000017499 - DLP 9.5 Endpoint Coordinator fails to join or remains in pending state

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000017499
Applies ToDLP 9.5  9.6
IssueAdd an Endpoint Coordinator (EPC)
Joining the EPC results in the EPC remaining in a Pending State for an extended period of time

Diagnostic steps:

1) Check em.log for "Could not process status for Endpoint Coordinator with identifier GUID"; if found, then continue with Step 2
2) Check EM database table "EP_ENDPOINT_COORDINATOR" for the endpoint_coordinator_id
     a) This ID will be used for comparison purposes in Step 3
     b) This can be performed by viewing the table for EP_ENDPOINT_COORDINATOR or by SQL query; sample query provided below.
       1) In SQL Management Studio, expand Databases
       2) Right-click on the appropriate DLP DB and choose New Query
       3) In the Query window, enter: select endpoint_coordinator_id from EP_ENDPOINT_COORDINATOR
       4) Press Execute
3) Check certificates are removed:
     a) MMC Certificates Snap-In for Computer Account
       1) Start -> Run -> type in: mmc and press Enter
       2) File -> Add/Remove Snap-in...
       3) Press Add
       4) Double-click on Certificates, from list provided
       5) Select Computer Account and press Next
       6) Select Local Computer and press Finish
       7) The previous window will re-appear; press Close
       8) On the Add/Remove Snap-in Window, press OK
     b) Check for "RSA DLP EPiTrust" folder and contents
       1) Expand out Certificates (Local Computer) from the Console Root
       2) Expand out RSA DLP EPi Trust and select Certificates
     c) There is a certificate with a guid and this should show that the ids are different.
       1) From the right pane, double click on the Certificate with random alphanumeric characters. If this Cert is missing, then skip to Step 4
       2) Select the Details tab
       3) Select Issuer and compare the SERIALNUMBER provided in the lower window against the endpoint_coordinator_id identified in Step 2. To validate the EM & EPC are out of sync, the endpoint_coordinator_id (identified in Step 2) and the Cert Serial Number should not match.
       4) Press OK

Verify Ports 5671,5772,5773,5774,5871 are open between the Root EPC and EPC. you can check by running telnet <IPC of of Root EPC> <port number>
Workaround to fix this issue:

1) Once confirmed that the IDs do not match or are missing, uninstall the EPC software
2) Remove EPC from EM UI
3) Reinstall the EPC software
     a) Check new guid
       1) Repeat Steps 2 & 3 in the DLPKB Diagnostic Steps, but this time ensure the endpoint_coordinator_id and the Cert SERIALNUMBER match
4) Add EPC to the EM UI

NotesReference DLPKB-159
Legacy Article IDa60139