Troubleshoot TETRA Definitions Update Failure with 3000 Error

Available Languages

Download Options

  • PDF     (1.3 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.4 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (879.9 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:December 4, 2023
Document ID:218150

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes steps to troubleshoot TETRA Definitions failure with error 3000 error.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Secure Endpoint

    Components Used

    The information in this document is based on:

    • Cisco Secure Endpoint connector (any version)
    • Wireshark (any version)

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Problem

      1. On endpoint, TETRA Definitions update fail with "Unable to install updates.Please try again later" error message.
        Screenshot 2022-08-25 at 9.15.29 AM
      2. On Cisco Secure Endpoint Console, mentioned failure error is observed:

        "Update failed because of a network timeout. Check your network, firewall or proxy settings to verify connectivity between endpoints and the update server. Contact Cisco support if the issue persists."

        Screenshot 2022-08-24 at 9.00.49 PM
      3. In debug sfc.exe.log, definitions updated failed with error 3000 error is observed, which stands for Unknown_Error as documented. 
        (978223515, +0 ms) Aug 04 07:30:23 [11944]: TETRAUpdateInterface::update updateDir: C:\Program Files\Cisco\AMP\tetra, 20, -3000, -3000, 0, 0, 0
        (978223515, +0 ms) Aug 04 07:30:23 [11944]: ERROR: TETRAUpdateInterface::update Update failed with error -3000
        (978223515, +0 ms) Aug 04 07:30:23 [11944]: PipeSend: sending message to user interface: 26, id: 0
        (978223515, +0 ms) Aug 04 07:30:23 [860]: PipeWrite: waiting on pipe event handle
        (978223515, +0 ms) Aug 04 07:30:23 [11944]: TETRAUpdaterInit defInit: 0, bUpdate: 0
        (978223515, +0 ms) Aug 04 07:30:23 [11944]: TETRAUpdaterInit bUpdate: 0, bReload: 0
        (978223515, +0 ms) Aug 04 07:30:23 [11944]: FASharedPtr<class TETRAUpdateInterface>::ReleaseInstance count: 1
        (978223515, +0 ms) Aug 04 07:30:23 [11944]: PerformTETRAUpdate: bUpdated = FALSE, state: 20, status: -3000
        (978223515, +0 ms) Aug 04 07:30:23 [11944]: PerformTETRAUpdate: sig count: 0, version: 0
        (978223515, +0 ms) Aug 04 07:30:23 [11944]: Config::IsUploadEventEnabled: returns 1, 1
        (978223515, +0 ms) Aug 04 07:30:23 [11944]: AVStat::CopyInternal : engine - 2, defs - 0, first failure - never, last err code - 4294964296, last upd success - never
        (978223515, +0 ms) Aug 04 07:30:23 [11944]: AVStat::CopyInternal : engine - 2, defs - 0, first failure - Thu Aug 4 06:35:16 2022, last err code - 4294964296, last upd success - never

    Solution

      1. Please enable Allow user to update TETRA definitions option in AMP Policy > Client User Interface on the Console. With this parameter you can trigger TETRA update as required during troubleshooting.
        Screenshot 2022-08-24 at 10.12.06 PM
      2. Also, enable debug Connector and Tray-level log on the endpoint or via AMP Policy.

      3. Please take packet captures on both TETRA update successful and failed endpoint for TETRA Definitions while you click Update TETRA on endpoint.

      4.  On TETRA update successful endpoint, in packet-capture filter the packets with http.host == "tetra-defs.amp.cisco.com:443" and then "follow the tcp.stream" of each packets to analyse the related traffic.
      5. In Server Hello packet, you can see the Server accepts "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" cipher in Server Hello packet.
        Screenshot 2022-08-24 at 6.35.40 PM
      6. Cisco Secure Endpoint TETRA server accepts only mentioned Ciphers:
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_AES_128_GCM_SHA256
      7. On TETRA update failed endpoint, in packet-capture, a fatal error in SSL handshake is seen after Client Hello packet.Screenshot 2022-08-24 at 6.36.02 PM
      8. In the Client Hello packet, you can see the offered Ciphers from the endpoint.Screenshot 2022-08-25 at 9.47.15 AM
      9. In addition, you can cross-verify the enabled Ciphers on endpoint with the  Get-TlsCipherSuite | ft name  PowerShell command.
        Screenshot 2022-08-24 at 8.21.46 PM
      10. In case the ciphers mentioned in Step 6 are not listed here, that is the reason for the SSL handshake failure.
      11. To fix this, please verify the SSL Cipher Suite Order in the Group Policy: 
        Run -> gpedit.msc -> Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order -> Edit policy setting
        Screenshot 2022-08-24 at 8.58.16 PM
      12. The Cipher Suite Order must be Not Configured or Disabled and if set to Enabled, add the ciphers mentioned in Step 6 in the list.
        Screenshot 2022-08-24 at 8.57.26 PM
      13. Apply these changes and reboot the endpoint to bring these changes available for applications.
      14. Please retry Update TETRA once the reboot is completed.
      15. In case the TETRA Definitions issue persists, please analyze the logs and captures again.

    Related Information

    Revision History

    Revision Publish Date Comments
    2.0
    04-Dec-2023
    Initial Release
    1.0
    06-Sep-2022
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Vivek Singh
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco