Several events can trigger an "Activation Failed" alert:
Protocol Error
This error typically occurs when you use Deep Security Manager to attempt to activate
a Deep Security Agent and the manager is unable to communicate with the agent. The
communication directionality that the agent uses determines the method that you should
use to troubleshoot this error. (See Agent-Manager communication.)
Agent-initiated communication
When the agent uses agent-initiated communication, you need to activate the agent
from the agent computer. (See Activate an agent.)
Tip: Ensure that the console allows agent-initiated activation by going to Administration > System Settings > Agent and selecting Allow Agent-Initiated Activation.
Bidirectional communication
Use the following troubleshooting steps when the error occurs and the agent uses bidirectional
communication:
- Ensure that the agent is installed on the computer and that the agent is running.
- Ensure that the ports are open between the manager and the agent. (See Port numbers and Define a firewall rule.)
Unable to resolve hostname
The error: Activation Failed (Unable to resolve hostname) could be the result of an
unresolvable hostname in DNS or of activating the agent from Deep Security Manager
when you are not using agent-initiated activation.
If your agent is in bidirectional or manager-initiated mode, your hostname must be
resolvable in DNS. Check the DNS on your Deep Security Manager to ensure it can resolve
your hosts.
If your computers are in cloud accounts, we recommend that you always use agent-initiated
activation. To learn how to configure policy rules for agent-initiated communication
and deploy agents using deployment scripts, see Activate and protect agents using agent-initiated activation and communication.
No agent/appliance
This error message indicates that the agent software has not been installed on the
computer that you would like to protect.
Blocked port
If you are seeing 'Activation Failed' events with the following error messages in ds_agent.log:
• 2018-06-25 17:52:14.000000: [Error/1] | CHTTPServer::AcceptSSL(<IP>:<PORT>) - BIO_do_handshake() failed - peer closed connection. | http\HTTPServer.cpp:246:DsaCore::CHTTPServer::AcceptSSL | 1E80:1FEC:ActivateThread
• 2018-06-25 17:52:14.143355: [dsa.Heartbeat/5] | Unable to reach a manager. | .\dsa\Heartbeat.lua:149:(null) | 1E80:1FEC:ActivateThread
• 2018-06-25 17:52:14.000000: [Info/5] | AgentEvent 4012 | common\DomainPrivate.cpp:493:DsaCore::DomPrivateData::AgentEventWriteHaveLock | 1E80:1FEC:ActivateThread
• 2018-06-25 17:52:14.143355: [Cmd/5] | Respond() - sending status line of 'HTTP/1.1 400 OK' | http\HTTPServer.cpp:369:DsaCore::CHTTPServer::Respond | 1E80:1D7C:ConnectionHandlerPool_0011
...and the following messages in your packet capture software (pcap):
• [TCP Retransmission] <Ephemeral Port> -> 443 [SYN, ECN, CWR] .......
• [TCP Retransmission] <Ephemeral Port> -> 443 [SYN] .......
...it may be because you have blocked a port used by the Deep Security Agents and manager to establish communication. Agent-manager communication ports could be any of the following:
| Agent-manager communication type | Source / Port | Destination / Port |
| --- | --- | --- |
| Agent-initiated communication | Deep Security Agent / Ephemeral port | Manager / 4119 |
| Manager-initiated communication | Deep Security Manager / Ephemeral port | Agent / 4118 |
As you can see from the table above, ephemeral ports are used for the source port for outbound communication between agent and manager.
If those are blocked, then the agent can't be activated and heartbeats won't work.
The same problems arise if any of the destination ports are blocked.
To resolve this issue:
- Remove restrictions on client outbound ports (ephemeral) in your network configuration.
- Allow access to Deep Security Manager on port 4119.
- Allow inbound access to Deep Security Agent on port 4118 if you're using Manager-initiated communication.
For details on ports, see Port numbers.
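To confirm the fix, the connection can be tested from the side that opens it. This is an added example, not part of the product: the outcome labels and their mapping to the failures on this page are assumptions, and `dsm.example.internal` is a placeholder hostname.

```python
import socket

# Destination ports from the table on this page, keyed by who opens the connection.
DEST_PORT = {"agent-initiated": 4119, "manager-initiated": 4118}

def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt (labels are chosen for this example)."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolvable"      # corresponds to "Unable to resolve hostname"
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
        except socket.timeout:
            return "filtered"      # SYNs go unanswered: the retransmissions seen in the pcap
        except ConnectionRefusedError:
            return "refused"       # host answers, nothing listening (service not running)
        except OSError:
            return "unreachable"   # no route to host, network down, and similar
    return "open"

def check(mode, remote_host, timeout=3.0):
    """Run on the initiating side: the agent computer for agent-initiated
    communication, the manager for manager-initiated communication."""
    port = DEST_PORT[mode]
    return port, probe(remote_host, port, timeout)

if __name__ == "__main__":
    # Placeholder hostname; replace with your manager's address.
    print(check("agent-initiated", "dsm.example.internal"))
```

A "filtered" result points at a firewall or security group dropping traffic, while "refused" on port 4118 points back to the earlier step of checking that the agent is installed and running.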
Duplicate Computer
This error typically occurs when you activate a computer using a name that already
exists, or a computer that is already active in a different connector.
To resolve this issue you can use one of the following methods:
- Remove one of the duplicate computers and reactivate the remaining computer if necessary.
- From the Deep Security Manager, go to Administration > System Settings > Agents and select your preferences for agent-initiated activation. If a computer with the same name already exists, there are options to re-activate the existing computer, activate a new computer with the same name, or not allow activation. For more details, see Agent-initiated activation.
AWS Marketplace billing usage data has not been submitted in 48 hours
The error: Unable to activate the agent because AWS Marketplace billing usage data has not been submitted in 48 hours. Ensure your Deep Security Manager instance is assigned an IAM role with permission 'aws-marketplace:MeterUsage' and can reach the AWS Marketplace Billing end point.
For troubleshooting information, see Error: AWS Marketplace billing usage data has not been successfully submitted in over 48 hours.
Endpoint behind proxy
If you are using a proxy, in the Deep Security Manager go to Support > Deployment Scripts and update the fields with your proxy, then reactivate the agent. For more information,
see Use deployment scripts to add and protect computers.
Reinstallation required
If Deep Security Agent is not activating, you may need to uninstall Deep Security Agent and then reinstall it.