Agent Failing Registration at 50%

Version 5



    To diagnose this issue, there are many symptoms that may need to be considered:




    There are many reasons the registration could fail, but generally the above symptoms indicate some sort of communication issue with the agent being unable to reach the Protect console for registration.




    Start by checking that some simple connection tests work from the agent system to the console system:

    • Ensure you can ping the console system.
      • If you can't ping the console system, either you have no connection from the agent to the console system, or (rarely) you may have ICMP disabled.
    • Ensure you are able to successfully resolve the console system by nslookup.
      • Make sure the results of both forward and reverse nslookup match. Ensure there is no problem with machine name resolution.
    • Can you telnet to the console system over port 3121 successfully?
      • Port 3121 is used for agent communication back to the console. This is a port requirement and is not configurable.
    • Can you telnet to the target machine over port 4155 successfully?
      • Port 4155 is used for the console to communicate to the target machine. This is a default port requirement, but can be changed on the General Settings tab of your agent policy.
    • Make sure that TLS 1.0 is enabled or TLS 1.2 is properly configured, as described in the document "Disabling TLS 1.0 may cause issues with Protect and Patch for Windows Servers".
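
    The connection tests above can be scripted in PowerShell. This is an added example, not code from the original article or from the vendor: the host names are placeholders, the function names are illustrative, and it assumes the machines are addressed by FQDN.

```powershell
# Added example. Host names are placeholders; function names are illustrative.
$Console = 'console.example.local'   # placeholder: Protect console FQDN
$Target  = 'agent01.example.local'   # placeholder: agent (target) machine FQDN

function Test-NameResolution([string]$HostName) {
    # Forward lookup, then reverse lookup of each IPv4 address; the names should agree.
    try { $ips = [System.Net.Dns]::GetHostAddresses($HostName) } catch { $ips = @() }
    if (-not $ips) { return [pscustomobject]@{ Name = $HostName; Address = $null; Reverse = $null; Match = $false } }
    foreach ($ip in $ips | Where-Object { $_.AddressFamily -eq 'InterNetwork' }) {
        try { $rev = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $rev = $null }
        [pscustomobject]@{ Name = $HostName; Address = "$ip"; Reverse = $rev
                           Match = [bool]($rev -and $rev -ieq $HostName) }
    }
}

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Same check as "telnet host port", with a timeout instead of a hanging window.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        return ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch { return $false }
    finally { $client.Close() }
}

function Get-TlsHandshake([string]$HostName, [int]$Port = 3121) {
    # Reports the protocol actually negotiated and any certificate policy errors.
    # The offered protocols are the defaults of the .NET Framework PowerShell runs on,
    # which may differ from what the agent itself offers.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Diagnostic only: record certificate errors and continue so the protocol is
        # still reported. Do not reuse this callback for real traffic.
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($s, $cert, $chain, $errors) $script:CertErrors = $errors; $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{ Protocol = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm
                           CertErrors = $script:CertErrors }
    } finally { $client.Close() }
}

# Run on the agent system:
Test-NameResolution $Console
"Agent to console, port 3121: $(Test-TcpPort $Console 3121)"
Get-TlsHandshake $Console 3121
# Run on the console system (4155 is the default and can be changed in the agent policy):
# "Console to target, port 4155: $(Test-TcpPort $Target 4155)"
```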


    If the above tests are all successful, continue to the next steps in troubleshooting:

    • Ensure that the name, FQDN, or IP the agent is attempting to resolve exists in the Console Alias Editor within the Protect console.
    • In many of the log snippets above you can see that the agent attempts to register with https://Host.fqdn:3121/ST/Console/AgentRegistration/Registration
      • On the agent system, paste the URL from your log into an Internet Explorer window to see if you can successfully navigate to it.
        • If the test is successful you would see a screen displayed stating something along the lines of, "A service was created".
          • If this test works, the agent should by all means be able to register successfully.
          • Follow the steps in this document: Agent - Complete Uninstall then attempt installation again.
          • Contact support if it still fails.
        • If the test fails with an "Internet Explorer cannot display the webpage" message, continue to the next step.
      • Run a test on the agent system to see what security protocols are enabled.
        • Qualys SSL Labs - Projects / SSL Client Test is a good site to test with.
        • You may not have a security protocol enabled or something is incorrect in the configuration.
        • If no protocols are enabled, a secure web connection cannot truly be established, thus causing the agent registration to fail.
          • The Microsoft article TLS/SSL Tools and Settings: Logon and Authentication covers how to ensure protocols are enabled or disabled.
          • Generally you may need to investigate settings in the following registry key:

    Additional Information


    If the agent is failing to install at a different percentage mark or when manually installing, you may want to consider reviewing the following documents:

    Agent Failing at 67% (Registration Failure)

    Manual installation of agent fails on registration.


    Affected Products


    Shavlik Protect 9.x

    Ivanti Patch for Windows 9.3.x