Troubleshooting klnagent connection issues by analyzing klnagchk log+openssl verification of TLS traffic [KSC for Windows]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Klnagchk.exe is usually used to check if the connection between server and NAgent is OK.

The expected result is the following:

Attempting to connect to Administration Server...OK

Attempting to connect to Network Agent...OK
Network Agent is running.

• In case of problem with klnagent service, Kaspersky Network Agent should be re-installed and trace collected. 
• If there is a problem with connection to Administration server, this should be investigated as a network issue. In case klnagent fails to connect to KSC Server over the ssl port 13000 (default), the following command can be used to switch to non-ssl port (run as admin): klmover -address administrationserveraddressorIP -pn 14000 -nossl. It is worth checking beforehand that ports 13000 and 14000 are available from the affected managed device with telnet or akconnect tool.
• In case of the "Transport level error while connecting to KSCServername: SSL connection error, possibly a non-SSL port was used", it is recommended to use openssl tool to check whether TLS connection can be stablished:

openssl s_client -connect KSCServername:13000 -tls1 > tls1check.txt

example of openssl output when there is a problem with TLSv1 traffic

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

CONNECTED(000001F4) write:errno=10054 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 137 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session:     Protocol  : TLSv1     Cipher    : 0000     Session-ID:     Session-ID-ctx:     Master-Key:     PSK identity: None     PSK identity hint: None     SRP username: None     Start Time: 1694581538     Timeout   : 7200 (sec)     Verify return code: 0 (ok)     Extended master secret: no

openssl s_client -connect KSCServername:13000 -tls1_2 >tls1_2check.txt

example of openssl output when there is a problem with TLSv1.2 traffic

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

CONNECTED(000001F4) write:errno=0 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 227 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session:     Protocol  : TLSv1.2     Cipher    : 0000     Session-ID:     Session-ID-ctx:     Master-Key:     PSK identity: None     PSK identity hint: None     SRP username: None     Start Time: 1694581395     Timeout   : 7200 (sec)     Verify return code: 0 (ok)     Extended master secret: no

This means that TLS traffic is blocked by some software/hardware in the network. It is not possible to connect managed hosts over the SSL to KSC Server until the problem is fixed by your network infrastructure team. 

There is a common misconception about Network Agent statistical data section and how to read it, though.

klnagchk.log excerpt

1 2 3 4 5 6 7

... Network Agent statistical data: Total number of synchronization requests: 184 The number of successful synchronization requests: 184 Total number of synchronizations: 1 The number of successful synchronizations: 1  ...

• Lines 3 and 4 show how many heartbeats were sent from the nagent service start.
• Lines 5 and 6 show how many non-group synchronizations took place.

When analyzing connection between KSC and NAgent, usually only numbers on lines 3 and 4 matter. In other words, no synchronization of policy is performed if the policy is not changed. The policy is synchronized when KSC administrator makes some changes to the policy settings. To be noted that Total number of synchronizations counter is increased when the administrator opens the properties of a managed host→all tasks and forces the synchronization. 

Linux NAgent output:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40

Starting klnagchk utility Checking command-line arguments...OK Initializing basic libraries...OK Current host is 'kesl11.ksc' Network agent version is '11.0.0.29'     Reading settings...OK Checking settings...OK Administration Agent settings: Server address: '10.67.152.24' Use SSL: 1 Compress traffic: 1 Server SSL ports: '13000' Server ports: '14000' Use proxy: 0 Certificate: present Open UDP port: 1 UDP ports: '15000'   Ping period, minutes: 15 Conn timeout, s: 30 RW timeout, s: 180 HostId: bb8e4bdf-0483-490c-a9fd-3654a319e259     Connecting to server...OK   Connecting to the Administration Agent...OK Administration Agent is running Acquire Administration Agent statistics...OK Administration Agent statistics: Ping count: 1 Succ. pings: 1 Sync count: 1 Succ. syncs: 1 Last ping:04/16/2021 11:03:28 AM GMT (04/16/2021 02:03:28 PM)     Deinitializing basic libraries...OK

 

 

macOS NAgent output:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40

Starting klnagchk utility Checking command-line arguments...OK Initializing basic libraries...OK Current host is 'kesmac-bigsur-11.0.shared' Network agent version is '12.0.0.77'     Reading settings...OK Checking settings...OK Administration Agent settings: Server address: '10.211.55.34' Use SSL: 1 Compress traffic: 1 Server SSL ports: '13000' Server ports: '14000' Use proxy: 0 Certificate: present Open UDP port: 1 UDP ports: '15000'   Ping period, minutes: 15 Conn timeout, s: 30 RW timeout, s: 180 HostId: 6c795a48-5217-4af7-9656-3e7d6d93ca3a     Connecting to server...OK   Connecting to the Administration Agent...OK Administration Agent is running Acquire Administration Agent statistics...OK Administration Agent statistics: Ping count: 0 Succ. pings: 0 Sync count: 0 Succ. syncs: 0 Last ping:04/06/21 08:41:24 GMT (04/06/21 11:41:24)     Deinitializing basic libraries...OK