search cancel

Check if port is open when communication fails for Symantec products

book

Article ID: 171121

calendar_today

Updated On:

Products

Data Loss Prevention

Issue/Introduction

Communication fails between clients and servers for Symantec Data Loss Prevention (DLP) or other Symantec products. Learn how to determine if a server is listening on a specific port in this scenario. This can also be used to troubleshoot when endpoint agent intermittent connectivity issues occur.

Resolution

Determine if the port has a listener on the server you want to connect to. While on the Endpoint detection server (or any target server) run the following :

netstat -an | find "<port number>"

You should see an online TCP listener for 0.0.0.0 on port 10443; the IP can be 0.0.0.0 or any of the local IP addresses.

After you confirm that the server is listening on the port, go to a client and use one of the following methods to see if the port is open over the network.

Method 1: PowerShell 

This method is recommended because other application like telnet can have their specific type of communication blocked rather than just their port.

We will use the Test-NetConnection powershell command. The first parameter is the destination and then we specify the port by including the -port switch.

For example:

Test-NetConnection 10.243.101.82 -port 10443

This will ping the remote server 10.243.101.82 and then attempt a TCP connection on port 10443.

 

(Optional) If needed, go to the target machine and use the following PowerShell command to start a listener (only do this if a service is not already listening on the port, verify with 'netstat -an' command): 

The following command can be used on the remote server to start listening on port 80

$Listener = [System.Net.Sockets.TcpListener]80;
$Listener.Start();

Once the test is complete run the following command to stop the listener:

$Listener.Stop();

Method 2: Telnet Client

Using the telnet client can be used if PowerShell is not available or telnet is already enabled on the machine. The main drawback of using telnet is that you can get a false negative result because some routers can specifically block telnet traffic even if the port is open.

Follow these steps to test a TCP connection with telnet:

  1. Open a command prompt
  2. Run the following command:

    telnet <Destination IP> <port number>

Example:

telnet 192.168.2.100 10443
  • If the port is open and telnet is attempting to establish a connection, the screen clears and goes dark.
  • If the port is closed, you should see the message: "Could not open connection to the host, on port <port number>: Connect failed."
  • If the port is not enabled, you see an error stating that telnet is not recognized as an internal command.

To enable the telnet client:

  1. In the Windows Control Panel, search for "Turn Windows features on or off".
  2. Check Telnet Server and Telnet Client.
  3. Click OK. The features are installed.
  4. Open a new command prompt and try again.

 

Also note: Source ports on client machines with DLP agent (and most other applications) are dynamic and may need to be factored in when it comes to firewall rules.

Attachments

Powered by Wolken Software