Endpoint agents show Unknown/Not Reporting in the Enforce console

Article ID: 162818

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

When 'unknown_ca' is observed in the Aggregator logs on the Endpoint Server, agent states cannot be updated, and the agents show as Unknown/Not Reporting in the Enforce console.

Environment

The agent log shows the following information:
 
INFO    | AgentServices.ServerCommunicatorService.ConnectionStrategy | Libcurl Error: '60'. Error Message: Peer certificate cannot be authenticated with given CA certificates. Last Error String: SSL certificate problem: self signed certificate in certificate chain
INFO    | AgentServices.ServerCommunicatorService.ConnectionStrategy | Libcurl Error: '60'. Error Message: Peer certificate cannot be authenticated with given CA certificates. Last Error String: SSL certificate problem: self signed certificate in certificate chain
INFO    | AgentServices.ServerCommunicatorService.ConnectionStrategy | Libcurl Error: '60'. Error Message: Peer certificate cannot be authenticated with given CA certificates. Last Error String: SSL certificate problem: self signed certificate in certificate chain
 
The aggregator log, found on the Endpoint Server, shows the following information:
 
DisconnectReason=FAILURE_TO_CONNECT               
DC - Processing disconnected notification                                       0 DisconnectReason=FAILURE_TO_CONNECT               
TC - SSL handshake failed                                                       0
DC - Received a connection disconnected notification                            0 DisconnectReason=FAILURE_TO_CONNECT               
DC - Processing disconnected notification  
 
 
com.symantec.dlp.communications.common.activitylogging.JavaLoggerImpl log
WARNING:
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
     at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1619)
     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1587)
     at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1756)
     at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1060)
     at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:884)
     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
     at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1061)
     at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:765)
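The two log excerpts above carry complementary signals: the agent reports libcurl error 60 (the peer certificate could not be verified against the CA the agent trusts) and the Endpoint Server records the unknown_ca alert the agent sent back. The following triage script is an added example, not code from the article or from Symantec DLP; it runs the pattern matching over constructed sample lines modelled on the excerpts (the libcurl error 7 line and the port number are constructed, not taken from the article) and maps the result onto the causes this article lists.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the excerpts in this article (not real
# captures): two CA-trust failures and one plain connectivity failure from the
# agent side, plus the matching Endpoint Server aggregator entries.
AGENT_LOG = """\
INFO    | AgentServices.ServerCommunicatorService.ConnectionStrategy | Libcurl Error: '60'. Error Message: Peer certificate cannot be authenticated with given CA certificates. Last Error String: SSL certificate problem: self signed certificate in certificate chain
INFO    | AgentServices.ServerCommunicatorService.ConnectionStrategy | Libcurl Error: '60'. Error Message: Peer certificate cannot be authenticated with given CA certificates. Last Error String: SSL certificate problem: self signed certificate in certificate chain
INFO    | AgentServices.ServerCommunicatorService.ConnectionStrategy | Libcurl Error: '7'. Error Message: Couldn't connect to server. Last Error String: Failed to connect to endpoint-server port 10443
"""

AGGREGATOR_LOG = """\
TC - SSL handshake failed                                                       0
DC - Received a connection disconnected notification                            0 DisconnectReason=FAILURE_TO_CONNECT
DC - Processing disconnected notification                                       0 DisconnectReason=FAILURE_TO_CONNECT
WARNING:
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
     at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
"""

# Matches the libcurl failure line written by the agent's ConnectionStrategy.
CURL_RE = re.compile(
    r"Libcurl Error: '(?P<code>\d+)'\. Error Message: (?P<msg>.*?)\. "
    r"Last Error String: (?P<detail>.*)$"
)


def parse_agent_log(text):
    """Return a Counter of libcurl error codes seen in the agent log."""
    codes = Counter()
    for line in text.splitlines():
        m = CURL_RE.search(line)
        if m:
            codes[m.group("code")] += 1
    return codes


def aggregator_indicators(text):
    """Count the aggregator-log signals that accompany a CA mismatch."""
    ind = Counter()
    for line in text.splitlines():
        if "Received fatal alert: unknown_ca" in line:
            ind["unknown_ca"] += 1
        if "SSL handshake failed" in line:
            ind["handshake_failed"] += 1
        if "DisconnectReason=FAILURE_TO_CONNECT" in line:
            ind["failure_to_connect"] += 1
    return ind


def diagnose(agent_codes, indicators):
    """Map the two logs onto the causes this article lists.

    libcurl 60 (CURLE_PEER_FAILED_VERIFICATION: the server's chain is not
    signed by a CA the agent trusts) on the agent side together with
    unknown_ca on the Endpoint Server means the agents' CA and the server's
    certificate_authority keystore no longer match (Resolution Option 1 or 2).
    unknown_ca with no agent-side code 60 points at the non-agent client
    described under Additional Information.
    """
    if indicators["unknown_ca"] and agent_codes["60"]:
        return "ca_mismatch"
    if indicators["unknown_ca"]:
        return "unknown_ca_from_non_agent_client"
    if agent_codes:
        return "connectivity_only"
    return "no_tls_trust_issue"


if __name__ == "__main__":
    codes = parse_agent_log(AGENT_LOG)
    ind = aggregator_indicators(AGGREGATOR_LOG)
    print(dict(codes), dict(ind), diagnose(codes, ind))
```

Run it against the real agent log (`edpa_ext0.log` and its rotations on the endpoint) and the aggregator log on the Endpoint Server; a result of `ca_mismatch` across many agents after an Enforce rebuild is the situation the Cause section describes, while `unknown_ca_from_non_agent_client` means the agents themselves are fine and the connecting host needs to be identified instead.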

 

Cause

Any one of the following situations causes the unknown_ca message in the Endpoint Server logs. In each case the Endpoint Server presents a certificate chain issued by a CA that the installed agents do not trust, so the agents reject the TLS handshake.

Enforce is migrated to a separate server.
Enforce is uninstalled and re-installed on a new server without the Enforce Reinstallation Bundle.
During a disaster recovery, Enforce has created a new CA certificate and keystore file.

 

Resolution

Option 1: Revert the Server keys to match the clients

Step 1 Prepare for certificate replacement

  1. Remove the Endpoint Server whose agents report a status of Unknown from the Enforce console.
  2. Stop the Symantec DLP Detection Server Controller service.
  3. Rename the certificate_authority keystore file created by the new Enforce system.
  4. Add the original certificate_authority keystore file from the old Enforce keystore folder to the new Enforce keystore folder.

Step 2 Update the certificate file name reference in the DLP database.

  1. Connect to the Oracle database using the protect user account. If protect is not the schema owner, use the schema user for the DLP database instead.
  2. Run the following query to determine the current CertificateFileName and CertificateID values.

select * from certificate;

If the value of CertificateFileName differs from the name of the original certificate_authority keystore, update the database using the following query.
The query below assumes the correct certificate file name is certificate_authority_v1.jks.

update certificate set CERTIFICATEFILENAME='certificate_authority_v1.jks' where CERTIFICATEID=1; commit;

Step 3 Add existing Endpoint Server back into the Enforce console

  1. After committing the change to the DLP database, start the Symantec DLP Detection Server Controller service.
  2. Once the service is up and running, add the old Endpoint Server to Enforce by name, IP address, or FQDN, matching how it existed previously.
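Steps 1.3, 1.4 and 2 of Option 1 amount to a file swap plus one database row update, and the mistake to avoid is overwriting the only copy of either keystore. The script below is an added example, not a Symantec tool: it keeps the keystore generated by the new Enforce under a backup name, installs the original keystore from the old Enforce, refuses to do anything if the two files are already identical, and renders the UPDATE statement from the article with the file name checked against a conservative pattern. The keystore file name `certificate_authority_v1.jks` is the article's example; the directory layout, the `.new-enforce.bak` suffix and the stand-in file contents used by `demo_swap()` are constructed assumptions.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# The article's example keystore name; adjust to the name in the CERTIFICATE table.
DEFAULT_KEYSTORE = "certificate_authority_v1.jks"


def keystore_digest(path):
    """SHA-256 of a keystore file, to confirm the old and new files really differ."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def prepare_keystore_swap(new_keystore_dir, original_keystore, filename=DEFAULT_KEYSTORE):
    """Steps 1.3 and 1.4: keep the keystore the new Enforce generated under a backup
    name, then place the original keystore from the old Enforce in its position.
    Returns (installed_path, backup_path_or_None)."""
    new_dir = Path(new_keystore_dir)
    original = Path(original_keystore)
    if not original.is_file():
        raise FileNotFoundError(f"original keystore not found: {original}")
    target = new_dir / filename
    backup = None
    if target.exists():
        if keystore_digest(target) == keystore_digest(original):
            # Nothing to do: the server already holds the CA the agents trust.
            return target, None
        backup = target.with_name(filename + ".new-enforce.bak")  # assumed suffix
        target.rename(backup)
    shutil.copy2(original, target)
    return target, backup


def build_update_sql(certificate_file_name, certificate_id=1):
    """Step 2: the UPDATE the article gives, with the file name restricted to a
    safe character set so it can be pasted into sqlplus without quoting surprises."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+\.jks", certificate_file_name):
        raise ValueError(f"unexpected keystore file name: {certificate_file_name!r}")
    return (
        f"update certificate set CERTIFICATEFILENAME='{certificate_file_name}' "
        f"where CERTIFICATEID={int(certificate_id)};\ncommit;"
    )


def demo_swap():
    """Exercise the swap against constructed stand-in files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        old_dir = Path(tmp) / "old_enforce" / "keystore"
        new_dir = Path(tmp) / "new_enforce" / "keystore"
        old_dir.mkdir(parents=True)
        new_dir.mkdir(parents=True)
        # Constructed stand-ins for keystore contents (not real JKS data).
        (old_dir / DEFAULT_KEYSTORE).write_bytes(b"ORIGINAL-CA-KEYSTORE")
        (new_dir / DEFAULT_KEYSTORE).write_bytes(b"NEW-CA-KEYSTORE")
        installed, backup = prepare_keystore_swap(new_dir, old_dir / DEFAULT_KEYSTORE)
        return {
            "installed_matches_original": installed.read_bytes() == b"ORIGINAL-CA-KEYSTORE",
            "backup_kept": backup is not None and backup.read_bytes() == b"NEW-CA-KEYSTORE",
            "second_run_is_noop": prepare_keystore_swap(new_dir, old_dir / DEFAULT_KEYSTORE)[1] is None,
        }


if __name__ == "__main__":
    print(demo_swap())
    print(build_update_sql(DEFAULT_KEYSTORE))
```

Run `prepare_keystore_swap()` only after the Detection Server Controller service is stopped (step 1.2); the digest check is what tells you whether the keystore on the Endpoint Server is already the one the agents were built against, in which case the CA mismatch must lie elsewhere and the Additional Information section applies.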

Option 2: Reinstall affected agents with a new agent package created by the new Enforce server.

  1. Download the latest Public Hotfix Agent.
  2. Build an agent install package.
  3. Upgrade the existing agents.

Additional Information

Other known causes of unknown_ca messages, unrelated to DLP Agent certificates:
A machine on the network opens a connection to the Endpoint Server and presents a certificate that was not issued by the Enforce server. See article 265236 for how to identify the IP address of the machine connecting to the Endpoint Server.
