Endpoint shown as 'Connection Lost' - cannot reach

TimGowen
L0 Member

I have a user (my boss) who is one of several endpoints with a status of 'Connection Lost'. I'm not actually able to ping him from the DNS server when he is plugged in to the network at work; the XDR portal reports two IP addresses which are probably from his domestic wifi.

Running the msi to install isn't possible because tamper protection is enabled so I am not sure how I can get Cortex XDR running properly again.

I am guessing that this and other 'Connection Lost' issues are down to IP changes but... how can I clean up the portal and re-establish broken connections?

MartinCimone
L1 Bithead

'Connection Lost' means that your endpoint has not communicated with Cortex Console for more than 30 days.

You should investigate the machine locally to find out what the problem is. It is probably a network issue or some kind of block (firewall, app, etc.) preventing the Agent from communicating with Cortex Servers.

This has nothing to do with the number of IP addresses you can see in Cortex Console.

Btw, you can disable the Anti-Tampering with the command: cytool.exe protect disable

Martin Cimone
TimGowen
L0 Member

Thanks. I have got advice to remove the client and re-install and there is a utility for doing this for Windows... is there a Mac utility too, as one of these is a Mac?

One of the disconnected Windows agents, on a server, couldn't have been due to a network issue - or if it was, the connection was not re-made when whatever happened was over. So I had to remove the agent and reinstall.

Tim

fevargas
L0 Member

We have the same problem, but in my case I have many agents with "Connection Lost".

I tried to uninstall the agent, but the "Agent Tampering Protection" blocks the process. I also tried to resolve this by disabling the protection with the command "cytool protect disable file", but it asks me for the supervisor password and I don't know what it is, because I tried with my user password.

dfalcon
L4 Transporter

The supervisor password is actually the uninstall password that is defined within your agent profile.  If you do not know the password, please reach out to Support.  They can assist you with removing the agent.  


David Falcon 
Solutions Architect, Cortex
Palo Alto Networks® 
MartinCimone
L1 Bithead

Also, if your supervisor password does not work, just try to hit "ENTER" on the password prompt.

If your policies were never applied correctly, the supervisor password is probably empty.

Martin Cimone
fevargas
L0 Member

I tried that but it didn't work.

dfalcon
L4 Transporter

I've never heard of a blank password.  You are prompted to set an uninstall password during initial configuration.  There is a default password in the event you never establish connectivity that may be helpful.  


Check step 2 in this link:  https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/custo...


David Falcon 
Solutions Architect, Cortex
Palo Alto Networks® 
gjenkins
L4 Transporter

Hi @TimGowen

There are scenarios when the XDR agent installation package gets deleted by mistake from the Cortex tenant resulting in agents going into the "Connection Lost" status. Have you tried reaching out to Support to see if they could confirm if this is causing your problem? If they can determine that this is the case, there is a chance that they will be able to restore the installation package, and ultimately, the connectivity to your endpoints.

--gjenkins