Environment

• App Control Agent: All Versions
• Microsoft Windows: All Supported Versions

Symptoms

• Disconnected Agent
• dascli status shows client information as 'Disconnected (waiting)
• netstat -ano | findstr "41002" returns 'TIME_WAIT' instead of 'ESTABLISHED'
• Windows Event Logs may show the following error "A fatal error occurred while creating a TLS client credential. The internal error state is 10013"
• Trace.bt9 with high debugging enabled may show either or both of the following:

  Server Communication: WaitForResponse End: m_bIsSleeping[0] IsSleeping[0] GetHttpStatus[0]  GetWinHttpError[0]  GetSslError[2147483648]  DataAvailable[0]
  Server Communication: WinHTTP communication error: 12175

Cause

• TLS and/or Cipher Suites Not Enabled on OS

Resolution

1. Use a tool like IISCrypto to display and modify the TLS Protocols & Cipher Suites on the system (https://www.nartac.com/Products/IISCrypto/Download)
2. Using IIS Crypto, compare a connected systems' TLS Protocols & Cipher Suites settings to ensure the non-connected device uses the very same protocols and cipher suites
3. Once a match is confirmed, reboot the device in order for the settings to be applied
4. Once rebooted, confirm if device is now showing as connected in the console, and that the netstat -ano | findstr "41002" returns 'ESTABLISHED'

Additional Notes

• All other connection testing methods seem to show no issues with connection - only the netstat command from above proves to be incomplete/not correct

Related Content