Azure ATP Sensors down


We have deployed the ATP sensor on Windows 2012, 2016. It was all working fine, then it suddenly stopped. When we checked the connectivity it was fine, and we don't see any dropped packets in the firewall (i.e. from the DC to the Azure ATP console). We manually restarted the ATP service, but it was not starting, and we found that the atp.azure.com cert got renewed on the same day. When we checked the error logs:

Error CommunicationWebClient+<SendWithRetryAsync>d__9`1 Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Http.HttpRequestExceptionMessage=7INzM3PVZQKggOiiHcWjqw==StackTrace= at async Task<HttpResponseMessage> System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task<HttpResponseMessage> sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)
at async Task<TResponse> Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendAsync<TResponse>(byte[] requestBytes, int offset, int count)
at async Task<TResponse> Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.WebExceptionMessage=qxPMwGWd5A+ohATP3KLBtQ==StackTrace= at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context)
at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Security.Authentication.AuthenticationExceptionMessage=eWPX0eZRxHvsLJzXHd8Smw==StackTrace= at void System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at void System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)InnerException=]]]
at async Task<TResponse> Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)
at async Task<TResponse> Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendAsync<TResponse>(IRequestWithResponse<TResponse> request)
at TResult Microsoft.Tri.Infrastructure.TaskExtension.Await<TResult>(Task<TResult> task)
at new Microsoft.Tri.Sensor.Common.CommonSensorModuleManager()
at new Microsoft.Tri.Sensor.Updater.SensorUpdaterModuleManager()
at ModuleManager Microsoft.Tri.Sensor.Updater.SensorUpdaterService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

 

Could you please help me with the error message? What issue would have caused the ATP sensor to go down?

1 Reply

@Ponniah Indeed, the certs were changed to new ones with a new Root.

Most likely your machine is not yet trusting the new root "DigiCert Global Root".

We updated the docs with the steps needed to fix this, take a look here:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/troubleshooting-atp-known-issues#proxy-authentication-problem-presents-as-a-connection-error
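
One way to confirm the diagnosis in the reply from the affected domain controller, as an added example that is not part of the thread or of Microsoft's documentation: it looks for the root name quoted above in the machine store and shows how the endpoint's certificate chain validates locally. `-HostName` is your sensor's service endpoint (the thread does not give one), and the script assumes a direct outbound connection on port 443 with no proxy.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$HostName,   # sensor service endpoint; not given in the thread
    [int]$Port = 443,
    [string]$RootPattern = '*DigiCert Global Root*'    # root name quoted in the reply
)

# 1. Is a matching root in the machine store (the store a Windows service relies on)?
$roots = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like $RootPattern }
if ($roots) { $roots | Format-List Subject, Thumbprint, NotAfter }
else { Write-Warning "No root matching '$RootPattern' in LocalMachine\Root" }

# 2. Complete a TLS handshake while only recording the validation result,
#    so the certificate can be inspected even when it is not trusted.
$script:leaf = $null
$script:policyErrors = $null
$validate = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $certificate, $chain, $sslPolicyErrors)
    $script:leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
    $script:policyErrors = $sslPolicyErrors
    $true   # diagnostic only: never use an accept-all callback for real traffic
}
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
    $ssl.AuthenticateAsClient($HostName, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
} finally { $tcp.Close() }

# 3. Rebuild the chain in the machine context and report why it fails, if it does.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate trust problems from CRL/OCSP reachability
$trusted = $chain.Build($script:leaf)
"SslPolicyErrors : $($script:policyErrors)"
"Chain trusted   : $trusted"
$chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
$chain.ChainStatus   | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
$status = $chain.ChainStatus.Status
if ($status -contains 'UntrustedRoot' -or $status -contains 'PartialChain') {
    Write-Warning 'Chain does not end in a root trusted by this machine.'
}
```

An `UntrustedRoot` or `PartialChain` status together with an empty result in step 1 matches the `AuthenticationException` raised from `System.Net.TlsStream` in the posted log.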