cortex xdr agent connection problem

Land-Salzburg — Wed, 18 May 2022 12:48:00 GMT

hi everybody,

we've installed cortex xdr agent on a terminal-master server which gets cloned for distribution

xdr-agent on master has active connection to cortex-cloud

but cloned servers can't connect...

xdr-log:

2022/05/18T14:32:44.590+02:00 <Info> LVTS41 [3608:5152 ] {trapsd:VerdictService:WfDeferredRequestsTimer:} Calling cloud for 3 WildFire verdicts
2022/05/18T14:32:44.590+02:00 <Info> LVTS41 [3608:5152 ] {trapsd:Communication:WfDeferredRequestsTimer:} No authentication ID - checking if registration is required
2022/05/18T14:32:44.590+02:00 <Notice> LVTS41 [3608:5152 ] {trapsd:Communication:WfDeferredRequestsTimer:} The agent is not registered. Registering with the cloud.
2022/05/18T14:32:44.593+02:00 <Info> LVTS41 [3608:5152 ] {trapsd:AgentIdentification:WfDeferredRequestsTimer:} Stored hardware id is {17300142-0AC2-FECE-D0E6-DEFD980093ED}, calculated hardware id is {17300142-0AC2-FECE-D0E6-DEFD980093ED}
2022/05/18T14:32:44.593+02:00 <Info> LVTS41 [3608:5152 ] {trapsd:AgentIdentification:WfDeferredRequestsTimer:} All checks done, registering
2022/05/18T14:32:44.596+02:00 <Info> LVTS41 [3608:5152 ] {trapsd:AgentIdentification:WfDeferredRequestsTimer:} Registering using agent ID 
2022/05/18T14:32:44.597+02:00 <Warning> LVTS41 [3608:5152 ] {trapsd:AgentIdentification:WfDeferredRequestsTimer:} GetCurrentUserInfo returned with error code 0, continue with registration.
2022/05/18T14:32:44.607+02:00 <Notice> LVTS41 [3608:5152 ] {trapsd:Communication:WfDeferredRequestsTimer:/operations/provision/register:} Communication with server is disabled. Replace distribution ID to reconnect.
2022/05/18T14:32:44.609+02:00 <Warning> LVTS41 [3608:5152 ] {trapsd:Communication:WfDeferredRequestsTimer:} Connectivity Error, error_type = 3
2022/05/18T14:32:44.632+02:00 <Error> LVTS41 [3608:5152 ] {trapsd:AgentIdentification:WfDeferredRequestsTimer:} Error registering with the server, error 4. Error data: 
2022/05/18T14:32:44.651+02:00 <Notice> LVTS41 [3608:5152 ] {trapsd:AgentIdentification:WfDeferredRequestsTimer:} Registration failed, hardware_id='{17300142-0AC2-FECE-D0E6-DEFD980093ED}' distribution_id='520620aa0360410e9e081a9d38886436' trial_count=170 error=4
2022/05/18T14:32:44.666+02:00 <Info> LVTS41 [3608:5152 ] {trapsd:Communication:WfDeferredRequestsTimer:} Unable to obtain authentication ID, aborting request.
2022/05/18T14:32:44.667+02:00 <Info> LVTS41 [3608:5152 ] {trapsd:VerdictService:WfDeferredRequestsTimer:} Failed calling server with error 307 - treating all 3 verdict(s) as NoConnection
2022/05/18T14:32:44.667+02:00 <Info> LVTS41 [3608:5152 ] {trapsd:VerdictService:WfDeferredRequestsTimer:} No server response for hash '1a9e9ddcdec423fe5fe8c24d4a3cdfa5ae63b2e355dfe2e8d3dc1ac9061c1608' - treating as NoConnection
2022/05/18T14:32:44.667+02:00 <Info> LVTS41 [3608:5152 ] {trapsd:VerdictService:WfDeferredRequestsTimer:} No server response for hash '2d177e445025b0d9421ae293274ccda237991b4522cf496dc9b84dd2b00dc3bb' - treating as NoConnection
2022/05/18T14:32:44.667+02:00 <Info> LVTS41 [3608:5152 ] {trapsd:VerdictService:WfDeferredRequestsTimer:} No server response for hash 'e40d261541fb62362a9b17aef1cf5d639a27623f6fb28d7d35e4e69f81850a6f' - treating as NoConnection
2022/05/18T14:33:46.351+02:00 <Info> LVTS41 [3608:7596 ] {trapsd:SecurityEventService:EcEventCollectionPipeline:} Raising security event from component 0x152, status 0xC0400097. Starting event rule matching...
2022/05/18T14:33:46.351+02:00 <Info> LVTS41 [3608:7596 ] {trapsd:SecurityEventService:EcEventCollectionPipeline:} Security event rules matching result: Match, rule name=DPI-1000000002
2022/05/18T14:33:46.351+02:00 <Info> LVTS41 [3608:7596 ] {trapsd:SecurityEventService:EcEventCollectionPipeline:} Ignoring security event by policy
2022/05/18T14:33:55.864+02:00 <Info> LVTS41 [3608:3104 default[#2]:7] {trapsd:Protection:VerifyAgentStatus:} AuthTokens value doesn't exist - returning empty tokens vector
2022/05/18T14:34:00.483+02:00 <Notice> LVTS41 [3608:7292 AgentOperationalStatusReporterThread:5] {trapsd:Telemetry:AgentOperationalStatusReporter:} Current agent operational status {
"antiexploitStatus" : 0,
"antimalwareStatus" : 0,
"dseStatus" : 0,
"edrStatus" : 0,
"generalStatus" : 0,
"hostfirewallStatus" : 0
}
2022/05/18T14:34:00.485+02:00 <Notice> LVTS41 [3608:7292 AgentOperationalStatusReporterThread:5] {trapsd:Telemetry:AgentOperationalStatusReporter:} 
Agent operational status - EDR upload statistics
EDR upload success ratio : 0 %
Last succeeded upload time: N/A
Last failed upload time: 2022-05-18T12:32:25.765Z
2022/05/18T14:34:00.502+02:00 <Info> LVTS41 [3608:7292 AgentOperationalStatusReporterThread:5] {trapsd:Telemetry:AgentOperationalStatusReporter:} Waiting for 300 seconds

what is the problem?

is it only possible to install on running-cloned server?

thx for any help

regards

Re: cortex xdr agent connection problem

BPry — Wed, 18 May 2022 21:44:28 GMT

@Land-Salzburg,

From your logs, the distribution ID error means that the installation package was removed from your tenant. You'll need to go into Endpoint Management -> Agent Installations and regenerate an installer with a new distribution ID. Going forward, don't delete an Agent Installation that you're actively using, it'll remove the association with the distribution ID and cause installations to fail.

Re: cortex xdr agent connection problem

Land-Salzburg — Thu, 19 May 2022 08:48:13 GMT

hi, thx for your info, server-group told me they maybe used new installer, i've generated a newly on and now we are taking another approach

regards

Re: cortex xdr agent connection problem

Land-Salzburg — Thu, 19 May 2022 15:13:18 GMT

problem solved

thx

topic Re: cortex xdr agent connection problem in General Topics

cortex xdr agent connection problem

Re: cortex xdr agent connection problem

Re: cortex xdr agent connection problem

Re: cortex xdr agent connection problem