EDR: Sensors Upload Data to Minions but Fail Check-in with Primary Server
Article ID: 287628
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Sensors fail certificate check on the Primary server, yet the sensors successfully upload data to the minions using the same certificate.
The IP stack designated in the /var/cb/nginx/vhosts/<newservercert>.conf does not match the IP stack designated in /etc/cb/nginx/conf.d/includes/cb.conf.
Primary server /var/log/cb/nginx/startup.log messages:
[emerg] ipv6only is not supported on addr "0.0.0.0:443", ignored in /etc/cb/nginx/conf.d/cb.conf
Environment
EDR: Server: 7.5.0 and Higher
Cause
The nginx vhost stack configuration does not match the nginx stack configuration. The Primary server's vhost information was bound to the IPv4 address instead of the IPv4-mapped IPv6 addresses used in a dual-stack default configuration.
Resolution
On the Primary server, modify the conf file (cb.conf or cb.multihome.conf) used in /etc/cb/nginx/conf.d/ so that the designated stack matches /var/cb/nginx/vhost/<name>.conf. Change
listen *:443 ssl ipv6only=off;
to
listen [::]:443 ssl ipv6only=off;
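To confirm the mismatch before and after the change, the listen directives in the two files can be compared. The following Python sketch is an added example, not Carbon Black tooling; the file contents are constructed samples, and the vhost layout and the name edr.example.test are assumptions.

```python
import re

# Finds each "listen" directive and captures its arguments up to the semicolon.
LISTEN_RE = re.compile(r"(?:^|[\s{;])listen\s+([^;]+);")

def parse_listen(args):
    """Return (family, port, flags) for one listen directive's arguments."""
    addr, *flags = args.split()
    if addr.startswith("["):  # [::]:443 or a literal IPv6 address
        _, sep, port = addr.rpartition("]:")
        return "ipv6", port if sep else "80", flags
    if addr.isdigit():  # a bare port binds the IPv4 wildcard
        return "ipv4", addr, flags
    _, sep, port = addr.rpartition(":")  # *:443, 0.0.0.0:443, 10.0.0.5
    return "ipv4", port if sep else "80", flags

def listen_sockets(conf_text):
    """Parse every TCP listen directive in a config text, ignoring comments."""
    text = re.sub(r"#.*", "", conf_text)
    found = [m.group(1) for m in LISTEN_RE.finditer(text)]
    return [parse_listen(a) for a in found if not a.startswith("unix:")]

def check_stacks(main_conf, vhost_conf):
    """Return findings for the two problems this article describes."""
    main, vhost = listen_sockets(main_conf), listen_sockets(vhost_conf)
    findings = []
    for family, port, flags in main + vhost:
        # nginx logs "ipv6only is not supported on addr" for this combination.
        if family == "ipv4" and any(f.startswith("ipv6only=") for f in flags):
            findings.append(f"ipv6only set on IPv4 listen, port {port}")
    main_set = {(fam, port) for fam, port, _ in main}
    vhost_set = {(fam, port) for fam, port, _ in vhost}
    if main_set != vhost_set:
        findings.append(
            f"stack mismatch: main={sorted(main_set)} vhost={sorted(vhost_set)}")
    return findings

# Constructed sample file contents; the vhost layout is an assumption.
MAIN_BEFORE = "server {\n    listen *:443 ssl ipv6only=off;\n}\n"
MAIN_AFTER = "server {\n    listen [::]:443 ssl ipv6only=off;\n}\n"
VHOST = ("server {\n    # constructed vhost for the new server certificate\n"
         "    listen [::]:443 ssl;\n    server_name edr.example.test;\n}\n")

if __name__ == "__main__":
    for label, conf in (("before", MAIN_BEFORE), ("after", MAIN_AFTER)):
        print(label, check_stacks(conf, VHOST) or "stacks match")
```

On a server, pass the text of the conf file and the vhost file named in this article to check_stacks instead of the sample strings.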
Additional Information
Sensors use the SNI (Server Name Indication) extension in the TLS handshake.
The nginx vhost name can bind to the IPv4 address, the IPv4-mapped IPv6 address, or the IPv6 address, depending on the defined stack.