search cancel

Cannot add SEPM to EDR

book

Article ID: 224470

calendar_today

Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

Cannot add SEPM to EDR: error message: "Failed to configure SEPM controller connection"

 

 

Cause

In the atpapp.error.log you see

2021-09-20 06:28:30,293 ERROR http-nio-127.0.0.1-8010-exec-2 (CentralManagerServiceImpl.java:validateSepm:5071) Error when trying to connect to SEPM. Exception : name=ERROR_SERVICE_UNAVAILABLE, description=Can't get response from SEPM Server
com.symantec.atp.central_manager.rmi.exception.SepmCommunicationException: name=ERROR_SERVICE_UNAVAILABLE, description=Can't get response from SEPM Server

and communication_manager.log you see

2021-09-20 06:28:30,286 INFO RMI TCP Connection(16714)-127.0.0.1 (SepmRestApi.java:simpleRequest:441) Updating Sepm connection health for request [https://SEPMURL:8446/sepm/api/v1/identity/authenticate]
2021-09-20 06:28:30,287 INFO RMI TCP Connection(16714)-127.0.0.1 (SepmRestApi.java:updateConnectionStatus:500) Update Status for Server : SEPMURL Domain : SEPMDOMAIN with status code: 503
2021-09-20 06:28:30,287 ERROR RMI TCP Connection(16714)-127.0.0.1 (SepmCommunicationMgrImpl.java:validateSepm:2514) Failed to connect to SEPM. Most probably because of bad/invalid certificate
2021-09-20 06:28:30,291 ERROR RMI TCP Connection(16714)-127.0.0.1 (SepmCommunicatorRemoteImpl.java:validateSepm:895) Error when trying to connect to SEPM. Exception : name=ERROR_SERVICE_UNAVAILABLE, description=Can't get response from SEPM Server
2021-09-20 06:28:36,818 INFO RMI TCP Connection(16714)-127.0.0.1 (SepmRestApi.java:updateRequestUrl:331) failed to get resolved address for SEPM controller [0], requestUrl: [https://SEPMURL:8446/sepm/api/v1/version]
2021-09-20 06:28:36,847 INFO RMI TCP Connection(16714)-127.0.0.1 (SepmRestApi.java:updateConnectionStatus:500) Update Status for Server : SEPMURL Domain : SEPMDOMAIN with status code: 200
2021-09-20 06:28:36,850 INFO RMI TCP Connection(16714)-127.0.0.1 (SepmRestApi.java:updateRequestUrl:331) failed to get resolved address for SEPM controller [0], requestUrl: [SEPMURL:8446/sepm/api/v1/identity/authenticate]

http 503 Service unavailable refers to the SEPM response, line 3: "Most probably because of bad/invalid certificate" is spurious in this case.

The SEPM can fail to respond to the EDR when it is too busy or the service has failed.

Environment

SEDR Version: 4.6.5-32

SEPM version: 14.3.4615.2000

Resolution

The SEPM was unable to accept incoming web requests on the API port, preventing the communication with EDR. 

To confirm whether SEPM is up

  1. On the cmd prompt of the machine where SEPM is installed, type: netstat -n | find ":8446"
  2. If "LISTENING" does not appear in the output, start looking at the health of the SEPM service
  3. If "LISTENING" appears, on the admin CLI of EDR appliance, type: tcp_connect -t IP_OF_SEPM -p 8446
  4. If the output from tcp_check -t does not include the keyword "CONNECT", start focusing on network troubleshooting between EDR and SEPM.
  5. If output from tcp_check -t does not appear to connect, to check cryptography for the connection, type: tcp_connect -s IP_OF_SEPM -p 8446 -vvv 

    The resolution depends on the environmental cause, however restarting the services or entire SEPM has resolved this issue in the short term.