Protection Engine 8.x unable to enroll scanner, or scanner is not communicating with the Central Console

Article ID: 172637

Products

Protection Engine for Cloud Services, Protection Engine for NAS, Cloud Workload Protection for Storage

Issue/Introduction

Symantec Protection Engine (SPE) 8.0 cannot be enrolled with the Central Console.

SPE 8.0 does not successfully upload log information and status to the Central Console.

Failed to Enroll Scanner

If the scanner is being registered for the first time, it will not count towards the number of scanners on the dashboard, and it will not appear on the list of scanners.

If the scanner was registered previously and not unenrolled, it will count towards the number of scanners on the dashboard, but be colored red to indicate it is offline. In the List of scanners, the status of the scanner will be "Offline".

Resolution

How to enable debug logging of the Common Agent Framework (CAF) service.

 

Windows:

  1. Back up cafagent.log, then delete it from “C:\Program Files\Symantec\Common Agent Framework\Log”.
  2. Go to “C:\Program Files\Symantec\Common Agent Framework”.
  3. Open the file “cafservicemain.properties”.
  4. Go to the end of the file and change the “logging.loggers.root.level” parameter from information to debug, so that the line reads: logging.loggers.root.level = debug
  5. Save the file.
  6. Restart the Protection Engine service by running the following commands:
    net stop "Symantec CAF Service"
    net start "Symantec CAF Service"
  7. Run enroll.bat to reproduce the issue.
  8. Gather and attach to the case the cafagent.log file located in “C:\Program Files\Symantec\Common Agent Framework\Log” and the SPE log located in "\Program Files\Symantec\scan engine\logs".

 

Linux:

  1. Back up cafagent.log, then delete it from “/var/log/sdcss-caflog/”.
  2. Go to “/opt/Symantec/cafagent/bin”.
  3. Open the file “cafservicemain.properties”.
  4. Go to the end of the file and change the “logging.loggers.root.level” parameter from information to debug, so that the line reads: logging.loggers.root.level = debug
  5. Save the file.
  6. Run the following command to restart the service:
    service cafagent restart
  7. Run enroll.sh to reproduce the issue.
  8. Gather and attach to the case the cafagent.log file located in “/var/log/sdcss-caflog/” and the SPE logs located in "/opt/SYMCScan/logs".
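
Linux steps 1 to 6 as a script, added here as an example and not part of the vendor's tooling. The paths and the property key are the ones this article gives; the function names are hypothetical. Passing "information" instead of "debug" puts the logger back at its original level once the logs are collected.

```shell
#!/bin/sh
# Added example: automates Linux steps 1-6 of this article.
# Paths come from the article; function names are hypothetical.
CAF_PROPS="/opt/Symantec/cafagent/bin/cafservicemain.properties"
CAF_LOG="/var/log/sdcss-caflog/cafagent.log"
KEY="logging.loggers.root.level"

# Print the active root logger level in file $1 (empty if the key is absent).
# Commented-out lines are ignored; the last active assignment wins.
get_caf_log_level() {
    sed -n "s/^[[:space:]]*logging\.loggers\.root\.level[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '[:space:]'
}

# Set the root logger level in properties file $1 to $2, keeping a .bak copy.
# Rewrites the existing line in place, or appends the key if it is missing.
set_caf_log_level() {
    file=$1 level=$2
    cp -p "$file" "$file.bak" || return 1
    if grep -q "^[[:space:]]*logging\.loggers\.root\.level[[:space:]]*=" "$file"; then
        sed "s/^\([[:space:]]*logging\.loggers\.root\.level[[:space:]]*=\).*/\1 $level/" \
            "$file.bak" > "$file"
    else
        # Make sure the appended key starts on its own line.
        [ -n "$(tail -c 1 "$file")" ] && echo >> "$file"
        printf '%s = %s\n' "$KEY" "$level" >> "$file"
    fi
}

# Move the current log aside (timestamped) so the new log holds only the repro.
rotate_caf_log() {
    [ -f "$1" ] || return 0
    mv "$1" "$1.$(date +%Y%m%d%H%M%S).bak"
}

# Run as root with the argument "debug" or "information"; does nothing otherwise.
if [ "${1:-}" = "debug" ] || [ "${1:-}" = "information" ]; then
    rotate_caf_log "$CAF_LOG"
    set_caf_log_level "$CAF_PROPS" "$1"
    service cafagent restart
fi
```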

Additional Information

Commonly seen errors:

  • The certificate chain was issued by an authority that is not trusted.
    Fixed in SPE 8.2.2. See 202820 - Protection Engine Enrollment fails due to an untrusted certificate

  • Unknown error 336134278
    Fixed in latest CFT for CWP for Storage. See 232336 - CWP Controller fails to enroll with CAF agent, "Unknown error 336134278"

  • Bridge with stack name '[REMOVED_BY_AUTHOR]' is already exist in given region.
    Use the troubleshooting steps above to delete scanner [REMOVED_BY_AUTHOR] from the CWP for Storage central console and try again. Note that CWP for Storage supports only one (1) Controller Unit per region per AWS account. See 232603 for more on troubleshooting rollbacks for CWP for Storage installation.

  • The parameter is incorrect.
    Seen on SPE 8.2.1 installed on an AWS EC2 instance. Resolved by upgrading to SPE 8.2.2. See 231653


  • A security error occurred
    The OS failed to advertise one of the cryptographic cipher suites supported by the Central Console. See 173733