Troubleshoot an Unknown Detection Server status in the DLP Enforce Console
Article ID: 173004

Products

  • Data Loss Prevention Endpoint Prevent
  • Data Loss Prevention Network Monitor
  • Data Loss Prevention Network Prevent for Email
  • Data Loss Prevention Enforce
  • Data Loss Prevention Network Discover
  • Data Loss Prevention Network Protect

Issue/Introduction

Data Loss Prevention (DLP) Enforce

Go to: Enforce > Servers and Detectors > Overview

Detection Server is showing an "Unknown" status.

Environment

DLP Enforce

Cause

This occurs because the Detection Server is unable to communicate with the Enforce Server. There are many different reasons the servers may be unable to communicate; the steps in this guide help you narrow down which one applies to you.

Resolution

  1. Ping the Detection Server from the Enforce Server to confirm basic communication between the servers.
    • Open CMD on the Enforce Server.
    • Run a ping command against the Detection Server:
      • ping <Detection Server IP or hostname>
        • Success: The servers can see each other and can at least communicate on a basic level.
        • Failure: The servers are unable to see each other at all, and a basic networking issue is causing your problem.
          • For example: if a firewall is blocking all traffic to the server, the ping will fail. Please note: ICMP is turned off by default in all newer versions of Windows, so a failed ping alone is not conclusive.
  2. Telnet into the Detection Server from the Enforce Server over port 8100 (this is the default port).
    • Open CMD on the Enforce Server.
    • Run a telnet command against the Detection Server and port:
      • telnet <Detection Server IP or hostname> 8100
      • Note that a successful telnet connection results in a blank screen (type "exit" to quit telnet).
        • Success: The port is open and the servers can communicate on the IP and port specified. This also confirms the service is up and running, because port 8100 would not be listening if the service were stopped.
        • Failure: The port is not open. Most likely the service on the Detection Server is not running for some reason.
  3. Confirm the "Symantec DLP Detection Server" service is actually running on the Detection Server.
  4. Confirm the "serverBindName" is set to your Detection Server IP address.
    • Settings File: C:\Program Files\Symantec\Data Loss Prevention\Detection Server\15.x\Protect\config\Communication.properties
    • Setting: serverBindName = <Detection Server IP address>
  5. Check the logs for more specific details about why the service is failing to start or communicate.
    • If you have made it this far, general communication between the servers is working and you need to gather more information about why the service is failing to start or is unable to communicate successfully. You can do this by checking the logs.
    • Logs: "C:\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\logs\"
      • BoxMonitor0.log
        • The "BoxMonitor0.log" can be found in the "Debug" folder and is the primary log you will want to check for error messages. This will contain detailed error messages about why the service is failing to start, or why it is unable to communicate with the Enforce Server.
        • You can generally search for the terms "Error" or "Fail" in order to help you quickly and easily identify problems.
          • Example: com.vontu.boxmonitor.BoxMonitorException: Monitor Error 4162
            • This error message is seen when the Bind Address is set incorrectly for the Detection Server. Please note that the Bind Address should point to the IP address of the Detection Server (not the Enforce Server). It is possible to leave this value blank for troubleshooting purposes, but if the server has multiple NICs this can cause other issues; if you are only using a single NIC, leaving it blank should be fine.
          • Example: javax.net.ssl.SSLHandshakeException: no cipher suites in common
            • This error was thrown because the "SSLcipherSuites" did not match between the Enforce and Detection Servers.
          • Example: com.vontu.communication.transport.exception.TransportException: remote endpoint closed connection.
            • This error is seen when the keystore/certificate was never created for a new Detection Server. Create a new keypair for the new Detection Server: How to generate and add a new Detection Server certificates using SSLkeytool (broadcom.com)
            • Alternatively, you can copy the keystore from an existing, working Detection Server. Note that in 15.1+ the keystore folder's default location is under C:\ProgramData. For example, in 15.5 the path is: C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\keystore
  6. If you are seeing SSL related errors, be sure to check that the "SSLcipherSuites" setting on both your Detection Server and your Enforce Server match.
    • Enforce Server: C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\config\MonitorController.properties
    • Detection Server: C:\Program Files\Symantec\Data Loss Prevention\Detection Server\15.1\Protect\config\Communication.properties
    • Setting: SSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA (this is the default value).
  7. Be sure to restart the "Symantec DLP Detection Server" service on the Detection Server and the "Symantec DLP Detection Server Controller" service on the Enforce Server.
    • Changes are not applied until the services are restarted. If you made any changes, make sure you restart the services; if you are having problems in general, it never hurts to restart the services to make sure everything is fully up and running.
    • Please note that it may take the services several minutes to fully come back up, even if they are already showing a "Started" state.
  8. Often, restarting Enforce from within the Enforce console (System -> Servers -> Overview -> Enforce -> Restart) will restart the SymantecDLPDetectionServerController service and re-establish communication with the Detection Server.
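The checks in steps 1 through 6 can be run in one pass from the Enforce Server. The script below is an added example, not part of this article or the product, and assumes Windows PowerShell 5.1 on the Enforce Server, the 15.1 default paths quoted above, and that the Detection Server's config and Debug log folders are reachable over the C$ admin share (the UNC paths and the service display name are assumptions; adjust them, or run the file checks locally on the Detection Server).

```powershell
# Added example: automate the ping / port / service / config / log checks from this article.
# Assumes PowerShell 5.1 on the Enforce Server and the 15.1 default paths; UNC paths are placeholders.
param(
    [Parameter(Mandatory)] [string] $DetectionServer,   # IP or hostname of the Detection Server
    [int] $Port = 8100                                   # default Enforce <-> Detection Server port
)

$enforceProps = 'C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\config\MonitorController.properties'
$dsConfig     = "\\$DetectionServer\C`$\Program Files\Symantec\Data Loss Prevention\Detection Server\15.1\Protect\config\Communication.properties"
$dsLogs       = "\\$DetectionServer\C`$\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\logs\Debug"

# Step 1: ICMP reachability. Newer Windows hosts block ICMP echo by default, so read a
# failure here together with the TCP result from step 2 rather than on its own.
$icmp = Test-Connection -ComputerName $DetectionServer -Count 2 -Quiet
Write-Host "Step 1 ping ............ $(if ($icmp) {'OK'} else {'FAIL (firewall or ICMP disabled)'})"

# Step 2: TCP connect to the Detection Server port (same check as the telnet test).
$tcp = Test-NetConnection -ComputerName $DetectionServer -Port $Port -WarningAction SilentlyContinue
Write-Host "Step 2 tcp/$Port ....... $(if ($tcp.TcpTestSucceeded) {'OK (service is listening)'} else {'FAIL (service down or port blocked)'})"

# Step 3: service state on the remote host (display name as quoted in the article; assumed exact).
$svc = Get-Service -ComputerName $DetectionServer -DisplayName 'Symantec DLP Detection Server' -ErrorAction SilentlyContinue
Write-Host "Step 3 service ......... $(if ($svc) { $svc.Status } else {'NOT FOUND'})"

# Helper: read one key from a Java .properties file ("key = value"; '#' comment lines never match).
function Get-PropValue([string] $Path, [string[]] $Keys) {
    if (-not (Test-Path $Path)) { return $null }
    foreach ($k in $Keys) {
        $line = Get-Content $Path | Where-Object { $_ -match "^\s*$([regex]::Escape($k))\s*=" } | Select-Object -First 1
        if ($line) { return ($line -split '=', 2)[1].Trim() }
    }
}

# Step 4: serverBindName must be the Detection Server's own IP (blank is for troubleshooting only).
$bind = Get-PropValue $dsConfig 'serverBindName'
Write-Host "Step 4 serverBindName .. '$bind' (expected: Detection Server IP, not the Enforce IP)"

# Step 6: the cipher setting must match on both sides; the article spells the key both ways, so try both.
$cipherKeys = 'SSLcipherSuites', 'SSLcipherSuite'
$enfCipher  = Get-PropValue $enforceProps $cipherKeys
$dsCipher   = Get-PropValue $dsConfig     $cipherKeys
Write-Host "Step 6 ciphers ......... Enforce='$enfCipher' Detection='$dsCipher' $(if ($enfCipher -eq $dsCipher) {'MATCH'} else {'MISMATCH (expect SSLHandshakeException)'})"

# Step 5: pull the three error signatures quoted in the article out of BoxMonitor*.log.
$signatures = 'Monitor Error 4162', 'no cipher suites in common', 'remote endpoint closed connection'
Get-ChildItem -Path $dsLogs -Filter 'BoxMonitor*.log' -ErrorAction SilentlyContinue |
    Select-String -Pattern $signatures -SimpleMatch | Select-Object -Last 10 |
    ForEach-Object { Write-Host "Step 5 log hit ......... $($_.Filename):$($_.LineNumber) $($_.Line.Trim())" }
```

Run it from an elevated PowerShell prompt on the Enforce Server as `.\Check-DetectionServer.ps1 -DetectionServer 10.0.0.5` (address is a placeholder); a TCP failure in step 2 with a "Running" service in step 3 points at serverBindName or a host firewall rather than the service itself.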

Once you have identified a specific error message, check whether the solution for your issue can be found in the following KB article: DLP Detection servers show "Unknown" status (broadcom.com). That should resolve most "Unknown" Detection Server errors.

If you are unable to identify the error, or cannot find the solution in the linked KB article, open a case via the Broadcom support portal and zip up ALL of the log files (Operational, Debug & Trace, and Configuration) for the last 7 days from your Detection Server for Symantec Technical Support to review.
