Troubleshooting the connection problems between the Network Agent for Windows and the Administration Server
Show applications and versions that this article concerns
- Kaspersky Security Center 14.2 (version 14.2.0.26967)
- Kaspersky Security Center 14 (version 14.0.0.10902)
Issue
- The Network Agent was successfully installed remotely, but the target managed device object did not appear on the Administration Server. Or the object appeared, but there is no mark that the Network Agent is installed on it.
- Simultaneous remote installation of the Network Agent and application package runs at 50% and stops after the message that the Agent has been successfully installed. The Event Log in the console interface shows that the application is not being installed.
- Connection to the managed device is lost after installing a new version of the Network Agent on top of a previous one. A task displays a message that you should restart the managed device.
- Checking the Network Agent connection to the Administration Server using the klnagchk.exe utility ends with an error.
- The remote installation of the Network Agent stops at the event “Running (32%) (device is inaccessible)” or “The installation service is running on this device. Please wait...”.
The Network Agent service on the target device is not running, and when you try to start any component:- An event about the emcat.dl and em.dll files appears in the Windows application log: “Info 1603. The file C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\em.dll is being held in use. Close that application and retry.”
- The Network Agent crashes with the error “Faulting application name: klnagent.exe, version: 14.2.0.26967, time stamp: 0xa0f42d48 Faulting module name: KERNELBASE.dll, version: 6.1.7601.17514, time stamp: 0x4ce7bafa <...>”.
Cause
- Incorrect settings of the Network Agent package or policy.
- The Network Agent service (klnagent) fails.
- Third-party software blocks the Network Agent files.
- There is no connectivity between the Network Agent and Administration Server.
Solution
Restart the target device's operating system and make sure that there is enough space on the disc. If the issues persist, there are several solutions.
Solution 1. Search unassigned devices
If the device does not appear in the list of managed devices after the Network Agent has been successfully installed, it may be correctly connected but not automatically moved to the Managed Devices group. In this case:
- Right-click the Administration Server and select Search.
- Enter the first letters of the masked device name (e.g. comp*) or its IP address and click Find now.
If you find the device, add it to the Managed Devices group manually.
If you can’t find the device or if the Last connected to Administration Server value of the found device is significantly out of date, check the status and connection settings of the Network Agent on the target device using the klnagchk.exe utility, then try other solutions from this article.
Solution 2. Check the connection settings in the Network Agent package that is distributed by the task
- Find out the name of the Network Agent package you are using:
- Go to Tasks and select Install application remotely.
- Click Settings in the left menu.
You will find the name of the package in the Installation packages section.
- Close the task, open the properties of the Administration Server, select General and click View Administration Server certificate.
- Close the properties of the Administration Server. In the Administration Console, go to Advanced → Remote installation → Installation packages.
- Right-click the required package and open its properties.
- Go to Connection and do the following:
- Check that the Network Agent certificate fingerprint from the Use Server certificate field matches the Administration Server certificate fingerprint from step 2.
If the certificates don’t match, select for the Network Agent the same certificate as for the Administration Server from the %ProgramData%\KasperskyLab\adminkit\1093\cert\klserver.cer folder on the server. For details, see this article. - Check that the correct name of the Administration Server is specified in the Administration Server field and that the correct ports are set.
If the Use SSL check box is selected and the correct certificate is specified, check only the SSL port. - Make sure that the Open Network Agent ports in Microsoft Windows Firewall check box is selected if your infrastructure does not use centralized Windows Firewall configuration and this package is used as a standalone installation package.
- Make sure that the correct settings are set in the Configure connection through proxy server section if you are using a proxy server connection.
- Check that the Network Agent certificate fingerprint from the Use Server certificate field matches the Administration Server certificate fingerprint from step 2.
- If the Connect to Administration Server by using a connection gateway check box is selected, go to Advanced and verify that the correct gateway address is specified.
Solution 3. Check the KB3063858 update on devices with outdated operating systems
The KB3063858 security update must be installed on the operating systems of devices with the Network Agent version 14.2 or later. It mitigates the security risks associated with the interaction between the Network Agent and the Administration Server.
If the update is not installed on your operating system, the Network Agent service will be in the Stopped status. If you try to run the Network Agent components, they will crash.
To fix this issue, install the security update for your operating system and restart the device. The Network Agent will restore without further actions.
Solution 4. Check if the Network Agent service starts and whether its files get blocked
This solution is relevant if a device object is labeled Restart is required and the Network Agent update task has stopped at 32 %.
The situation can occur if, during the installation of the Network Agent, its DLL files (usually emcat.dll and em.dll) were blocked without the possibility of overwriting them, for the following reasons:
- The Event Viewer MMC snap-in was opened on the target device during the installation.
- The infrastructure uses the DLP (Data Loss Prevention) systems or log collection and analysis system agents (SIEM, Log collector).
Blocking these files prevents you from upgrading the Network Agent to a new version. You will be prompted to restart the operating system without starting the Network Agent service. The update task will only continue when communication with the device is resumed.
To fix this issue, identify the third-party software that blocks the DLL files. To do so, use the tools:
- Resource Monitor for Windows
- Microsoft Process Explorer
In the search field, specify the names of the blocked DLL files of the Network Agent.
If you identified the software, add the Network Agent files to the exclusions for that software, or suspend the software while the Agent is updated.
If you didn’t identify the software or this option is not suitable for you, prompt the user to restart the operating system when installing the Network Agent. To do so, go to Tasks. Select Install application remotely and find the Install Kaspersky Security Center Administration Agent task. Go to Operating system restart and select the Prompt user for action radio button.
Solution 5. Check if the Network Agent is already installed
Perhaps the Network Agent is already installed on the target device, but it is configured to work with a different server or lost communication with the Administration Server. This can happen if the device has not synchronized with the server for a long time and has not managed to get a reserve certificate during the main certificate renewal period.
To fix this issue, remove the previously installed Network Agent and then install the same or a new version.
If the target device does not use a connection gateway or proxy server to connect to the Administration Server, you can use the klmover utility to configure the Agent to communicate with the current server without reinstalling the Agent, and then upgrade the Network Agent to the new version.
Solution 6. Check if the Administration Server is accessible from the target device
- Do the following:
- The Administration Server can be accessed from the client device.
- The Administration Server addresses are correctly resolved to IP addresses on the client device.
- The correct settings are set for network hardware and shielding, and the operating system of the Administration Server and target device.
- There are no connection errors on the proxy server side if it is used to connect to the Administration Server.
- The connection gateway is available if it is used to connect to the Administration Server.
- The correct configuration of connection profiles in the Network Agent policy on the server is used.
This is especially relevant if the Agent disconnects from the server after the first synchronization. For details about connecting Agent to the server, see this article.
- Use the installer package settings from solution 2 to run the command on the target device:
Where ksc.example.com is the Fully Qualified Domain Name (FQDN) or an IP address of the Kaspersky Security Center Administration Server if it is visible for the target device; 13000 is a connection port of the Network Agent. This is the SSL port if a connection certificate is specified and used in the package, or the normal port if no certificate is used.
- Analyze the command result and follow the instructions from the Solution column of the table.
What to do if the issue persists
- Make sure that your device is working properly and there are no other issues with the hardware, including its configuration, the integrity of the hard disk or RAM cells.
- Check the date and time on your device.
- Exclude checking the connection of the target device to the Administration Server and Network Agent if Deep Packet Inspection (DPI) or decryption technology and traffic analysis technologies (SSL inspection) are used as part of third-party protection software.
- Use the klnagchk utility to perform advanced diagnostics.
- If the issue still persists, submit a request to Kaspersky Technical Support via Kaspersky CompanyAccount.
Describe the problem: specify which steps from the instructions you have performed, and add a console output of the diagnostic commands from this article. Attach:- Screenshots of the issue and the text of the error that occurs.
- The GetSystemInfo report with operating system events from the target device that doesn’t connect to the Network Agent, and from the Administration Server to which you are trying to connect.
- The log file of the klnagchk utility
To get it, run the command as an administrator from the working directory of the Network Agent:
.\klnagchk.exe -logfile c:\klnagchk.log- Installation logs of the Network Agent.
- Contents of the %ProgramFiles(x86)%\Kaspersky Lab\NetworkAgent\~dumps, if it contains files.