Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7790
Views
0
Helpful
4
Replies

AMP - Outdated Definitions, Endpoints not checking in after Connector Update

phonehome
Level 1
Level 1

‎01-10-2019 06:37 AM - edited ‎02-20-2020 09:07 PM

We are seeing several endpoints not checking in or receiving definition updates after being updated to connector version 6.2.3.10814. There is nothing unique about these machines in our environment.

The last 3 events for these machines are as follows:

endpoint started a product update

endpoint is currently unprotected. A reboot is required to finish the update and restore Connector protection.

endpoint requested a reboot

After rebooting, the machines do not check in and the last seen date is when the connector was updated. Subsequent reboots have no effect. Is there a way to force these machines to check in or force an update?

Thanks

1 person had this problem
Labels:
0 Helpful
4 Replies 4

Jetsy Mathew
Cisco Employee
Cisco Employee

‎01-10-2019 06:50 AM

Hello  phonehome

 

After the reboot, does it reflects the latest connector version and is the connector status is still showing as connected or disconnected in the endpoint?A diagnostic support file from any of the endpoint would be helpful to verify the definition update logs to know more about the issue. As per my knowledge there is no force way of updating tetra definitions. 

 

Also, can you verify if there is any connection break towards the tetra definition update server based on the cloud that you have registered with? Based on the server address you can even run a wireshark capture and leave it for a day in any of the endpoint client to see if there is any connection break. You can filter the packet capture and it  will help you to confirm if the communication is successful or not.  

 

https://www.cisco.com/c/en/us/support/docs/security/sourcefire-amp-appliances/118121-technote-sourcefire-00.html

 

Let me know if you have any queries on same.

 

Regards

Jetsy 

0 Helpful

Jetsy Mathew
Cisco Employee
Cisco Employee
In response to Jetsy Mathew

‎01-10-2019 06:58 AM

Hello phonehome

 

As a quick step to check the successful communication, you can try running the following from any of the endpoint cmd.

 

C:\Program Files\Cisco\AMP\X.X.X\connectivitytool.exe

 

Once you run the script, it will generate a log file which is connectivitytool.exe.log on which you can check the connection status.

But this will not help you if the connection break is happening intermittently.

 

Regards

Jetsy

0 Helpful

phonehome
Level 1
Level 1
In response to Jetsy Mathew

‎01-14-2019 09:26 AM

I've spot checked a few machines and it looks like the AMP service did not start after the update and reboot. The service was set to automatic start up so not sure why this would happen. Any idea?

 

Thanks

0 Helpful

Matthew Franks
Cisco Employee
Cisco Employee
In response to phonehome

‎01-14-2019 09:30 AM

We haven't seen any instances of the service not starting after the 6.2.3 upgrade.  I would recommend opening a TAC case and uploading logs from those endpoints so one of our Techs can take a look at the details.

 

Thanks,

Matt

0 Helpful
Customers Also Viewed These Support Documents