KB Article | Forcepoint Support

Problem Description

Network Agent is not working properly.  How do I enable debugging to troubleshoot the issue?
 

Resolution

The options below are for gathering data for troubleshooting and can be done in any order. However, if going down the list, make sure to undo the Network Agent Packet Capture before performing the PrintSelf.

Network Agent debug:

  1. The Network Agent log file is found in the Websense bin directory. It is called NetworkAgent.log and its contents are controlled by the Forcepoint Security Manager.
  2. In the Manager, navigate to the Server > Settings > Network Agent > Global Settings > [IP address] > Advanced Network Agent Settings.
  3. Near the bottom of the page is a drop-down box labeled Mode.  You can choose: None, General, Error, Detail and Bandwidth.
    1. General is most often used for troubleshooting. 
  4. Log files grow quickly, and logging slows down Network Agent performance so use logging with caution.


Network Agent Packet Capture:

  1. Edit the natuning.ini file in the Websense bin directory, making sure it has the following line:
  CaptureFileDump=<filename>
  1. Restart Network Agent
  2. Packets will begin dumping to the file specified by <filename> before any processing has been done.

Note Debugging can cause Network Agent to slow down considerably. This setting is only recommended for troubleshooting Network Agent.

 
Network Agent PrintSelf:
This utility provides a snapshot of what Network Agent has done.  It also provides state information, errors, and abnormal conditions. To run Network Agent PrintSelf:

  1. Remove the CaptureFileDump line from the natuning.ini file and restart Network Agent to turn this feature off.
  2. Open a Command Prompt as Administrator.
  3. Navigate to the Websense\Web Security\bin directory.
  4. Type:  ConsoleClient localhost 55870

For more information on ConsoleClient, view the following articles:

Wireshark Packet Capture:
 A packet capture can show you what can be seen by the network card. Reset packets generated by Network Agent have the ip.id field of the packet set to 0x2f2.

Note Network Agent causes Wireshark to not function properly on open. To make a packet capture with Wireshark if Network Agent and Filtering Service are on the same server:
  1. Open Services using run command services.msc
  2. Right-click Websense Network Agent and select Properties.
  3. Change from Automatic to Disabled, then Stop the service.
  4. Restart the server.
  5. Open Wireshark and select the NIC for listening.
  6. Start the capture.
  7. Reopen Services.
  8. Right-click Websense Network Agent and select Properties.
  9. Change from Disabled to Automatic, then Start the service.
 

Examine ports and session states:
You can use the NETSTAT command to display the routing information.

  1. Open Command Prompt.
  2. To display routing information: netstat –r
  3. To display active TCP connections: netstat –an

Once Network Agent has seen a packet and established communication with the Filtering Service, there should be 50 ports connecting Network Agent with Filtering Service.If any blocking has occurred, there will also be connections to port 15871 in the time-wait state.

Article Feedback



Thank you for the feedback and comments.