EDR: Sensors Upload Data to Minions but Fail Check-in with Primary Server

Article ID: 287628

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Sensors fail certificate check on the Primary server, yet the sensors successfully upload data to the minions using the same certificate.
  • The IP stack designated in the /var/cb/nginx/vhosts/<newservercert>.conf does not match the IP stack designated in /etc/cb/nginx/conf.d/includes/cb.conf.
  • Primary server /var/log/cb/nginx/startup.log messages:
    [emerg] ipv6only is not supported on addr "0.0.0.0:443", ignored in /etc/cb/nginx/conf.d/cb.conf

Environment

  • EDR: Server: 7.5.0 and Higher

Cause

The nginx vhost stack configuration does not match the nginx stack configuration. The Primary server's vhost information was bound to the IPv4 address instead of the IPv4-mapped IPv6 addresses used in a dual-stack default configuration.

Resolution

On the Primary server, modify the conf file (cb.conf or cb.multihome.conf) used in /etc/cb/nginx/conf.d/ so that the designated stack matches /var/cb/nginx/vhost/<name>.conf. Change
    listen *:443 ssl ipv6only=off;
to
    listen [::]:443 ssl ipv6only=off;
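
One way to check for this mismatch before restarting nginx, as an added example that is not part of the original article or the product's tooling: the script classifies the listen directives in two nginx config files as IPv4 or IPv6 and reports when they differ. It assumes both files declare their stack through listen directives; the function names are hypothetical and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not vendor tooling): compare the IP stack of nginx
# "listen" directives in two config files.

# listen_stack FILE -> prints ipv4, ipv6, mixed or none
listen_stack() {
    awk '
        { sub(/#.*/, "") }                  # drop comments
        $1 == "listen" {
            addr = $2
            sub(/;$/, "", addr)
            if (addr ~ /^unix:/) next       # UNIX sockets have no IP stack
            if (addr ~ /^\[/) v6 = 1        # [::]:443, [2001:db8::1]:443
            else              v4 = 1        # *:443, 0.0.0.0:443, bare 443
        }
        END {
            if (v4 && v6) print "mixed"
            else if (v6)  print "ipv6"
            else if (v4)  print "ipv4"
            else          print "none"
        }
    ' "$1"
}

# check_stack MAIN_CONF VHOST_CONF -> exit status 0 only when both match
check_stack() {
    main=$(listen_stack "$1")
    vhost=$(listen_stack "$2")
    if [ "$main" = "$vhost" ]; then
        echo "OK: both files listen on $main"
        return 0
    fi
    echo "MISMATCH: $1 is $main, $2 is $vhost"
    return 1
}

# Demo on constructed sample files (not real server configs).
demo() {
    d=$(mktemp -d)
    printf 'server {\n    listen *:443 ssl ipv6only=off;\n}\n' > "$d/cb.conf"
    printf 'server {\n    listen [::]:443 ssl ipv6only=off;\n}\n' > "$d/vhost.conf"
    check_stack "$d/cb.conf" "$d/vhost.conf" || true    # reports MISMATCH
    sed 's/\*:443/[::]:443/' "$d/cb.conf" > "$d/cb.fixed.conf"
    check_stack "$d/cb.fixed.conf" "$d/vhost.conf"      # reports OK
    rm -rf "$d"
}
demo
```

On a server, call check_stack with the conf.d file and the vhost file named in the Resolution as its two arguments.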

Additional Information

  • Sensors use the SNI (Server Name Indication) extension in the TLS handshake.
  • The nginx vhost name can bind to the IPv4 address, the IPv4-mapped IPv6 address or the IPv6 address, depending on the defined stack.