Kaspersky Security Center FAQ

How to troubleshoot issues with connecting Network Agent to Administration Server

You can check the connection and obtain detailed information about the settings of the connection between a client device and Administration Server by using the klnagchk utility. When Network Agent is installed on a device, the klnagchk utility is automatically copied to the Network Agent installation folder.

The klnagchk utility can detect the following potential issues with connecting Network Agent to Administration Server:

  • After startup, the klnagchk utility first outputs the result of connecting to the Network Agent:
    • If the connection between Administration Server and the Network Agent was established successfully, the following result is displayed:

      Starting utility 'klnagchk'...

      ...

      Attempting to connect to Administration Server...OK

      Attempting to connect to Network Agent...OK

      Network Agent is running.

    • If the klnagent service does not work or it continuously restarts, you need to reinstall the Network Agent and get traces of the installation.

      For example, if the following result is displayed, you have to reinstall the Network Agent:

      Starting utility 'klnagchk'...

      ...

      Attempting to connect to Administration Server...OK

      Attempting to connect to Network Agent...Error - Network Agent is not running.

      You cannot always rely on information about the status of the Network Agent service from the klnagchk output. For example, if you did not enable the Start application during installation check box when you installed the Network Agent, the klnagchk output will not show any information about the Network Agent service. In this case, you can use the following PowerShell command:

      Get-Service klnagent

    • If in the Attempting to connect to Administration Server... line of the command output, an error about connecting to Administration Server is displayed, pay attention to the specified error text and the device connection address in the result line of sending the ICMP (the address displayed after the An attempt to send ICMP packet to the Administration Server line).

      Connection errors to Administration Server or a connection gateway are usually caused by the following:

      • Connecting client devices that are not included in the allowlist of IP addresses.
      • Filtering traffic on the network equipment, on the operating system firewall, or in the security applications for endpoints.
      • Problems with the client device, services, or the client device is turned off.
      • Routing network traffic is enabled.
      • Hijacking network traffic with certificate substitution (MITM attacks).
  • If you have problems with network availability of the Administration Server SSL port (by default, 13000), for example, when your client device is located outside of the main network and is connected to Administration Server through the connection gateway, you can check the availability of the port 13000 by using the telnet or akconnect tool.

    If you use a firewall that decrypted the traffic between the Network Agent and Administration Server (SSL/TLS deep inspection), problems with network availability of the Administration Server SSL port may occur. In this case, switch the Administration Server port to 14000 by using the klmover utility as follows:

    klmover -address administrationserveraddressorIP -pn 14000 -nossl

    After that, check the availability of port 14000 by using the telnet or akconnect tool. If port 14000 is available, then using the SSL/TLS deep inspection may lead to the problems with network availability of port 13000.

  • If you have an SSL connection error or timeout connection error, you can use the OpenSSL tool to check whether the TLS connection is established.

    Run the following command to check the SSL connection (TLS 1.0):

    openssl s_client -connect KSCServername:13000 -tls1 >tls1check.txt

    Example of the OpenSSL output when a problem with TLSv1 traffic occurs:

    CONNECTED(000001F4)

    write:errno=10054

    ---

    no peer certificate available

    ---

    No client certificate CA names sent

    ---

    SSL handshake has read 0 bytes and written 137 bytes

    Verification: OK

    ---

    New, (NONE), Cipher is (NONE)

    Secure Renegotiation IS NOT supported

    Compression: NONE

    Expansion: NONE

    No ALPN negotiated

    SSL-Session:

    Protocol : TLSv1

    Cipher : 0000

    Session-ID:

    Session-ID-ctx:

    Master-Key:

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    Start Time: 1694581538

    Timeout : 7200 (sec)

    Verify return code: 0 (ok)

    Extended master secret: no

    Run the following command to check the SSL connection (TLS 1.2):

    openssl s_client -connect KSCServername:13000 -tls1_2 >tls1_2check.txt

    Example of the OpenSSL output when a problem with TLSv1.2 traffic occurs:

    CONNECTED(000001F4)

    write:errno=0

    ---

    no peer certificate available

    ---

    No client certificate CA names sent

    ---

    SSL handshake has read 0 bytes and written 227 bytes

    Verification: OK

    ---

    New, (NONE), Cipher is (NONE)

    Secure Renegotiation IS NOT supported

    Compression: NONE

    Expansion: NONE

    No ALPN negotiated

    SSL-Session:

    Protocol : TLSv1.2

    Cipher : 0000

    Session-ID:

    Session-ID-ctx:

    Master-Key:

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    Start Time: 1694581395

    Timeout : 7200 (sec)

    Verify return code: 0 (ok)

    Extended master secret: no

For more information, refer to Troubleshooting the connection problems between the Network Agent for Windows and the Administration Server.

Article ID: 273885, Last review: Oct 24, 2024
Page top