Endpoint shown as 'Connection Lost' - cannot reach


L0 Member

I have a user (my boss) who is one of several endpoints with a status of 'Connection Lost'. I'm not actually able to ping him from the DNS server when he is plugged in to the network at work; the XDR portal reports two IP addresses which are probably from his domestic wifi.

Running the msi to install isn't possible because tamper protection is enabled so I am not sure how I can get Cortex XDR running properly again.

I am guessing that this and other 'Connection Lost' issues are down to IP changes but... how can I clean up the portal and re-establish broken connections?


L1 Bithead

'Connection Lost' means that your endpoint has not communicated with Cortex Console for more than 30 days.

 

You should investigate the machine locally to find out what the problem is. Probably a network issue or some kind of block (firewall, app, etc.) preventing the Agent from communicating with Cortex Servers.

This has nothing to do with the number of IP addresses you can see in Cortex Console.

Btw, you can disable the Anti-Tampering with the command: cytool.exe protect disable

 

 

Martin Cimone

Thanks. I have got advice to remove the client and re-install and there is a utility for doing this for Windows... is there a Mac utility too, as one of these is a Mac?

One of the disconnected Windows agents, on a server, couldn't have been due to a network issue - or if it was, the connection was not re-made when whatever happened was over. So I had to remove the agent and reinstall.

 

Tim

L0 Member

We have the same problem, but in my case I have many agents with "Connection Lost".

I tried to uninstall the agent, but the "Agent Tampering Protection" blocks the process. I also tried to resolve this by disabling protection with the command "cytool protect disable file", but it asks me for the supervisor password and I don't know what it is, because I tried with my user password.

The supervisor password is actually the uninstall password that is defined within your agent profile.  If you do not know the password, please reach out to Support.  They can assist you with removing the agent.  


David Falcon 
Solutions Architect, Cortex
Palo Alto Networks® 

Also, if your supervisor password does not work, just try to hit "ENTER" on the password prompt.

 

If your policies were never applied correctly, the supervisor password is probably empty.

Martin Cimone

I tried that but it didn't work.

I've never heard of a blank password.  You are prompted to set an uninstall password during initial configuration.  There is a default password in the event you never establish connectivity that may be helpful.  


Check step 2 in this link:  https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/custo...


David Falcon 
Solutions Architect, Cortex
Palo Alto Networks® 

L4 Transporter

Hi @TimGowen 

 

There are scenarios when the XDR agent installation package gets deleted by mistake from the Cortex tenant resulting in agents going into the "Connection Lost" status. Have you tried reaching out to Support to see if they could confirm if this is causing your problem? If they can determine that this is the case, there is a chance that they will be able to restore the installation package, and ultimately, the connectivity to your endpoints.

--gjenkins