Environment
- App Control Agent: All Supported Versions
- Microsoft Windows: All Supported Versions
Objective
How to collect logs to troubleshoot a disconnected Windows Agent
Resolution
- On the disconnected endpoint, open an elevated Command Prompt as Administrator
- Run the following commands and copy the output:
cd "C:\Program Files (x86)\Bit9\Parity Agent"
dascli password <Global CLI Password>
dascli disconnect
dascli debuglevel 6
dascli nettrace 1
dascli connect
dascli status
tracert <AppCServerName>
netstat -ano | findstr "41002" > servernetstatresult.txt
nslookup <AppCServerName>
ping <AppCServerName>
netsh winhttp show proxy
(for XP/Server 2003 use: proxycfg)
With PowerShell:
Test-NetConnection -ComputerName <AppCServerName> -Port 41002 -InformationLevel "Detailed"
Test-NetConnection -ComputerName <AppCServerName> -Port 443 -InformationLevel "Detailed"
dascli password <CLI Password>
dascli debuglevel 0
dascli nettrace 0
dascli capture "c:\temp\%ComputerName%.zip"
- Provide the following to Carbon Black Support team:
- Screenshot or text results of the network commands in step 2
- Zip file from step 2
- Files can be uploaded to: https://community.carbonblack.com/groups/cb-vault
- Once the upload completes, please comment in your case that the data is available for review.
Additional Notes
While troubleshooting a disconnected agent, Carbon Black Support may request CAPI2 logging and a Wireshark capture. Providing those upfront can reduce the number of log requests you receive from the support group.
- Start CAPI2 logging:
- Start collecting a Wireshark capture:
- If results from netstat -ano | findstr "41002" show 'TIME_WAIT' instead of 'ESTABLISHED', then there is likely an issue with the TLS Protocols and/or Cipher Suites.
- Optionally, if Telnet is available, you can check connectivity with:
telnet <AppCServerName> 41002
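Added example (not part of the original article or of Carbon Black tooling): a PowerShell script that applies the TIME_WAIT/ESTABLISHED check above to saved netstat -ano output. It matches 41002 as the remote port only, because findstr "41002" also returns rows where that number is a local port or a PID. The sample rows, addresses and the function name Get-ServerPortConnection are constructed for illustration.

```powershell
# Added example: classify netstat -ano rows for the App Control server port.
$ServerPort = 41002

# Constructed sample of what findstr "41002" can return (addresses and PIDs are made up).
$sample = @'
  TCP    10.0.0.25:50311        10.0.0.5:41002         TIME_WAIT       0
  TCP    10.0.0.25:50312        10.0.0.5:41002         TIME_WAIT       0
  TCP    10.0.0.25:41002        10.0.0.9:445           ESTABLISHED     4
  TCP    10.0.0.25:50400        10.0.0.7:443           ESTABLISHED     41002
'@

function Get-ServerPortConnection {
    param(
        [string[]]$Line,
        [int]$Port
    )
    foreach ($row in $Line) {
        # TCP rows have five fields: Proto, Local Address, Foreign Address, State, PID
        $f = -split $row
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP') { continue }
        # Text after the last ':' is the port, which also works for IPv6 such as [::1]:41002
        $remotePort = ($f[2] -split ':')[-1]
        # Skip rows that only matched on the local port or the PID column
        if ($remotePort -ne "$Port") { continue }
        [pscustomobject]@{
            Local     = $f[1]
            Remote    = $f[2]
            State     = $f[3]
            ProcessId = [int]$f[4]
        }
    }
}

# For a real capture, replace the next line with:
#   $lines = Get-Content .\servernetstatresult.txt
$lines = $sample -split '\r?\n'
$conns = @(Get-ServerPortConnection -Line $lines -Port $ServerPort)

# Per-state count of connections whose remote port is the server port
$conns | Group-Object State | ForEach-Object { '{0}: {1}' -f $_.Name, $_.Count }

if ($conns.Count -eq 0) {
    "No rows with remote port $ServerPort."
} elseif ($conns.State -contains 'ESTABLISHED') {
    "At least one ESTABLISHED connection to remote port $ServerPort."
} elseif ($conns.State -contains 'TIME_WAIT') {
    "Only TIME_WAIT to port $ServerPort, no ESTABLISHED: check TLS protocols and cipher suites."
} else {
    "States seen: $(($conns.State | Sort-Object -Unique) -join ', ')"
}
```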