Troubleshooting klnagent connection issues by analyzing klnagchk log + openssl verification of TLS traffic [KSC for Windows]
Klnagchk.exe is usually used to check whether the connection between the server and NAgent is OK.
The expected result is the following:
Attempting to connect to Administration Server...OK
Attempting to connect to Network Agent...OK
Network Agent is running.
- If there is a problem with the klnagent service, Kaspersky Network Agent should be reinstalled and a trace collected.
- If there is a problem with the connection to the Administration Server, it should be investigated as a network issue. If klnagent fails to connect to the KSC Server over the SSL port 13000 (default), the following command can be used to switch to the non-SSL port (run as admin): klmover -address administrationserveraddressorIP -pn 14000 -nossl. It is worth checking beforehand, with telnet or the akconnect tool, that ports 13000 and 14000 are reachable from the affected managed device.
- If the error "Transport level error while connecting to KSCServername: SSL connection error, possibly a non-SSL port was used" appears, use the openssl tool to check whether a TLS connection can be established:
openssl s_client -connect KSCServername:13000 -tls1 > tls1check.txt
CONNECTED(000001F4)
write:errno=10054
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 137 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1694581538
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
openssl s_client -connect KSCServername:13000 -tls1_2 >tls1_2check.txt
CONNECTED(000001F4)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 227 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1694581395
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
In both outputs the TCP connection is made (CONNECTED), but the handshake reads 0 bytes and no peer certificate is returned. This means that TLS traffic is blocked by some software or hardware in the network. Managed hosts cannot connect to the KSC Server over SSL until your network infrastructure team fixes the problem.
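One way to triage the saved capture files programmatically, added here as an example (not part of the original article or of any Kaspersky tool). The function names and verdict labels are assumptions; the first two captures are excerpts of the outputs above and the third is a constructed sample of a completed handshake.

```python
import re

# Excerpts of the two s_client captures shown above (tls1check.txt, tls1_2check.txt).
TLS1_CAPTURE = """CONNECTED(000001F4)
write:errno=10054
no peer certificate available
SSL handshake has read 0 bytes and written 137 bytes
New, (NONE), Cipher is (NONE)
"""
TLS12_CAPTURE = """CONNECTED(000001F4)
write:errno=0
no peer certificate available
SSL handshake has read 0 bytes and written 227 bytes
New, (NONE), Cipher is (NONE)
"""
# Constructed sample of a handshake that completes (not from the page).
HEALTHY_CAPTURE = """CONNECTED(000001F4)
Certificate chain
SSL handshake has read 1423 bytes and written 455 bytes
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
"""

def classify(capture: str) -> str:
    """Classify saved `openssl s_client` output into a coarse verdict."""
    if not re.search(r"^CONNECTED\(", capture, re.M):
        # No TCP session at all: check port reachability (telnet) first.
        return "tcp-unreachable"
    read = re.search(r"handshake has read (\d+) bytes and written (\d+) bytes", capture)
    cipher = re.search(r"Cipher is (.+)", capture)
    no_cert = "no peer certificate available" in capture
    if read and int(read.group(1)) == 0 and no_cert:
        # ClientHello was written but nothing came back: the case described above.
        return "tls-blocked"
    if cipher and cipher.group(1).strip() != "(NONE)" and not no_cert:
        return "tls-ok"
    # The peer answered, but no cipher was negotiated.
    return "tls-handshake-failed"

def reset_by_peer(capture: str) -> bool:
    """True when s_client reported Winsock error 10054 (WSAECONNRESET)."""
    m = re.search(r"write:errno=\s*(\d+)", capture)
    return bool(m) and int(m.group(1)) == 10054
```

A "tls-blocked" verdict for every protocol version tried, with the port itself reachable, matches the situation in the two captures above.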
There is, though, a common misconception about the Network Agent statistical data section and how to read it.
1  ...
2  Network Agent statistical data:
3  Total number of synchronization requests: 184
4  The number of successful synchronization requests: 184
5  Total number of synchronizations: 1
6  The number of successful synchronizations: 1
7  ...
- Lines 3 and 4 show how many heartbeats have been sent since the nagent service started.
- Lines 5 and 6 show how many non-group synchronizations took place.
When analyzing the connection between KSC and NAgent, usually only the numbers on lines 3 and 4 matter. In other words, no policy synchronization is performed if the policy has not changed. The policy is synchronized when the KSC administrator makes changes to the policy settings. Note that the Total number of synchronizations counter increases when the administrator opens the properties of a managed host → all tasks and forces the synchronization.
Linux NAgent output:
Starting klnagchk utility
Checking command-line arguments...OK
Initializing basic libraries...OK
Current host is 'kesl11.ksc'
Network agent version is '11.0.0.29'
Reading settings...OK
Checking settings...OK
Administration Agent settings:
Server address: '10.67.152.24'
Use SSL: 1
Compress traffic: 1
Server SSL ports: '13000'
Server ports: '14000'
Use proxy: 0
Certificate: present
Open UDP port: 1
UDP ports: '15000'
Ping period, minutes: 15
Conn timeout, s: 30
RW timeout, s: 180
HostId: bb8e4bdf-0483-490c-a9fd-3654a319e259
Connecting to server...OK
Connecting to the Administration Agent...OK
Administration Agent is running
Acquire Administration Agent statistics...OK
Administration Agent statistics:
Ping count: 1
Succ. pings: 1
Sync count: 1
Succ. syncs: 1
Last ping: 04/16/2021 11:03:28 AM GMT (04/16/2021 02:03:28 PM)
Deinitializing basic libraries...OK
Starting klnagchk utility
Checking command-line arguments...OK
Initializing basic libraries...OK
Current host is 'kesmac-bigsur-11.0.shared'
Network agent version is '12.0.0.77'
Reading settings...OK
Checking settings...OK
Administration Agent settings:
Server address: '10.211.55.34'
Use SSL: 1
Compress traffic: 1
Server SSL ports: '13000'
Server ports: '14000'
Use proxy: 0
Certificate: present
Open UDP port: 1
UDP ports: '15000'
Ping period, minutes: 15
Conn timeout, s: 30
RW timeout, s: 180
HostId: 6c795a48-5217-4af7-9656-3e7d6d93ca3a
Connecting to server...OK
Connecting to the Administration Agent...OK
Administration Agent is running
Acquire Administration Agent statistics...OK
Administration Agent statistics:
Ping count: 0
Succ. pings: 0
Sync count: 0
Succ. syncs: 0
Last ping: 04/06/21 08:41:24 GMT (04/06/21 11:41:24)
Deinitializing basic libraries...OK