Troubleshooting an Axon Agent

This section list troubleshooting procedures for Axon Agent, a list of Axon Agent error messages with resolutions, and instructions for creating a diagnostic support bundle for Tripwire Support.

Troubleshooting Procedures

If you encounter difficulties with an Axon Agent, complete the following steps: 

1. To confirm that the collection binaries are running, run the appropriate command on the Agent host system:

Linux: ps -ef

Windows: tasklist

Table 25. List of Axon Agent executables

Executable name

On
Linux
Axon Agents?

On
Windows
Axon Agents?

Description

tw-axon-agent-tlc

Y

Y

Agent service

twexec

Y

Y

Command collector

twfim

Y

Y

File and Registry collector

twrsop

 

Y

Windows policy collector

twsupport

Y

Y

Support bundle collector

twtail

Y

Y

Advanced file collector

twwel

 

Y

Advanced Windows collector

Note 

Plugins will not be listed if they are not currently in use.

2. To confirm that the Axon Agent has an open connection to the Bridge on the TLC Manager (using port 5670, the default), run the appropriate command on the Agent host system:

Linux: netstat -an | grep 5670

Windows: netstat -an | findstr 5670

3. Open the Axon Agent log file (twagent.log):

Linux: /var/log/tripwire-tlc/twagent.log

Windows: %PROGRAMDATA%\Tripwire\agent-tlc\log\twagent.log

To interpret the messages in the Axon Agent log file, see Axon Agent Error Messages.

4. To confirm that the Bridge is listening for Axon Agents (using port 5670, the default port), run the appropriate command on the TLC Manager:

Linux: netstat -an | grep 5670

Windows: netstat -an | findstr 5670

Axon Agent Error Messages

Table 26 lists error messages that you may encounter when configuring and using the Axon Agent. You can find these error messages in the Axon Agent log files:

Linux:

/var/log/tripwire-tlc/twagent.log

Windows:

%PROGRAMDATA%\Tripwire\agent-tlc\log\twagent.log

Table 26. Axon Agent error messages

Error message:
WARN tw-axon-agent-tlc.bridge BridgeTLSConnector::connect_() - No bridge endpoints to connect to. Rescanning...

Cause:
The Axon Agent is unable to determine the Bridge to connect to.

Resolution:
1) Check the bridge.host setting in the Axon Agent's twagent.conf file.

2) Check the Bridge system's DNS and DNS SRV record.

Error messages (Windows):
ERROR tw-axon-agent-tlc.bridge BridgeTLSConnector::handleConnectTimeOut() - Connect Timeout reached secs:[20], state=Connector::Failed

tw-axon-agent-tlc.bridge BridgeTLSConnector::handleConnect() - Failed, error:[system:121|The semaphore timeout period has expired]

Error messages (Linux):
ERROR tw-axon-agent-tlc.bridge BridgeTLSConnector::handleAnonymousHandshake() - Failed Connecting to host.example.com:5670, Error: [system: 104 | Connection reset by peer]

ERROR tw-axon-agent-tlc.bridge BridgeTLSConnector::handleConnect() - Failed, error:[system:111|Connection refused]

Cause:
The Axon Agent is unable to connect with the Bridge.

Resolution:
Check your firewalls and network routing configuration.

Error message:
ERROR tw-axon-agent-tlc.bridge BridgeTLSConnector::handleAgentRegistrationResponse_() - Registration error, status value:[ERROR_INCORRECT_KEY], message: "The registration pre-shared key is incorrect.", Disconnecting...

Cause:
The registration pre-shared key on the Bridge does not match the key that Axon Agents are using to authenticate and request certificates.

Resolution:
Verify that the registration pre-shared key configured on the Bridge matches the pre-shared key in the registration_pre_shared_key.txt file that the Axon Agent is attempting to authenticate with.

Error messages:
WARN tw-axon-agent-tlcssl::sslInfoCallback() - TLSv1.2 write alert: fatal:unknown CA

ERROR tw-axon-agent-tlc.bridge BridgeTLSConnector::handleHandshake() - Failed Connecting to host.example.com:5670, Error: [asio.ssl: 336134278 | certificate verify failed]

Cause:
The certificate being used by the Bridge and an Axon Agent have different CA’s. This can happen when Agents are moved between different Bridges.

Resolution:
Follow the process in Other Axon Agent Procedures to re-authenticate the Axon Agent with this Bridge.

Error message:
ERROR tw-axon-agent-tlc.bridge BridgeTLSConnector::handleHandshake() - Failed Connecting to host.example.com:5670, Error: [asio.ssl: 336151574 | sslv3 alert certificate unknown]

Cause:
The certificate for an Axon Agent has been revoked on the Bridge.

Resolution:
Follow the process in Other Axon Agent Procedures to re-authenticate the Axon Agent with this Bridge.

Error message:
ERROR tw-axon-agent-tlc.bridge BridgeTLSConnector::handleAnonymousHandshake() - Failed Connecting to host.example.com:5670, Error: [asio.ssl: 336130315 | wrong version number]

Cause:
The Bridge and the Axon Agent do not have a TLS version in common.

Resolution:
Follow the process in Configuring TLS Versions and Cipher Suites to configure a common TLS version on the Bridge and Axon Agents.

Error messages:
ERROR tw-axon-agent-tlc.bridge BridgeTLSConnector::handleAnonymousHandshake() - Failed Connecting to host.example.com:5670, Error: [asio.ssl: 336151568 | sslv3 alert handshake failure]

ERROR tw-axon-agent-tlc.bridge BridgeTLSConnector::handleAnonymousHandshake() - Failed Connecting to host.example.com:5670, Error: [asio.ssl: 336081077 | no ciphers available]

Cause:
The Bridge and the Axon Agent do not have a TLS cipher suite in common.

Resolution:
Follow the process in Configuring TLS Versions and Cipher Suites to configure one or more common TLS cipher suites on the Bridge and Axon Agents.

Creating a Support Bundle

To create a support bundle for analysis by Tripwire Support, run the appropriate command on the Axon Agent host system.

Linux:

/opt/tripwire/agent-tlc/plugins/twsupport/twsupport --generate.bundle=<zip_file>

Windows:

“<Program_Files>\Tripwire\Agent-TLC\plugins\twsupport\twsupport”
--generate.bundle=<zip_file>

where <zip_file> is the support bundle zip file to be created.