Why do all endpoints appear as disconnected in the ESM Console?
Table of Contents
4.2 (EoS)
Expand all | Collapse all
-
- Set Up the Endpoint Infrastructure
- Activate Traps Licenses
-
- Endpoint Infrastructure Installation Considerations
- TLS/SSL Encryption for Traps Components
- Configure the MS-SQL Server Database
- Install the Endpoint Security Manager Server Software
- Install the Endpoint Security Manager Console Software
- Manage Proxy Communication with the Endpoint Security Manager
- Load Balance Traffic to ESM Servers
-
- Malware Protection Policy Best Practices
- Malware Protection Flow
- Manage Trusted Signers
-
- Remove an Endpoint from the Health Page
- Install an End-of-Life Traps Agent Version
-
-
- Traps Troubleshooting Resources
- Traps and Endpoint Security Manager Processes
- ESM Tech Support File
-
- Access Cytool
- View the Status of the Agent Using Cytool
- View Processes Currently Protected by Traps Using Cytool
- Manage Logging of Traps Components Using Cytool
- Restore a Quarantined File Using Cytool
- View Statistics for a Protected Process Using Cytool
- View Details About the Traps Local Analysis Module Using Cy...
- View Hash Details About a File Using Cytool
Why do all endpoints appear as disconnected in the ESM Console?
Symptom
The Health page of the
ESM Console reports that all endpoints are disconnected even when
the endpoint can reach the ESM Server.
Possible Causes
- The ESM Server does not meet the prerequisites.
- The Endpoint Security Manager Core service stops and must be restarted. This occurs if you wait more than one hour to install the license key after initially installing the ESM Console software.
- Inbound traffic is not allowed on the port associated with the ESM Server (default is 2125).
Solution
After
each step in the following procedure, verify if Traps can connect
to the ESM Server by selecting Check In Now.
If Traps still can’t connect to the server proceed to each subsequent
step until the issue is resolved.
- Verify that the server meets the prerequisites.
- Verify that the Traps service is running on the endpoint.
- Open the Services Manager:
- Windows XP: From the Start Menu, select Control PanelAdministrative ToolsServices.
- Windows Vista and later: From the Start Menu, select Control PanelSystem and SecurityAdministrative ToolsServices.
- Locate the Traps service (called CyveraService in older versions of Traps) and verify that the service status is Started.
- If the service status is Stopped, double-click the service, then select Start. Click Close.
- Open the Services Manager:
- Verify that the Endpoint Security Manager core service
is running on the ESM Server.
- Open the Services Manager:
- Windows Server 2008: From the Start Menu, select Control PanelAdministrative ToolsServices.
- Windows Server 2012: From the Start Menu, select Control PanelSystem and SecurityAdministrative ToolsServices.
- Locate the Endpoint Security Manager core service (called CyveraServer in older versions of the Endpoint Security Manager) and verify that the service status is Started (Windows Server 2008) or Running (Windows Server 2012).
- If the service status is Stopped or Paused, double-click the service, then select Start. Click Close.
- Open the Services Manager:
- Verify that the port for the ESM Server is open on the
Windows Firewall (default is 2125).
- To check port access from the endpoint:
- Open a command prompt as an administrator.
- Enter the following command to telnet to port 2125 on the ESM Server:
C:\> telnet <esmServerName> 2125
where <esmServerName> is the hostname or IP address of the ESM Server.
- If you are unable to telnet to port 2125, create an
inbound rule to open that port:
- Open the Windows Firewall advanced settings:
- Windows Server 2008: From the Start Menu, select Control PanelWindows FirewallAdvanced Settings.
- Windows Server 2012: From the Start Menu, select Control PanelSystem and SecurityWindows FirewallAdvanced Settings.
- Select Inbound Rules.
- Create a new rule to allow Traps to communicate with the Endpoint Security Manager on port 2125 by selecting the New Rule wizard and following the guided instructions.
- Verify that you can now telnet to port 2125 on the ESM Server from the endpoint.
- To check port access from the endpoint:
- Temporarily disable Windows Firewall.
- Open the Change Action Center settings:
- Windows Server 2008: From the Start Menu, select Control Panel. Double-click Action Center and select Change Action Center settings.
- Windows Server 2012: From the Start Menu, select Control PanelSystem and Security. Double-click Action Center and select Change Action Center settings.
- Deselect the Network firewall option.
- Click OK.
- Open the Change Action Center settings:
- Verify that connectivity is restored between Traps and
the ESM Server.From the Traps Console, click Check In Now. If the connectivity is established, the connection status appears as Successful. If the problems persists, contact Palo Alto Networks support.