Troubleshooting a Forcepoint Endpoint Context Agent deployment

If you encounter issues during the Forcepoint ECA installation, review the following checklist, then try to install Forcepoint ECA again.

  • Verify that you installed Forcepoint ECA using an account with local administrator rights, which the installation requires.
  • Check the connection between the endpoint machine and Forcepoint NGFW.
  • Check the certificates installed in the endpoint machine’s certificate stores using mmc.exe and the Certificates snap-in. The certificate issuer (CA certificate) must be configured in the SMC. Verify that the policy on the NGFW Engine is up to date. The endpoint machine receives the network-side CA certificate in the Forcepoint ECA configuration file.

    The certificate generated by the SMC is valid from the time it was created in the SMC. If the time on the endpoint machine is different from the time in the SMC, the endpoint machine might not accept the generated certificate. After the endpoint machine’s time reaches the certificate's validity start time, the certificate is accepted on the endpoint machine.

The Forcepoint ECA client initiates connections to certificate revocation list (CRL) servers to verify the signatures of the executables that are initiating connections from the endpoint machine. When an executable connects to the network for the first time, the Forcepoint ECA client checks the executable’s signature against the CRL.

If the executable has been modified, or if the code signing certificate has been revoked, Forcepoint ECA does not trust the executable fields, such as product name, product version, or signer name, when it tries to match the executable in the Forcepoint NGFW. The executable’s signature check status is then logged in the SMC logs as “Failed”.

The following list shows common connectivity error messages and troubleshooting steps:
  • Error message: Failed to accept SSL-connection...: SSL error: peer did not return a certificate
    • Check that the certificate is installed in the certificate store on the endpoint machine.
    • Check that the client certificate has the Client Authentication Application Policy enabled.
    • Check that the issuer of the client certificate on the endpoint machine matches the issuer of the client certificate in the ECA configuration in the SMC.
  • Error message: Failed to accept SSL-connection...: SSL error: sslv3 alert bad certificate
    • Check the DebugDump.txt file in the Forcepoint ECA installation folder on the endpoint machine for the actual error.
      • If the error message is Verify failure... certificate is not yet valid, check the time difference between the endpoint machine and the SMC.
  • Error message: Same client connected to adjacent node
    • If the Forcepoint ECA client disconnects immediately after reaching the CONFIGURED connection state, and the Same client connected to adjacent node message appears in the DebugDump.txt file or in the Information Message field in the SMC, make sure that the Forcepoint ECA clients use different certificates. Forcepoint NGFW does not allow two or more connections to share a client certificate. Each Forcepoint ECA client must have a unique client certificate.
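
The certificate checks in the list above (presence in the store, Client Authentication usage, issuer match, and validity start time against the endpoint clock) can be run in one pass on the endpoint. The following PowerShell function is an added example, not part of the Forcepoint documentation. It assumes the client certificate is in the LocalMachine\My store and that you supply the issuer name from the ECA configuration in the SMC; the function name and the issuer value in the usage comment are hypothetical.

```powershell
# Added example: audit candidate client certificates on the endpoint.
# Assumptions (not from the Forcepoint documentation):
#   - the store path default below; change it if your deployment uses another store
#   - -ExpectedIssuer is the issuer DN you copy from the ECA configuration in the SMC
function Test-EcaClientCertificate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [Parameter(Mandatory)][string]$ExpectedIssuer
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
    $now = Get-Date                        # endpoint clock, the same clock that validates the certificate

    $certs = @(Get-ChildItem -Path $StorePath)
    if ($certs.Count -eq 0) {
        Write-Warning "No certificates found in $StorePath"
        return
    }
    foreach ($cert in $certs) {
        # EnhancedKeyUsageList is empty when the certificate declares no usages;
        # ClientAuthUsage is then reported as False so the certificate gets reviewed.
        $usageOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        [pscustomobject]@{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            HasPrivateKey   = $cert.HasPrivateKey
            ClientAuthUsage = $usageOids -contains $clientAuthOid
            # Plain string comparison of the issuer DN (case-insensitive).
            IssuerMatches   = $cert.Issuer -eq $ExpectedIssuer
            # True here corresponds to "certificate is not yet valid":
            # the endpoint clock is behind the certificate's start time.
            NotYetValid     = $now -lt $cert.NotBefore
            Expired         = $now -gt $cert.NotAfter
            NotBefore       = $cert.NotBefore
            NotAfter        = $cert.NotAfter
        }
    }
}

# Usage (the issuer value is a constructed placeholder):
# Test-EcaClientCertificate -ExpectedIssuer 'CN=Example Internal CA' | Format-List
```

Comparing the Thumbprint values collected from different endpoints shows whether two Forcepoint ECA clients share a client certificate.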