Troubleshooting Sensor Communication Issues
search cancel

Troubleshooting Sensor Communication Issues

book

Article ID: 284757

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

General troubleshooting guide for Sensor communication issues with Carbon Black Cloud

Environment

  • Carbon Black Cloud Sensor:  All versions
  • Apple macOS: All Supported Versions
  • Linux: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

  1. Do the offline sensors all show the last check-in time as the same day/hour?  That points to a potential infrastructure change - usually networking related -  for instance a firewall ACL change, a GPO change, a new proxy or proxy password change, etc.   Another possibility is a newly implemented zero trust solution and the traffic to Carbon Black needs to be bypassed by the solution.
  2. Test network connection to our services by following these docs:
  3. Do all the problem systems belong to the same subnet?  That also points to a likely networking change
  4. Ensure that all firewall and proxy settings are correct.  Make sure that the certificate revocation (CRL) checks to GoDaddy can go through, unless you have disabled CRL checks.  Make sure the target can be resolved in DNS.  Have there been any changes to the system hostfile?
  5.  If the above look good, what do the logs say?
  6. Check the install logs, which detail the sensor registration process, including DNS issues, etc.  Note that if the sensor(s) have previously registered and appear in the console, this may not help much, but can offer some insight as to what previously was set at install.
  7. Is there an in-line SSL inspection device being used, for instance BlueCoat?  Carbon Black services use certificate pinning, so SSL decryption on our traffic cannot be used, or the connection will be rejected
  8. Are the GoDaddy root certificates installed?
  9. Is it possible that there are old records from a re-registered, reimaged, VDI or decommissioned device?
    • If a system is re-registered (repcli reregister) it will get a new unique Device ID, and a new record will be generated for the sensor.  The old record will not be deleted, and will still show "Active" for 30 days.  The old record also has to be marked as deregistered before it will be able to be deleted, either manually or automatically. . This can lead to multiple records in the back-end database.
    • A VDI system needs special setup or you will get duplicate records
    • Devices that are decommissioned need to be removed from the console, unless the sensor is uninstalled and can communicate with our cloud services at the time of uninstall.  During an uninstall, the sensor will attempt to contact our back-end services and de-register itself.  Note that the record will still be in the console and will be listed as deregistered.  The record can then be manually or automatically deleted.
    • If a system is reimaged, and the sensor was not uninstalled before the reimage, the sensor will show as “Active” for 30 days from last communication to our cloud services.  Then they will show as “inactive”.  When a machine is reimaged, the sensor on the new image will get a unique Device ID when it registers. 
  10. Export all your sensors data from the console to a csv, and make a pivot table in Excel to locate any duplicate hostnames.
  11. Is Auto-Delete enabled? Check the policy settings to see if the Auto Delete setting is enabled. Check the Audit log to see if machines were deleted.
  12. If the problem still persists, collect sensor logs and open a case
 
Powered by Wolken Software