Landing page: DLP cloud detectors disconnected

Article ID: 197864

Products

Data Loss Prevention Cloud Detection Service
Data Loss Prevention Cloud Detection Service for ICAP
Data Loss Prevention Cloud Detection Service for REST
Data Loss Prevention Cloud Service for Email
Data Loss Prevention Cloud Package

Issue/Introduction

A Cloud Detector showing as "Disconnected" is the most common issue reported by customers setting up the DLP Cloud Service. Use the workflow below to narrow down the cause, then follow the steps in the linked articles to resolve it.

Cause

Various

Environment

DLP Cloud Service

DLP Cloud Detector

DLP Cloud Connector

Resolution

  1. New install, no other Cloud Detectors enrolled prior to this – check for error codes:
    1. Has a 4201 event code (error requesting client certificate from Symantec Managed PKI Service). This is the most common cause and is always network-related: the network team for the Enforce server environment needs to update the proxy and/or firewall rules so that Enforce can reach the Cloud Service Gateway. See DLP Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service (broadcom.com).
    2. Does NOT have a 4201 event code, but instead has a 4200 event (client certificate successfully obtained from Symantec Managed PKI Service). Check the Enforce Tomcat (localhost) log for either of the following errors:
      1. "Unable to write key store file": see Unable to write key store file "enforce_keystore.jks" when registering new Cloud Detection Server (broadcom.com)
      2. "bouncycastle": see Cloud detector showing "disconnected" after bundle upload to Enforce (broadcom.com)
    3. No errors per se. Might show as "Unknown".
      1. Try recycling the Enforce DetectionServerController service (aka the MonitorController service).
      2. FYI: the Cloud Service presents additional requirements for MonitorController service. For details and recommended levels, see Monitor Controller performance issues after adding new Detection Servers (broadcom.com)
  2. Not a new install – was previously connected, but now is NOT:
    1. Firstly, as of December 2020, the DLP Cloud Services have started a phased migration to the Google Cloud Platform. For more information about the GCP migration, see this Product Advisory.
    2. Regarding the migration:
      1. The Enforce server should be on version 15.1 MP1 or higher. If it is NOT, replace the Enforce truststore as per Replacing the Cloud Services Enforce Truststore prior to migration of DLP Cloud Service to Google Cloud Platform (broadcom.com).
      2. Any proxy and firewall rules must be updated to allow the Enforce server continued access to the URLs in the first KB link above (legacyId=TECH236383). 
      3. If the truststore is NOT replaced, this article describes the error which can result: Cloud Detector Disconnect - authentication issue with the validity of the certificate (broadcom.com)
      4. For up-to-date info on the timeline of the migration, see the IP Cloud Service Status page.
    3. Secondly, by design, the Cloud Service will “disconnect” every 24 hours. See Cloud Detection Servers show as disconnected periodically (broadcom.com).
    4. Thirdly, also by design, Cloud Certificates expire 3 years after enrollment.
      1. Check the expiration date of the "Cloud Certificate", found on the System > Settings > General page in Enforce.
      2. Renew expiring Cert KB: Renew expiring cloud certificates (broadcom.com).
    5. More than one Detector is involved – usually this appears in relation to some kind of “account issue”:
      1. Error 1: "Cloud Service unreachable due to an account issue":
        1. Recycling the DetectionServerController service, as in KB 160263 above, allows the Detector to reconnect; if this recurs frequently, there is a fix in 15.7 MP1: Error after adding new Cloud Detector "Cloud Service unreachable due to an account issue" and status remains "Disconnected" (broadcom.com).
        2. Recycling does NOT resolve it. If this happened after moving a Cloud Detector from one Enforce server to another, verify whether the second Enforce server was a clone of the first one: please contact Support for assistance on this issue.
      2. Error 2: “Cloud Service is not available because of an account issue”. Usually because of TRIAL Detector, or some kind of error in provisioning, where there are two separate Accounts in one Enforce database: Please contact Support for assistance on this issue.
    6. [Rare]: "The bundle refers to a Gateway different than the one that has already been configured." If you have a Detector provisioned in the EU region and have subsequently added a second Detector that was set up in the US region (or vice versa): please contact Support for assistance on this issue.
    7. If you have upgraded the Enforce "ServerJRE" to 1.8.0.211 or higher – and all Cloud Detectors have gone into a disconnected state: Please contact Support for assistance on this issue.
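The workflow above separates two failure classes that both surface as "Disconnected": a network/proxy problem between Enforce and the Cloud Service Gateway (the 4201 event in step 1.1 and the proxy/firewall rules in step 2.2.2) and a TLS trust problem (the truststore and certificate-validity articles in steps 2.2.1 and 2.2.3). The following script is an added example, not part of this article or of the DLP product, for reproducing the Enforce-side connection from the Enforce host with the Python standard library. It opens a TCP connection (optionally through an explicit proxy with HTTP CONNECT), then performs a TLS handshake with hostname and chain verification, and reports which layer failed. The gateway hostname, port and proxy values are placeholders (assumptions); take the real gateway URLs from the KB referenced in step 2.2.2 (legacyId=TECH236383) and the proxy settings from your Enforce configuration.

```python
"""Reproduce the Enforce -> Cloud Service Gateway connection and classify failures.

Added example (not from the Broadcom KB article or the DLP product).
All hostnames, ports and proxy values here are placeholders / assumptions.
"""
import socket
import ssl
import sys
import time
from typing import Optional, Tuple


def build_connect_request(host: str, port: int) -> bytes:
    """HTTP CONNECT request an explicit proxy needs to tunnel TLS to the gateway."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: keep-alive\r\n\r\n"
    ).encode("ascii")


def proxy_accepted(reply: bytes) -> bool:
    """True when the proxy's status line to our CONNECT is a 2xx."""
    status = reply.split(b"\r\n", 1)[0]
    parts = status.split(b" ")
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/1.") and parts[1].startswith(b"2")


def days_until_expiry(not_after: str, now: Optional[float] = None) -> int:
    """Days until the notAfter string ssl.getpeercert() returns, e.g. 'Jun  1 12:00:00 2025 GMT'.
    Negative means already expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def open_proxy_tunnel(proxy: Tuple[str, int], host: str, port: int, timeout: float) -> socket.socket:
    """Connect to the proxy and ask it to tunnel to host:port; raise if it refuses."""
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(build_connect_request(host, port))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    if not proxy_accepted(reply):
        sock.close()
        raise ConnectionError("proxy refused CONNECT: " + reply.split(b"\r\n", 1)[0].decode(errors="replace"))
    return sock


def classify_gateway(host: str, port: int = 443, proxy: Optional[Tuple[str, int]] = None,
                     cafile: Optional[str] = None, timeout: float = 10.0) -> dict:
    """Return which layer failed, mapped onto the article's two failure classes:
    'network' -> TCP/proxy failure (the 4201 / proxy-and-firewall-rules class)
    'tls'     -> handshake or chain validation failure (the truststore / certificate-validity class)
    'ok'      -> connected; includes days until the gateway's server certificate expires
    Pass cafile to validate against a specific trust store (e.g. one exported from Enforce)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        raw = open_proxy_tunnel(proxy, host, port, timeout) if proxy else \
            socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # includes ConnectionError and socket.timeout
        return {"status": "network", "detail": str(exc)}
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "status": "ok",
                "subject": dict(item[0] for item in cert["subject"]),
                "days_until_expiry": days_until_expiry(cert["notAfter"]),
            }
    except ssl.SSLError as exc:  # SSLCertVerificationError is a subclass
        return {"status": "tls", "detail": str(exc)}
    finally:
        raw.close()


if __name__ == "__main__":
    # Usage: python gateway_check.py <gateway-host> [proxy-host proxy-port]
    # Placeholder default (assumption); substitute the real Cloud Service Gateway host.
    gateway = sys.argv[1] if len(sys.argv) > 1 else "cloud-gateway.example.invalid"
    proxy_arg = (sys.argv[2], int(sys.argv[3])) if len(sys.argv) > 3 else None
    print(classify_gateway(gateway, proxy=proxy_arg))
```

Run it from the Enforce host (with the same proxy Enforce is configured to use) so that it sees the same path Enforce does: a "network" result points at the proxy/firewall rules in step 1.1 or 2.2.2, while a "tls" result points at the truststore steps in 2.2.1 and 2.2.3 rather than at the network team.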