- If the ACC logs show connections being closed, aborted, or terminated, check whether a network device between ACC and AWCM closes or terminates idle connections. The outbound connection that ACC uses must remain open at all times. Check the TCP session timeout on that device and see whether it can be increased to a value >2 minutes;
- By default, ACC sends an IDLE message every 2 minutes. This message registers ACC as a listener on AWCM so that AWCM knows this ACC is ready to take requests;
- If a network device between ACC and AWCM treats this connection as idle and closes it, ACC/AWCM connectivity can break.
401 Errors on ACC
- Check that the time on the ACC and AWCM servers is correct and, preferably, synced to NTP to avoid time synchronization issues.
- Make sure the secure channel certificate is installed on the AWCM server.
- For any certificate-related issues, enable and check the CAPI2 logs on ACC and update the certificate stores accordingly (adding root/intermediate CA certificates to establish trust).
- CAPI2 Logging (https://social.technet.microsoft.com/wiki/contents/articles/242.windows-pki-troubleshooting-capi2-diagnostics.aspx)
ACC service does not start:
Error log contains error:
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. <...>
Reason: ESC/ACC service does not start because there is no trust between ESC/ACC and AWCM.
If this error is present after trying to hit Update/Check URL on the console, check the SSL certificate on the console and do the following:
In the .txt file, search for the secure channel; it should match the secure channel certificate in the console.
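
To see why the trust relationship in the error above fails, the following PowerShell script (an added example, not part of the original page or the product's own tooling) enables CAPI2 logging, performs a TLS handshake with AWCM from the ACC server, and prints the certificate chain Windows built with the status of each element. The host name, port, and the choice of TLS 1.2 are assumptions; replace them with your AWCM values.

```powershell
# Added example. Run elevated on the ACC server.
# $AwcmHost and $AwcmPort are placeholders (assumptions); use your AWCM values.
param(
    [string]$AwcmHost = 'awcm.example.com',
    [int]$AwcmPort = 443
)

# Turn on the CAPI2 operational log so chain-building failures are recorded.
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true

# The callback records what Windows concluded about the server certificate.
# It returns $true only so the handshake completes for inspection; no
# application data is sent over this connection.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($s, $cert, $chain, $policyErrors)
    $script:policyErrors = $policyErrors
    $script:elements = foreach ($e in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $e.Certificate.Subject
            Issuer     = $e.Certificate.Issuer
            NotAfter   = $e.Certificate.NotAfter
            Thumbprint = $e.Certificate.Thumbprint
            Status     = ($e.ChainElementStatus.Status -join ', ')
        }
    }
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($AwcmHost, $AwcmPort)
    $stream = $client.GetStream()
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
    # TLS 1.2 is an assumption; no client certificate, no revocation check.
    $ssl.AuthenticateAsClient($AwcmHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $ssl.Dispose()
} finally {
    $client.Close()
}

# 'None' means the chain is trusted and the name matches. RemoteCertificateChainErrors
# often points to a missing root/intermediate CA in the local machine stores.
"SslPolicyErrors: $($script:policyErrors)"
$script:elements | Format-List

# Recent CAPI2 errors, including any recorded during the handshake above.
Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -eq 'Error' } |
    Select-Object TimeCreated, Id, Message -First 5 | Format-List
```

A `Status` of `UntrustedRoot` or `PartialChain` on a chain element identifies which CA certificate is missing from the ACC server's stores.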