Troubleshooting Disconnected Agents and Testing Network Connectivity

Article ID: 286690

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to troubleshoot Disconnected Agents or otherwise test network connectivity when:

  • Endpoints are showing as Disconnected in the Console under Assets > Computers.
  • Endpoints are not showing in the Console under Assets > Computers.
  • Endpoints are experiencing general communication issues with the App Control Server.
  • Agents have stopped checking in with the App Control Server.

Environment

  • App Control Agent: All Supported Versions
  • App Control Server: All Supported Versions
  • Apple macOS: All Supported Versions
  • Linux: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

All Platforms:

  1. Log in to the Console and navigate to Settings > System Configuration > General.
    • Note the Server Address listed.
  2. Click the Security tab and verify the Current Server Certificate Details:
  3. Verify the Agent does not show in Duplicate Computers.
  4. If using Active Directory Policy Mapping, verify Slow Lookups are not contributing to the issue.
  5. Verify the endpoint and application server hosting the Console have matching Cipher Suites & Protocols.
  6. Manually restart the Agent via the command line/terminal to be sure it is fully running.
  7. Verify all Antivirus Agent Exclusions are added to any other security product(s) on the endpoint.

Windows

  1. For Windows XP or Server 2003 Agents, first follow the steps to connect XP or Server 2003 Agents to the Console.
  2. Use a command prompt to issue the following commands:
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli server

    Example Output:
    Current server: appcontrol.domain.com:41002
  3. If the Current Server returned does not match the Server Address in the Console, either:
  4. Verify the endpoint can resolve the Server Address returned, example commands:
    nslookup appcontrol.domain.com
    ping appcontrol.domain.com
    tracert appcontrol.domain.com
  5. Check to see if the Agent has ESTABLISHED a connection to the Server Address on the port:
    netstat -ano | findstr "41002"
  6. If a Proxy is in use, verify the 32-bit netsh is configured with a Bypass for the Server Address:
    C:\Windows\SysWOW64\netsh.exe winhttp show proxy
    (for XP/Server 2003 use: proxycfg)
  7. Use PowerShell to issue the following commands:
    Test-NetConnection -ComputerName appcontrol.domain.com -Port 41002 -InformationLevel "Detailed"
    Test-NetConnection -ComputerName appcontrol.domain.com -Port 443 -InformationLevel "Detailed"

Linux

  1. Verify the Agent and Linux OS/kernel combination being used is supported.
  2. Use Terminal to issue the following commands:
    cd /opt/bit9/bin
    ./b9cli --server

    Example Output:
    ServerAddress[appcontrol.domain.com]
    Port[41002]
    1. If no Server Address is returned, the install was missing the server.conf file and will require reinstall using the Uninstall Disconnected Linux Agent method.
    2. If the Server Address does not match the Server Address in the Console, either:
  3. Verify the endpoint resolves and can reach the resulting Server Address:
    ping appcontrol.domain.com
    nslookup appcontrol.domain.com
    telnet appcontrol.domain.com 41002
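
The Linux steps above, combined into one triage script (an added example, not code from the vendor or the original article). It assumes the `b9cli --server` output format shown in the Example Output; the function names, the verdict strings, and the use of `getent` and `nc -z -w 5` for the DNS and port checks are choices made for this example.

```shell
#!/bin/sh
# Added example: triage helper for the Linux steps (names and verdicts are illustrative).

# Parse `b9cli --server` output (ServerAddress[host] / Port[n]) into "host:port".
# Returns 1 with no output if either field is missing (e.g. server.conf absent).
parse_b9cli_server() {
    out=$1
    host=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*ServerAddress\[\([^]]*\)].*$/\1/p' | head -n 1)
    port=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Port\[\([0-9]*\)].*$/\1/p' | head -n 1)
    [ -n "$host" ] && [ -n "$port" ] || return 1
    printf '%s:%s\n' "$host" "$port"
}

# Compare the agent's server with the Server Address noted from the Console.
# $1 = b9cli output, $2 = Console address. Host names compare case-insensitively.
# Prints NO_SERVER, "MATCH host:port" or "MISMATCH host:port".
server_verdict() {
    agent=$(parse_b9cli_server "$1") || { echo NO_SERVER; return 0; }
    a_host=$(printf '%s' "${agent%:*}" | tr 'A-Z' 'a-z')
    e_host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$a_host" = "$e_host" ]; then echo "MATCH $agent"; else echo "MISMATCH $agent"; fi
}

# DNS lookup, then TCP connect with a 5-second timeout; stops at the first failure.
check_reachable() {
    c_host=${1%:*}; c_port=${1##*:}
    getent hosts "$c_host" >/dev/null 2>&1 || { echo "DNS_FAIL $c_host"; return 1; }
    nc -z -w 5 "$c_host" "$c_port" >/dev/null 2>&1 || { echo "TCP_FAIL $1"; return 1; }
    echo "OK $1"
}

# Runs only on an endpoint with the agent installed and a Console address given as $1.
if [ -x /opt/bit9/bin/b9cli ] && [ -n "${1:-}" ]; then
    verdict=$(server_verdict "$(/opt/bit9/bin/b9cli --server 2>/dev/null)" "$1")
    echo "$verdict"
    case $verdict in
        NO_SERVER) exit 1 ;;
        *) check_reachable "${verdict#* }" ;;   # test the server the agent is configured for
    esac
fi
```

A `NO_SERVER` verdict corresponds to the missing server.conf case in step 2.1; `DNS_FAIL` and `TCP_FAIL` separate a name-resolution problem from a blocked port.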

macOS

  1. Verify the Agent and macOS combination being used is supported.
  2. Verify the Agent Kernel Extensions are loaded and the Agent is fully running.
  3. Verify Full Disk Access (FDA) was granted to the Agent:
    System Preferences > Security & Privacy > Privacy > Full Disk Access > appc-es-extension
  4. Use Terminal to issue the following commands:
    cd /Applications/Bit9/Tools/
    ./b9cli --status
  5. If the current Server Address returned does not match the Server Address in the Console, either:
  6. Verify the endpoint resolves and can reach the resulting Server Address:
    ping <SERVERADDRESS>
    nslookup <SERVERADDRESS>
    nc -vz <SERVERADDRESS> 41002
    nc -vz <SERVERADDRESS> 443

 

If the connectivity tests pass but the issue persists, collect the Disconnected Agent Logs and open a case with Support.

Additional Information

  • The output of the PowerShell commands should show that the name resolves to an IP address and that TcpTestSucceeded is "True":
    RemoteAddress            : 10.1.2.3
    TcpTestSucceeded         : True
    • If RemoteAddress did not return the correct IP address, DNS must be fixed.
    • If TcpTestSucceeded is "False", port 41002 is not accessible on the server.
  • The output of netstat -ano | findstr "41002" should show a connection in the 'ESTABLISHED' state.
    • This is required for communication between the Agent and the Server to succeed.
    • Anything other than 'ESTABLISHED' (including no output) generally indicates an issue with firewall or proxy settings; the Infra/IT Team will likely need to help determine why the connection on port 41002 was not 'ESTABLISHED'.
    • The Agent does not control this; it relies on these connection settings for two-way communication.
  • If ICMP responses are disabled in the environment, ping may not succeed.
  • Optionally, if Telnet is available, you can check connectivity with:
    telnet ServerAddress 41002