Azure ATP Network Exception

This post is part of Azure ATP troubleshooting and focuses on Azure ATP errors, with short ways to troubleshoot the issues and reach a solution.

After the Azure ATP sensor was deployed on a Windows Server 2016 Standard domain controller in a single Active Directory environment, with no errors during installation, the sensor started to restart itself again and again and didn’t connect to the cloud.

Azure ATP Sensor Error

In this specific issue, the Azure ATP sensor agent version is 2.59.6040.997, and the Microsoft.Tri.Sensor-Errors log file contains the following errors:

2019-09-08 19:32:40.3349 Error ExceptionDispatchInfo System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: A connection that was expected to be kept alive was closed by the server. ---> System.IO.IOException: Unable to read data from the transport connection: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
at int System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)
at int System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)
--- End of inner exception stack trace ---
at int System.Net.Security._SslStream.EndRead(IAsyncResult asyncResult)
at int System.Net.TlsStream.EndRead(IAsyncResult asyncResult)
at void System.Net.Connection.ReadCallback(IAsyncResult asyncResult)
--- End of inner exception stack trace ---
at WebResponse System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at void System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at async Task<HttpResponseMessage> System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task<HttpResponseMessage> sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)
at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(byte[] requestBytes, int offset, int count)
at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(IRequestWithResponse<TResponse> request)
at async Task<TResponse> Microsoft.Tri.Sensor.Common.ServiceProxy<TWebClientConfiguration>.SendAsync<TResponse>(IRequestWithResponse<TResponse> request)
at async Task Microsoft.Tri.Sensor.EntitySender.SendEntityBatchAsync(EntityBatch entityBatch, EntityBatch postponedEntityBatch)
at async Task Microsoft.Tri.Sensor.EntitySender.SendEntityBatchesAsync()

The Findings

Once you have this log, you can focus on a few specific errors:

  • An error occurred while sending the request – the Azure ATP sensor cannot send a request to the Azure ATP cloud
  • The underlying connection was closed – this one means the connection to the cloud cannot be established
  • A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond – another error about a connection that cannot be established to the Azure ATP cloud service
  • Microsoft.Tri.Sensor.Common.ServiceProxy – the Azure ATP sensor cannot send the connection through the proxy
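
An added example, not from the original post or from Microsoft: a small Python triage script that unwinds the nested .NET exception chain in an entry like the one above and reports the innermost exception, whether the failure surfaced during a TLS read, and the sensor operation that was in progress. The function names and the abridged sample entry are assumptions made for illustration.

```python
import re

# Constructed sample: the log entry quoted above, with messages and frames abridged.
SAMPLE = (
    "2019-09-08 19:32:40.3349 Error ExceptionDispatchInfo "
    "System.Net.Http.HttpRequestException: An error occurred while sending the request. "
    "---> System.Net.WebException: The underlying connection was closed: A connection "
    "that was expected to be kept alive was closed by the server. "
    "---> System.IO.IOException: Unable to read data from the transport connection. "
    "---> System.Net.Sockets.SocketException: A connection attempt failed because the "
    "connected party did not properly respond after a period of time\n"
    "at int System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)\n"
    "--- End of inner exception stack trace ---\n"
    "at int System.Net.Security._SslStream.EndRead(IAsyncResult asyncResult)\n"
    "--- End of inner exception stack trace ---\n"
    "at async Task<TResponse> Microsoft.Tri.Sensor.Common.ServiceProxy"
    "<TWebClientConfiguration>.SendAsync<TResponse>(IRequestWithResponse<TResponse> request)\n"
    "at async Task Microsoft.Tri.Sensor.EntitySender.SendEntityBatchesAsync()\n"
)

# .NET joins nested exceptions with "--->"; some pages render it as an em dash plus ">".
SEP = re.compile(r"\s(?:--->|\u2014>)\s")
HEAD = re.compile(r"^(\S+ \S+) (\w+) (\w+) (.*)$")
NETWORK_TYPES = {"System.Net.Sockets.SocketException", "System.IO.IOException",
                 "System.Net.WebException"}

def parse_entry(text):
    """Split one error entry into timestamp, exception chain and stack frames."""
    first, *rest = text.strip().splitlines()
    stamp, level, _source, body = HEAD.match(first).groups()
    chain = []
    for part in SEP.split(body):          # outermost exception first, root cause last
        exc_type, _, message = part.partition(": ")
        chain.append((exc_type.strip(), message.strip()))
    # Keep only the qualified method name of each "at ..." frame.
    frames = [l.split("(")[0].split()[-1] for l in rest if l.strip().startswith("at ")]
    return {"time": stamp, "level": level, "chain": chain, "frames": frames}

def triage(entry):
    """Summarise what the chain and frames say about where the request failed."""
    sensor = [f for f in entry["frames"] if f.startswith("Microsoft.Tri.")]
    return {
        "root_cause": entry["chain"][-1][0],
        "network_failure": entry["chain"][-1][0] in NETWORK_TYPES,
        "during_tls_read": any("SslStream.EndRead" in f for f in entry["frames"]),
        "sensor_operation": sensor[-1] if sensor else None,  # outermost sensor caller
    }

if __name__ == "__main__":
    print(triage(parse_entry(SAMPLE)))
```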

The Solution

All of the errors above point to a connection issue: the Azure ATP sensor cannot connect to the Azure ATP cloud service because something on the network is blocking it, which might be the proxy, the firewall, or another network component that blocks the traffic.

You can run a few tools that investigate the traffic from the local Azure ATP sensor to the Azure ATP cloud service, such as Nslookup, Wireshark, etc.

In this specific situation, the firewall didn’t show any dropped connections, so the next step was to check the proxy, and there we saw a dropped connection.

Once the proxy was given the specific domain and IPs for the Azure ATP cloud services, the Azure ATP sensor connected to the cloud successfully.
