Mar 10 2020 08:32 AM - edited Mar 10 2020 08:34 AM
We have the ATP Sensor installed on 2 DCs. Both worked till last week.
Since then just one sensor is working. On the other DC it stopped communicating.
When I RDP'd onto the server I saw the service was stopped.
Until today I was able to restart the service. But today the service restart failed, also after a server reboot.
I decided to uninstall and reinstall the sensor, but without any luck.
Always stops with this error:
Attached the Sensor Logs
Server details:
Server 2019 (1809)
Installed on Hyper-V 2016
No Proxy or SSL decryption
Thanks, Philip
Mar 10 2020 03:05 PM
@maple85 The key error in the log says
"failed two way SSL connection to service. The issue can be caused by a proxy with SSL inspection enabled. [_workspaceApplicationSensorApiEndpoint=Unspecified/constantiaindustriessensorapi.atp.azure.com:443 Thumbprint="
So most likely either you do have SSL inspection you are not aware of, or something else is in the middle breaking the TLS session. Hard to say what without having a stable repro.
Mar 12 2020 07:10 AM - edited Mar 12 2020 07:11 AM
Hi,
thanks for your answer!
I saw this with SSL inspection, but the fact is that I installed the sensor with the same setup 2 months ago.
Also on my 2nd Domain Controller on the same network everything is fine.
That's why I can't understand why it is suddenly not working.
The problem began with the service stopping automatically. The first restart of the service helped, but at some point it didn't. So I decided to reinstall the sensor, but with no luck.
Edit: also the auto update on this DC to the new version did not work.
On the 2nd DC, no problem.
Mar 12 2020 09:04 AM
@maple85 try to capture a network trace to see where it fails.
Tip: I saw a case earlier this week where the client had issues with CRL. Could it be that this machine does not have an updated CRL while the other has, so it fails?
If not, a network trace should tell you more, but it has to be something environmental...
Mar 23 2020 03:06 AM
Problem solved.
I tried it again today with live log on our FW.
Found the Azure IP that was being decrypted.
Thanks, Philip
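Added example, not part of the original thread and not Microsoft's tooling: a PowerShell check to run on both the working and the failing DC, showing which certificate each one actually receives from the sensor endpoint and whether revocation checking succeeds. `$SensorHost` is a placeholder for the workspace endpoint in your own sensor log, and the variable names are this example's own.

```powershell
# Added diagnostic, not from the thread. Run on both DCs and compare the output.
param(
    # Placeholder: use the workspace endpoint shown in your own sensor log.
    [string]$SensorHost = '<workspace>sensorapi.atp.azure.com',
    [int]$Port = 443
)

$script:leaf = $null
# Capture the server certificate as soon as it arrives and accept it regardless of
# trust, so an inspection CA's certificate is reported instead of aborting the test.
$capture = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($src, $cert, $chn, $policyErrors)
    $script:leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($SensorHost, $Port)   # direct connection, no proxy involved
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $capture)
    try {
        $ssl.AuthenticateAsClient($SensorHost)
    } catch {
        # The sensor uses two-way SSL; this script presents no client certificate,
        # so the service may reject the handshake after sending its own certificate.
        Write-Warning "Handshake did not complete: $($_.Exception.Message)"
    }
} finally {
    $tcp.Close()
}

if (-not $script:leaf) { throw "No server certificate received from ${SensorHost}:$Port" }

# Rebuild the chain with online revocation checking to surface CRL problems.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$trusted = $chain.Build($script:leaf)

"Subject    : $($script:leaf.Subject)"
"Issuer     : $($script:leaf.Issuer)"
"Thumbprint : $($script:leaf.Thumbprint)"
"Chain OK   : $trusted"
$chain.ChainElements | ForEach-Object { "  chain: $($_.Certificate.Subject)" }
$chain.ChainStatus   | ForEach-Object { "  status: $($_.Status) $($_.StatusInformation.Trim())" }
```

A failing DC that reports a different issuer or thumbprint than the working DC is receiving a re-signed certificate, which matches the firewall decryption found above; a `RevocationStatusUnknown` or `OfflineRevocation` status instead points at the CRL question raised earlier in the thread.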
May 13 2020 08:24 AM
@maple85, hijacking this conversation as it mentions a CRL :-)
@Eli Ofek
I don't see any mention of ports required for the CRL
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-proxy
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-prerequisites#ports
SSL (*.atp.azure.com) TCP 443 Azure ATP cloud service Outbound
SSL(localhost) TCP 444 localhost Both
Is there more detail available?
Thanks.
Razmi
May 13 2020 01:24 PM
@Razmi Patel, you don't normally need open ports for CRLs as far as I know, as long as they are updated correctly.
I am not an SME on this one, but I think those are usually updated by Windows updates...
If anyone knows otherwise please feel free to correct me :)
May 18 2020 06:04 AM
Thank you. I'm sure we will find out soon enough :-)
May 20 2020 10:42 AM
@maple85 Did you manage to fix this issue? We are facing the same issue.
We have 4 DCs on Azure infrastructure. 3 DCs worked successfully, but on 1 DC we are facing issues.
We have the same network configuration, OS, and patches on all DCs.
Kindly share suggestions pls
May 20 2020 12:40 PM
@SathishKumarPatchaiappan, are you sure it's the same issue?
The error code in the UI is very basic and can "split" to many root causes.
In order to know for sure you need to collect the deployment logs...
May 20 2020 12:44 PM
@Eli Ofek below is what we see in the log
May 20 2020 02:46 PM
@SathishKumarPatchaiappan I need the full set of logs as described here:
You can share them using a private message or open a support case where you get a support engineer with a secured workspace...
Jul 02 2020 01:54 AM
@maple85 I had similar problems. Logs indicated that the updater service wasn't starting. If this is what's happening during your install, open services and keep bashing refresh. If you see the "Azure Advanced Threat Protection Sensor Updater" starting and then stopping repeatedly then it's probably this.
Bear in mind also that this is running as local system, so your proxy settings may not be correct. You can correct/set proxy settings for this user using: bitsadmin /util /setieproxy localsystem - help available under: bitsadmin /util /?
I was able to amend the proxy settings during the service start attempts and the service went on to install. Don't be too surprised if you break windows update if you change this setting if you aren't using WSUS.
Jul 02 2020 02:24 AM
@JTUKTECH and just for my own notes, this also requires separately setting: bitsadmin /util /setieproxy localservice for the main sensor service
Jul 02 2020 07:29 AM
@JTUKTECH Proxy was the issue.
I followed these steps https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-proxy#configure-the-prox... and finally it was fixed a couple of weeks back.