Symptoms
To diagnose this issue, there are many symptoms that may need to be considered:
- Agent is failing to register and stops at 50%.
- RegistrationLog.txt will show:
Registering agent with host 'https://Host:3121/ST/Console/AgentRegistration/Registration'.
Unable to register agent with host 'https://Host:3121/ST/Console/AgentRegistration/Registration'.
All attempts at registration failed. Cannot register agent. - STAgentManagement.log may show:
Attempting to register with 'https://Host.fqdn:3121/ST/Console/AgentRegistration/Registration'.
2014-10-23T20:52:32.2820836Z 0408 E RegistrationServiceClient.cpp:411 Unable to register agent with host 'https://Host.fqdn:3121/ST/Console/AgentRegistration/Registration'. Error: 'class STServiceModel::Wws::CWebServiceException at RegistrationServiceClient.cpp:401: Unable to register the agent with the provided registration key.
Error detail:
There was an error communicating with the endpoint at 'https://Host.fqdn:3121/ST/Console/AgentRegistration/Registration'.
The connection with the server was terminated abnormally - Results from running the Agent Diagnostic may show the following:
- Unable to register agent with host 'https://Host.fqdn:3121/ST/Console/AgentRegistration/Registration'. Error: 'class STServiceModel::Wws::CWebServiceException at RegistrationServiceClient.cpp:401: Unable to register the agent with the provided registration key.
Agent To Console CommunicationTest test
FAILED - No consoleUri in environment. Unable to complete test.
Cause
There are many reasons the registration could fail, but generally the above symptoms indicate some sort of communication issue with the agent being able to reach the Protect console for registration.
Resolution
Start by first checking that some simple connection tests work from the agent system to the console system:
- Ensure you can ping the console system.
- If you can't ping the console system, either you have no connection from the agent to the console system, or (rarely) you may have ICMP disabled.
- Ensure you are able to successfully resolve the console system by nslookup.
- Make sure the results of both forward and reverse nslookup match. Ensure there is no problem with machine name resolution.
- Can you telnet to the console system over port 3121 successfully?
- Port 3121 is used for agent communication back to the console. This is a port requirement and is not configurable.
- Can you telnet to the target machine over port 4155 successfully?
- Port 4155 is used for the console to communicate to the target machine. This is a port requirement and is not configurable.
- Make sure that TLS 1.0 is enabled or TLS 1.2 is properly configured as is mentioned in this document Disabling TLS 1.0 may causes issues with Protect and Patch for Windows Servers
If the above tests are all successful, continue to the next steps in troubleshooting:
- Ensure that the name, FQDN, or IP the agent is attempting to resolve exists in the Console Alias Editor within the Protect console.
- In many of the log snippets above you can see that the agent attempts to register with https://Host.fqdn:3121/ST/Console/AgentRegistration/Registration
- Test putting the URL from your log into an Internet Explorer window to see if you can successfully navigate to it. (On the agent system)
- If the test is successful you would see a screen displayed stating something along the lines of, "A service was created".
- If this test works the agent should by all means be able to successfully register successfully.
- Follow the steps in this document: Agent - Complete Uninstall then attempt installation again.
- Contact support if it still fails.
- If the test fails with an "Internet Explorer cannot display the webpage" message, continue to the next step.
- If the test is successful you would see a screen displayed stating something along the lines of, "A service was created".
- Test putting the URL from your log into an Internet Explorer window to see if you can successfully navigate to it. (On the agent system)
- Run a test on the agent system to see what security protocols are enabled.
- Qualys SSL Labs - Projects / SSL Client Test is a good site to test with.
- You may not have a security protocol enabled or something is incorrect in the configuration.
- If no protocols are enabled, a secure web connection cannot truly be established, thus causing the agent registration to fail.
- The Microsoft article TLS/SSL Tools and Settings: Logon and Authentication covers how to ensure protocols are enabled or disabled.
- Generally you may need to investigate settings in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Additional Information
If the agent is failing to install at a different percentage mark or when manually installing, you may want to consider reviewing the following documents:
Agent Failing at 67% (Registration Failure)
Manual installation of agent fails on registration.
Affected Product(s)
Shavlik Protect 9.x