A Windows agent regularly disconnects from the JCP. The following messages appear in the JCP log at the time of the disconnection:
05 - 20240129/050249.870 - U00003406 Client connection '9(7)' from '[External IP address]:52462' has logged on to the Server.
05 - 20240129/050249.917 - U01002200 Received an invalid message from partner '*CP005#00000009' via connection '[External IP address]:52462'.
05 - 20240129/050249.917 - U01002203 Field 'Length' in message header is invalid.
05 - 20240129/050249.917 - U00009907 Memory view 'Invalid Msg from Connection 9' (Address='00000197DE557F70', Length='85')
05 - 20240129/050249.917 - 00000000 247B6A6E 64693A6C 6461703A 2F2F6C6F >${jndi:ldap://lo<
05 - 20240129/050249.917 - 00000010 67347368 656C6C2D 67656E65 7269632D >g4shell-generic-<
05 - 20240129/050249.917 - 00000020 69613372 3476664A 364C5635 67654C4B >ia3r4vfJ6LV5geLK<
05 - 20240129/050249.917 - 00000030 4A49366E 247B6C6F 7765723A 74656E7D >JI6n${lower:ten}<
05 - 20240129/050249.917 - 00000040 2E772E6E 65737375 732E6F72 672F6E65 >.w.nessus.org/ne<
05 - 20240129/050249.917 - 00000050 73737573 7D >ssus}<
05 - 20240129/050249.933 - U00003407 Client connection '9(6)' from '[External IP address]:52462' has logged off from the Server.
01 - 20240129/050250.292 - 257 U00003449 Output to the TRACE file is finished.
The agent log shows messages like this at the same time:
20240129/050327.244 - U02000097 Connection with partner '[External IP address]:36524' accepted.
20240129/050327.272 - U02000327 Unexpected error on connection '[External IP address]:36524' (socket handle = '3770'), reason '"category: 'asio.ssl', (336130315) wrong version number (SSL routines, ssl3_get_record)"'.
20240129/050352.868 - U02000097 Connection with partner '[External IP address]:53698' accepted.
20240129/050352.961 - U02000327 Unexpected error on connection '[External IP address]:53698' (socket handle = '3771'), reason '"category: 'asio.ssl', (337100999) peer did not return a certificate (SSL routines, tls_process_client_certificate)"'.
Version: 21.0
A Tenable scan causes the agent to disconnect.
The agent disconnects due to a Tenable Nessus scanning service. When the scanning service scans the agent port, the agent tries to authenticate the connection as it requires a TLS handshake on every connection. Since the scanning service is unable to provide a matching keystore/certificate, the agent temporarily disconnects from the JCPs.
Either add an exception for this agent's IP address and port so that it is not scanned, or run the scan less often to reduce the number of incidents the scan causes.
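Added example (not part of the original article or of the vendor's tooling): a Python parser that rebuilds the rejected message from the U00009907 memory-view rows in the JCP log and labels it, so a disconnect can be tied to a scan. The function names are hypothetical, the sample input is taken from the log excerpt above, and reading Length as a decimal byte count is an assumption that matches this excerpt.

```python
import re

# Sample input: JCP log lines from the excerpt above, embedded so this runs offline.
SAMPLE_LOG = r"""
05 - 20240129/050249.917 - U00009907 Memory view 'Invalid Msg from Connection 9' (Address='00000197DE557F70', Length='85')
05 - 20240129/050249.917 - 00000000 247B6A6E 64693A6C 6461703A 2F2F6C6F >${jndi:ldap://lo<
05 - 20240129/050249.917 - 00000010 67347368 656C6C2D 67656E65 7269632D >g4shell-generic-<
05 - 20240129/050249.917 - 00000020 69613372 3476664A 364C5635 67654C4B >ia3r4vfJ6LV5geLK<
05 - 20240129/050249.917 - 00000030 4A49366E 247B6C6F 7765723A 74656E7D >JI6n${lower:ten}<
05 - 20240129/050249.917 - 00000040 2E772E6E 65737375 732E6F72 672F6E65 >.w.nessus.org/ne<
05 - 20240129/050249.917 - 00000050 73737573 7D >ssus}<
05 - 20240129/050249.933 - U00003407 Client connection '9(6)' from '[External IP address]:52462' has logged off from the Server.
"""

VIEW = re.compile(r"U00009907 Memory view '([^']*)' \(Address='[0-9A-Fa-f]+', Length='(\d+)'\)")
DUMP = re.compile(r" - ([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]+\s+)+)>")

def memory_views(log_text):
    """Rebuild the bytes of every U00009907 memory view from its hex dump rows."""
    views, current = [], None
    for line in log_text.splitlines():
        header, row = VIEW.search(line), DUMP.search(line)
        if header:
            current = {"name": header[1], "declared": int(header[2]), "data": bytearray()}
            views.append(current)
        elif current and row and int(row[1], 16) == len(current["data"]):
            # Row offset must continue exactly where the previous row ended.
            current["data"] += bytes.fromhex("".join(row[2].split()))
        else:
            current = None  # any other line ends the dump
    return views

def triage(log_text):
    """Label each rejected message so scan noise can be told apart from agent traffic."""
    results = []
    for view in memory_views(log_text):
        data = bytes(view["data"])
        jndi = b"${jndi:" in data.lower()
        nessus = b".nessus.org" in data.lower()
        label = ("Log4Shell probe from a Nessus scan" if jndi and nessus
                 else "Log4Shell-style probe, source unknown" if jndi
                 else "unclassified")
        results.append({"name": view["name"], "label": label, "text": data.decode("latin-1"),
                        "complete": len(data) == view["declared"]})
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["label"], "| complete:", r["complete"], "|", r["text"])
```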