Skip To Main Content
Support Knowledge Base

Intel® Endpoint Management Assistant (Intel® EMA) Issues Getting CIRA Connected – CIRA Not Connected

Content Type: Troubleshooting   |   Article ID: 000092506   |   Last Reviewed: 01/31/2023

After an install of the Intel® EMA Server, there can be issues getting CIRA Connected on vPro PCs running the EMAAgent.exe service even though they are Provisioning Completed on the Intel® EMA UI. Below is a checklist that helps troubleshoot through several of the most common issues. Note: this list is not meant to be exhaustive.

General flow for identifying CIRA connection issues is:

  1. No docks, no dongles. AMT must connect to the Intel® EMA server through an Intel WLAN or LAN piece of silicon (or a vPro-capable TBT4 Dock)
    1. There is one other exception. Lenovo did produce a pass-through LAN dongle for some specific PC models. This directly connects a LAN port to the RJ45 cable and will route CIRA traffic. The connector is proprietary; it is not a Lenovo USB dongle.
  2. Is the test PC Intel® Standard Manageability? ISM won't CIRA connect. (vPro Essentials will connect with ME 16+)
  3. Double check the CIRA domain for the AMT Endpoint Group is set to a non-resolvable domain.
  4. Install Telnet on the vPro PC (In Turn Windows Features on or off). In a CMD admin prompt on the vPro PC Telnet emaserver.mydomain.com 8080 A black screen is success; timeout is failure. Port 8080 is not open. There is an easier way to do this if you have access to PowerShell. PS>Test-NetConnection myema.mydomain.com -port 8080.
    1. Note: If VPN is on this will succeed for the Windows O/S but fail for the Intel® Management Engine (Intel® ME). The Intel® ME does not route over the O/S VPN.
  5. (WiFi Only) Wireless enabled and profile sync checked in AMT profile.
    1. If the PC is on a Secure network (Radius/NAC/802.1x etc…) there is additional setup required to provide the vPro PC with credentials to join the network.
  6. (WiFi only) If endpoint >=AMT 12 check C:\Windows\SysWOW64\Gms.log for MEProfileSync events.
  7. (WiFi only) Check the WiMan.sys driver is installed. Uninstall any Intel PROSet drivers.
  8. Check endpoint EMA log for name resolution errors (e.g. if the PC is using the Windows C:\Windows\System32\drivers\etc\hosts files to point to the Intel® EMA, CIRA won’t work as the Firmware tries to solve the FQDN directly from the DNS server and not the Windows hosts file)
  9. Is the PC running a recent (<1 year old) Firmware? Ideally the latest OEM Firmware should be installed.
  10. Are the latest OEM drivers/software installed? The OEM pack should be used but for testing purposes the Intel pack can be used. /content/www/us/en/download/682431/intel-management-engine-drivers-for-windows-7-windows-8-1-and-windows-10.html
  11. Is the Intel LMS.exe service running? (Intel® Management and Security Application Local Management Service). If not, the PC should provision AMT, but this service plays a role in synching WiFi profiles with the Intel ME.
  12. Download, install and run the EMAConfigtool https://downloadcenter.intel.com/download/30485/Intel-Endpoint-Management-Assistant-Configuration-Tool-Intel-EMA-Configuration-Tool-
    1. Check CIRA information. Is the CIRA_SERVER the right FQDN? (Note: Is CIRA Server pointing to an incorrect IP address? In one case we added the correct IP address to the Settings/Web Server/Allowed Domains - CIRA connected).
  13. Make sure the PC is not awaiting Windows Update and Restart
  14. Try turning it off and on again! (This is actually a valid option. e.g. If there are Windows upgrades pending, or even if not, this has solved CIRA connection issues, particularly immediately following the first tom the vPro PC is AMT provisioned)
  15. If on LAN – is the cable plugged into the Intel Card (if more than one LAN card)?

  16. Point a browser to https://ema.myserver.com:8080. Look at the Common Name CN. What FQDN was it issued to? Now on the vPro PC in a CMD window, as Administrator, execute EMAAgent.exe -swarmserver. What is the FQDN of the Swarmserver? If this does not match the FQDN of the Cert on Port 8080, CIRA will fail to connect.

  17. Does the Intel® EMA VM allow all the required CipherSuites and Protocols? This is particularly relevant for Intel ME 11.x and below:

    1. Run the following command from the Intel® EMA Server in a PowerShell window as admin: Get-TlsCipherSuite | FT Name

    2. Check if the list of returned cipher suite includes TLS_RSA_WITH_AES_128_GCM_SHA256.
    3. If this cipher suite is not included:
      1. Download and run the IISCrypto tool (https://www.nartac.com/Products/IISCrypto/Download)
      2. Go to the Cipher Suites category
      3. Enable TLS_RSA_WITH_AES_128_GCM_SHA256
      4. Apply and reboot the server

 

Note

EMAAgent is not designed to run on PCs running VMs, even on the Base Hypervisor. The LAN/WLAN cannot interpret multiple IP addresses correctly. No Hypervisor has been written to accommodate AMT

PCs running VPN can successfully complete provisioning but FAIL CIRA Connected. This can happen if EMAAgent.exe provisions while a VPN is running in Windows*.

Related Products

This article applies to 1 products.
Intel® Endpoint Management Assistant (Intel® EMA)

Need more help?

Contact support
Contact support