Troubleshooting the Agent

This section list troubleshooting procedures for the Agent, a list of Agent error messages with resolutions, and instructions for creating a diagnostic support bundle for Tripwire Support.

Troubleshooting Procedures

If you encounter difficulties with an Agent, complete the following steps:

To confirm that the collection binaries are running, run the appropriate command on the Agent host system:

Linux: ps -ef

Windows: tasklist

Table 24. List of Agent executables
Executable name	On Linux Agents?	On Windows Agents?	Description
twagent	Y	Y	Agent service
twexec	Y	Y	Command collector
twfim	Y	Y	File and Registry collector
twrsop		Y	Windows policy collector
twsupport	Y	Y	Support bundle collector
twtail	Y	Y	Advanced file collector
twwel		Y	Advanced Windows collector

Note	Plugins will not be listed if they are not currently in use.

To confirm that the Agent has an open connection to the Bridge on the TLC Manager (using port 5670, the default), run the appropriate command on the Agent host system:

Linux: netstat -an | grep 5670

Windows: netstat -an | findstr 5670

Open the Agent log file (twagent.log):

Linux: /var/log/tripwire/twagent.log

Windows: %PROGRAMDATA%\Tripwire\agent\log\twagent.log

To interpret the messages in the Agent log file, see Agent Error Messages.

To confirm that the Bridge is listening for Agents (using port 5670, the default port), run the appropriate command on the TLC Manager:

Linux: netstat -an | grep 5670

Windows: netstat -an | findstr 5670

Agent Error Messages

Table 25 lists error messages that you may encounter when configuring and using the Agent. You can find these error messages in the Agent log files:

Linux:

/var/log/tripwire/twagent.log

Windows:

%PROGRAMDATA%\Tripwire\agent\log\twagent.log

Table 25. Agent error messages
Error message: WARN twagent.bridge BridgeTLSConnector::connect_() - No bridge endpoints to connect to. Rescanning... Cause: The Agent is unable to determine the Bridge to connect to. Resolution: 1) Check the bridge.host setting in the Agent's twagent.conf file. 2) Check the Bridge system's DNS and DNS SRV record.
Error messages (Windows): ERROR twagent.bridge BridgeTLSConnector::handleConnectTimeOut() - Connect Timeout reached secs:[20], state=Connector::Failed twagent.bridge BridgeTLSConnector::handleConnect() - Failed, error:[system:121\|The semaphore timeout period has expired] Error messages (Linux): ERROR twagent.bridge BridgeTLSConnector::handleAnonymousHandshake() - Failed Connecting to host.example.com:5670, Error: [system: 104 \| Connection reset by peer] ERROR twagent.bridge BridgeTLSConnector::handleConnect() - Failed, error:[system:111\|Connection refused] Cause: The Agent is unable to connect with the Bridge. Resolution: Check your firewalls and network routing configuration.
Error message: ERROR twagent.bridge BridgeTLSConnector::handleAgentRegistrationResponse_() - Registration error, status value:[ERROR_INCORRECT_KEY], message: "The registration pre-shared key is incorrect.", Disconnecting... Cause: The registration pre-shared key on the Bridge does not match the key that Agents are using to authenticate and request certificates. Resolution: Verify that the registration pre-shared key configured on the Bridge matches the pre-shared key in the registration_pre_shared_key.txt file that the Agent is attempting to authenticate with.
Error messages: WARN twagent ssl::sslInfoCallback() - TLSv1.2 write alert: fatal:unknown CA ERROR twagent.bridge BridgeTLSConnector::handleHandshake() - Failed Connecting to host.example.com:5670, Error: [asio.ssl: 336134278 \| certificate verify failed] Cause: The certificate being used by the Bridge and an Agent have different CA’s. This can happen when Agents are moved between different Bridges. Resolution: Follow the process in Other Agent Procedures to re-authenticate the Agent with this Bridge.
Error message: ERROR twagent.bridge BridgeTLSConnector::handleHandshake() - Failed Connecting to host.example.com:5670, Error: [asio.ssl: 336151574 \| sslv3 alert certificate unknown] Cause: The certificate for an Agent has been revoked on the Bridge. Resolution: Follow the process in Other Agent Procedures to re-authenticate the Agent with this Bridge.
Error message: ERROR twagent.bridge BridgeTLSConnector::handleAnonymousHandshake() - Failed Connecting to host.example.com:5670, Error: [asio.ssl: 336130315 \| wrong version number] Cause: The Bridge and the Agent do not have a TLS version in common. Resolution: Follow the process in Configuring TLS Versions and Cipher Suites to configure a common TLS version on the Bridge and Agents.
Error messages: ERROR twagent.bridge BridgeTLSConnector::handleAnonymousHandshake() - Failed Connecting to host.example.com:5670, Error: [asio.ssl: 336151568 \| sslv3 alert handshake failure] ERROR twagent.bridge BridgeTLSConnector::handleAnonymousHandshake() - Failed Connecting to host.example.com:5670, Error: [asio.ssl: 336081077 \| no ciphers available] Cause: The Bridge and the Agent do not have a TLS cipher suite in common. Resolution: Follow the process in Configuring TLS Versions and Cipher Suites to configure one or more common TLS cipher suites on the Bridge and Agents.

Creating a Support Bundle

To create a support bundle for analysis by Tripwire Support, run the appropriate command on the Agent host system.

Linux:

/opt/tripwire/agent/plugins/twsupport/twsupport --generate.bundle=<zip_file>

Windows:

“<Program_Files>\Tripwire\Agent\plugins\twsupport\twsupport”
--generate.bundle=<zip_file>

where <zip_file> is the support bundle zip file to be created.