Details).

  3. Test your connectivity to the new hosting provider from your ZENworks Primary Server that the Patch Management feature is currently running on:

    • Ping test:

      Log in to the server console, and launch a command prompt or shell window:

      ping novell.cdn.lumension.com

      If your server is able to connect to the Akamai hosting network without a problem, you see a response similar to the one shown below:

      Pinging a1533.g.akamai.net [12.37.74.25] with 32 bytes of data:                                  Replyfrom 12.37.74.25: bytes=32 time=14ms TTL=55                                       Reply from 12.37.74.25: bytes=32 time=14ms TTL=55                                       Reply from 12.37.74.25: bytes=32 time=14ms TTL=55                                        Reply from 12.37.74.25: bytes=32 time=13ms TTL=55                                          Ping statistics for 12.37.74.25:                 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),                                             Approximate round trip times in milli-seconds: Minimum = 13ms, Maximum = 14ms, Average = 13ms
      

      The ping command shows you the address of the nearest AKAMAI server to your current location.

      If you receive the following message:

      Ping request could not find host novell.cdn.lumension.com. Please check the name and try again.
      

      The firewall administrator needs to open access to the Akamai network for both ping and HTTP (TCP port 80) traffic.

      NOTE:Ping test is a simple way to establish that a server has a route available to reach the server, it is not used by Patch Management in normal operations.

      Ping (ICMP) may be blocked by your corporate firewall, or the server may need to pass through a proxy to reach the hosting provider: In these circumstances the Ping test will fail, so other tests will be needed.

    • Browser test:

      Using a Web browser, type in the following URL:

      http://novell.cdn.lumension.com/novell/pulsar.xml
      

      The browser should display formatted output from the Web site, as shown in the figure below:

      If your browser cannot access the XML file, you experience a browser timeout and receive some kind of error message. If the ping test succeeds and the browser test fails, this indicates that the firewall administrator has limited access to the Akamai network, but that the HTTP (TCP port 80) is blocked.

      The license server is still using the same address as in ZENworks Patch Management 6.4. If you want to enter a serial number to register your Patch Management usage, you need to leave the IP addresses of our old servers in your firewall rules.

      NOTE:The server needs to use a proxy to get to the outside world, and the browser isn't configured for the same proxy, then the test in the mentioned would fail.

    • Firewall information for ZENworks 11 SP2:

      ZENworks 11 SP2 Patch Management license replication goes to the following servers:

      • 206.16.247.2
      • 206.16.45.34
      • Port 443

      ZENworks 11 SP2 Patch Management content replication goes to the following DNS name:

      http://novell.cdn.lumension.com/novell
      

      To find out what IP your specific server is using, ping novell.cdn.lumension.com from several machines and enter the applicable address range into your firewall rules.

No patches are shown in the Patches tab

Source: ZENworks 11 SP2; Patch Management.
Possible Cause: The server has just been installed.
Action: You need to start the patch subscription download, and then wait twenty minutes or more for patches to be downloaded automatically from novell.patchlink.com.

Patches do not seem to be deployed on the target device

Source: ZENworks 11 SP2; Patch Management.
Possible Cause: The ZENworks administrator hasn’t deployed the patches into the applicable devices in the ZENworks server, or the patches have been deployed in the server but the device refresh schedule hasn’t been triggered in the ZENworks adaptive agent.
Actions: Check to see if the Device Refresh Schedule option is set as Manual Refresh or Timed Refresh on the Configuration tab, and wait for the specified interval.

The Cancel button disappears in the Reboot Required dialog box

Source: ZENworks 11 SP2; Patch Management.
Explanation: When two or more patches are deployed, if the Allow User to Cancel option is set as No on the Pre Install Notification Options page and the Notification and Reboot Options page of the server, the Cancel button disappears in the Reboot Required dialog box for all patches of the agent.
Action: None necessary.

Superseded patches are shown as NOT APPLICABLE

Source: ZENworks 11 SP2; Patch Management.
Explanation: In earlier releases of Patch Management, a patch showed its status as PATCHED or NOT PATCHED, regardless of whether the patch was new or outdated. This often caused many more patches to show as NOT PATCHED than were actually necessary for deployment to a given target device. This issue has been addressed in many of the new advanced content patches provided with ZENworks 11 SP2:
  • When a patch is superseded, it is automatically disabled.

  • If the patch is re-enabled and detected, in most cases the patch shows as NOT APPLICABLE because it has been replaced by a more recent patch.

Although this is inconsistent with the behavior of earlier versions of Patch Management, this change is an improvement because only the patches that currently need to be installed are reported or analyzed on each device.

Action: None necessary.

Patch deployment might not start when scheduled

Source: ZENworks 11 SP2; Patch Management.
Possible Cause: If the deployment schedule type includes both the Recurring and Process Immediately If the Device Is Unable to Execute options, when the device becomes active, the deployment of the patch does not start on the first of its scheduled recurring dates. However, the patch is deployed when the next recurring date occurs.
Action: Instead of selecting a recurring schedule, select a date-specific schedule so that the patch is applied when the device becomes active.

Microsoft System Installer (MSI) might need to be updated for some patches

Source: ZENworks 11 SP2; Patch Management.
Explanation: Deployment of certain .NET patches might require that the latest MSI is installed. Otherwise, you might receive errors when deploying those patches.
Action: Prior to deploying .NET patches, verify whether an MSI version is a prerequisite. If necessary, create a bundle to deploy the latest MSI (version 3.1 or later) to your systems. MSIs are available from Microsoft.

Remediation of Linux patches displays an error on the SLES 11 SP1 agent

Source: ZENworks 11 SP2; Patch Management
Explanation: On a SUSE Linux Enterprise Server (SLES) 11 SP1 x86, when you apply some patches, though they get applied successfully, an error is reported in the bundle system.
Possible Cause: This is a reporting error, related to patches that have java dependencies.
Action: In the jexec script installed by the sun/oracle java rpm in the /etc/init.d folder, after the # Required-Start: $local_fs line, add the following line: # Required-Stop.