Issue
We noticed that the SentinelOne Agent is reporting that it is offline. How can we fix this?
Environment
SentinelOne
Resolution
Behavior when an Agent is offline:
- If the Agent was installed but never connected to the Management, it does not enforce a policy and does not perform mitigation.
- After an Agent connects to the Management for the first time and gets the policy, it runs the automatic mitigation defined in its policy, even if it is offline.
- Offline Agents do not get changes made from the Management Console:
  - They DO NOT run mitigation initiated from the Management Console. They DO run the automatic mitigation defined in their policy.
  - If you made a change to the policy and the Agent was offline, it will get the change when it next connects to the Management.
To find Agents that are offline:
- In the Sentinels view, filter for Agents with Connected to Management = No.
- In the Endpoint Details for one Agent, see if the Console Connectivity shows Offline or Online.
Troubleshoot Offline Agents:
- Press the Windows Start key and enter: cmd
- Right-click Command Prompt and select Run as administrator.
Network Connectivity Test
- From an endpoint, ping your Management URL and see that it resolves.
> ping yourOrg.sentinelone.net
- If the ping times out, but resolves to an IP address, the ping is successful.
- Telnet to your Management URL on port 443.
  - Open the "Turn Windows Features on or off" Control Panel.
  - Next, enable the Telnet feature.
  - Open an elevated Command Prompt and run the Telnet command to your Management URL.
Agent Services Test
- See if Agent services are up and running. On an endpoint, run: services.msc
- In the window that opens, see that Sentinel services are up and running.
- See if the Agent and Monitor are running. Run these commands:
> cd "C:\Program Files\SentinelOne\Sentinel Agent <latest installed version>"
  - TIP: Use TAB to auto-complete the pathnames.
> sentinelctl status
- See that the output shows loaded and running, similar to the example.
> sentinelctl config server.mgmtServer
> sentinelctl config server.site
- Make sure the output is not empty.
- If one or both of these values are empty, reconnect the Agent to the Site with the bind command:
> sentinelctl bind {MGMT_URL | SITE_TOKEN}
SentinelOne Event Viewer
SentinelOne Agent logs are available in Windows Event Viewer on endpoints. These logs show you the SentinelOne activities on the endpoint.
- On an endpoint with a supported SentinelOne Agent, open Event Viewer (Windows key + "event").
- In Event Viewer (Local), click Applications and Services Logs > SentinelOne > Operational.
- Search for Error ID 5: an error in registration due to an invalid certificate or other connection issues.
Check TLS Cipher Suites
IMPORTANT NOTE:
- TLS1.0 and TLS1.1 were deprecated and will be unsupported in a future release. We strongly recommend you make sure all your endpoints support TLS1.2.
- Windows Agent versions 3.3 and lower do not support TLS1.2 or TLS1.3. We strongly recommend you upgrade Agents to the latest GA version.
- Make sure your Windows Servers are patched according to Microsoft recommendations. In particular, Windows Server 2012 R2 must be updated with the April 2014 patch.
- The Linux Agent is statically linked to the openssl library, which determines the version of TLS. As of 2021 (Linux versions 21.x), the Agent supports only TLS 1.2.
- Supported Cipher Suites:
  - ECDHE_RSA_AES128_GCM_SHA256
  - ECDHE_ECDSA_AES128_GCM_SHA256
  - ECDHE_RSA_AES256_GCM_SHA384
  - ECDHE_ECDSA_AES256_GCM_SHA384
  - DHE_RSA_AES128_GCM_SHA256
  - DHE_DSS_AES128_GCM_SHA256
  - kEDH+AESGCM
  - ECDHE_ECDSA_AES128_SHA256
  - ECDHE_ECDSA_AES128_SHA
  - ECDHE_ECDSA_AES256_SHA384
  - ECDHE_ECDSA_AES256_SHA
  - DHE_RSA_AES128_SHA256
  - DHE_RSA_AES128_SHA
  - DHE_DSS_AES128_SHA256
  - DHE_RSA_AES256_SHA256
  - DHE_DSS_AES256_SHA
  - DHE_RSA_AES256_SHA
- Unsupported Cipher Suites:
  As part of the latest security enhancements, from Management version North Pole SP1 we no longer support these Cipher Suites.
  - ECDHE_RSA_WITH_AES_256_CBC_SHA384
  - ECDHE_RSA_WITH_AES_128_CBC_SHA
  - RSA_WITH_AES_256_GCM_SHA384
  - RSA_WITH_AES_128_CBC_SHA256
  - ECDHE_RSA_WITH_AES_128_CBC_SHA256
  - RSA_WITH_AES_256_CBC_SHA
  - RSA_WITH_AES_256_CBC_SHA256
  - RSA_WITH_AES_128_GCM_SHA256
  - ECDHE_RSA_WITH_AES_256_CBC_SHA
  - RSA_WITH_CAMELLIA_128_CBC_SHA
  - RSA_WITH_CAMELLIA_256_CBC_SHA
- Supported TLS Versions:
  - TLS1.0
  - TLS1.1
  - TLS1.2
  - TLS1.3
Additional troubleshooting steps
- From the endpoint, open a browser and connect to the Management. See if there are certificate errors.
- If there are third-party anti-virus applications on the endpoint, make sure the SentinelOne Agent (specifically, the "C:\Program Files\SentinelOne\" folder and all its contents) is excluded from the AV.
- See if there is a proxy and if it is configured correctly.
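
The name-resolution, port 443, certificate and TLS checks above can be run as one PowerShell script without enabling the Telnet feature. This is an added example, not SentinelOne tooling: it uses only standard .NET classes, and it reports what the operating system's TLS stack negotiates, which may differ from what the Agent's own client negotiates.

```powershell
# Added example: read-only connectivity triage, run on the affected endpoint.
# 'yourOrg.sentinelone.net' is the page's placeholder; pass your own Management host.
param([string]$MgmtHost = 'yourOrg.sentinelone.net', [int]$Port = 443)

$result = [ordered]@{
    Host = $MgmtHost; Resolved = $null; Tcp443 = $false; TlsProtocol = $null
    Cipher = $null; CertErrors = $null; CertIssuer = $null; Error = $null
}

# 1. DNS: the question the ping step answers (does the name resolve?).
try {
    $ips = [System.Net.Dns]::GetHostAddresses($MgmtHost)
    $result.Resolved = ($ips | ForEach-Object { $_.IPAddressToString }) -join ', '
} catch {
    $result.Error = "DNS: $($_.Exception.GetBaseException().Message)"
    return [pscustomobject]$result
}

# 2. TCP 443: the question the Telnet step answers, with a 5 second timeout.
$client = New-Object System.Net.Sockets.TcpClient
try {
    if (-not $client.ConnectAsync($MgmtHost, $Port).Wait(5000)) { throw 'TCP connect timed out' }
    $result.Tcp443 = $true

    # 3. TLS handshake. The callback records certificate policy errors and lets the
    #    handshake finish so protocol and cipher can be reported; no data is sent.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $cert, $chain, $policyErrors)
        $result.CertErrors = $policyErrors.ToString()
        $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($MgmtHost)
    $result.TlsProtocol = $ssl.SslProtocol.ToString()
    $result.Cipher      = "$($ssl.CipherAlgorithm) ($($ssl.CipherStrength)-bit)"
    $result.CertIssuer  = $ssl.RemoteCertificate.Issuer
    $ssl.Dispose()
} catch {
    $result.Error = $_.Exception.GetBaseException().Message
} finally {
    $client.Close()
}

[pscustomobject]$result
```

A `CertErrors` value other than `None`, or an unexpected `CertIssuer`, points to the kind of certificate problem that Error ID 5 reports. The script connects directly, so on endpoints that reach the Management only through a proxy it fails at step 2 even when the proxy path works.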
Cause
Offline Agents are not connected to the SentinelOne Management.
Agents can lose connectivity with the Management Console for multiple reasons: installation corruption, firewall restrictions, DNS issues, and more.