https://community.cisco.com/t5/endpoint-security/amp-outdated-definitions-endpoints-not-checking-in-after/m-p/3776924#M173 <P>We are seeing several endpoints not checking in or receiving definition updates after&nbsp;being updated to connector version&nbsp;<SPAN>6.2.3.10814. There is nothing unique about these machines in our environment.</SPAN></P> <P><SPAN>The last 3 events for these machines are as follows:</SPAN></P> <P><SPAN>endpoint started a product update</SPAN></P> <P><SPAN>endpoint is currently unprotected. A reboot is required to finish the update and restore Connector protection.</SPAN></P> <P><SPAN>endpoint requested a reboot</SPAN></P> <P><SPAN>After rebooting, the machines do not check in and the last seen date is when the connector was updated. Subsequent reboots have no effect. Is there a way to force these machines to check in or force an update?</SPAN></P> <P><SPAN>Thanks</SPAN></P> Fri, 21 Feb 2020 05:07:26 GMT phonehome 2020-02-21T05:07:26Z https://community.cisco.com/t5/endpoint-security/amp-outdated-definitions-endpoints-not-checking-in-after/m-p/3776924#M173 <P>We are seeing several endpoints not checking in or receiving definition updates after&nbsp;being updated to connector version&nbsp;<SPAN>6.2.3.10814. There is nothing unique about these machines in our environment.</SPAN></P> <P><SPAN>The last 3 events for these machines are as follows:</SPAN></P> <P><SPAN>endpoint started a product update</SPAN></P> <P><SPAN>endpoint is currently unprotected. A reboot is required to finish the update and restore Connector protection.</SPAN></P> <P><SPAN>endpoint requested a reboot</SPAN></P> <P><SPAN>After rebooting, the machines do not check in and the last seen date is when the connector was updated. Subsequent reboots have no effect. Is there a way to force these machines to check in or force an update?</SPAN></P> <P><SPAN>Thanks</SPAN></P> Fri, 21 Feb 2020 05:07:26 GMT https://community.cisco.com/t5/endpoint-security/amp-outdated-definitions-endpoints-not-checking-in-after/m-p/3776924#M173 phonehome 2020-02-21T05:07:26Z https://community.cisco.com/t5/endpoint-security/amp-outdated-definitions-endpoints-not-checking-in-after/m-p/3776935#M174 <P>Hello&nbsp;<SPAN>&nbsp;</SPAN><SPAN class="UserName lia-user-name lia-user-rank-Beginner lia-component-message-view-widget-author-username"><A id="link_13" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://community.cisco.com/t5/user/viewprofilepage/user-id/398009" target="_self"><SPAN class="">phonehome</SPAN></A></SPAN></P> <P>&nbsp;</P> <P><SPAN class="UserName lia-user-name lia-user-rank-Beginner lia-component-message-view-widget-author-username"><SPAN class="">After the reboot, does it reflects the latest connector version and is the connector status is still showing as connected or disconnected in the endpoint?A diagnostic support file from any of the endpoint would be helpful to verify the definition update logs to know more about the issue. As per my knowledge there&nbsp;is no force way of updating tetra definitions.&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="UserName lia-user-name lia-user-rank-Beginner lia-component-message-view-widget-author-username"><SPAN class="">Also, can you verify if there is any connection break towards the tetra definition update server based on the cloud that you have registered with? Based on the server address you can even run a wireshark capture and leave it for a day in any of the endpoint client to see if there is any connection break. You can filter the packet capture and it&nbsp; will help you to confirm if the communication is successful or not.&nbsp;&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/sourcefire-amp-appliances/118121-technote-sourcefire-00.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/sourcefire-amp-appliances/118121-technote-sourcefire-00.html</A></P> <P>&nbsp;</P> <P><SPAN class="UserName lia-user-name lia-user-rank-Beginner lia-component-message-view-widget-author-username"><SPAN class="">Let me know if you have any queries on same.</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="UserName lia-user-name lia-user-rank-Beginner lia-component-message-view-widget-author-username"><SPAN class="">Regards</SPAN></SPAN></P> <P><SPAN class="UserName lia-user-name lia-user-rank-Beginner lia-component-message-view-widget-author-username"><SPAN class="">Jetsy&nbsp;</SPAN></SPAN></P> Thu, 10 Jan 2019 14:50:07 GMT https://community.cisco.com/t5/endpoint-security/amp-outdated-definitions-endpoints-not-checking-in-after/m-p/3776935#M174 Jetsy Mathew 2019-01-10T14:50:07Z https://community.cisco.com/t5/endpoint-security/amp-outdated-definitions-endpoints-not-checking-in-after/m-p/3776944#M175 <P>Hello&nbsp;<A id="link_13" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://community.cisco.com/t5/user/viewprofilepage/user-id/398009" target="_self"><SPAN class="">phonehome</SPAN></A></P> <P>&nbsp;</P> <P>As a quick step to check the successful communication, you can try running the following from any of the endpoint cmd.</P> <P>&nbsp;</P> <P><SPAN style="font-style: inherit !important; font-weight: inherit !important;">C:\Program Files\Cisco\AMP\X.X.X\connectivitytool.exe</SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-style: inherit !important; font-weight: inherit !important;">Once you run the script, it will generate a log file which is connectivitytool.exe.log&nbsp;on which you can check the connection status.</SPAN></P> <P><SPAN style="font-style: inherit !important; font-weight: inherit !important;">But this will not help you if the connection break is happening intermittently.</SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-style: inherit !important; font-weight: inherit !important;">Regards</SPAN></P> <P><SPAN style="font-style: inherit !important; font-weight: inherit !important;">Jetsy</SPAN></P> Thu, 10 Jan 2019 14:58:00 GMT https://community.cisco.com/t5/endpoint-security/amp-outdated-definitions-endpoints-not-checking-in-after/m-p/3776944#M175 Jetsy Mathew 2019-01-10T14:58:00Z https://community.cisco.com/t5/endpoint-security/amp-outdated-definitions-endpoints-not-checking-in-after/m-p/3779384#M176 <P>I've spot checked a few machines and it looks like the AMP service did not start after the update and reboot. The service was set to automatic start up so not sure why this would happen. Any idea?</P> <P>&nbsp;</P> <P>Thanks</P> Mon, 14 Jan 2019 17:26:34 GMT https://community.cisco.com/t5/endpoint-security/amp-outdated-definitions-endpoints-not-checking-in-after/m-p/3779384#M176 phonehome 2019-01-14T17:26:34Z https://community.cisco.com/t5/endpoint-security/amp-outdated-definitions-endpoints-not-checking-in-after/m-p/3779391#M177 <P>We haven't seen any instances of the service not starting after the 6.2.3 upgrade.&nbsp; I would recommend opening a TAC case and uploading logs from those endpoints so one of our Techs can take a look at the details.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Matt</P> Mon, 14 Jan 2019 17:30:26 GMT https://community.cisco.com/t5/endpoint-security/amp-outdated-definitions-endpoints-not-checking-in-after/m-p/3779391#M177 Matthew Franks 2019-01-14T17:30:26Z