Disconnected Agent Caused by GetSslError[2147483648] or Internal Error Loading SSL Libraries

Article ID: 291773

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • The Disconnected Agent Logs generate a Trace.bt9 file which includes:
    Server Communication: WaitForResponse End: m_bIsSleeping[0] IsSleeping[0] GetHttpStatus[0]  GetWinHttpError[12175]  GetSslError[2147483648]  DataAvailable[0]
  • The output of the dascli status command may include the following SSL error:
    SSL Error: The application experienced an internal error loading the SSL libraries.

Environment

  • App Control Agent: All Versions
  • Microsoft Windows: All Supported Versions

Cause

The elliptic curve configuration of the TLS cipher suites does not match between the Agent and the Server systems.

Resolution

Notes:

  1. Use a tool like IIS Crypto to display and modify the cipher suites on the system.
  2. Open IIS Crypto on both the Agent and the Server and check whether any P521 ciphers are enabled on one or the other. For example:
    • Agent has:
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256

    • Server has:
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
  3. Disable any of the P521 ciphers by unchecking them in IIS Crypto, so that only matching ciphers are enabled.
  4. Any changes will require a reboot.

If the issue persists, continue with Troubleshooting Disconnected Agents and Testing Network Connectivity.

Additional Information

  • If the ciphers reset and the P521 ciphers are enabled again after a system reboot, the ciphers are enforced by a GPO, which needs to be modified.
  • Using IIS Crypto, compare against the settings of a connected system to ensure the disconnected device uses the very same protocols and cipher suites.
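
The comparison in step 2 and the post-reboot check above can also be scripted. The following PowerShell is an added example, not part of the vendor article or the product. It assumes the cipher suite order set by policy is stored in the `Functions` value of the Windows "SSL Cipher Suite Order" policy key; the function names and the export file name are hypothetical.

```powershell
# Added example, not from the vendor article.
# Assumption: the cipher suite order written by policy is stored in the "Functions"
# value of the key below (the Windows "SSL Cipher Suite Order" policy location).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-PolicyCipherSuite {
    # Returns the suite names set under the policy key, or nothing if the value is absent.
    $value = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($value) {
        # The value may be one comma-separated string or a multi-string; normalise both.
        (@($value) -join ',') -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
}

function Compare-CipherSuiteList {
    # Lists every suite enabled on only one side and marks the P521 entries.
    param(
        [Parameter(Mandatory)][string[]]$Agent,
        [Parameter(Mandatory)][string[]]$Server
    )
    Compare-Object -ReferenceObject $Agent -DifferenceObject $Server |
        ForEach-Object {
            [pscustomobject]@{
                Suite  = $_.InputObject
                OnlyOn = if ($_.SideIndicator -eq '<=') { 'Agent' } else { 'Server' }
                IsP521 = $_.InputObject -like '*_P521'
            }
        }
}

# Constructed sample input: the two lists shown in step 2 of this article.
$agent = @(
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256'
)
$server = @(
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256'
)
Compare-CipherSuiteList -Agent $agent -Server $server | Format-Table -AutoSize

# On a live system: save the local list, copy it to the other machine, then load
# both files with Get-Content and pass them to Compare-CipherSuiteList.
Get-PolicyCipherSuite | Set-Content -Path "ciphers-$($env:COMPUTERNAME).txt"
```

If P521 entries show up again in the `Get-PolicyCipherSuite` output after the reboot, that matches the GPO case described above.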