Troubleshooting "Unknown" Detection Server status in the DLP Enforce console
search cancel

Troubleshooting "Unknown" Detection Server status in the DLP Enforce console

book

Article ID: 173004

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent Data Loss Prevention Network Monitor Data Loss Prevention Network Prevent for Email Data Loss Prevention Enforce Data Loss Prevention Network Discover Data Loss Prevention Network Protect

Issue/Introduction

You need to troubleshoot DLP services not starting or showing an "Unknown" status in the Data Loss Prevention (DLP) Enforce console.

  • Detection Server is showing an "Unknown" status
  • Email Prevent servers are in an "Unknown" status
  • Protect servers are stuck in a starting state
  • DLP services are not starting

This is visible in the Enforce console under Servers and Detectors > Overview.

 

Cause

This occurs because the Detection Server is unable to communicate with the DLP Enforce Server, which may be due to a variety of reasons.

Resolution

Step 1: Ping the Detection Server

Ping the Detection Server from the Enforce Server to confirm basic communication between the servers.

  1. Open CMD on the Enforce Server
  2. Run a ping command

    ping



    • Success: This means the servers can see each other and at least communicate on a basic level.
    • Failure: This means that the servers are unable to see each other at all and there is a basic networking issue causing your problem.

      For example, if your firewall was blocking all traffic to the server, your ping may fail.

      Note: ICMP is turned off by default in all newer versions of Windows.



Step 2: Telnet into the Detection Server

Telnet into the Detection Server from the Enforce Server over Port 8100 (this is the default port).

  1. Open CMD on the Enforce Server
  2. Run a telnet command

    telnet



    Note: A successful "telnet" connection will result in a blank screen (type "exit" to quit telnet).

    • Success: This means that the port is open and we can successfully communicate on both the IP and Port specified. This also confirms that the service is up and running, as port 8100 would not be listening if it were not running.
    • Failure: This means that the port is not open, and it's likely that the service on the Detection Server is not running.

Step 3: Confirm the "Symantec DLP Detection Server" service is running

Confirm that the "DLP Detection Server" service is actually running on the Detection Server.

Step 4: Confirm "serverBindName" is set to your Detection Server IP address

  • Settings File: C:\Program Files\Symantec\DataLossPrevention\DetectionServer\15.X.X\Protect\config\Communication.properties or C:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.X.X\Protect\config\Communication.properties
  • Setting: serverBindName =



Step 5: Check logs to see if communication issues remain

If communication between the servers is working but the service is failing to start or is unable to report the correct status, gather the following logs in C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\<version>\logs:

BoxMonitor0.log

The "BoxMonitor0.log" can be found in the "Debug" folder and is the primary log you will want to check for error messages. This will contain detailed error messages about why the service is failing to start, or why it is unable to communicate with the Enforce Server.

You can generally search for the terms "Error" or "Fail" in order to help you quickly and easily identify problems.

  • Example: com.vontu.boxmonitor.BoxMonitorException: Monitor Error 4162
    • This error message, for example, is seen when the Bind Address is set incorrectly for the Detection Server. Please note that the Bind Address should point to the IP Address of the Detection Server (not the Enforce Server). It is possible to leave this value blank for troubleshooting purposes, but if you have multiple NIC cards this can cause other issues if you are only using a single NIC then leaving this blank should be fine.
  • Example: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    • This error was thrown because the "SSLcipherSuites" did not match between the Enforce and Detection Servers.
  • Example: com.vontu.communication.transport.exception.TransportException: remote endpoint closed connection.
    • ‚ÄčIf you see this error, create a keystore/certificate for the new Detection Server.
    • Alternatively you can copy the keystore from an existing, working detection server. Note that in 15.X+/16.X the keystore folders default location is now in C:\ProgramData. For example, in 15.5, the path is: C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.X\keystore or C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.X.X\keystore

SSL errors

If you are seeing SSL-related errors, check that the "SSLcipherSuites" settings on your Detection Server and Enforce Server match.

  • Enforce Server: C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.X\Protect\config\MonitorController.properties or C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\16.X\Protect\config\MonitorController.properties
  • Detection Server: C:\Program Files\Symantec\Data Loss Prevention\Detection Server\15.X\Protect\config\Communication.properties or C:\Program Files\Symantec\Data Loss Prevention\Detection Server\16.X\Protect\config\Communication.properties
  • Setting: SSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA (this is the default value).

Step 6 - Restart DLP services

Changes are not applied until the DLP services are restarted. If you make any changes or continue having problems, restart the following services to ensure everything is fully up and running.

  • Detection Server: Symantec DLP Detection Server
  • Enforce Server: Symantec DLP Detection Server Controller

Note: It may take the services several minutes to fully come back up, even if they are already showing a "Started" state.

Step 7 - Restart Enforce

Restarting Enforce from within the Enforce console will restart the SymantecDLPDetectionServerController service and re-establish communication with the Detection Server.

Click System > Servers > Overview > Enforce > Restart.

Additional Information

If you have identified a specific error message in the logs, you can find more details in DLP Detection servers show "Unknown" status (broadcom.com). This article should help you resolve most "Unknown" Detection Server errors.

If you are unable to identify the error or find the solution, open a case and zip all of the following log files for the last 7 days from your Detection Server for Support to review.

  • Operational logs
  • Debug & Trace logs
  • Configuration logs