Microsoft Monitoring Agent is unable to connect to LogAnalytics Workspace - Event ID 4008

Question

Monday, July 9, 2018 6:56 PM

Hi - Our servers do not have direct access to the internet (disconnected scenario) and we have allowed the following URLs through the firewall (Port 443 inbound and outbound):

*.ods.opinsights.azure.com 
*.oms.opinsights.azure.com
*.blob.core.windows.net
*.azure-automation.net
*.agentsvc.azure-automation.net

When we install the Microsoft Monitoring Agent, the connection fails with the error: The agent had an unknown failure 12175.

The event log throws the below error:

Log Name:      Operations Manager
Source:        Service Connector
Date:          7/9/2018 2:29:14 PM
Event ID:      4008
Task Category: Communication
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xxxxxxxxx
Description:
A secure connection could not be negotiated with the service <workspaceID>.oms.opinsights.azure.com. The article KB3126513 has additional troubleshooting information for connectivity issues.  Possible reasons for this include: 
 
The certificate authority "Baltimore CyberTrust Root" is not in the "Third-Party Root Certification Authorities" store.  Please add this authority to that store. 
 
TLS 1.0, 1.1, and 1.2 are all disabled. 
 
A suitable cypher suite could not be negotiated. 
 
Other details: 
 
Failure Code: 12175L 
URL for Operation: https://xxxxxxxxx.oms.opinsights.azure.com/AgentService.svc/AgentTopologyRequest 
Proxy Host: 
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Connector" />
    <EventID Qualifiers="49152">4008</EventID>
    <Level>2</Level>
    <Task>2</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-07-09T18:29:14.000000000Z" />
    <EventRecordID>212</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>xxxxxxxxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data>xxxxx.oms.opinsights.azure.com</Data>
    <Data>12175L</Data>
    <Data>https://xxxxx.oms.opinsights.azure.com/AgentService.svc/AgentTopologyRequest</Data>
    <Data>
    </Data>
  </EventData>
</Event>

I have confirmed that the certificate authority "Baltimore CyberTrust Root" is in the "Third-Party Root Certification Authorities" store. TLS 1.0, 1.1, and 1.2 are selected in IE properties.

Can you please let me know what I am missing here?

-Ajay

All replies (4)

Friday, July 20, 2018 7:30 PM ✅Answered

Jason, thanks. We ended up opening a ticket with MS Support and, upon further troubleshooting with them, figured out the root cause: the Network team did not enable 'Bypass https inspection' in the firewall exception. Once it was enabled, the Monitoring agent was able to communicate with the Log Analytics workspace.

-Ajay
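
An added example, not part of the thread and not Microsoft's code: one way to see from the affected server whether HTTPS inspection is in the path is to list the certificate chain the endpoint actually presents and compare its root with the one named in the Event 4008 text. The function name `Get-PresentedChain` and its parameters are hypothetical; the host is the placeholder from the event, and the default expected root is taken from the event description above.

```powershell
# Added example (hypothetical helper): show the chain presented on port 443.
function Get-PresentedChain {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        # Root named in the Event 4008 description on this page.
        [string]$ExpectedRoot = 'Baltimore CyberTrust Root'
    )
    $seen = @{ Chain = @(); PolicyErrors = $null }
    # Diagnostic only: accept whatever is presented so the chain can be recorded.
    # No application data is sent over this connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $seen.PolicyErrors = $sslPolicyErrors
        $seen.Chain = @($chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Certificate.Subject
                Issuer     = $_.Certificate.Issuer
                Thumbprint = $_.Certificate.Thumbprint
            }
        })
        $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            # Force TLS 1.2 so an old .NET default does not mask the result.
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }

    # The last chain element is the root the leaf certificate chains up to.
    $root = $seen.Chain | Select-Object -Last 1
    [pscustomobject]@{
        Host         = $HostName
        PolicyErrors = $seen.PolicyErrors   # None when the chain is trusted locally
        RootSubject  = $root.Subject
        RootMatches  = ($root.Subject -like "*CN=$ExpectedRoot*")
        Chain        = $seen.Chain
    }
}

# Placeholder host, as it appears in the event text:
# Get-PresentedChain -HostName '<workspaceID>.oms.opinsights.azure.com' | Format-List
```

If `RootMatches` is false and the issuers in `Chain` name the firewall or proxy vendor's CA, the connection is being re-signed by HTTPS inspection, which is the condition the accepted answer resolved with the bypass exception.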


Tuesday, July 17, 2018 6:33 PM

Hi Ajay,

I see references to Log Analytics API namespaces here:

https://docs.microsoft.com/en-us/azure/application-insights/app-insights-ip-addresses#log-analytics-api

Have you tried allowing outbound traffic to those URLs?  


Wednesday, September 4, 2019 1:09 PM

I have the same issue with Windows Server 2016 and 2019; however, with the same configuration (proxy included), it works fine.


Wednesday, September 4, 2019 1:10 PM

Sorry, it works fine with Windows 2008 R2