cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure ATP Sensor connection issues

BerndW
Copper Contributor

‎Aug 07 2020 03:01 AM

‎Aug 07 2020 03:01 AM

Azure ATP Sensor connection issues

Hi there,

we have some problems with our ATP sensors. We have the following setup:

 

Forest with two domains (peer domains)

VMWare - Cluster with 7 DCs (6 ESX Hosts).

3 Standalone Sensor VMs tied to 2-3 DCs on the same host so that port mirroring works.

We have configured this in Azure ATP portal so it matches the host to sensor assignment.

 

From time to time we get communication issues in Azure ATP portal. (Some domain controllers are unreachable by a Sensor)

 

The error message changes often so it is not always the same DC that can't be reached.

 

I've checked that TSO offloding is disabled on all sensor VMs. Also I manually checked the communication from sensor VMs to the DCs.

 

I can see the following error message in Tri.Sensor-Errors.log at the time of the error in Azure ATP Portal:

Error GroupPolicyHelper GetKerberosPolicy failed [domainDnsName=domain.local defaultDomainPolicyIniFilePath=\\domain.local\sysvol\domain.local\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf]

 

Maybe someone has an idea what could be wrong.

 

Best regards,

Bernd

1,920 Views
0 Likes
1 Reply
Reply
1 Reply
Eli Ofek

‎Aug 07 2020 03:06 AM

‎Aug 07 2020 03:06 AM

Re: Azure ATP Sensor connection issues

Tso offloading is not related to DC communication. It's related to network capturing.
The error with the unc path might be related if there are really network issues between the sensors and the specified DCs.
I suggest to open a support case so the support engineer can review the entire set of logs.
0 Likes
Reply