DLP Agent Connectivity Troubleshooting

Article ID: 170904

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Common causes of agent connection problems and where the line of communication may be broken.

Resolution

Agent Health

First, determine if the agent is healthy.

Go through the following agent health checks to determine whether the agent is healthy.

  • Icon in agent overview
    Agents that are not healthy usually have a red X and a connection status of "Not Reporting." Healthy agents have a green check mark and a status of "Reporting."

  • Last update time / Update agent configuration
    The last update time should reflect the last time the agent configuration was updated. To test this, modify the Agent Configuration, then update the agent group that the agent belongs to. If it does not update within two agent polling intervals, the agent may not be in a healthy state.

  • Incidents from client
    If the client detects incidents but the console does not show the incidents from the client, there may be a connectivity issue.

  • Can disable to warning state then enable to a normal state (optional test)
    Disable the agent by checking the box next to the agent, then selecting Disable under the Troubleshoot drop-down. Click OK on the next page. If the agent checks in and goes to a warning state, troubleshooting tasks are working; select the agent and enable it again. If the task times out and the agent does not disable, there may be a connectivity problem.

If you have confirmed that the agent communication is not in a healthy state, proceed with the troubleshooting below. If the agent does respond to the health checks, the issue is more likely a policy or configuration problem somewhere in the product.

To continue troubleshooting the agent communication, read the following items, find the symptoms that match, and troubleshoot using the respective items.

Endpoint Detection Server Troubleshooting

Symptom: System > Server and Detectors > Overview shows a status of something other than "Running" for the endpoint detection server.

If the Overview indicates that there are problems then use the following troubleshooting methods.

Troubleshooting

  • Verify communication on server port both directions

    1. From the Server Overview page click on the Endpoint server.

    2. Click Configure.

    3. Note the port under general. This is the port that Enforce communicates to the server on. Verify the port is open from the Enforce server to the detection server. See KB TECH249446 for details on how to port check.

  • Verify Detection Server Version
    On the Overview page, verify that the detection server is the same version as the Enforce Server.

  • Verify supported OS for detection server
    Check the System Requirements guide for your release (DLP 14 Guide, DLP 15 Guide). Verify that the exact OS version the detection server is running is supported.

  • Add alternate endpoint server
    Add an alternate endpoint server in case the load for the existing endpoint server is too much. See TECH249457 for instructions on how to migrate clients to the new server.

Agent Service Troubleshooting

Symptom: EDPA or WDP services are not running on the client machine

If the DLP agent services are not running, this indicates a problem on the client. Use the following troubleshooting methods.

Troubleshooting

  • Verify agent version
    Is the agent up-to-date with the Enforce console? Look at the properties of the edpa.exe and compare the version to the Enforce version on the server overview page.

  • Verify architecture type
    Is the correct agent architecture type installed (32-bit / 64-bit)? If you search the registry on the client machine for "AgentInstall64", it should only be present on machines with the 64-bit agent installed. Does that match the architecture type listed under the computer properties?

  • Reboot the System
    Sometimes client machines get in a bad state. Reboot the system to see if the issue clears up.

  • Reinstall Agent
    Agents services may not start due to a partial or corrupt install. Reinstall the agent. See TECH247833 for details.

Other Troubleshooting

If the symptoms listed do not match your current situation, look into the following common issues and solutions for agent connectivity. After addressing any of the items below, you can test the agent connection by rebooting the client, then going through the agent health checks above.

  • Detection server route and resolution
    Can the client ping the Endpoint Server by IP address, hostname and FQDN? The client must be able to reach the endpoint server using whichever type of identifier was specified when the agent install package was built.

  • Check agent communication port
    Can the Client machines connect to the endpoint detection server on the specified port? Check the port that the endpoint server listens on by doing the following:

    1. From the Enforce console go to System > Servers and Detectors > Overview.

    2. Click on the endpoint server.

    3. On the top of the next page click configure.

    4. Note the port listed under the Agent tab (the default value is 10443).

    5. Verify the port is open from the client machine to the server. See KB TECH249445.

If the client cannot communicate on the port then check local and network firewall settings.

  • Build New Agent Package
    Sometimes there are problems with certificates that were updated after the agent package was built. Building a new agent package then reinstalling the agent will usually address this issue.

  • Check "Not Reporting" timeout
    Go to System > Settings > General. Search for "Not Reporting" timeout. Compare to ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int in the Agent Configuration advanced settings. If the polling period is longer than the "Not Reporting" timeout then agents will be set to inactive before they can check in. Adjust either value as needed.

  • Recycle services on endpoint server
    From the Enforce console go to System > Servers and Detectors > Overview. Click on the endpoint server. Click the recycle button next to the status.

  • Recycle MonitorController service on Enforce
    Note: Make sure the endpoint server is running status first. From the Enforce console go to System > Servers and Detectors > Overview. Click on the Enforce Server. Click on the recycle button next to the MonitorController status.

  • Verify DNS settings
    Run an nslookup command against the hostname and FQDN of the endpoint server and of the client machine. Verify that both resolve correctly. Forward and reverse DNS lookups are a requirement for endpoint agents to function correctly.

  • Load balancer settings
    If there is a load balancer in between the client and endpoint server and there are SSL unknown protocol errors in the agent logs then enable address translation on the load balancer.

  • DLP Endpoint agent requires an IPv4 connection: see "DLP Endpoint Agent does not communicate when connected via Microsoft Direct Access (VPN)".
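As an added example (not code from the article or from the product), the following PowerShell script runs the client-side checks from the lists above in one pass: EDPA/WDP service state, the edpa.exe version to compare against Enforce, the 32/64-bit match, forward (IPv4-only) and reverse DNS for the FQDN and short hostname, ping, and a TCP connect to the agent port. The server FQDN, the edpa.exe path and the registry search are assumptions; set them for your environment.

```powershell
# Added example: client-side DLP agent connectivity checks. Server name and
# edpa.exe path are placeholders (assumptions), not values from the article.
param(
    [string]$EndpointServer = "dlp-endpoint.example.com",  # placeholder FQDN
    [int]$AgentPort = 10443,                                # default from the Agent tab
    [string]$EdpaPath = "C:\Program Files\Manufacturer\Endpoint Agent\edpa.exe"  # assumed path
)
$results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Check; Result = $(if ($Ok) { "OK" } else { "FAIL" }); Detail = $Detail }
}
# 1. Agent services (EDPA / WDP) must be running.
foreach ($svc in "EDPA", "WDP") {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Add-Result "Service $svc running" (($null -ne $s) -and ($s.Status -eq "Running")) $(if ($s) { "$($s.Status)" } else { "not installed" })
}
# 2. Agent version (compare with Enforce on the Server Overview page) and architecture match.
if (Test-Path $EdpaPath) {
    Add-Result "edpa.exe version" $true (Get-Item $EdpaPath).VersionInfo.FileVersion
}
$agent64 = [bool](Get-ChildItem HKLM:\SOFTWARE -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq "AgentInstall64" -or $_.Property -contains "AgentInstall64" } |
    Select-Object -First 1)   # recursive registry search; can take a while
$os64 = [Environment]::Is64BitOperatingSystem
Add-Result "Agent architecture matches OS" ($agent64 -eq $os64) "AgentInstall64=$agent64, 64-bit OS=$os64"
# 3. Forward DNS for FQDN and short hostname; IPv4 only, since the agent needs an IPv4 path.
$ip = $null
foreach ($name in @($EndpointServer, $EndpointServer.Split(".")[0]) | Select-Object -Unique) {
    try {
        $a = [System.Net.Dns]::GetHostAddresses($name) | Where-Object { $_.AddressFamily -eq "InterNetwork" }
        if (-not $a) { throw "no IPv4 (A) record" }
        if (-not $ip) { $ip = $a[0].IPAddressToString }
        Add-Result "Forward DNS $name" $true ($a.IPAddressToString -join ", ")
    } catch { Add-Result "Forward DNS $name" $false $_.Exception.Message }
}
# 4. Reverse DNS and ICMP reachability of the resolved address.
if ($ip) {
    try { Add-Result "Reverse DNS $ip" $true ([System.Net.Dns]::GetHostEntry($ip).HostName) }
    catch { Add-Result "Reverse DNS $ip" $false $_.Exception.Message }
    Add-Result "Ping $ip" (Test-Connection -ComputerName $ip -Count 1 -Quiet) "ICMP echo"
}
# 5. TCP connect to the agent port; a failure here points at local or network firewalls.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $ar = $tcp.BeginConnect($EndpointServer, $AgentPort, $null, $null)
    $ok = $ar.AsyncWaitHandle.WaitOne(5000) -and $tcp.Connected
    Add-Result "TCP ${EndpointServer}:$AgentPort" $ok $(if ($ok) { "connected" } else { "timeout or refused" })
} catch { Add-Result "TCP ${EndpointServer}:$AgentPort" $false $_.Exception.Message }
finally { $tcp.Close() }
$results | Format-Table -AutoSize
```

Run it from an elevated prompt on the client; a FAIL on the TCP check with DNS passing is the pattern that points at firewall or load balancer settings rather than name resolution.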


If none of the above items resolve the problem, contact support. Please collect the following information:

  1. Agent log files, after first enabling FINEST level logging as described in TECH248581.

  2. Reboot the client and collect the logs as described in TECH222092.

  3. Describe the scope of the problem. How many machines does this affect? How long has this been happening?

  4. Describe which symptoms from above you checked and what troubleshooting you have done.

  5. Send all logs to support.

Advanced troubleshooting

  1. Install Wireshark on the client machine and the endpoint server.

  2. Enable FINEST level logging for the aggregator on the endpoint server. See KB TECH249449.

  3. Stop the agent service using services_shutdown.exe (Windows) from the agent tools or launchctl (OSX); see the DLP Admin Guide for details. Start a Wireshark capture on the server and the client. Start the edpa service on the client. Wait a few minutes, then collect the capture files, the agent logs, and the endpoint server logs.

  4. Send all logs to support.
