Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Offline Agents

Created: 01 Feb 2013 | 8 comments

Are there any helpful suggestions or steps to take if some agents are showing offline in the Management Console? I  have had the Agent Collect Info detection policy applied to a few machines in the hopes it would come online in the last week, but they have not come back online. The machines are up and the OS varies from AIX to Solaris to Windows.

Any suggestions on an "Offline Agent Troubleshooting" procedure would be helpful.

 

Thanks & Best Regards,

-Dan

Comments 8 CommentsJump to latest comment

Shulk's picture

Hi Dan,

If the agents are offline from the Console, applying a policy will not work.
I would suggest you to first check the ports 443 and 2222, make sure they are opened and no other application is using them.

From an agent, you could run the following command to check the connection:

sisipsconfig -t

More details here.

What database are you using? If SQL Express, the one that comes along with SCSP, I strongly suggest you to upgrade to a full version either Standard or Enterprise due to the limitation of the Express Edition.

Keep us informed!

Shulk

 

Will V's picture

Hi Dan,

 

+1 to what Shulk said.  Also remember that agent health settings are independent of polling intervals. 

  • Go to assets
  • Select an agent
  • Select Properties from the right-click menu (or the menu bar)
  • Select Configure Health on the General tab

 

Check the admin guide for more details.  Good luck and let us know how things are going.

 

Will

ITS Partners

 

Please mark posts as the solution if they solve your problem!

AMoss's picture

Dan-

I wondered where you landed!  Hope all is well.

 

Agents can go offline for any number of reasons, and, just like SEP, identifying a 'dead' agent vs a 'rogue' agent can be a challenge.  My first suggestion would be to validate the offline agent is not a dead duplicate. Check page 257 on the Admin guide...it outlines options for automatically dealing with duplicate agents.

If it's not a duplicate agent, my next suggestion would be to validate the host is still on the wire...the quick and easy way is through a simple ping (if ICMP is allowed/passed in your environment).

If it's on the wire and it's not talking to the console...the agent is rogue and will require attention at the host level to get it back.  Fortuneately, we haven't found it very common for an agent to go into a rogue state on it's own...it generally has some help from a server admin.

Feel free to ping me if you need anything.

Looking for real-time reporting and data visualization for your Symantec Security solutions?  http://www.trysolve.com

ddemers@cvs's picture

Hi Alex,

Good to hear from you and thanks for the suggestions! I believe we're running into issues because both the Console version and agent versions are very outdated. In most cases, machines will go down due to maintenance and upon coming back up, they never return with an 'online' status in CSP. - It's usually a "hit or miss" scenario. Unfortunately there is no current plan to upgrade to the latest version, however, we found that upgrading to the most recent version we have available (5.2.6.xx) resolves the issue sometimes.

Thanks,

Dan

Chuck Edson's picture

Hey Dan!

Grab a GAI from the agent when you get access to it for a RCA before the reinstall.  Check out the sisipsservice.log in the scsplog folder.

If only for the search features, you should try to move to the 5.2.9x console/Tomcat server - it can still manage the agents you have out there (5.2.9 can manage anything 5.2.x and above).

If a post helps you, please mark it as the solution to your issue.

ddemers@cvs's picture

Thanks, Chuck.

What is the procedure for if some machines change IP Addresses or hostnames? They don't seem to be automatically connecting to the console and I forgot what the process was for this situation. Do the services just need to be restarted on the agent side, or is a reinstall/reboot necessary?

Thanks,

Dan

Chuck Edson's picture

If you use Forcereg to reconnect the agent to the server, be aware that you can end up with duplicate entries in the console -- one will appear offline and one online.

There is a duplicate agent registration check that you can enable in Admin > Settings > System Settings > Agent Settings, and you can choose the criteria that it uses to locate duplicate agents.  This check only occurs at registration, so it will not remove any current duplicate agents from the database.

If a post helps you, please mark it as the solution to your issue.