Azure ATP Sensor connection issues

Hi there,

We have some problems with our ATP sensors. We have the following setup:

Forest with two domains (peer domains)

VMware - Cluster with 7 DCs (6 ESX Hosts).

3 Standalone Sensor VMs tied to 2-3 DCs on the same host so that port mirroring works.

We have configured this in Azure ATP portal so it matches the host to sensor assignment.

From time to time we get communication issues in Azure ATP portal. (Some domain controllers are unreachable by a Sensor)

The error message changes often so it is not always the same DC that can't be reached.

I've checked that TSO offloading is disabled on all sensor VMs. Also I manually checked the communication from sensor VMs to the DCs.

I can see the following error message in Tri.Sensor-Errors.log at the time of the error in Azure ATP Portal:

Error GroupPolicyHelper GetKerberosPolicy failed [domainDnsName=domain.local defaultDomainPolicyIniFilePath=\\domain.local\sysvol\domain.local\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf]

Maybe someone has an idea what could be wrong.

Best regards,

Bernd

1 Reply
TSO offloading is not related to DC communication. It's related to network capturing.
The error with the UNC path might be related if there are really network issues between the sensors and the specified DCs.
I suggest opening a support case so the support engineer can review the entire set of logs.
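The logged error is the sensor failing to read the Default Domain Policy's GptTmpl.inf over a SYSVOL UNC path, so one way to turn the intermittent portal alert into per-DC evidence is to repeat that exact read from each sensor VM against every DC it is assigned to. The script below is an added diagnostic, not code from the thread or from the Azure ATP product; the DC names are assumed placeholders, and it assumes the well-known GUID of the Default Domain Policy where the log line shows {GUID}.

```powershell
# Added diagnostic for the thread above: run on each sensor VM against the DCs
# assigned to it, and keep the output so failures can be correlated with the
# portal's "domain controllers unreachable" timestamps.
param(
    [string]$DomainDnsName = 'domain.local',            # as in the logged path
    [string[]]$DomainControllers = @('dc1', 'dc2'),     # assumed placeholder names
    # Well-known Default Domain Policy GUID; the log line redacts it as {GUID}
    [string]$PolicyGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
)

function Test-SensorDcReachability {
    param([string]$Dc, [string]$Domain, [string]$Guid)
    $result = [ordered]@{ DC = $Dc; Time = Get-Date -Format 'yyyy-MM-dd HH:mm:ss' }

    # 1. Name resolution and TCP 445 (SMB), the transport the UNC read depends on
    $result.DnsOk = [bool](Resolve-DnsName -Name $Dc -ErrorAction SilentlyContinue)
    $tcp = Test-NetConnection -ComputerName $Dc -Port 445 -WarningAction SilentlyContinue
    $result.Smb445Ok = $tcp.TcpTestSucceeded

    # 2. Read GptTmpl.inf from THIS DC's own SYSVOL replica rather than the
    #    domain DFS path, so a single misbehaving DC is visible instead of hidden
    #    behind DFS referral to a healthy one
    $inf = "\\$Dc\SYSVOL\$Domain\Policies\$Guid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    try {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        $content = Get-Content -LiteralPath $inf -ErrorAction Stop
        $result.GptReadMs = $sw.ElapsedMilliseconds

        # Keep only the [Kerberos Policy] section, which is what GetKerberosPolicy needs
        $inSection = $false
        $result.KerberosPolicy = foreach ($line in $content) {
            if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Kerberos Policy'); continue }
            if ($inSection -and $line -match '=') { $line.Trim() }
        }
        $result.GptReadOk = $true
    } catch {
        $result.GptReadOk = $false
        $result.Error = $_.Exception.Message   # e.g. access denied vs. network path not found
    }
    [pscustomobject]$result
}

$DomainControllers |
    ForEach-Object { Test-SensorDcReachability -Dc $_ -Domain $DomainDnsName -Guid $PolicyGuid } |
    Format-List
```

Scheduling this every few minutes and appending the objects to a CSV gives a timeline in which a DC whose Smb445Ok or GptReadOk flips to false at the moment the portal alert appears points to a network or SYSVOL replication problem on that specific DC rather than the sensor.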