How to troubleshoot Endpoint Detection and Response connection issues
Technical Articles ID: KB93645
Last Modified: 2023-06-30 10:58:01 Etc/GMT
Environment
Endpoint Detection and Response (EDR)
Problem
You see one or more of the following issues:
- Content isn't displayed in the EDR Monitoring Workspace Page.
- Real-time searches don't respond.
- A triggered threat doesn't populate the dashboard.
- There are no servers listed in https://ui.soc.trellix.com/support (or your geo logon).
  NOTE: Remember that https://ui.soc.mcafee.com isn't multigeo aware. You must log on to your geo manager to see the connected servers.
- /var/McAfee/dxlbroker/logs/IPE.log lists one or more of the errors below:
  403 Forbidden
  Below minimum threshold
  502 Bad Gateway
- In %programdata%\mcafee\Mar\data\Mar.log, or on the Linux or Mac client in /var/McAfee/Mar/data/mar.log, you see the error below:
  Could not send traces to cloud.
- <ePO install dir>\Server\logs\orion.log lists one or more of the errors below:
  vpc URL from DXL cloud databus is empty
  Expected URL scheme 'http'
  Error trying to connect with vpc
  Failed to provision with IAM
- \ProgramData\McAfee\Data_Exchange_Layer\dxl_service.log or /var/McAfee/dxl/DXL_service.log lists one or more of the errors below:
  DxlMQTTConnection: waitForConnection: error = 10060 : A connection attempt failed
  An existing connection is forcibly closed by the remote host
Solution
- Verify that you have the correct extensions installed and that they're up to date:
  - Open the ePO manager and click Menu, Software, Extensions.
  - You must have the latest versions of the following extensions installed. Install and update the extensions as needed:
    - EDR Client Extension
    - EDR Endpoint Snapshot tool
    - EDR Extension
- Verify that your DXL fabric shows as Connected:
  - Click Menu. Under System, click Data Exchange Layer Fabric.
  - View the Fabric status.
  - If the Fabric status shows Connected, continue to the next step.
  - If the Fabric status shows no brokers connected or other connection issues, see the "Troubleshooting the installation" section in the DXL Installation Guide.
- EDR clients communicate through your DXL Broker to EDR. DXL Brokers must connect to the IAM/EDR back-end properly for communication to work. For each of your DXL Brokers, check the DXL fabric for errors:
  - Click the Broker in the middle of the screen.
  - Select the Extension tab on the right side of the screen.
  - See if there are any error messages. Recent error messages show issues with client communication or alerts.
  - Resolve any connectivity issues and then continue to the next step.
  - If you see "error while sending http request: UnknownHostException," check whether your DXL Broker DNS can resolve the API URL to an IP address (API URL from step 4c).
    Example: nslookup api.soc.trellix.com <DNSSERVERIP>
  - If you encounter issues during troubleshooting, open a Service Request.
- Check endpoint connectivity, specifically the DXL connection status:
  - Click System Tree, select the client, then click Actions, DXL, Look up in DXL.
  - View the pop-up message. The correct status is Connection state = Connected.
  - If you see a status of Connection state = Connected, go to step 6 (Verify the MVISION Cloud bridge (server settings)).
  - If you see a status of Connection state = Not Connected:
    - Check your DXL logs for errors. See the "Troubleshooting the Installation" section of the DXL Installation Guide.
    - If you can't resolve the error in the DXL logs, you must collect data before you open a Service Request. For details, see KB92052 - Data needed for Data Exchange Layer (Client-side) issues.
- Verify and set your DXL Cloud Databus (server settings), URL, and Proxy to your appropriate data center:
  - Open the ePO manager.
  - Click Menu, Server Settings, DXL Cloud Databus.
  - Verify that your data center is populated with the correct location information as listed below, and correct any mistakes as needed:
  - Confirm that your firewalls and proxy server allow access to the URLs and ports listed in the EDR Installation Guide. Configure your firewalls and proxies to allow all traffic listed in that guide through.
- Verify whether the MVISION Cloud bridge (server settings) is linked using the proper username and password:
  - Click Menu, Server Settings, MVISION Cloud Bridge.
  - The expected Status is This server is linked. If you don't see this status, relink the account:
    - Remove the following Extensions:
      - EDR Extension
      - MVISION Cloud Bridge
    - Reinstall the EDR Extension.
      NOTE: This action installs the MVISION Cloud bridge.
    - Link the account with the correct username and password.
  - View the Linked Account and make sure that it's using the correct username for your account. If the account is incorrect, edit the current MVISION Cloud Bridge settings and insert the new or correct username and password.
- Verify whether the MVISION EDR (server settings) shows a status of Connection Successful:
  - Click Menu, Server Settings, MVISION EDR Settings.
  - View the MVISION EDR Cloud services. The expected status is:
    Connection status = Connection Successful
    Monitoring Status = true
  - If you don't see these settings, view the orion.log for errors and search the Knowledge Base for solutions to those errors. Otherwise, continue troubleshooting.
- Verify that the NTP settings between ePO and the DXL broker are set and that there's no lag between their clocks. Configure the clocks on each server to match the same time with no difference between them.
- Verify whether at least one or more EDR clients are deployed with the trace plug-in enabled:
  - Select the system tree with EDR installed.
  - View System details, Products for MVISION EDR.
  - On the Product tab, click MVISION EDR.
  - Under plug-ins, confirm whether TraceScanner is reporting as Enabled.
  - Under EDR Properties, verify that Last Trace communication is current (less than one hour).
  - If you see errors, or there are no traces reporting: enable debug logging (see the "Related information" section), reproduce the issues, and check your client's mar.log file for issues.
  - If you don't see errors and the status is Green: continue to step 10.
  - If you don't see errors and the status is Red: make sure that your settings are enabled for tracing. For information, see the "Trace Policy Configuration" section in the EDR Product Guide.
- Check whether your ePO server is listed in the EDR Manager Support page:
  - US West data center
  - US East data center
  - Frankfurt data center
  - Sydney data center
  - Canada data center
  - If you see errors or the server isn't listed: check the orion.log and IPE.log for errors and search the Knowledge Base for solutions to those errors.
- If you see ePO Connected to the Support page, but traces still don't reach the cloud:
  - Open a command-line session on the Broker running IPE.
  - Verify that all communication to the API is opened properly from the DXL Broker:
    - If you're behind a proxy, type the following and press Enter:
      curl -x proxy:port -v -X POST -H "Content-Type:application/json; charset=utf-8" <URL from API section above depending on your region (step 4c)>
    - If you aren't behind a proxy server, type the following and press Enter:
      curl -v -X POST -H "Content-Type:application/json; charset=utf-8" <URL from API section above depending on your region (step 4c)>
  - View the output from the above command. A correct lookup contains the following:
    CONNECT api.soc.eu-central-1.trellix.com:443 HTTP/1.1
    Host: api.soc.eu-central-1.trellix.com:443
    User-Agent: curl/7.29.0
    Proxy-Connection: Keep-Alive
    Content-Type:application/json; charset=utf-8
    HTTP/1.0 200 Connection established
    Proxy replied OK to CONNECT request
    Successfully set certificate verify locations:
    * CAfile: /etc/pki/tls/certs/ca-bundle.crt
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using ECDHE-RSA-AES128-GCM-SHA256
    * Server certificate:
    * subject: C=US; postalCode=97006; ST=OR; L=BEAVERTON; street=SUITE 100; street=20460 NW VON NEUMANN DRIVE; O=McAfee, Inc.; OU=Engineering; OU=Hosted by Trellix Inc.; OU=Multi-Domain SSL; CN=ui.soc.trellix.com
    * start date: 2019-05-22 00:00:00 GMT
    * expire date: 2021-05-21 23:59:59 GMT
    * subjectAltName: api.soc.eu-central-1.trellix.com matched
    * issuer: C=US; ST=CA; L=Santa Clara; O=McAfee, Inc.; CN=McAfee OV SSL CA 2
    * SSL certificate verify ok.
    POST /cloudproxy/databus/produce HTTP/1.1
    User-Agent: curl/7.29.0
    Host: api.soc.eu-central-1.trellix.com
    Accept: */*
    Content-Type:application/json; charset=utf-8
  - If you see a different response or an Invalid Connection error, verify whether SSL inspection is enabled (you might need to involve your network team to verify).
    NOTE: SSL inspection isn't supported for EDR.
  - If you see the above output, the issue is resolved.
  - If you're still facing issues, open a Service Request.
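The following helper is added here as an example; it is not part of this article or of the product. It wraps the curl check from the step above (with or without a proxy), saves the verbose output, and then checks that output for the markers the article lists as a correct lookup: the proxy accepting the CONNECT request, the server certificate verifying, and the POST to the databus endpoint being sent. The API URL and proxy values, the constructed sample transcripts, and the certificate-issuer heuristic used to flag likely SSL inspection are assumptions of this example, not statements from the article.

```shell
#!/bin/sh
# Added example, not part of the KB article or the product.
# Substitute the API URL for your region (from the DXL Cloud Databus
# server settings) and your proxy host:port when running probe_api.

# Run the article's curl POST and capture everything curl prints.
# usage: probe_api <api_url> <outfile> [proxy_host:port]
probe_api() {
    url="$1"; out="$2"; proxy="$3"
    if [ -n "$proxy" ]; then
        curl -x "$proxy" -v -X POST -H "Content-Type:application/json; charset=utf-8" "$url" >"$out" 2>&1
    else
        curl -v -X POST -H "Content-Type:application/json; charset=utf-8" "$url" >"$out" 2>&1
    fi
}

# Check a saved curl -v transcript for the markers the article expects.
# Prints what is missing; returns 0 when the output matches, 1 otherwise.
# usage: check_transcript <file> <behind_proxy: 1 or 0>
check_transcript() {
    file="$1"; behind_proxy="$2"; rc=0
    if [ "$behind_proxy" = "1" ]; then
        grep -q "200 Connection established" "$file" \
            || { echo "missing: proxy did not accept the CONNECT request"; rc=1; }
    fi
    grep -q "SSL certificate verify ok" "$file" \
        || { echo "missing: server certificate did not verify"; rc=1; }
    grep -q "POST /cloudproxy/databus/produce" "$file" \
        || { echo "missing: POST to the databus endpoint was never sent"; rc=1; }
    # Heuristic (an assumption of this example, not from the article): an issuer
    # other than the vendor CA shown in the article's sample output is what SSL
    # inspection looks like here, because an inspecting proxy re-signs the
    # server certificate with its own CA.
    if grep -q "issuer:" "$file" && ! grep "issuer:" "$file" | grep -q "O=McAfee, Inc."; then
        echo "warning: unexpected certificate issuer; check whether SSL inspection is enabled"
        rc=1
    fi
    return $rc
}

# Constructed sample transcript, abridged from the article's expected output,
# so the checker can be exercised offline.
write_good_sample() {
    cat >"$1" <<'EOF'
CONNECT api.soc.eu-central-1.trellix.com:443 HTTP/1.1
HTTP/1.0 200 Connection established
* SSL certificate verify ok.
*  issuer: C=US; ST=CA; L=Santa Clara; O=McAfee, Inc.; CN=McAfee OV SSL CA 2
> POST /cloudproxy/databus/produce HTTP/1.1
EOF
}

# Constructed transcript of the failure case: an inspecting proxy's CA
# re-signed the server certificate (issuer name is made up for this example).
write_inspected_sample() {
    cat >"$1" <<'EOF'
CONNECT api.soc.eu-central-1.trellix.com:443 HTTP/1.1
HTTP/1.0 200 Connection established
* SSL certificate verify ok.
*  issuer: CN=Example Corp TLS Inspection CA
> POST /cloudproxy/databus/produce HTTP/1.1
EOF
}

# Stand-alone demonstration on the constructed samples.
demo() {
    tmp=$(mktemp)
    write_good_sample "$tmp"
    check_transcript "$tmp" 1 && echo "good sample: OK"
    write_inspected_sample "$tmp"
    check_transcript "$tmp" 1 || echo "inspected sample: flagged as expected"
    rm -f "$tmp"
}
```

Against a live broker, run `probe_api <api_url> /tmp/api.txt proxy:port` followed by `check_transcript /tmp/api.txt 1` (use `0` as the second argument when no proxy is in the path); `demo` exercises only the constructed samples and makes no network connection.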
Related Information
To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.
- If you are a registered user, type your User ID and Password, and then click Log In.
- If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.
Default log locations:
- Active Response log (EDR Client)
C:\ProgramData\McAfee\MAR\data\Mar.log
- Orion log (EPO Server):
<epo install dir>\server\logs\orion.log
- DXL Broker logs (DXL Broker):
/var/McAfee/dxlbroker/logs/dxlbroker.log
- DXL Service Logs (DXL Broker):
/var/McAfee/dxl/DXL_service.log
- IPE Logs (DXL Broker):
/var/McAfee/dxlbroker/logs/ipe.logs
How to enable EDR Debug logging:
- Open your EDR Policy.
- Click the General tab and deselect the option Enable data folder protection.
- Click the Trace tab and set Log Level to Debug.
- Click the Logger tab:
  - Set Level to Debug.
  - Set Buffer Size to 1.
  - Set Maximum size of the log file to 50 (MB).
- Apply the Policy to your client and verify in the mar.log that you see [D] (for Debug) reporting in the log.
- Reproduce the issue or perform your troubleshooting.
- Set your policy back to defaults when debugging is completed:
  - Open your EDR Policy.
  - Click the General tab and select the option Enable data folder protection.
  - Click the Trace tab and set Log Level to Info.
  - Click the Logger tab:
    - Set Level to Info.
    - Set Buffer Size to 20.
    - Set Maximum size of the log file to 10 (MB).
  - Apply the Policy to your client.
- Collect the logs as directed by Technical Support.
To collect MERs from the ePO server and DXL Broker that you're troubleshooting, see the following resources:
- ePO server: KB92065 - ePO-MER Walkthrough Guide
- DXL Broker: KB82851 - How to use the Data Exchange Layer server MER tool for Linux or UN
For product documents, go to the Product Documentation portal.