What does it mean?
Normally, this error message indicates that a Connector service is unable to post user logon events to one or more Virtual Appliances (VAs).
From the Dashboard there is currently no way to ascertain which VA the Connector is having difficulty communicating with. However, you can quickly find this information by checking the Connector log.
Where is the log?
The connector log is located here:
C:\Program Files (x86)\OpenDNS Connector\v1.x.x\OpenDNSAuditClient.log
Note: The log rotates, so if the server running the Connector has not been restarted for a while, you will not see a 'SYNC RESPONSE' from the Dashboard API near the beginning. You can, however, restart the OpenDNS Connector service with no interruption to users, wait a few minutes, and then open the log file to continue.
How to check the list of VAs the connector should know about
When the Connector service is started, it makes a POST to Umbrella containing some unique information, and receives a response back containing information it needs to operate, such as Domain Controllers that are registered in the dashboard, other Connectors that are installed to the same 'Umbrella Site' and a list of Virtual Appliances. An example is below:
11/07/2016 9:56:32 AM: SYNC RESPONSE: .......
......
["objectGUID"],"PreloadThreshold":"1"}]},"VAServers":{"Servers":[{"AssetID":"11223344","InternalIPs":["10.100.0.100"]},{"AssetID":"11223345","InternalIPs":["10.100.0.101"]},{"AssetID":"11223346","InternalIPs":["192.168.1.100"]},{"AssetID":"11223347","InternalIPs":["192.168.1.101"]}]}}
Here you can see the label "VAServers" followed by a list of Asset IDs (the unique number for each VA, which ties it in with our back-end systems) and the Internal IPs of the VAs.
Checking the log further
Look for events that are being received by some VAs but not others.
The Connector sends logon events (just the Username and the source IP address of that event) to the VAs so that a User-to-IP mapping file can be updated. This in turn allows the VA to associate a DNS request from an internal IP with that specific Username. Below is an example of this event being posted to a working VA.
The Connector discovering the logon event
11/07/2016 12:38:19: FOUND EVENT 16252724 on 192.168.1.50: Code=4769 for Username=MCFELCHINGTON$ IP=192.168.1.249 Live=True LogonId=0 Written=2016-07-11T12:33:14 DelaySec=305.50
Note: 192.168.1.50 is the IP of the Domain Controller that handled the user's logon to the domain.
Working VA
11/07/2016 12:38:19: SendUserLogin Event 16252724 to VA IP 192.168.1.100, POST Data: VERSION=1.0&Type=Login&Username=MCFELCHINGTON.domain.local$&IP=192.168.1.249&DN=66e6605fb9147d26029d381e4a373670
11/07/2016 12:38:19: Response to login was UEM_OK from 192.168.1.100 for event 16252724 in 8 msec: [200] Success!
Failing VA
11/07/2016 12:38:19: SendUserLogin Event 16252724 to VA IP 192.168.1.101, POST Data: VERSION=1.0&Type=Login&Username=MCFELCHINGTON.domain.local$&IP=192.168.1.249&DN=66e6605fb9147d26029d381e4a373670
11/07/2016 12:38:22: Response to login was UEM_OK from 192.168.1.101 for event 16252724 in 3118 msec: [-1] The operation has timed out
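The two checks above combined, as an added example that is not from the original article or from the Connector: it reads the VA list from the "VAServers" block and tallies login responses per VA IP. It assumes the log line formats shown in the excerpts and treats any bracketed code other than 200 as a failed post; the function names are this example's own.

```python
import json
import re

# Constructed sample: the two response lines are from the excerpts above; the
# SYNC RESPONSE line is shortened to the VAServers block (a real one is longer).
SAMPLE_LOG = """\
11/07/2016 9:56:32 AM: SYNC RESPONSE: {"VAServers":{"Servers":[{"AssetID":"11223345","InternalIPs":["10.100.0.101"]},{"AssetID":"11223346","InternalIPs":["192.168.1.100"]},{"AssetID":"11223347","InternalIPs":["192.168.1.101"]}]}}
11/07/2016 12:38:19: Response to login was UEM_OK from 192.168.1.100 for event 16252724 in 8 msec: [200] Success!
11/07/2016 12:38:22: Response to login was UEM_OK from 192.168.1.101 for event 16252724 in 3118 msec: [-1] The operation has timed out
"""

# The failing excerpt above still says UEM_OK, so key on the bracketed code.
RESPONSE = re.compile(r"Response to login was \S+ from (\S+) for event \d+ in \d+ msec: \[(-?\d+)\] (.*)")
VA_KEY = '"VAServers":'

def expected_vas(log_text):
    """Internal IPs of the VAs in the most recent line carrying a VAServers block."""
    ips = []
    for line in log_text.splitlines():
        pos = line.find(VA_KEY)
        if pos != -1:
            # Decode only the JSON object that follows the VAServers key.
            block, _ = json.JSONDecoder().raw_decode(line, pos + len(VA_KEY))
            ips = [ip for server in block["Servers"] for ip in server["InternalIPs"]]
    return ips

def va_status(log_text):
    """Map each VA IP to 'ok', 'failing: <last error> ...' or 'no response logged'."""
    counts = {ip: [0, 0, ""] for ip in expected_vas(log_text)}  # ok, failed, last error
    for m in RESPONSE.finditer(log_text):
        ip, code, text = m.groups()
        entry = counts.setdefault(ip, [0, 0, ""])
        if code == "200":  # assumption: only 200 counts as a delivered event
            entry[0] += 1
        else:
            entry[1] += 1
            entry[2] = text.strip()
    status = {}
    for ip, (ok, failed, last_error) in counts.items():
        if failed:
            status[ip] = f"failing: {last_error} ({failed} of {ok + failed} posts)"
        else:
            status[ip] = "ok" if ok else "no response logged"
    return status

if __name__ == "__main__":
    print(va_status(SAMPLE_LOG))
```

To use it on a real log, read the file's text and pass it to va_status in place of SAMPLE_LOG.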
So what's causing it?
Probably network access. The Connector needs to be able to post this information to the VAs using port 443. Connectivity from Connector to VA is required as follows:
- 443 TCP to VAs - AD events
- 8080 TCP to VAs - Connector log upload to VA
Both of these are one-way communication only, so there is no need to open the port back from VA to Connector.