Issue
We are attempting to install the CrowdStrike sensor on our endpoints but it keeps failing. The installation process stops after some time and the installer eventually indicates that there was a connection issue.
Environment
CrowdStrike
Resolution
Complete the recommended CrowdStrike troubleshooting process and implement the steps that apply to your environment. These instructions can be found in CrowdStrike by clicking the Support and Resources icon at the top right of the dashboard.
Click Docs, then click Falcon Sensor for Windows. From there you will need to review the section titled "Installation fails".
The troubleshooting steps for this issue are as follows.
1) Ensure the correct CrowdStrike URLs and IP addresses have been allowed in your network.
- Term servers
The Falcon sensor on your hosts uses fully qualified domain names (FQDNs) to communicate with the CrowdStrike cloud over the standard 443 port for everyday operation. If your organization blocks these network communications, add the required FQDNs or IP addresses to your allowlists.
NOTE: Ping the FQDNs or IP addresses from the affected endpoint(s) to make sure they can establish a connection.
- Public Domain Name System (DNS): ts01-gyr-maverick.cloudsink.net
- IPs:
- 100.20.76.137
- 35.162.239.174
- 35.162.224.228
- LFO download
The Falcon sensor on your hosts uses FQDNs to retrieve dynamic content. This includes updates to policy and configuration settings from the CrowdStrike cloud. If your organization blocks these network communications, add the required FQDNs or IP addresses to your allowlists.
- Public DNS: lfodown01-gyr-maverick.cloudsink.net
- IPs:
- 34.209.79.111
- 52.10.219.156
- 34.210.186.129
- Key-based APIs
Query APIs
- Public DNS: https://falconapi.us-2.crowdstrike.com
- IPs:
- 54.218.244.79
- 54.200.109.111
- 100.20.109.43
- Streaming API
- Public DNS: https://firehose.us-2.crowdstrike.com
- IPs:
- 44.225.216.237
- 44.227.134.78
- 44.224.200.221
2) Verify that the following Windows Services are enabled and running.
- The endpoint's LAN Manager Host (LMHost) service
- The LMHosts service may be inactive if you've disabled the TCP/IP NetBIOS Helper on your endpoint
- Network Store Interface (NSI)
- Windows Base Filtering Engine (BFE)
- Windows Power Service (sometimes labeled Power)
3) Verify that the affected endpoint trusts the CrowdStrike Certificate Authority. Check whether the certs are already present and download and import the certs if needed.
- Follow the Microsoft documentation for the Microsoft Management Console (MMC) to enable the Certificates snap-in per the "How to: View certificates with the MMC snap-in" article.
- In the MMC, click Certificates (Local Computer), then click Trusted Root Certification Authorities and Certificates.
- Verify that both required certs are present.
If either certificate is not present, complete these steps.
- Download the missing certificate from DigiCertHighAssurance and DigiCertAssuredID.
- Import a certificate by right-clicking Certificates and clicking All Tasks and Import. Choose your local machine, click Next, and browse to the downloaded cert. Complete the import.
- Import the other certificate if needed.
4) Confirm that you are using a supported sensor version. CrowdStrike recommends using the latest sensor version.
5) You can try using the following command line install method to increase the install timeout to 1 hour.
- Hosts must remain connected to the CrowdStrike cloud throughout installation. This process can take up to 10 minutes. If a host is unable to reach and retain a connection to the cloud within 10 minutes it will roll back the installation and then exit the installer. If your host requires more time to connect, you can override this by using the ProvWaitTime parameter in the command line to increase the timeout to one hour (the default is 20 minutes).
- <installer_filename> /install /norestart CID=<your CID> ProvWaitTime=3600000
- In this example, replace <installer_filename> with the name of the install file you downloaded and <your CID> with your Customer ID (CID).
6) If you are using a proxy in your network, try including the web proxy details in the installation command line parameters.
- Example: <installer_filename> /install /norestart CID=<your CID> APP_PROXYNAME=<Proxy server hostname or IP address> APP_PROXYPORT=<Proxy server port> ProvWaitTime=3600000
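The checks in steps 1 through 3 can be run together before retrying the installer. The script below is an added example, not part of the CrowdStrike documentation. It assumes the service short names lmhosts, nsi, BFE and Power correspond to the services listed in step 2, and that the two certificates in step 3 are the DigiCert High Assurance EV Root CA and DigiCert Assured ID Root CA.

```powershell
# Added example: pre-install checks for steps 1-3. Run in an elevated PowerShell session.

# Step 1: sensor FQDNs from this article; the sensor reaches them on TCP 443.
$cloudHosts = 'ts01-gyr-maverick.cloudsink.net',
              'lfodown01-gyr-maverick.cloudsink.net'
# Step 2: service short names (assumption: they map to the services listed above).
$services = 'lmhosts', 'nsi', 'BFE', 'Power'
# Step 3: subject patterns (assumption: the DigiCert roots the article refers to).
$rootPatterns = '*CN=DigiCert High Assurance EV Root CA*',
                '*CN=DigiCert Assured ID Root CA*'

$results = @()

foreach ($h in $cloudHosts) {
    # Separate DNS failure from a blocked port: the fixes differ (resolver vs. firewall).
    $dns = Resolve-DnsName -Name $h -ErrorAction SilentlyContinue
    $tcp = $false
    if ($dns) {
        $tcp = (Test-NetConnection -ComputerName $h -Port 443 `
                -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    $detail = if ($dns) { "resolved, TCP connect = $tcp" } else { 'DNS resolution failed' }
    $results += [pscustomobject]@{ Check = "TCP 443 to $h"; Pass = [bool]$tcp; Detail = $detail }
}

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $running = [bool]($svc -and ($svc.Status -eq 'Running'))
    $detail = if ($svc) { "status $($svc.Status), start type $($svc.StartType)" }
              else { 'service not found' }
    $results += [pscustomobject]@{ Check = "Service $name"; Pass = $running; Detail = $detail }
}

foreach ($pattern in $rootPatterns) {
    # Only a currently valid copy in the machine's Trusted Root store counts.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like $pattern -and $_.NotAfter -gt (Get-Date) } |
        Select-Object -First 1
    $detail = if ($cert) { "thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)" }
              else { 'not present (or expired) in Trusted Root Certification Authorities' }
    $results += [pscustomobject]@{ Check = "Root cert $pattern"; Pass = [bool]$cert; Detail = $detail }
}

$results | Format-Table -AutoSize -Wrap
# A non-zero exit code lets a deployment tool skip the install when any check fails.
if ($results.Pass -contains $false) { exit 1 }
```

On a host that reaches the internet only through a web proxy, the direct TCP checks fail even when an install with the proxy parameters from step 6 would succeed.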
Cause
This issue can occur for various reasons and they may not all have to do with a network connection problem.