SCCM peer cache is not working as intended

  • Question

  • Hi,

    I am using SCCM version 1902 and have enabled peer caching for testing in our environment. The peer client is trying to access the peer source, which is in the same subnet, but couldn't download the content from the peer. Please find the log entries below.

    DataTransferService.log:

    Request to https://hostnameFQDN:8003/SCCM_BranchCache$/Content_60dcda08-7947-481d-8b99-d0d2cbcd3d19 failed with 400 DataTransferService 12/26/2019 12:40:34 PM 12116 (0x2F54)

    Successfully queued event on HTTP/HTTPS failure for server 'hostnameFQDN'. DataTransferService 12/26/2019 12:40:34 PM 12116 (0x2F54)

    Error sending DAV request. HTTP code 400, status 'Bad Request' DataTransferService 12/26/2019 12:40:34 PM 12116 (0x2F54)

    Download timeout has met. DTS job {C8F80AE3-DCFD-4BB6-BA8F-AB8226879621} will quit. DataTransferService 12/26/2019 12:40:34 PM 12116 (0x2F54)

    GetDirectoryList_HTTP('https://hostnameFQDN:8003/SCCM_BranchCache$/Content_60dcda08-7947-481d-8b99-d0d2cbcd3d19') failed with code 0x800705b4. DataTransferService 12/26/2019 12:40:34 PM 12116 (0x2F54)

    Error retrieving manifest (0x800705b4). DataTransferService 12/26/2019 12:40:34 PM 12116 (0x2F54)

    Upon checking the website "https://hostnameFQDN:8003/" I could find that there seems to be a certificate issue. The certificate which has been issued by SCCM is not being trusted by the peer source. Kindly find the screenshot for reference.

    

    Here my question is: may I know where the certificate for peer cache is getting generated from in SCCM? How do I resolve this?

    Kindly help me with suggestions. Please let me know if any further details are required.

    Monday, January 6, 2020 6:57 PM

All replies

  • Hi,

    A peer cache source must be a member of the current boundary group of the peer cache client. The management point doesn't include peer cache sources from a neighbor boundary group in the list of content sources it provides the client. It only includes distribution points from a neighbor boundary group. For more information, see:

    https://docs.microsoft.com/en-us/configmgr/core/plan-design/hierarchy/client-peer-cache

    Best regards,
    Larry



    Tuesday, January 7, 2020 7:39 AM
  • Hi Larry,

    Thanks for the reply. The peer cache source and peer cache client are in the same subnet and in the same boundary. And hence I think the peer cache client could contact the peer cache source.

    Kindly suggest me any other idea for this issue.

    Warm Regards,

    Vivek V


    Vivek V SCCM Engineer

    Tuesday, January 7, 2020 4:03 PM
  • The certificate is not exclusive to Peer Cache so it's not a Peer Cache certificate. The ConfigMgr client agent always uses a self-signed certificate in the absence of a PKI-issued client auth certificate.

    Is your site configured to use HTTPS client communication?


    Jason | https://home.configmgrftw.com | @jasonsandys

    Tuesday, January 7, 2020 10:23 PM
  • Look at the CAS.log file on the serving peer client. That should tell you why the download request is failing.

    Wednesday, January 8, 2020 2:17 AM
  • Hello Jason,

    Thanks for the reply. Please find the screenshot for client computer configuration in our environment.


    Vivek V SCCM Engineer

    Wednesday, January 8, 2020 1:31 PM
  • Hello Kerwin,

    Thanks for the suggestion. Please find the log information below. May I know if you get any clue from this?

    CAS.log from Peer cache client:

    Location update from CTM for content Content_60dcda08-7947-481d-8b99-d0d2cbcd3d19.1 and request {14A4321D-875C-4DB8-8F49-7A291D5940F1} ContentAccess 1/7/2020 6:57:56 PM 3292 (0x0CDC)
       Matching DP location found 0 - https://hostnameFQDN:8003/sccm_branchcache$/content_60dcda08-7947-481d-8b99-d0d2cbcd3d19 (Locality: SUBNETPEER) ContentAccess 1/7/2020 6:57:56 PM 3292 (0x0CDC)
       Download request only, ignoring location update ContentAccess 1/7/2020 6:57:56 PM 3292 (0x0CDC)
    Location update from CTM for content Content_0c207de0-e287-40bb-bb65-7aadaa113dde.1 and request {C7E2AA1A-EE6E-4904-B959-BDF6915967BF} ContentAccess 1/7/2020 7:57:55 PM 9132 (0x23AC)
       Download request only, ignoring location update ContentAccess 1/7/2020 7:57:55 PM 9132 (0x23AC)
    Location update from CTM for content Content_60dcda08-7947-481d-8b99-d0d2cbcd3d19.1 and request {14A4321D-875C-4DB8-8F49-7A291D5940F1} ContentAccess 1/7/2020 7:57:56 PM 5860 (0x16E4)
       Matching DP location found 0 - https://hostnameFQDN:8003/sccm_branchcache$/content_60dcda08-7947-481d-8b99-d0d2cbcd3d19 (Locality: SUBNETPEER) ContentAccess 1/7/2020 7:57:56 PM 5860 (0x16E4)
       Download request only, ignoring location update ContentAccess 1/7/2020 7:57:56 PM 5860 (0x16E4)
    Location update from CTM for content Content_0c207de0-e287-40bb-bb65-7aadaa113dde.1 and request {C7E2AA1A-EE6E-4904-B959-BDF6915967BF} ContentAccess 1/7/2020 8:57:56 PM 5860 (0x16E4)
       Download request only, ignoring location update ContentAccess 1/7/2020 8:57:56 PM 5860 (0x16E4)
    Location update from CTM for content Content_60dcda08-7947-481d-8b99-d0d2cbcd3d19.1 and request {14A4321D-875C-4DB8-8F49-7A291D5940F1} ContentAccess 1/7/2020 8:57:56 PM 1260 (0x04EC)


    Vivek V SCCM Engineer

    Wednesday, January 8, 2020 1:41 PM
  • That doesn't help really as that simply allows client auth certs to be used. What is actually configured on the clients? My hunch here is that you don't intend to use HTTPS client communication, in which case you need to unselect the checkbox that says use PKI client certificate when available.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, January 8, 2020 10:29 PM
  • Hello Jason,

    Please find the settings in the screens attached. 


    Vivek V SCCM Engineer

    Thursday, January 9, 2020 2:00 PM
  • OK, so the clients are configured to use HTTPS using a PKI client cert but none of the site facing roles are configured to use HTTPS. Thus, your clients are probably using an uncontrolled or unknown set of client auth certs. If your intention is not to use HTTPS client communication, then I'd recommend that you disable the use of PKI certs by your clients as previously noted.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, January 9, 2020 2:49 PM
  • Hi Jason,

    Thanks for the suggestion. Actually this is the issue. I have unchecked the "Use PKI certificate when available" option as you have mentioned in the previous thread and it is working now.

    Now I have one more question, 

     What is the impact when I enable peer cache for the machines which are in different subnets? Will it be a problem when certain clients roam across boundaries? What would be the impact of this?


    Vivek V SCCM Engineer

    Friday, January 10, 2020 3:01 PM
  • No one can tell you the impact as that's specific to your organization.

    Peer Cache enables content sharing between peers; peers in this case are defined by boundary groups. Thus, if your boundary groups are configured to accurately reflect locations and subnets that are well-connected, I expect no impact. If not, then you may have clients crossing WAN borders. It's all about how you've configured your boundary groups and what your network looks like.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Friday, January 10, 2020 4:00 PM
  • Just a side note, even though the Client Certificate field shows, "PKI", the client could still be using a self-signed cert. The "PKI" part shows up when there is a cert issued from the CA and stored in the Personal store but not necessarily used for ConfigMan services. One for the UserVoice....

    Systems Engineer

    Wednesday, June 24, 2020 6:07 PM
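
Added example, not part of the original thread or of any poster's reply: a PowerShell inventory of the certificates in a machine's Personal store that are valid for client authentication, which is the "uncontrolled or unknown set of client auth certs" concern raised above and the Personal-store case in the side note. The function name `Get-ClientAuthCandidate` is hypothetical; run it in an elevated session on both the peer cache source and the peer cache client and compare the output.

```powershell
# Added example (not from the thread). Lists certificates in the local computer's
# Personal store that could be presented for client authentication.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-ClientAuthCandidate {     # hypothetical helper name
    param(
        # 'My' is the Personal store of the local computer.
        [string]$StoreName = 'My'
    )
    $path = "Cert:\LocalMachine\$StoreName"
    if (-not (Test-Path $path)) { return }

    foreach ($cert in Get-ChildItem -Path $path) {
        # Collect the EKU OIDs; drop nulls so a missing EKU list counts as empty.
        $ekus = @($cert.EnhancedKeyUsageList |
                  ForEach-Object { $_.ObjectId } |
                  Where-Object { $_ })

        # A certificate with no EKU extension is valid for any purpose,
        # so it is also a client authentication candidate.
        $usable = ($ekus.Count -eq 0) -or ($ekus -contains $ClientAuthOid)
        if (-not $usable) { continue }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            HasPrivateKey = $cert.HasPrivateKey
            Expired       = ($cert.NotAfter -lt (Get-Date))
            # Builds the chain with the default policy on THIS machine;
            # False means this machine does not trust the issuing chain.
            ChainTrusted  = $cert.Verify()
            Thumbprint    = $cert.Thumbprint
        }
    }
}

Get-ClientAuthCandidate | Sort-Object Issuer | Format-List
```

Entries whose issuer is not the organization's intended CA, or that show `ChainTrusted : False`, are the ones to review before leaving "Use PKI client certificate when available" selected.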