Disconnected Agent Due To WinHTTP Communication Error 12175

Article ID: 286464

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Agent shows as Disconnected in the Console.
  • Disconnected Agent Logs generate a Trace.bt9 file which includes:
    Server Communication: WinHTTPCommunication Error: 12175

Environment

  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

Microsoft defines WinHttpSendRequest error 12175 as:

ERROR_WINHTTP_SECURE_FAILURE: 12175
One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server.

Resolution

  1. Confirm the Server Certificate in Settings > System Configuration > Security is not expired and is formatted correctly.
    • Common Name shown should match Server Address from the General tab.
    • Expiration Date should be in the future.
    • A matching Certificate should be listed in the Trusted Communication Certificates list at the bottom of the Security tab, and shown as Trusted.
    • If necessary, Replace the Server Certificate.
  2. Confirm whether Certificate Verification has been enabled:
  3. Confirm the Agent's current Server Address matches the Common Name on the Server Certificate:
    1. Use dascli status or b9cli --status accordingly:
      Windows:
      cd "C:\Program Files (x86)\Bit9\Parity Agent"
      dascli status

      Linux:
      cd /opt/bit9/bin
      ./b9cli --status

      macOS:
      cd /Applications/Bit9/Tools/
      ./b9cli --status
    2. In the returned output, locate: Server Information > Server and note the address.
    3. Compare against the Common Name of the Server Certificate.
    4. If there is a mismatch, either update the Server Address on the Agent or use a Subject Alternative Name on the Server Certificate.
  4. Confirm the endpoint and application server possess a matching Cipher Suite & Protocol.
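
The expiry and name checks from steps 1 and 3 can be scripted; the following Python is an added example, not part of the original article or of App Control. It assumes the certificate is available in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()`; `check_server_cert`, `SAMPLE_CERT` and the host names are hypothetical, and the wildcard handling goes slightly beyond the plain Common Name comparison described above.

```python
import ssl
from datetime import datetime, timezone


def _host_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' may stand for the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host


def check_server_cert(cert: dict, server_address: str, now: datetime) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []

    # Step 1: Expiration Date should be in the future.
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if not_after <= now:
        findings.append(f"expired on {not_after:%Y-%m-%d}")

    # Step 3: the agent's Server Address should match the Common Name,
    # or a Subject Alternative Name on the Server Certificate.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_host_matches(n, server_address) for n in cns + sans):
        findings.append(
            f"server address {server_address!r} not in CN {cns} or SAN {sans}")
    return findings


# Constructed sample in getpeercert() form; names and dates are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "appcontrol.example.test"),),),
    "subjectAltName": (("DNS", "appcontrol.example.test"),
                       ("DNS", "*.corp.example.test")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    when = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for addr in ("appcontrol.example.test", "ac01.corp.example.test", "10.0.0.5"):
        print(addr, check_server_cert(SAMPLE_CERT, addr, when) or "OK")
```

Pass the address noted from `dascli status` or `b9cli --status` as `server_address`; an agent configured with an IP address fails the name check unless the certificate also carries that address.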

If the issue persists, open a case with Support and provide the Disconnected Agent Logs.

Additional Information

  • If using a certificate issued by a Certificate Authority: Confirm the Agents have the Root or Intermediate Certificate in Local Computer > Trusted Root Certification Authorities > Certificates.
  • For Windows 2012 machines, the Agent will not connect to the Console if the 'P521 curve ciphers' are not enabled on the App Control Server. Otherwise, the 'P521 curve ciphers' need to be disabled on Windows 2012 machines.