Error: Activation Failed
Several events can trigger an "Activation Failed" alert:
- Activation Failed - Protocol Error
- Activation Failed - Unable to resolve hostname
- Activation Failed - No Agent/Appliance
- Activation Failed - Blocked port
- Activation Failed - Maximum five protected computers
This error typically occurs when you use Workload Security to attempt to activate a Deep Security Agent and Workload Security is unable to communicate with the agent. The communication directionality that the agent uses determines the method that you should use to troubleshoot this error.
When the agent uses agent-initiated communication, you need to activate the agent from the agent computer. (See Activate an agent.)
When using Workload Security, agent-initiated communication is the recommended communication directionality.
Use the following troubleshooting steps when the error occurs and the agent uses bidirectional communication:
- Ensure that the agent is installed on the computer and that the agent is running.
- Ensure that the ports are open between Workload Security and the agent. (See Port numbers and Define a firewall rule.)
The error: Activation Failed (Unable to resolve hostname) could be the result of an unresolvable hostname in DNS or of activating the agent from Workload Security when you are not using agent-initiated activation.
If your agent is in bidirectional or manager-initiated mode, your hostname must be resolvable in DNS.
If you are a Workload Security customer, we recommend that you always use agent-initiated activation. To learn how to configure policy rules for agent-initiated communication and deploy agents using deployment scripts, see Activate and protect agents using agent-initiated activation and communication.
This error message indicates that the agent software has not been installed on the computer that you would like to protect.
If you are seeing 'Activation Failed' events with the following error messages in the ds_agent.log:
• 2018-06-25 17:52:14.000000: [Error/1] | CHTTPServer::AcceptSSL(<IP>:<PORT>) - BIO_do_handshake() failed - peer closed connection. | http\HTTPServer.cpp:246:DsaCore::CHTTPServer::AcceptSSL | 1E80:1FEC:ActivateThread
• 2018-06-25 17:52:14.143355: [dsa.Heartbeat/5] | Unable to reach a manager. | .\dsa\Heartbeat.lua:149:(null) | 1E80:1FEC:ActivateThread
• 2018-06-25 17:52:14.000000: [Info/5] | AgentEvent 4012 | common\DomainPrivate.cpp:493:DsaCore::DomPrivateData::AgentEventWriteHaveLock | 1E80:1FEC:ActivateThread
• 2018-06-25 17:52:14.143355: [Cmd/5] | Respond() - sending status line of 'HTTP/1.1 400 OK' | http\HTTPServer.cpp:369:DsaCore::CHTTPServer::Respond | 1E80:1D7C:ConnectionHandlerPool_0011
...and the following messages in your packet capture software (pcap):
• [TCP Retransmission] <Ephemeral Port> -> 443 [SYN, ECN, CWR] .......
• [TCP Retransmission] <Ephemeral Port> -> 443 [SYN] .......
...it may be because you have blocked a port used by the Deep Security Agents and Workload Security (the manager) to establish communication. agent-manager communication ports could be any of the following:
|Agent-manager communication type||Source / Port||Destination / Port|
|Agent-initiated communication||Deep Security Agent / Ephemeral port||Manager / 4119|
|Agent-initiated communication||Deep Security Agent / Ephemeral port||Workload Security / 443|
|Manager-initiated communication||Workload Security / Ephemeral port||Agent / 4118|
As you can see from the table above, ephemeral ports are used for the source port for outbound communication between agent and manager. If those are blocked, then the agent can't be activated and heartbeats won't work. The same problems arise if any of the destination ports are blocked.
To resolve this issue:
- Remove restrictions on client outbound ports (ephemeral) in your network configuration.
- Allow access to Workload Security on 443.
- Allow inbound access to Deep Security Agent on port 4118 if you're using Manager-initiated communication.
For details on ports, see Port numbers.
After your 30-day free trial for Workload Security is over, your account only supports five protected computers while it's in free status.
To confirm how many protected computers you already have:
- Go to Your Account Name > Account Details.
- Your status is displayed next to Type and the amount of Currently Protected computers.
To successfully activate another Deep Security Agent:
- Upgrade to a paid Workload Security account. See Sign up for Workload Security for more information.
- Deactivate protected computers from Workload Security. Go to Computers > Actions > Deactivate.
- Delete your unused protected computers from Workload Security. Go to Computers > Delete.
- Shut down your unused protected computers.