Protocol Error
This error typically occurs when you use Server & Workload Protection to
attempt to activate an agent and Server & Workload Protection is unable
to communicate with the agent. The communication
directionality that the agent uses determines the method
that you should use to troubleshoot this error.
Agent-initiated communication
When the agent uses agent-initiated
communication, you need to activate the agent from the agent
computer. (See Activate an agent.)
When using Server & Workload Protection,
agent-initiated communication is the recommended
communication directionality.
Tip: Ensure that the console allows
agent-initiated activation by going to
and selecting Allow
Agent-Initiated Activation.
Bidirectional communication
Use the following troubleshooting steps when
the error occurs and the agent uses bidirectional
communication:
- Ensure that the agent is installed on the computer and that the agent is running.
- Ensure that the ports are open between Server & Workload Protection and the agent. (See Port numbers and Define a firewall rule.)
Unable to resolve hostname
The error: Activation Failed (Unable to resolve
hostname) could be the result of an unresolvable hostname in
DNS or of activating the agent from Server & Workload Protection when you
are not using agent-initiated activation.
If your agent is in bidirectional or
manager-initiated mode, your hostname must be
resolvable in DNS.
If you are a Server & Workload Protection customer,
we recommend that you always use agent-initiated activation.
To learn how to configure policy rules for agent-initiated
communication and deploy agents using deployment scripts,
see Activate and protect agents using agent-initiated
activation and communication.
No agent/appliance
This error message indicates that the agent
software has not been installed on the computer
that you would like to protect.
Blocked port
If you are seeing 'Activation Failed' events with the following error messages
in the ds_agent.log:
• 2018-06-25 17:52:14.000000: [Error/1] | CHTTPServer::AcceptSSL(<IP>:<PORT>) - BIO_do_handshake() failed - peer closed connection. | http\HTTPServer.cpp:246:DsaCore::CHTTPServer::AcceptSSL | 1E80:1FEC:ActivateThread
• 2018-06-25 17:52:14.143355: [dsa.Heartbeat/5] | Unable to reach a manager. | .\dsa\Heartbeat.lua:149:(null) | 1E80:1FEC:ActivateThread
• 2018-06-25 17:52:14.000000: [Info/5] | AgentEvent 4012 | common\DomainPrivate.cpp:493:DsaCore::DomPrivateData::AgentEventWriteHaveLock | 1E80:1FEC:ActivateThread
• 2018-06-25 17:52:14.143355: [Cmd/5] | Respond() - sending status line of 'HTTP/1.1 400 OK' | http\HTTPServer.cpp:369:DsaCore::CHTTPServer::Respond | 1E80:1D7C:ConnectionHandlerPool_0011
...and the following messages in your packet capture software (pcap):
• [TCP Retransmission] <Ephemeral Port> -> 443 [SYN, ECN, CWR] .......
• [TCP Retransmission] <Ephemeral Port> -> 443 [SYN] .......
...it may be because you have blocked a port used by the agents
and Server & Workload Protection (the
manager) to establish communication. Agent-manager
communication ports could be any of the following:
| Agent-manager communication type | Source / Port | Destination / Port |
|---|---|---|
| Agent-initiated communication | Agent / Ephemeral port | Manager / 4119 |
| Agent-initiated communication | Agent / Ephemeral port | Server & Workload Protection / 443 |
| Manager-initiated communication | Server & Workload Protection / Ephemeral port | Agent / 4118 |
As you can see from the table above, [ephemeral
ports](https://en.wikipedia.org/wiki/Ephemeral_port) are
used for the source port for outbound communication between
agent and manager. If those are blocked, then the agent
can't be activated and heartbeats won't work. The same
problems arise if any of the destination ports are blocked.
To resolve this issue:
- Remove restrictions on client outbound ports (ephemeral) in your network configuration.
- Allow access to Server & Workload Protection on 443.
- Allow inbound access to the agent on port 4118 if you're using Manager-initiated communication.
For details on ports, see Port
numbers.
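The log check described in this section can be scripted. The following is an added example, not Trend Micro code: it parses lines in the layout of the ds_agent.log excerpt above and reports any thread that logged both the failed handshake and "Unable to reach a manager". The field names, the grouping on the last field, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Layout of the ds_agent.log lines quoted on this page (field names are this
# example's own labels):
#   <timestamp>: [<category>/<level>] | <message> | <source location> | <thread>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+): "
    r"\[(?P<category>[^/\]]+)/(?P<level>\d+)\] \| (?P<rest>.+)$"
)

# Message fragments the page associates with a blocked agent-manager port.
SIGNATURES = {
    "handshake_failed": "BIO_do_handshake() failed",
    "manager_unreachable": "Unable to reach a manager",
}

# Constructed sample: the page's excerpt, <IP>:<PORT> kept as placeholders.
SAMPLE = r"""
2018-06-25 17:52:14.000000: [Error/1] | CHTTPServer::AcceptSSL(<IP>:<PORT>) - BIO_do_handshake() failed - peer closed connection. | http\HTTPServer.cpp:246:DsaCore::CHTTPServer::AcceptSSL | 1E80:1FEC:ActivateThread
2018-06-25 17:52:14.143355: [dsa.Heartbeat/5] | Unable to reach a manager. | .\dsa\Heartbeat.lua:149:(null) | 1E80:1FEC:ActivateThread
2018-06-25 17:52:14.000000: [Info/5] | AgentEvent 4012 | common\DomainPrivate.cpp:493:DsaCore::DomPrivateData::AgentEventWriteHaveLock | 1E80:1FEC:ActivateThread
2018-06-25 17:52:14.143355: [Cmd/5] | Respond() - sending status line of 'HTTP/1.1 400 OK' | http\HTTPServer.cpp:369:DsaCore::CHTTPServer::Respond | 1E80:1D7C:ConnectionHandlerPool_0011
""".strip().splitlines()

def parse_line(line):
    """Return the fields of one log line, or None if the layout does not match."""
    m = LINE_RE.match(line.strip().lstrip("•").strip())
    parts = m.group("rest").rsplit(" | ", 2) if m else []
    if len(parts) != 3:
        return None
    message, source, thread = parts
    return {"ts": m.group("ts"), "category": m.group("category"),
            "level": int(m.group("level")), "message": message,
            "source": source, "thread": thread}

def blocked_port_suspects(lines):
    """Return {thread: [signature names]} for threads that logged every signature."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        for name, fragment in SIGNATURES.items():
            if fragment in rec["message"]:
                seen[rec["thread"]].add(name)
    return {t: sorted(s) for t, s in seen.items() if s == set(SIGNATURES)}

if __name__ == "__main__":
    for thread, hits in blocked_port_suspects(SAMPLE).items():
        print(f"{thread}: {', '.join(hits)} -> check agent-manager ports")
```

A hit only narrows the search; confirm it against the SYN retransmissions in a packet capture before changing firewall rules.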
Expired subscription
When your 30-day trial is over or if your Server & Workload Protection subscription has expired, agent activation will no longer work. To verify the status
of your subscription, go to the Subscription Management page in your Trend Micro Cloud
One console. Log on to Trend Micro Cloud One and click Subscription Management, found at the bottom of the page.
To successfully activate an agent, upgrade to a paid Server & Workload Protection account. See Sign up for Trend Micro Cloud One for more information.
Endpoint behind proxy
If you are using a proxy, in the console go to Use deployment scripts to add and protect
computers and update the fields with your
proxy, then reactivate the agent. For more
information, see
Reinstallation required
If the agent is not activating, you may need to
uninstall the agent,
then reinstall the agent.