How to troubleshoot DLP Agent status not reporting as expected on Enforce

Basic network connectivity

Verify the Agent machine can ping the Endpoint server by name or IP address.

Check both Agent and Aggregator logs for errors.

Within the agent logs, look for the lines following CurlTransportLayer and ServerCommunicatorService. You may notice certificate errors such as handshake failures.

Within the aggregator logs, any communication errors should result in a severe error that describes the problem.

Performance Tuning

There are many settings that relate to performance and convenience within various properties files and the advanced agent settings.

Advanced Agent settings:

ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int

This setting controls how often an agent checks in with the Endpoint Server. This should generally be left at the default of 15 minutes (900 seconds). If this has been decreased, it should not be decreased below 1 minute per every 1000 agents.

CommLayer.NO_TRAFFIC_TIMEOUT_SECONDS.int

This setting controls when the agent will close the connection if no traffic or hearbeat has been received from the server.  Under normal circumstances, this setting should not come into play. Agents should transfer all data and be disconnected by the server well before this time is reached. This should be left at the default of 300 seconds.

EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int

This setting controls when the server will send a heartbeat to the agent to detect if it is still connected. This setting is only used if the agent idle timeout is disabled. The normal, expected, behavior is for traffic to cease for 30 seconds, thus causing the server to disconnect the agent after CommLayer.NO_TRAFFIC_TIMEOUT_SECONDS This should be left at the default of 270 seconds.

EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int

This setting controls when the server will disconnect the agent. When an agent checks in during its normal polling interval, after it has transferred all data, and then remain idle. After 30 seconds of this idle connection, the server will initiate a disconnect on the agent.  This is considered normal and default behavior. This should be left at the default of 30 seconds.

Enforce General Settings

Not reporting time

When navigating to System -> Settings -> General within Enforce, there is a setting labeled ‘Show Agent as “Not Reporting” after’.  This setting controls how long Endpoint Server will wait before it reports to Enforce that the agent has stopped reporting. The default is 18 hours. This setting can be raised or lowered depending on preferences, however it cannot be made lower than ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int.

Server Properties files

MaxQueueSize

Both MonitorController.properties and Aggregator.properties on the endpoint server have a setting of MaxQueueSize. This setting controls how many tasks can be queued on each of the respective servers. The default value is 5000. It is recommended that this value be increased. On Aggregator.properties we should use a value of 2x the number of agents that regularly connect to that server. On MonitorController.properties this should be increased to 10,000.

Triggering an update

Often times, it is assumed that ‘Last Update Time’ refers to the last time the agent checked in. This is false. The ‘Last Update Time’ is only updated when agents’ attributes or statuses receive a new update in the oracle database.

In order to force an update of ‘last update time’, we can modify the description of the agent configuration applied to that agent. This will force an update that will update the agent’s last update time. See Article 162207 for more details.

Load Balancers.

When agents are connected to their endpoint servers. A couple of considerations are needed.

• • • SSL Session Persistence. This refers to whether or not an agent will reuse the same session ID on consecutive handshakes with the server. This should not directly impact agent reporting status
    • Server Affinity. This refers to what server a load balancer will decide to connect an agent to when they check in. In general an agent should check into the same server as it did previously whenever possible. This is because of the strong relationship between ‘Connect_Polling_Interval’ in the advanced agent settings and ‘Not Reporting Time’ in the Enforce General Settings.

Since the entity responsible for signaling to Enforce that an agent is not reporting is an Endpoint server, this occurs as soon as its ‘Not Reporting Time’(18 hours by default) has been reached. If an agent checks in with different servers on each polling interval, then the chance that it will not connect to a server for 18 straight hours is highly likely. At this point, the endpoint server will report the agent as ‘Not Reporting’ despite the agent being successfully connected to another endpoint server.

Cache Deletion 14.0 – 15.0

In some scenarios, the agent may be communicating with a different Endpoint Server than expected, causing the status of the agent to remain unchanged in Enforce. Deleting the Endpoint Server may resolve this issue.

1. 1. Start by forcing an agent to directly connect to a single endpoint server.
   2. Shut down the SymantecDLPDetectionServerService on the Endpoint Server
   3. Delete any files found in SymantecDLP/Protect/agentupdates and SymantecDLP/Protect/agentatttributes.
   4. Restart SymantecDLPDetectionServerControllerService on Enforce.
   5. Start SymantecDLPDetectionServerService on the Endpoint Server.
   6. Update the agent’s configuration to force an update.

Cache Deletion 15.1+ instructions

1. Ensure that the endpoint agent is communicating directly to an endpoint server. If its load balanced we want to force traffic to a specific endpoint server.
2. On the Detection server shut down Symantec DLP Detection Server service.
3. On that same Detection server navigate to the following directory and delete any files present.
   • (15.1) C:ProgramDataSymantecData Loss PreventionDetectionServer15.1agentattributes
   • (15.5) C:ProgramDataSymantecData Loss PreventionDetectionServer15.5agentattributes
4.  Restart Symantec DLP Detection Server Controller on the Enforce Server.
5. Start Symantec DLP Detection Server Service on the Endpoint Detection Server.
6. On Enforce, navigate to: System ->Agents-> Agent Configuration -> <Name of Config>
   1. Select or deselect a monitoring option.
   2. Save the agent configuration.
   3. Publish the agent configuration to the agent group to force the update.