Environment
- App Control Agent: All Supported Versions
- Microsoft Windows: All Supported Versions
Objective
How to collect logs to troubleshoot a disconnected Windows Agent.
Resolution
- On the disconnected endpoint, open an administrative command prompt and issue the following commands:
cd "C:\Program Files (x86)\Bit9\Parity Agent"
dascli password GlobalPassword
dascli disconnect
dascli debuglevel 6
dascli nettrace 1
dascli connect
dascli healthcheck
dascli status
- In the returned output, locate: Server Information > Server and note the address
Example: appserver.domain.com:41002 means the Server Address is appserver.domain.com
- Issue the following commands:
netstat -ano | findstr "41002"
nslookup <ServerAddress>
ping <ServerAddress>
tracert <ServerAddress>
netsh winhttp show proxy
(for XP/Server 2003 use: proxycfg)
- Use PowerShell to issue the following commands and save the results to a text file in C:\Temp\
Test-NetConnection -ComputerName <ServerAddress> -Port 41002 -InformationLevel "Detailed" > "C:\Temp\ConnectionTest.txt"
Test-NetConnection -ComputerName <ServerAddress> -Port 443 -InformationLevel "Detailed" >> "C:\Temp\ConnectionTest.txt"
- In the administrative command prompt issue the following commands:
dascli password 'GlobalPassword'
dascli debuglevel 0
dascli nettrace 0
dascli capture "C:\Temp\%ComputerName%-DisconnectedLogs.zip"
- Upload the collected logs to the Vault.
- Once the upload has completed, provide an update on the existing Support Case.
- (Optional) A Wireshark capture may be requested during troubleshooting. Providing it upfront can reduce the number of log requests.
Additional Notes
- When debugging is enabled, the file C:\ProgramData\Bit9\Parity Agent\Logs\Trace.bt9 may contain relevant errors (search for Winhttp and SSLerrors and look for non-zero codes).
- If results from netstat -ano | findstr "41002" show 'TIME_WAIT' instead of 'ESTABLISHED', then there is likely an issue with the TLS Protocols and/or Cipher Suites.
- Optionally, if Telnet is available, you can check connectivity with:
telnet <ServerAddress> 41002
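
The network checks from the Resolution steps, combined into one script as an added example (not vendor-supplied code): it writes every result to C:\Temp\ConnectionTest.txt and applies the TIME_WAIT versus ESTABLISHED rule from the notes above. The parameter names, the Add-Section helper and the verdict wording are assumptions of this example, and it requires a Windows version that provides Test-NetConnection.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory)] [string] $ServerAddress,    # address noted from "dascli status"
    [int]    $AgentPort = 41002,                       # port from the article's example
    [string] $OutFile   = 'C:\Temp\ConnectionTest.txt' # same file the article writes to
)

New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
"Collected $(Get-Date -Format o) on $env:COMPUTERNAME" | Out-File $OutFile

function Add-Section([string] $Title, [scriptblock] $Command) {
    "===== $Title =====" | Out-File $OutFile -Append
    # *>&1 also records errors and warnings, so failed checks are kept as evidence.
    & $Command *>&1 | Out-String | Out-File $OutFile -Append
}

Add-Section 'nslookup'      { nslookup $ServerAddress }
Add-Section 'ping'          { ping $ServerAddress }
Add-Section 'tracert'       { tracert $ServerAddress }
Add-Section 'WinHTTP proxy' { netsh winhttp show proxy }
foreach ($port in $AgentPort, 443) {
    Add-Section "Test-NetConnection port $port" {
        Test-NetConnection -ComputerName $ServerAddress -Port $port -InformationLevel Detailed
    }
}

# Parse "netstat -ano" rows: Proto, Local, Foreign, State, PID.
$conns = @(netstat -ano | ForEach-Object {
    $f = -split $_
    if ($f.Count -eq 5 -and $f[0] -eq 'TCP' -and $f[2] -like "*:$AgentPort") {
        [pscustomobject]@{ Local = $f[1]; Remote = $f[2]; State = $f[3]; OwningPid = $f[4] }
    }
})
Add-Section "netstat (remote port $AgentPort)" { $conns | Format-Table -AutoSize }

# Classify using the TIME_WAIT / ESTABLISHED rule from the notes above.
$verdict = if ($conns.Count -eq 0) {
    "No TCP connection to remote port $AgentPort found; review the DNS, route and proxy sections."
} elseif ($conns.State -contains 'ESTABLISHED') {
    "ESTABLISHED connection to remote port $AgentPort present; the TCP session is up."
} elseif ($conns.State -contains 'TIME_WAIT') {
    'Only TIME_WAIT seen: likely a TLS protocol and/or cipher suite issue.'
} else {
    "Other states seen: $(($conns.State | Sort-Object -Unique) -join ', ')"
}
"VERDICT: $verdict" | Tee-Object -FilePath $OutFile -Append
```

Run it between `dascli connect` and `dascli capture` so the netstat snapshot reflects the agent's current connection attempt.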