Troubleshooting ManifestDownloadFailure Alarms
search cancel

Troubleshooting ManifestDownloadFailure Alarms

book

Article ID: 285081

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Received a severity 10 alert stating that sensors are unprotected due to failure connecting to content.carbonblack.io
  • Windows 'Repcli Status' command shows manifestdownload alarms 
    ManifestDownloadFailure: <Number> times, MM/DD/YYYY hh:mm:ss
  • macOS sensoralarms.log shows manifestdownloadfailure alarms 
    <line#>:MM/DD/YY hh:mm:ss [INFO] ... ManifestDownloadFailure, AddDownloadError: Error[Content download failed]
  • Linux log.txt shows ContentDownloadFailure alarms 
    <line#>:[YYYY-MM-DD hh:mm:ss.ssssss]... ReMgr : TAProcessEvent : Added [ContentDownloadFailure] Telemetry event to Telemetry Event Sink.

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: All Supported Versions
  • macos: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • Linux: All Supported versions

Resolution

  1. Test connection to the Content Management URL (content.carbonblack.io)
  2. Verify that any configured proxy or firewall allows outbound (endpoint to cloud) communication:
    URL Port Direction SSL and Packet Inspection
    content.carbonblack.io TCP/443 Outbound Disabled
  3. Verify at least one of the supported TLS cipher suites is enabled. For Windows this can be done via Powershell:
    1. Check enabled cipher suite by name 
      C:\> Get-TlsCipherSuite -Name <Cipher_Suite_Name>
If nothing is returned the cipher suite is not enabled

Example with TLS 1.2/FIPs compliant cipher suite
C:\> Get-TlsCipherSuite -Name TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    2. Check all enabled cipher suites 
      C:\> Get-TlsCipherSuite | foreach {$_.Name}
    3. Enable cipher suites 
      C:\> Enable-TlsCipherSuite -Name <Cipher_Suite_Name>

Example with TLS1.2 and FIPs compliant Cipher Suite
C:\> Enable-TlsCipherSuite -Name TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  4. Check status of Manifest downloads to see if the alarm is continuing to trigger after any network changes
  5. If the count of ManifestDownloadFailure alarms continues to increase and/or 'Last Manifest Content Update Time' does not get set or updated, open a Technical Support Case and provide:
    • Org Key
    • Hostname of affected device(s)
    • Verification of access from Step 1
    • Configuration information of firewall/proxy exclusion from step 2
    • Firewall/proxy logs with any errors in communicating with content.carbonblack.io
Powered by Wolken Software