Detection Server is unknown after upgrading to 16.1
Article ID: 391746

Products

Data Loss Prevention

Issue/Introduction

Detection Server is unknown after upgrading to 16.1.

Confirm that the correct version of the JRE was selected for Linux or Windows, and that the path was entered correctly, before moving on.

Cause

Communication between Enforce and the Detection server is tightly secured. If those calls are modified by SSL interception of any kind, DLP rejects them, which causes communication failures between Enforce and the Detection server.

Resolution

Make sure no traffic between the Enforce server and the Detection server is being SSL intercepted. Interception will cause a disconnect to occur.

Additional Information

On an unsuccessful connection you will see something like the following:

MonitorController0.log from the Enforce server. In the section below you can see that it first goes to create a handshake for the connection and then sees a disconnect right away.

com.vontu.monitor.controller.replicatorcommlayer.applications.connection.GatewayConnector initiateConnect
INFO: Creating a new connection for ConnectionIdentifierId [hostName=<ip or hostname>, port=8100]

3:58:47 PM com.symantec.dlp.communications.applicationcommunicatorlayer.ApplicationCommunicatorActivityNotifiableImpl onCreateHandshaker
INFO: Creating handshaker for dataconnection C-1

com.symantec.dlp.communications.applicationcommunicatorlayer.ApplicationCommunicatorActivityNotifiableImpl onCreateHandshaker
FINER: Creating Handshaker for the data connection with connection number: 1

com.symantec.dlp.services.csgconnection.ConnectionStateManager onDisconnected
INFO: Connection to ConnectionIdentifierId [hostName=<ip or hostname>, port=8100] is terminated.

com.vontu.monitor.controller.replicatorcommlayer.applications.connection.LegacyConnectionStatusObserver hasSuccessfulLegacyConnection
INFO: Successful Legacy connection does NOT exist for <ip or hostname>:8100

com.vontu.monitor.controller.replicatorcommlayer.applications.connection.LegacyConnectionStatusObserver onConnectionDown
WARNING: Unable to retrieve Information monitor by hostname: <ip or hostname>. Gateway connector will not connect to UDS.

 

SymantecDLPEnforceConnector0.log: Here we see the same thing regarding the handshaker and then a disconnect right away.

com.symantec.dlp.communications.applicationcommunicatorlayer.ApplicationCommunicatorActivityNotifiableImpl onCreateHandshaker
INFO: Creating handshaker for dataconnection C-10

com.symantec.dlp.communications.applicationcommunicatorlayer.ApplicationCommunicatorActivityNotifiableImpl onCreateHandshaker
FINER: Creating Handshaker for the data connection with connection number: 10
Feb 18, 2025 3:58:47 PM com.symantec.dlp.enforceconnector.applications.connection.EnforceConnectorConnectionStatusWriter onDisconnected
INFO: EnforceConnector disconnected from MonitorController

com.symantec.dlp.communications.applicationcommunicatorlayer.ApplicationCommunicatorActivityNotifiableImpl onCreateHandshaker
INFO: Creating handshaker for dataconnection C-100

com.symantec.dlp.communications.applicationcommunicatorlayer.ApplicationCommunicatorActivityNotifiableImpl onCreateHandshaker
FINER: Creating Handshaker for the data connection with connection number: 100

com.symantec.dlp.enforceconnector.applications.connection.EnforceConnectorConnectionStatusWriter onDisconnected
INFO: EnforceConnector disconnected from MonitorController

This indicates that communication is failing right away, which is caused by SSL interception or modification of the traffic while it was in transit.

Working Example:

MonitorController0.log - On Enforce.

com.vontu.monitor.controller.replicatorcommlayer.applications.connection.GatewayConnector initiateConnect
INFO: Creating a new connection for ConnectionIdentifierId [hostName= <ipaddress or dns name>, port=8100]

com.symantec.dlp.communications.applicationcommunicatorlayer.ApplicationCommunicatorActivityNotifiableImpl onCreateHandshaker
INFO: Creating handshaker for dataconnection C-1

com.vontu.monitor.controller.replicatorcommlayer.applicationcommunicatorlayer.ApplicationCommunicatorsForEnforceToUDSConnections versionValid
INFO: Comparing version compatibility current Enforce version 16.1.00000.60313 and Peer Software version 16.1.0.60313

com.vontu.monitor.controller.replicatorcommlayer.applicationcommunicatorlayer.ApplicationCommunicatorsForEnforceToUDSConnections versionValid
INFO: Comparing Major and Minor Peer version 16.1.0.60313 is equal or greater than Enforce version. Allow connection.

Above, right after the handshaker, we can see it comparing the versions of Enforce and the Detection Server. This is very important, as it shows the traffic was not modified and DLP is accepting it.


SymantecDLPEnforceConnector0.log - On Detection Server

com.symantec.dlp.communications.applicationcommunicatorlayer.ApplicationCommunicatorActivityNotifiableImpl onCreateHandshaker
INFO: Creating handshaker for dataconnection C-10

com.symantec.dlp.communications.applicationcommunicatorlayer.ApplicationCommunicatorActivityNotifiableImpl onCreateHandshaker
FINER: Creating Handshaker for the data connection with connection number: 10

com.symantec.dlp.communications.aclayer.impl.TwoWayHandshaker onReceivedHandshakeMessage
FINE: Handshaker received a message from the remote peer for the connection with connection number : 10

com.symantec.dlp.communications.aclayer.impl.TwoWayHandshaker readRemotePeerAttributes
FINER: peer attributes received = [com.symantec.dlp.communications.aclayer.impl.peerattributes.specificattributes.GuidEnforceIdPeerAttribute@2a9c169d, com.symantec.dlp.communications.aclayer.impl.peerattributes.specificattributes.ReplicationCapabilityIdSetPeerAttribute@641e8ab5, com.symantec.dlp.communications.aclayer.impl.peerattributes.specificattributes.ReplicationCapabilityIdSetPeerAttribute@1ea47fa0, com.symantec.dlp.communications.aclayer.impl.peerattributes.specificattributes.UDSCurrentTimePeerAttribute@2bcba4c] for the connection with connection number : 10

com.symantec.dlp.communications.aclayer.impl.TwoWayHandshaker getPeerAttributesToBeSent
FINER: peerAttributes to be sent = [com.symantec.dlp.communications.aclayer.impl.peerattributes.specificattributes.ReplicationCapabilityIdSetPeerAttribute@30b2c622, com.symantec.dlp.communications.aclayer.impl.peerattributes.specificattributes.GuidDetectionServerIdPeerAttribute@58851ce4, com.symantec.dlp.communications.aclayer.impl.peerattributes.specificattributes.ReplicationCapabilityIdSetPeerAttribute@6876da32, com.symantec.dlp.communications.aclayer.impl.peerattributes.specificattributes.DetectionServerSoftwareVersionIdPeerAttribute@485e6c78] for the connection with connection number : 10

com.symantec.dlp.communications.aclayer.impl.TwoWayHandshaker getPeerAttributesToBeSent
FINER: peerAttributes to be sent = [com.symantec.dlp.communications.aclayer.impl.peerattributes.specificattributes.HandshakeResultPeerAttribute@68c50e27] for the connection with connection number : 10

com.symantec.dlp.enforceconnector.applicationcommunicator.ApplicationCommunicatorsForUDSToEnforceConnections versionValid
INFO: Comparing version compatibility current Enforce version 16.1.0.60313 and UDS version 16.1.00000.60313

com.symantec.dlp.enforceconnector.applicationcommunicator.ApplicationCommunicatorsForUDSToEnforceConnections versionValid
INFO: Comparing Major and Minor - Enforce version 16.1.0.60313 is equal or lesser than this UDS version. Allow connection.

Again, above we can see it getting details right after the handshaker, and then the versions being matched. This is what we expect to happen. Any network security software that modifies this communication in any way will cause a disconnection. Communication between Enforce and all Detection Servers should be whitelisted.

To see the above logging, enable the following logging levels to help diagnose the issue:

Enforce

File: MonitorControllerLogging.properties

Add the following lines at the bottom of the file.

com.symantec.dlp.level = FINEST

com.vontu.monitor.controller.replicatorcommlayer.level = FINEST

com.symantec.dlp.communications.common.activitylogging.ConnectionLogger.ON_PROCESS_DISCONNECTED.logAtLevel= INFO

com.symantec.dlp.communications.common.activitylogging.ConnectionLogger.ON_HANDSHAKE_FAILED.logAtLevel = INFO

com.symantec.dlp.communications.common.activitylogging.ConnectionLogger.ON_HANDSHAKE_COMPLETED_SUCCESSFULLY.logAtLevel = INFO

com.symantec.dlp.communications.common.activitylogging.ConnectionLogger.ON_TC_SSL_HANDSHAKE_SUCCESSFUL.logAtLevel = INFO

com.symantec.dlp.communications.common.activitylogging.ConnectionLogger.ON_TC_SSL_HANDSHAKE_FAILED.logAtLevel = INFO

Modify the following values:

java.util.logging.FileHandler.level = FINEST

java.util.logging.FileHandler.count = 20

Detection

File: UDSEnforceConnectorLogging.properties

Add the following lines at the bottom of the file.

com.symantec.dlp.level = FINEST

com.symantec.dlp.communications.common.activitylogging.ConnectionLogger.ON_PROCESS_DISCONNECTED.logAtLevel= INFO

com.symantec.dlp.communications.common.activitylogging.ConnectionLogger.ON_HANDSHAKE_FAILED.logAtLevel = INFO

com.symantec.dlp.communications.common.activitylogging.ConnectionLogger.ON_HANDSHAKE_COMPLETED_SUCCESSFULLY.logAtLevel = INFO

com.symantec.dlp.communications.common.activitylogging.ConnectionLogger.ON_TC_SSL_HANDSHAKE_SUCCESSFUL.logAtLevel = INFO

com.symantec.dlp.communications.common.activitylogging.ConnectionLogger.ON_TC_SSL_HANDSHAKE_FAILED.logAtLevel = INFO

Modify the following values:

java.util.logging.FileHandler.level = FINEST

java.util.logging.FileHandler.count = 20

Save all files, restart the services on the Detection Server, and then restart the Symantec DLP Detection Server Controller Service on Enforce. After this you should be able to match the log lines seen above.
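
As an added example (not part of the original article or of Symantec's tooling), the following Python script scans log text for the two patterns contrasted above: a handshaker that is followed directly by onDisconnected, versus one followed by handshake-message or version-check entries. The sample logs, the abbreviated class names and the hostname detect01.example.test are constructed for illustration.

```python
import re

# Markers taken from the log excerpts in this article.
HANDSHAKER = re.compile(r"Creating handshaker for dataconnection (C-\d+)")
PROGRESS = re.compile(r"\b(versionValid|onReceivedHandshakeMessage)\b")
DISCONNECT = re.compile(r"\bonDisconnected\b")

def classify_connections(log_text):
    """Map each data connection id to 'accepted', 'rejected' or 'pending'.

    Assumption: log entries belong to the most recently created handshaker,
    which holds for the sequential excerpts shown in the article.
    """
    results, current = {}, None
    for line in log_text.splitlines():
        match = HANDSHAKER.search(line)
        if match:
            current = match.group(1)
            results[current] = "pending"
        elif current is None:
            continue
        elif PROGRESS.search(line):
            results[current] = "accepted"      # peer data or version check was reached
        elif DISCONNECT.search(line):
            if results[current] == "pending":
                results[current] = "rejected"  # dropped before any peer data arrived
            current = None
    return results

# Constructed samples, shortened from the excerpts above (class names abbreviated).
FAILING_LOG = """\
...GatewayConnector initiateConnect
INFO: Creating a new connection for ConnectionIdentifierId [hostName=detect01.example.test, port=8100]
...ApplicationCommunicatorActivityNotifiableImpl onCreateHandshaker
INFO: Creating handshaker for dataconnection C-1
...ConnectionStateManager onDisconnected
INFO: Connection to ConnectionIdentifierId [hostName=detect01.example.test, port=8100] is terminated.
"""
WORKING_LOG = """\
...ApplicationCommunicatorActivityNotifiableImpl onCreateHandshaker
INFO: Creating handshaker for dataconnection C-1
...ApplicationCommunicatorsForEnforceToUDSConnections versionValid
INFO: Comparing version compatibility current Enforce version 16.1.00000.60313 and Peer Software version 16.1.0.60313
"""

if __name__ == "__main__":
    for name, text in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(name, classify_connections(text))
```

A "rejected" result matches the failure signature described in this article; it points to where to look on the network path and is not by itself proof of interception.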