How to troubleshoot Endpoint Detection and Response connection issues
Technical Articles ID:
KB93645
Last Modified: 9/7/2021
Environment
McAfee MVISION Endpoint Detection and Response (EDR) 3.x
Problem
You see one or more of the following issues:
- Content isn’t displayed in the EDR Monitoring Workspace Page.
- Real-time searches don’t respond.
- A triggered threat doesn’t populate the dashboard.
- There are no servers listed in https://ui.soc.mcafee.com/support (or your geo logon).
  NOTE: Remember that https://ui.soc.mcafee.com isn’t multi-geo aware. You must log on to your geo manager to see the connected servers.
- /var/McAfee/dxlbroker/logs/IPE.log lists one or more of the errors:
  403 Forbidden
  Below minimum threshold
  502 Bad Gateway
- In the Windows client, %programdata%\mcafee\Mar\data\Mar.log, or in the Linux or Mac client, /var/McAfee/Mar/data/mar.log, you see the error:
  Could not send traces to cloud.
- <ePO install dir>\Server\logs\orion.log lists one or more of the errors:
  vpc URL from DXL cloud databus is empty
  Expected URL scheme 'http'
  Error trying to connect with vpc
  Failed to provision with IAM
- \ProgramData\McAfee\Data_Exchange_Layer\dxl_service.log or /var/McAfee/dxl/DXL_service.log lists one or more of the errors:
  DxlMQTTConnection: waitForConnection: error = 10060 : A connection attempt failed
  An existing connection was forcibly closed by the remote host
Solution
1. Verify that you have the correct extensions installed and that they’re up to date:
   a. Open the ePO manager and click Menu, Software, Extensions.
   b. You must have the latest versions of the following extensions installed. Install and update the extensions as needed:
      - MVISION EDR Client Extension
      - MVISION EDR Endpoint Snapshot tool
      - MVISION EDR Extension
2. Verify that your DXL fabric shows Connected:
   a. Click Menu. Under System, click Data Exchange Layer Fabric.
   b. View the Fabric status.
      - If the Fabric status shows Connected, continue to the next step.
      - If the Fabric status shows no brokers connected or other connection issues, see the section "Troubleshooting the installation" in the DXL installation guide.
   EDR clients communicate through your DXL broker to EDR. DXL brokers must connect to the IAM/EDR back-end properly for communication to work.
   c. For each of your DXL brokers, check the DXL Fabric for errors:
      - Click the Broker in the middle of the screen.
      - Select the Extension tab on the right side of the screen.
      - See if there are any error messages. Recent error messages show issues with client communication or alerts.
      - Resolve any connectivity issues and then continue to the next step.
      - If you see "error while sending http request: UnknownHostException", check that your DXL Broker DNS can resolve the API URL (the URL for your region from step 4c) to an IP address.
        Example: nslookup api.soc.mcafee.com <DNSSERVERIP>
      - If you encounter issues troubleshooting, open a Service Request.
3. Check endpoint connectivity, specifically the DXL Connection status:
   a. Click System Tree, select the client, then click Actions, DXL, Look up in DXL.
   b. View the pop-up message. The correct status is Connection state = Connected.
      - If you see a status of Connection state = Connected, go to step 6 (Verify the MVISION Cloud bridge server settings).
      - If you see a status of Connection state = Not Connected, check your DXL logs for errors. See the "Troubleshooting the Installation" section of the Data Exchange Layer installation guide. If you can't resolve the error in the DXL logs, you must collect data before you open a Service Request. For details, see KB92052 - Data needed for Data Exchange Layer (Client-side) issues.
4. Verify and set your DXL Cloud Databus (server settings), URL and Proxy to your appropriate data center:
   a. Open the ePO manager.
   b. Click Menu, Server Settings, DXL Cloud Databus.
   c. Verify that your data center is populated with the correct location info as listed below. Correct any mistakes as needed:
      - U.S. West data center: https://api.soc.mcafee.com/cloudproxy/databus/produce
      - U.S. East data center: https://api.soc.us-east-1.mcafee.com/cloudproxy/databus/produce
      - Frankfurt data center: https://api.soc.eu-central-1.mcafee.com/cloudproxy/databus/produce
      - Sydney data center: https://api.soc.ap-southeast-2.mcafee.com/cloudproxy/databus/produce
      - Canada data center: https://api.soc.ca-central-1.mcafee.com/cloudproxy/databus/produce
5. Confirm that your firewalls and proxy server allow access to the URLs and ports listed in the EDR installation guide. Configure your firewalls and proxies to allow all traffic listed in that guide through.
6. Verify that the MVISION Cloud bridge (server settings) is linked using the proper user name and password:
   a. Click Menu, Server Settings, MVISION Cloud Bridge.
   b. The expected Status is:
      This server is linked
      If you don't see the above as the status, relink the account:
      - Remove the following extensions:
        - MVISION EDR Extension
        - MVISION Cloud Bridge
      - Reinstall the MVISION EDR Extension.
        NOTE: This action installs the MVISION Cloud bridge.
      - Link the account with the correct user name and password.
   c. View the Linked Account and make sure it uses the correct user name for your account. If the account is incorrect, edit the current MVISION Cloud Bridge settings and insert the new or correct user name and password.
7. Verify that MVISION EDR (server settings) shows a status of Connection Successful:
   a. Click Menu, Server Settings, MVISION EDR Settings.
   b. View the MVISION EDR Cloud services. The expected status is:
      Connection status = Connection Successful
      Monitoring Status = true
      If you don't see these settings, view the orion.log for errors and search the Knowledge Base for solutions to those errors. Otherwise, continue troubleshooting.
8. Verify that NTP settings between ePO and the DXL broker are set and that there is no lag between their clocks. Configure the clocks on each server to match, with no difference between them.
9. Verify that at least one EDR client is deployed with the trace plug-in enabled:
   a. In the System Tree, select a system with EDR installed.
   b. View System details, Products for MVISION EDR.
   c. On the Product tab, click MVISION EDR.
   d. Under plug-ins, confirm that TraceScanner is reporting as Enabled.
   e. Under EDR Properties, verify that Last Trace communication is current (less than one hour).
      - If you see errors, or there are no traces reporting: enable debug logging (see Related Information), reproduce the issue, and check your client's mar.log file for issues.
      - If you don't see errors and the status is Green: continue to step 10.
      - If you don't see errors and the status is Red: make sure that your settings are enabled for tracing. For information, see the "Trace Policy Configuration" section in the EDR product guide.
10. Check that your ePO server is listed in the EDR manager Support page for your data center:
    - U.S. West data center
    - U.S. East data center
    - Frankfurt data center
    - Sydney data center
    - Canada data center
    a. If you see errors or the server isn’t listed: check the orion.log and IPE.log for errors and search the Knowledge Base for solutions to those errors.
    b. If you see ePO Connected on the support page, but traces still don’t reach the cloud:
       - Open a command-line session on the Broker running IPE.
       - Verify that all communication to the API is opened properly from the DXL broker:
         If you are behind a proxy, type curl -x proxy:port -v -X POST -H "Content-Type:application/json; charset=utf-8" <URL for your region from step 4c> and press Enter.
         If you aren’t behind a proxy server, type curl -v -X POST -H "Content-Type:application/json; charset=utf-8" <URL for your region from step 4c> and press Enter.
       - View the output from the above command. A correct lookup contains the following:
         CONNECT api.soc.eu-central-1.mcafee.com:443 HTTP/1.1
         Host: api.soc.eu-central-1.mcafee.com:443
         User-Agent: curl/7.29.0
         Proxy-Connection: Keep-Alive
         Content-Type:application/json; charset=utf-8
         HTTP/1.0 200 Connection established
         Proxy replied OK to CONNECT request
         Successfully set certificate verify locations:
         * CAfile: /etc/pki/tls/certs/ca-bundle.crt
         * SSLv3, TLS handshake, Finished (20):
         * SSL connection using ECDHE-RSA-AES128-GCM-SHA256
         * Server certificate:
         * subject: C=US; postalCode=97006; ST=OR; L=BEAVERTON; street=SUITE 100; street=20460 NW VON NEUMANN DRIVE; O=McAfee, Inc.; OU=Engineering; OU=Hosted by McAfee Inc.; OU=Multi-Domain SSL; CN=ui.soc.mcafee.com
         * start date: 2019-05-22 00:00:00 GMT
         * expire date: 2021-05-21 23:59:59 GMT
         * subjectAltName: api.soc.eu-central-1.mcafee.com matched
         * issuer: C=US; ST=CA; L=Santa Clara; O=McAfee, Inc.; CN=McAfee OV SSL CA 2
         * SSL certificate verify ok.
         POST /cloudproxy/databus/produce HTTP/1.1
         User-Agent: curl/7.29.0
         Host: api.soc.eu-central-1.mcafee.com
         Accept: */*
         Content-Type:application/json; charset=utf-8
       - If you see the above output, the issue is resolved.
       - If you see a different response or an Invalid Connection error, verify whether SSL inspection is enabled (you might need to involve your network team to verify).
         NOTE: SSL inspection isn’t supported for EDR.
- If you’re still having issues, open a Service Request.
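As an added example (not code from this KB or from McAfee), the following shell script automates the broker-side checks from steps 2, 4c and 10 and grades the verbose curl output, so a certificate that verifies but is not McAfee's (the SSL inspection case) is reported separately from a blocked or failed connection. It assumes curl and nslookup are installed on the DXL broker, and that PROXY (host:port) and DNS_SERVER are optional environment variables you set.

```shell
#!/bin/sh
# Added example, not from the KB: automates the DNS lookup (step 2), regional
# databus URL (step 4c) and curl POST check (step 10), and grades the verbose
# curl output. Assumed: run on the DXL broker with curl and nslookup installed;
# PROXY (host:port) and DNS_SERVER are optional environment variables.

# Regional databus URLs, as listed in step 4c.
databus_url() {
  case "$1" in
    us-west)   echo "https://api.soc.mcafee.com/cloudproxy/databus/produce" ;;
    us-east)   echo "https://api.soc.us-east-1.mcafee.com/cloudproxy/databus/produce" ;;
    frankfurt) echo "https://api.soc.eu-central-1.mcafee.com/cloudproxy/databus/produce" ;;
    sydney)    echo "https://api.soc.ap-southeast-2.mcafee.com/cloudproxy/databus/produce" ;;
    canada)    echo "https://api.soc.ca-central-1.mcafee.com/cloudproxy/databus/produce" ;;
    *) return 1 ;;
  esac
}

# Grade verbose curl output (stdin) against the expected host ($1):
#   ok            TLS verified and McAfee's certificate matched the host (the "correct lookup")
#   inspection    TLS verified, but not with McAfee's certificate: SSL inspection suspected
#   tls-failure   handshake seen but certificate verification failed
#   no-connection no TLS handshake at all (DNS, firewall or proxy blocking the request)
classify_curl_output() {
  out=$(cat)
  echo "$out" | grep -q "SSL connection using"      || { echo "no-connection"; return 0; }
  echo "$out" | grep -q "SSL certificate verify ok" || { echo "tls-failure"; return 0; }
  if echo "$out" | grep -q "subjectAltName: $1 matched" &&
     echo "$out" | grep "issuer:" | grep -q "O=McAfee"; then
    echo "ok"
  else
    echo "inspection"
  fi
}
# Live check for one region: DNS first (step 2), then the POST from step 10.
check_region() {
  url=$(databus_url "$1") || { echo "unknown-region"; return 2; }
  host=${url#*://}; host=${host%%/*}
  nslookup "$host" ${DNS_SERVER:-} >/dev/null 2>&1 || { echo "dns-failure"; return 1; }
  curl ${PROXY:+-x} ${PROXY:-} -sS -v -X POST \
    -H "Content-Type:application/json; charset=utf-8" "$url" 2>&1 | classify_curl_output "$host"
}
# Constructed sample, trimmed from the "correct lookup" output shown in step 10.
SAMPLE_OK='* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* subjectAltName: api.soc.eu-central-1.mcafee.com matched
* issuer: C=US; ST=CA; L=Santa Clara; O=McAfee, Inc.; CN=McAfee OV SSL CA 2
* SSL certificate verify ok.'
demo() { printf '%s\n' "$SAMPLE_OK" | classify_curl_output api.soc.eu-central-1.mcafee.com; }
case "${1:-}" in --demo) demo ;; *) ;; esac
```

Run it with --demo to grade the embedded sample offline, or source it and call check_region frankfurt (or another region name) on the broker for a live check.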
Related Information
To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.
- If you are a registered user, type your User ID and Password, and then click Log In.
- If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.
Default log locations:
- MAR log (EDR Client): C:\ProgramData\McAfee\MAR\data\Mar.log
- Orion log (ePO Server): <epo install dir>\server\logs\orion.log
- DXL Broker log (DXL Broker): /var/McAfee/dxlbroker/logs/dxlbroker.log
- DXL Service log (DXL Broker): /var/McAfee/dxl/DXL_service.log
- IPE log (DXL Broker): /var/McAfee/dxlbroker/logs/IPE.log
How to enable EDR Debug logging:
- Open your MVISION EDR Policy.
- Click the General tab and deselect the checkbox Enable data folder protection.
- Click the Trace tab and set Log Level to Debug.
- Click the Logger tab:
  - Set Level to Debug.
  - Set Buffer Size to 1.
  - Set Maximum size of the log file to 50 (MB).
- Apply the policy to your client and verify in the mar.log that you see [D] (for Debug) reporting in the log.
- Reproduce the issue or perform your troubleshooting.
- Set your policy back to defaults when debugging is completed:
  - Open your MVISION EDR Policy.
  - Click the General tab and select the checkbox Enable data folder protection.
  - Click the Trace tab and set Log Level to Info.
  - Click the Logger tab:
    - Set Level to Info.
    - Set Buffer Size to 20.
    - Set Maximum size of the log file to 10 (MB).
  - Apply the policy to your client.
- Collect the logs as directed by Technical Support.
To collect MERs from the ePO server, DXL broker, and EDR Client that you’re troubleshooting, see the following resources:
- ePO server: KB92065 - ePO-MER Walkthrough Guide.
- DXL broker: KB82851 - How to use the Data Exchange Layer server MER tool for Linux or UNIX.
- EDR Client: KB59385 - How to use MER tools with supported McAfee products.
For product documents, go to the Product Documentation portal.