Cortex xdr agent not checking in after install

cancel
Showing results for 
Search instead for 
Did you mean: 

Cortex xdr agent not checking in after install

L2 Linker

Hi all, I have a problem with the agent - I have one agent that is not communicating with the xdr server after installation. The host in question had it's agent uninstalled via the xdr server, and then re-installed by the IT team. However now the host shows an "Uninstalled" status and there's no communication between the host and the server. 

What can be done in this situation?

7 REPLIES 7

L4 Transporter

Hi @Daniel_Itenberg ,

could you please try to reconnect using the following command on the subject endpoint and tell us the output ? 

 

c:\Program Files\Palo Alto Networks\Traps>cytool reconnect force

 

Does it reconnect ? can the checkin be performed ? does it appear as connected in the tenant after the given command ? 

As a good practise try to always use the last agent release 

If this doesnt work, please feel free to open a TAC support ticket

KR,

Luis

 

If the check in fails or does not connect the agent, then use the force command and it should work. I have tried and it worked and it is pretty simple. Once you ran it would ask for admin password. Please try it and it should work.

 

Thank you

Naga

What's the force reconnect command on mac?

The problem is on mac.. is the command the same on mac?

L4 Transporter

Hi @Daniel_Itenberg 

yes, cytool exists in MAC with the same syntax. Under the directory 

/Library/Application Support/PaloAltoNetworks/Traps/bin

Hope that helps, please mark it as a solution if it was, or click on like it

KR,

Luis 

Here's the weird thing - I only have a support folder in the path you mentioned, and in it a logs zip file. I cant seem to find the cytool at all on my machine. I am running the 7.7 agent - maybe Palo changed the path or something like that for the cytool?

Hi @Daniel_Itenberg can you please confirm if the XDR agent is installed in the default path "/Library/Application Support/PaloAltoNetworks/Traps/bin" as stated here: https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-7/cortex-xdr-agent-admin/cortex-xdr-agent-for-...

Can you please

1. share a directory listing of the path "/Library/Application Support/PaloAltoNetworks/Traps/bin" as a screenshot?

2. confirm if the endpoint shows as Connected in XDR tenant UI?

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!