The sensor appears to be functioning, but the endpoints do not check in to the server. Sensor diagnostics show error code 0x80072F8F in the sensor.log file.
Tid 2021-04-27 14:40:47 (w): Unable to complete request from HTTP transaction. URL: /sensor/register
Tid 2021-04-27 14:40:47 (w): Failed to registerHTTPCode HrError[0x80072F8F]
Tid 2021-04-27 14:40:47 (i): failed to register HrError[0x80072F8F]
Tid 2021-04-27 14:40:47 (w): Unable to properly synch with server HrError[0x80072F8F]
- Sensor failed to register and does not appear in the UI
- TCP dump shows Handshake Failure
VMware Carbon Black Response
- Check if error code HrError[0x80072F8F] is in sensor.log from sensor diagnostics.
- Take a TCP dump on the endpoint using the workflow in How to Collect a Wireshark Capture.
- Open the dump in Wireshark.
- Look for the "Client Hello" packet and check for a response from the CB Response Server.
- Check if there is a "Handshake Failure".
- Click on the "Client Hello" packet.
- Expand "Transport Layer Security".
- Expand "TLSv1.2 Record Layer: Handshake Protocol: Client Hello".
- Expand "Handshake Protocol: Cipher Suites ( 2 )". The number in brackets is the number of cipher suites the endpoint supports.
- After expanding, we can see the cipher suites in use and verify whether there is one with RSA, for example "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384".
- If RSA cipher suites are missing, please add the following suites, referring to Microsoft Support for instructions:
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P256
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P384
Microsoft provides instructions for adding cipher suites here:
Unsupported cipher suites are being used on the endpoint.
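
The Client Hello check from the Wireshark steps above can also be scripted. The following is an added Python example, not VMware or Carbon Black code: it parses the raw bytes of one TLS record, lists the offered cipher suites and reports whether any uses RSA. The function names, the subset of IANA code points and both sample records are constructed for illustration.

```python
import struct

# Subset of IANA TLS cipher suite code points (assumed sufficient for this check).
SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def client_hello_suites(record):
    """Return the cipher suite names offered in one TLS ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 43 + 1 + record[43]   # skip headers, version, random and session_id
    if pos + 2 > len(record):
        raise ValueError("truncated before cipher suite list")
    (n_bytes,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if n_bytes % 2 or pos + n_bytes > len(record):
        raise ValueError("truncated or malformed cipher suite list")
    codes = struct.unpack_from(f"!{n_bytes // 2}H", record, pos)
    return [SUITES.get(c, f"unknown(0x{c:04X})") for c in codes]

def offers_rsa(record):
    """True if any offered suite uses RSA (the check done by hand in Wireshark)."""
    return any("_RSA_" in name for name in client_hello_suites(record))

def build_hello(codes):
    """Build a minimal constructed ClientHello record (sample data only)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, random, no session_id
    body += struct.pack("!H", 2 * len(codes)) + struct.pack(f"!{len(codes)}H", *codes)
    body += b"\x01\x00"                               # compression methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

ECDSA_ONLY = build_hello([0xC02C, 0xC02B])   # constructed: two suites, none with RSA
WITH_RSA = build_hello([0xC02C, 0xC030])     # constructed: one RSA suite offered

if __name__ == "__main__":
    for label, rec in (("ecdsa-only", ECDSA_ONLY), ("with-rsa", WITH_RSA)):
        print(label, client_hello_suites(rec), "RSA offered:", offers_rsa(rec))
```

A record that offers no RSA suite matches the condition described above, where the missing suites need to be added on the endpoint.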