Troubleshoot an Unknown Detection Server status in the DLP Enforce Console
Article ID: 173004
Products
Data Loss Prevention Endpoint Prevent
Data Loss Prevention Network Monitor
Data Loss Prevention Network Prevent for Email
Data Loss Prevention Enforce
Data Loss Prevention Network Discover
Data Loss Prevention Network Protect
Issue/Introduction
Data Loss Prevention (DLP) Enforce
Go to: Enforce > Servers and Detectors > Overview
A Detection Server is showing an "Unknown" status.
Environment
DLP Enforce
Cause
This occurs because the Detection Server is unable to communicate with the Enforce Server. There are many different reasons your server may not be able to communicate. The information in this guide will help you identify which issue you may be running into.
Resolution
Ping the Detection Server from the Enforce Server to confirm basic communication between the servers.
Open CMD on the Enforce Server.
Run a ping command:
ping <Detection Server IP address>
Success: the servers can see each other and communicate at least at a basic level.
Failure: the servers cannot see each other at all, and a basic networking issue is causing your problem. For example, if your firewall is blocking all traffic to the server, the ping will fail.
Please note: ICMP is turned off by default in all newer versions of Windows, so a failed ping on its own does not prove that the network path is broken.
Telnet into the Detection Server from the Enforce Server over port 8100 (this is the default port).
Open CMD on the Enforce Server.
Run a telnet command:
telnet <Detection Server IP address> 8100
Note that a successful telnet connection results in a blank screen (type "exit" to quit telnet).
Success: the port is open and the servers can communicate on the IP address and port specified. This also confirms the service is up and running, because port 8100 would not be listening if it were not.
Failure: the port is not open. Most likely the service on the Detection Server is not running for some reason.
Confirm that the "Symantec DLP Detection Server" service is actually running on the Detection Server.
Confirm that "serverBindName" is set to your Detection Server IP address.
Settings file: C:\Program Files\Symantec\Data Loss Prevention\Detection Server\15.x\Protect\config\Communication.properties
Setting: serverBindName = <Detection Server IP address>
Check the logs for more specific details about why the service is failing to start or communicate.
If you have made it this far it means that the general communication between the servers is working and we need to gather more information about why the service is failing to start, or why it is unable to successfully communicate. We can do this by checking the logs.
Logs: "C:\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\logs\"
BoxMonitor0.log
The "BoxMonitor0.log" can be found in the "Debug" folder and is the primary log you will want to check for error messages. This will contain detailed error messages about why the service is failing to start, or why it is unable to communicate with the Enforce Server.
You can generally search for the terms "Error" or "Fail" in order to help you quickly and easily identify problems.
This error message, for example, is seen when the bind address is set incorrectly for the Detection Server. Please note that the bind address should point to the IP address of the Detection Server (not the Enforce Server). It is possible to leave this value blank for troubleshooting purposes. If you have multiple NICs this can cause other issues, but if you are only using a single NIC then leaving it blank should be fine.
Example: javax.net.ssl.SSLHandshakeException: no cipher suites in common
This error was thrown because the "SSLcipherSuites" setting did not match between the Enforce and Detection Servers.
Alternatively, you can copy the keystore from an existing, working Detection Server. Note that in 15.1 and later the keystore folder's default location is now under C:\ProgramData. For example, in 15.5 the path is: C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\keystore
If you are seeing SSL-related errors, be sure to check that the "SSLcipherSuites" setting matches on both your Detection Server and your Enforce Server.
Enforce Server: C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\config\MonitorController.properties
Detection Server: C:\Program Files\Symantec\Data Loss Prevention\Detection Server\15.1\Protect\config\Communication.properties
Default value (in both files): TLS_RSA_WITH_AES_128_CBC_SHA
Be sure to restart the "Symantec DLP Detection Server" service on the Detection Server and the "Symantec DLP Detection Server Controller" service on the Enforce Server.
Changes are not applied until the services are restarted. If you made any changes, make sure you restart the services. If you are having problems in general, it never hurts to restart the services to make sure everything is fully up and running.
Please note that it may take the services several minutes to fully come back up, even if they already show a "Started" state.
Often, restarting Enforce from within the Enforce console (System -> Servers -> Overview -> Enforce -> Restart) will restart the SymantecDLPDetectionServerController service and re-establish communication with the Detection Server.
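The checks above, collected into one script as an added example (this is not part of the Broadcom article and not a Symantec tool). It runs on the Enforce Server, uses the 15.1 default paths from this article, assumes the Detection Server's C$ administrative share is reachable from Enforce, and needs Windows PowerShell for the remote service query.

```powershell
# Added example, not from the article. Run on the Enforce Server; assumes the detector's
# C$ admin share is reachable and Windows PowerShell (Get-Service -ComputerName) is used.
param(
    [Parameter(Mandatory)][string]$DetectionHost,   # Detection Server IP address (or hostname)
    [int]$Port = 8100,                               # default Enforce <-> Detection Server port
    [string]$Version = '15.1'                        # DLP version used in the paths below
)
$Base       = "\\$DetectionHost\C$"
$Detector   = "$Base\Program Files\Symantec\Data Loss Prevention\Detection Server\$Version\Protect\config\Communication.properties"
$Enforce    = "C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\$Version\Protect\config\MonitorController.properties"
$BoxMonitor = "$Base\ProgramData\Symantec\Data Loss Prevention\Detection Server\$Version\logs\Debug\BoxMonitor0.log"

function Get-PropertyValue([string]$Path, [string]$Key) {
    # Minimal Java .properties reader: "key = value" lines, "#"/"!" comment lines; $null if absent
    foreach ($line in Get-Content -Path $Path -ErrorAction Stop) {
        $t = $line.Trim()
        if ($t -eq '' -or $t[0] -eq '#' -or $t[0] -eq '!') { continue }
        $kv = $t -split '\s*[=:]\s*', 2
        if ($kv.Count -eq 2 -and $kv[0] -eq $Key) { return $kv[1].Trim() }
    }
    return $null
}

# 1. ICMP: informational only, since newer Windows versions block ping by default
$ping = Test-Connection -ComputerName $DetectionHost -Count 2 -Quiet
"1. ping $DetectionHost : $(if ($ping) { 'reply' } else { 'no reply (firewall or ICMP disabled)' })"
# 2. TCP 8100: the same evidence the manual telnet check gives
$tcp = Test-NetConnection -ComputerName $DetectionHost -Port $Port -WarningAction SilentlyContinue
"2. TCP $Port open   : $($tcp.TcpTestSucceeded)"
# 3. Service state on the detector (port closed and service stopped: start it, then read the logs)
$svc = Get-Service -ComputerName $DetectionHost -DisplayName 'Symantec DLP Detection Server'
"3. detector service: $($svc.Status)"
# 4. serverBindName must be the detector's own IP (blank is tolerable on a single-NIC host)
$bind = Get-PropertyValue $Detector 'serverBindName'
"4. serverBindName   : '$bind'"
if ($bind -and $bind -ne $DetectionHost) { Write-Warning "serverBindName '$bind' differs from $DetectionHost; it must be the detector's own IP" }
# 5. SSLcipherSuites must be identical on both sides, otherwise BoxMonitor0.log shows
#    'SSLHandshakeException: no cipher suites in common'
$eCipher = Get-PropertyValue $Enforce  'SSLcipherSuites'
$dCipher = Get-PropertyValue $Detector 'SSLcipherSuites'
"5. SSLcipherSuites  : Enforce=[$eCipher] Detector=[$dCipher]"
if ($eCipher -ne $dCipher) { Write-Warning 'SSLcipherSuites differ; align them and restart both services' }
# 6. Most recent Error/Fail lines from the primary detector log
"6. last Error/Fail lines in BoxMonitor0.log:"
Select-String -Path $BoxMonitor -Pattern 'Error|Fail' | Select-Object -Last 10 | ForEach-Object { "   $($_.Line)" }
```

If the admin share is not available, copy Communication.properties and BoxMonitor0.log to the Enforce Server and point $Detector and $BoxMonitor at the local copies.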
Once you have identified a specific error message, check whether the solution for your issue can be found in the following KB article: DLP Detection servers show "Unknown" status (broadcom.com). That should resolve most "Unknown" Detection Server errors.
If you are unable to identify the error, or cannot find the solution in the linked KB article, open a case via the Broadcom support portal and zip up ALL of the log files (Operational, Debug & Trace, and Configuration) for the last 7 days from your Detection Server for Symantec Technical Support to review.