EndpointServer subservice is stuck in Starting state on a DLP Endpoint Prevent detection server

Article ID: 386042

Products

Data Loss Prevention Core Package
Data Loss Prevention Endpoint Prevent
Data Loss Prevention Endpoint Suite

Issue/Introduction

After a recycle of DLP services on an Endpoint Prevent detection server, the EndpointServer (also named Aggregator) subservice is seen in the Enforce console as stuck in the Starting state. All other subservices are able to complete startup.

Aggregator logs will show the following or similar startup exception:

com.vontu.aggregator.Aggregator main
SEVERE: Aggregator failed to start.
java.lang.NullPointerException
    at com.vontu.incidenthandler.endpointincident.EndpointIncidentWriter.initialize(EndpointIncidentWriter.java:98)
    at com.vontu.incidenthandler.endpointincident.EndpointIncidentWriter.makeEndpointIncidentWriter(EndpointIncidentWriter.java:64)
    at com.vontu.aggregator.Aggregator.initializeReplicatorCommLayerBootstrap(Aggregator.java:481)
    at com.vontu.aggregator.Aggregator.<init>(Aggregator.java:382)
    at com.vontu.aggregator.Aggregator.initializeAggregator(Aggregator.java:301)
    at com.vontu.aggregator.Aggregator.main(Aggregator.java:217)

Cause

This may be caused by a problem with the Aggregator's temporary folder, aggregator_temp_incident_data, which is normally created under the temp path on the detection server. On a detector, the path is defined by the following variable, which you can find in the Protect.properties configuration file (the build number in the path will be different for each DLP version):

# path for the blobs and zip directory.
vontu.temp.dir = C:/ProgramData/Symantec/DataLossPrevention/DetectionServer/<version>/temp

In some environments, this can be a non-default, customized path. 

For example, the folder may be corrupted and inaccessible. This can be verified by trying to open the folder manually in File Explorer under Windows. You may see an error similar to the following when trying to access the folder:

Error text:

Location is not available

<drive>:\DetectionData\DetectionServer\<version>\temp\aggregator_temp_incident_data is not accessible. 

The file or directory is corrupted and unreadable

Resolution

  1. Recreate the folder manually by deleting it from the disk and then creating it again.
  2. Assign Full Control permissions to the folder for the Windows account which is running the DLP services. This is important as the DLP service needs to be able to successfully read from and write to the directory.
  3. Recycle the DLP service on the Endpoint Prevent detector.
  4. Check whether the EndpointServer subservice is now able to start.
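
The folder check from the Cause section and steps 1 and 2 above, scripted in PowerShell as an added example (not vendor tooling and not part of the original article). It reads vontu.temp.dir from Protect.properties, probes aggregator_temp_incident_data, and only with -Repair recreates the folder and grants Full Control to the service account. The parameter names, function names and the sample account are assumptions.

```powershell
# Added example (not vendor code). Run elevated on the detection server.
param(
    [Parameter(Mandatory)] [string] $ProtectProperties,  # full path to Protect.properties (site-specific)
    [Parameter(Mandatory)] [string] $ServiceAccount,     # account running the DLP services, e.g. 'CORP\svc-dlp' (constructed)
    [switch] $Repair                                     # without this switch the script only reports
)
$ErrorActionPreference = 'Stop'

# Resolve <vontu.temp.dir>\aggregator_temp_incident_data; commented-out lines do not match.
$hit = Select-String -Path $ProtectProperties -Pattern '^\s*vontu\.temp\.dir\s*=\s*(.+?)\s*$' |
       Select-Object -First 1
if (-not $hit) { throw "vontu.temp.dir not found in $ProtectProperties" }
$tempDir = $hit.Matches[0].Groups[1].Value -replace '/', '\'
$target  = Join-Path $tempDir 'aggregator_temp_incident_data'

# True if the folder can be enumerated; a missing or corrupted folder returns $false.
function Test-FolderReadable([string] $Path) {
    try   { $null = Get-ChildItem -LiteralPath $Path -Force; return $true }
    catch { Write-Warning "${Path}: $($_.Exception.Message)"; return $false }
}

# True if the account has an Allow rule granting FullControl (compared by SID, not by name).
function Test-FullControl([string] $Path, [string] $Account) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid     = [System.Security.Principal.NTAccount]::new($Account).Translate($sidType)
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($r in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        if ($r.IdentityReference.Value -eq $sid.Value -and $r.AccessControlType -eq 'Allow' -and
            ($r.FileSystemRights -band $full) -eq $full) { return $true }
    }
    return $false
}

$readable = Test-FolderReadable $target
if (-not $readable -and $Repair) {
    # Step 1: delete the folder from disk and create it again.
    if (Test-Path -LiteralPath $target) { Remove-Item -LiteralPath $target -Recurse -Force }
    $null = New-Item -ItemType Directory -Path $target
    $readable = $true
}
if ($readable -and -not (Test-FullControl $target $ServiceAccount)) {
    if ($Repair) {
        # Step 2: Full Control for the service account, inherited by files and subfolders.
        & icacls.exe $target /grant "${ServiceAccount}:(OI)(CI)F" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    } else { Write-Warning "$ServiceAccount lacks Full Control on $target" }
}
"{0}: readable={1}" -f $target, $readable
```

Run it once without -Repair to see what it would act on, then continue with steps 3 and 4 after a repair.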