Endpoint shown as 'Connection Lost' - cannot reach

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Endpoint shown as 'Connection Lost' - cannot reach

L1 Bithead

I have a user (my boss) who is one of several endpoints with a status of 'Connection Lost'. I'm not actually able to ping him from the DNS server when he is plugged in to the network at work; the XDR portal reports two IP addresses which are probably from his domestic wifi.

Running the msi to install isn't possible because tamper protection is enabled so I am not sure how I can get Cortex XDR running properly again.

I am guessing that this and other 'Connection Lost' issues are down to IP changes but... how can I clean up the portal and re-establish broken connections.

8 REPLIES 8

L1 Bithead

'Connection Lost' means that your endpoint has not communicated with Cortex Console for more than 30 days.

 

You should investigate locally the machine to find out what's the problem.  Probably a network issue or some kind of block (firewall, app, ETC) preventing the Agent from communicating with Cortex Servers.

 

This has nothing to do with the number of IP address you can see in Cortex Console.

 

btw, you can disable the Anti Tempering with the command:  cytool.exe protect disable

 

 

Martin Cimone

Thanks. I have got advice to remove the client and re-install and there is a utility for doing this for Windows... is there a Mac utility too, as one of these is a Mac.

 

One of the disconnected Windows agents, on a server, couldn't have been due to a network issue - or if it was the connection was not re-made when whatever happened was over. So I had to remove the agent and reinstall.

 

Tim

L0 Member

we have the same problem but in my case have a many of agent whit "Connection Lost" 

i try to unistall the agent but the "Agent Tampering Protection" block the process. i try too resolve this desible protection whit the command "cytool protect disable file" but it asks me for supervisor password and i dont know what it is becasue i try whit my user pass  

The supervisor password is actually the uninstall password that is defined within your agent profile.  If you do not know the password, please reach out to Support.  They can assist you with removing the agent.  


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

Also, if your supervisor password does not work, just try to hit "ENTER" on the password prompt.

 

If your policies were never applied correctly, the supervisor password is probably empty.

Martin Cimone

i tried that but it didn´t work 

I've never heard of a blank password.  You are prompted to set an uninstall password during initial configuration.  There is a default password in the event you never establish connectivity that may be helpful.  


Check step 2 in this link:  https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/custo...


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

L4 Transporter

Hi @TimGowen 

 

There are scenarios when the XDR agent installation package gets deleted by mistake from the Cortex tenant resulting in agents going into the "Connection Lost" status. Have you tried reaching out to Support to see if they could confirm if this is causing your problem? If they can determine that this is the case, there is a chance that they will be able to restore the installation package, and ultimately, the connectivity to your endpoints.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw
  • 13780 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!