Environment
- App Control Agent: All Supported Versions
- Microsoft Windows: All Supported Versions
Objective
How to collect logs to troubleshoot a disconnected Windows Agent
Resolution
- On the disconnected endpoint, open an elevated Command Prompt (Run as Administrator)
- Run the following commands and copy the output:
cd "C:\Program Files (x86)\Bit9\Parity Agent"
dascli password <Global CLI Password>
dascli disconnect
dascli debuglevel 6
dascli nettrace 1
dascli connect
dascli status
tracert <AppCServerName>
netstat -ano | findstr "41002" > "C:\Temp\%ComputerName%-netstat.txt"
nslookup <AppCServerName>
ping <AppCServerName>
netsh winhttp show proxy
(for XP/Server 2003 use: proxycfg)
With PowerShell:
Test-NetConnection -ComputerName <AppCServerName> -Port 41002 -InformationLevel "Detailed"
Test-NetConnection -ComputerName <AppCServerName> -Port 443 -InformationLevel "Detailed"
dascli password <CLI Password>
dascli debuglevel 0
dascli nettrace 0
dascli capture "C:\Temp\%ComputerName%-DisconnectedLogs.zip"
- Upload the results to the Vault.
- Screenshot or text results of the network commands.
- The files generated in "C:\Temp\"
- Once the upload has completed, provide an update on the existing Support Case.
Additional Notes
When debugging is enabled, the file C:\ProgramData\Bit9\Parity Agent\Logs\Trace.bt9 may contain relevant errors (search for winhttp and look for non-zero codes).
While troubleshooting a disconnected agent, Carbon Black Support may request CAPI2 logging and a Wireshark capture. Providing those upfront can reduce the number of log requests you receive from the support group.
- Start CAPI2 logging:
- Start collecting a Wireshark capture:
- If the results of netstat -ano | findstr "41002" show 'TIME_WAIT' instead of 'ESTABLISHED', there is likely an issue with the TLS protocols and/or cipher suites
- Optionally, if Telnet is available, you can check connectivity with:
telnet <AppCServerName> 41002
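
To apply the TIME_WAIT versus ESTABLISHED check above to the saved netstat file, the following PowerShell is an added example and not Carbon Black code; the function name Get-AgentPortState and the sample rows are constructed for illustration. It keeps only rows whose remote port is 41002, because findstr "41002" also matches local ports and PIDs that contain that number.

```powershell
# Added example (not vendor code): classify TCP rows from saved "netstat -ano" output.
# Get-AgentPortState is a hypothetical helper name.
function Get-AgentPortState {
    param([string[]]$Lines, [int]$Port = 41002)

    $remotePort = ':{0}$' -f $Port   # regex: foreign address ends in :<Port>
    $rows = @(foreach ($line in $Lines) {
        # TCP row layout: Proto  LocalAddress  ForeignAddress  State  PID
        $f = "$line".Trim() -split '\s+'
        # Skip UDP rows, headers, and rows where 41002 is only the local port or the PID.
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[2] -match $remotePort) {
            [pscustomobject]@{ Local = $f[1]; Remote = $f[2]; State = $f[3]; OwningPid = $f[4] }
        }
    })

    $states = @($rows | ForEach-Object { $_.State })
    $verdict = if ($states -contains 'ESTABLISHED') {
        'ESTABLISHED: TCP session to the server port is up'
    } elseif ($states -contains 'TIME_WAIT') {
        'TIME_WAIT only: connection opened then closed; review TLS protocols and cipher suites'
    } elseif ($states.Count -gt 0) {
        'Other states only: ' + (($states | Sort-Object -Unique) -join ', ')
    } else {
        "No connection to remote port $Port found"
    }

    [pscustomobject]@{ Port = $Port; Verdict = $verdict; Rows = $rows }
}

# Constructed sample input (documentation-range addresses), not real output.
# The third row has 41002 as the LOCAL port and must be ignored.
$sample = @(
    '  TCP    10.0.0.5:50112    192.0.2.10:41002    TIME_WAIT      0'
    '  TCP    10.0.0.5:50113    192.0.2.10:41002    TIME_WAIT      0'
    '  TCP    10.0.0.5:41002    198.51.100.7:443    ESTABLISHED    4321'
)
$result = Get-AgentPortState -Lines $sample
$result.Verdict
$result.Rows | Format-Table -AutoSize

# On the endpoint, read the file written by the netstat step instead:
# Get-AgentPortState -Lines (Get-Content "C:\Temp\$($env:COMPUTERNAME)-netstat.txt")
```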