Agents that are expected to be reporting(green) are in a non-reporting state(red), or vice versa within the agent overview.
Basic network connectivity
Verify the Agent machine can ping the Endpoint server by name or IP address.
Check both Agent and Aggregator logs for errors.
Within the agent logs, look for the lines following CurlTransportLayer and ServerCommunicatorService. You may notice certificate errors such as handshake failures.
Within the aggregator logs, any communication errors should result in a severe error that describes the problem.
There are many settings that relate to performance and convenience within various properties files and the advanced agent settings.
Advanced Agent settings:
This setting controls how often an agent checks in with the Endpoint Server. This should generally be left at the default of 15 minutes (900 seconds). If this has been decreased, it should not be decreased below 1 minute per every 1000 agents.
This setting controls when the agent will close the connection if no traffic or heartbeat has been received from the server. Under normal circumstances, this setting should not come into play. Agents should transfer all data and be disconnected by the server well before this time is reached. This should be left at the default of 300 seconds.
This setting controls when the server will send a heartbeat to the agent to detect if it is still connected. This setting is only used if the agent idle timeout is disabled. The normal, expected, behaviour is for traffic to cease for 30 seconds, thus causing the server to disconnect the agent after CommLayer.NO_TRAFFIC_TIMEOUT_SECONDS This should be left at the default of 270 seconds.
This setting controls when the server will disconnect the agent. When an agent checks in during its normal polling interval, after it has transferred all data, and then remain idle. After 30 seconds of this idle connection, the server will initiate a disconnect on the agent. This is considered normal and default behaviour. This should be left at the default of 30 seconds.
Enforce General Settings
Not reporting time
When navigating to System -> Settings -> General within Enforce, there is a setting labelled ‘Show Agent as "Not Reporting" after’. This setting controls how long Endpoint Server will wait before it reports to Enforce that the agent has stopped reporting. The default is 18 hours. This setting can be raised or lowered depending on preferences, however it cannot be made lower than ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int.
Server Properties files
Both MonitorController.properties and Aggregator.properties on the endpoint server have a setting of MaxQueueSize. This setting controls how many tasks can be queued on each of the respective servers. The default value is 5000. It is recommended that this value be increased. On Aggregator.properties we should use a value of 2x the number of agents that regularly connect to that server. On MonitorController.properties this should be increased to 10,000.
Communication.properties (config file on the Detection Server)
By default the acceptTimeout value is set to 60000, which in many cases is not enough time. Most people will find an improvement in their environment by doubling this value and increasing the acceptTimeout value from 60000 to 120000 allowing more time for commands to be accepted before they timeout.
Triggering an update
Often times, it is assumed that ‘Last Update Time’ refers to the last time the agent checked in. This is false. The ‘Last Update Time’ is only updated when agents' attributes or statuses receive a new update in the oracle database.
In order to force an update of ‘last update time’, we can modify the description of the agent configuration applied to that agent. This will force an update that will update the agent’s last update time. See Article 162207 for more details.
When agents are connected to their endpoint servers. A couple of considerations are needed.
Since the entity responsible for signalling to Enforce that an agent is not reporting is an Endpoint server, this occurs as soon as its ‘Not Reporting Time’(18 hours by default) has been reached. If an agent checks in with different servers on each polling interval, then the chance that it will not connect to a server for 18 straight hours is highly likely. At this point, the endpoint server will report the agent as ‘Not Reporting’ despite the agent being successfully connected to another endpoint server.
In some scenarios, the agent may be communicating with a different Endpoint Server than expected, causing the status of the agent to remain unchanged in Enforce. Deleting the Endpoint Server cached information may resolve this issue.
C:\ProgramData\Symantec\Data Loss Prevention\DetectionServer\<version>\agentattributes