Issue/Introduction
The Data Loss Prevention (DLP) Enforce Server shows that one or more DLP cloud detectors are disconnected.
Cause
Various issues related to the use of an Enrollment Bundle, or to the status of the Cloud Service at any time.
Environment
DLP Cloud Service for Email
DLP Cloud Detection Service (for ICAP, or for REST)
DLP Cloud Detector (aka Cloud Connector)
Resolution
This workflow offers suggestions to help you move through the problem.
If no DLP Cloud Detectors were installed or enrolled before this attempt, check for the following event codes:
Shows a 4201 event code (error requesting client certificate from Symantec Managed PKI Service). This is the most common issue, and it is always network-related: the network team for the Enforce Server environment needs to update any proxy and/or firewall rules so that the Enforce Server can connect to the Cloud Service Gateway. See this KB for steps: DLP Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service (broadcom.com)
Shows a 4200 event code (client certificate successfully obtained from Symantec Managed PKI Service). Check the Enforce Tomcat logs for either of the following errors:
A DLP Cloud Detector was previously connected, but now is not. Please see which of the following issues may apply.
Firstly, as of February 2021, the DLP Cloud Services have migrated fully to the Google Cloud Platform. For more information about the GCP Migration, see this Product Advisory.
Your Enforce Server cannot connect to the Cloud Service unless it is version 15.1 MP1 or higher:
If recycling does NOT resolve it: if this happened after moving a Cloud Detector from one Enforce Server to another, verify whether the second Enforce Server was a clone of the first one. Please contact Support for assistance on this issue.
Error 2: "Cloud Service is not available because of an account issue". This is usually caused by a TRIAL Detector, or by some kind of provisioning error that leaves two separate Accounts in one Enforce database. Please contact Support for assistance on this issue.
If recycling the DetectionServerController resolves the issue but it recurs infrequently, the Enforce Server's connection to the Oracle Database may be at fault. Please review the following recommendation if the Oracle database connection is severed without first stopping the Enforce Server services: Recovering from Symantec Data Loss Prevention database connectivity issues (broadcom.com)
[Rare]: "The bundle refers to a Gateway different than the one that has already been configured." This happens if you have a Detector provisioned in the EU region and have subsequently added a second Detector that was set up in the US region (or vice versa). Please contact Support for assistance on this issue.
If you have upgraded the Enforce "ServerJRE" to 1.8.0.211 or higher, and all Cloud Detectors have gone into a disconnected state: Please contact Support for assistance on this issue.