Agent Client Collector (ACC) error codes and troubleshooting<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Introduction Troubleshoot Agent Client Collector (ACC) errors using error codes found in the sn_agent_error_msg table. This article provides causes and resolutions for common ACC errors. Note: This article documents error codes with known resolutions. For error codes not listed or marked as pending documentation, contact ServiceNow Support. In this article Before you beginError code categoriesPlugin retrieval and verification errors (ACC-1500–1501) Allow-list errors (ACC-2000–2006)Execution and performance errors (ACC-2100–2201)Data collection errors (ACC-2500–2509)Policy configuration errors (ACC-3001–3011)Agent registration and connectivity errors (ACC-4001–4199)Agent upgrade errors (ACC-5000–5015)Common errors without ACC codes Before you begin Error codes provide a brief description only. To understand the full context of an error, retrieve and review the acc.log file from the agent. Debugging tips: If an issue is reproducible, enable debug in acc.yml before reproducing. This provides more detail in acc.log.Errors appear in the sn_agent_error_msg table, which references the specific agent having the issue.Agents that have not yet connected to the instance do not have errors in that table. Review the acc.log file directly on the agent host. Note: In this article, "asset" refers to "ACC Plugin." Error code categories Error Code Range Category ACC-1500–1501 Plugin retrieval and verification ACC-2000–2006 Allow-list issues ACC-2100–2201 Execution and performance ACC-2500–2509 Data collection ACC-3001–3011 Policy configuration ACC-4001–4199 Agent registration and connectivity ACC-5000–5015 Agent upgrades Plugin retrieval and verification errors (ACC-1500–1501) ACC-1500: Unable to retrieve ACC plugin for check execution An error was encountered when trying to retrieve an ACC plugin for check execution. Error Message Cause Resolution error getting assets for check: couldn't verify asset (skipped fetching certificates and retrying): Could not determine a valid CA signed certificate to verify signature, aborting Asset signature verification Root certificate is missing on the agent host Install the root certificate on the agent host. See KB2119772. error getting assets for check: couldn't verify asset (skipped fetching certificates and retrying) ServiceNow or customer code-signing certificate may have expired For troubleshooting expired ACC Plugin signing certificate, see KB2542745 error getting assets for check: can't open tmp file for asset: open /tmp/sensu-asset...: permission denied Agent service user lacks permissions to the /tmp folder Grant the agent service user permissions to the /tmp folder. error getting assets for check: sync C:\Temp\sensu-asset...: Insufficient system resources exist to complete the requested service Windows computer is out of memory or other resources Free up memory or system resources on the Windows host. error getting assets for check: error downloading asset: context canceled gRPC error, possibly a timeout Review network connectivity and timeout settings. error getting assets for check: error downloading asset: local error: tls: bad record MAC TLS/connection error For details, see Microsoft WSARecv function error codes. error getting assets for check: error downloading asset: read tcp x.x.x.x:xxx->x.x.x.x:443: wsarecv: An established connection was aborted by the software in your host machine Connection aborted by host software For details, see Microsoft WSARecv function error codes. error getting assets for check: error downloading asset: read tcp x.x.x.x:xxx->x.x.x.x:443: wsarecv: An existing connection was forcibly closed by the remote host Connection forcibly closed For details, see Microsoft WSARecv function error codes. error getting assets for check: error downloading asset: unexpected EOF Unexpected end of file (EOF) during download Review network connectivity between agent and MID Server or ITOM Gateway. error getting assets for check: error downloading asset: write C:\Temp\sensu-asset...: There is not enough space on the disk Windows system drive with %TEMP% folder is out of disk space Free up disk space on the system drive. error getting assets for check: error extracting asset: reading file in tar archive... There is not enough space on the disk Windows system drive with %ProgramData% folder is out of disk space Free up disk space on the system drive. error getting assets for check: error extracting asset: reading file in tar archive: file already exists: C:\ProgramData\ServiceNow\agent-client-collector\cache\... File already exists in cache Clear the cache folder or resolve the file conflict. error getting assets for check: error fetching asset: Get "https://<mid server>:443/static/acc_plugin/...": context canceled Connection to MID Server timed out Review network connectivity to the MID Server. error getting assets for check: error fetching asset: Get "https://<mid server>:443/static/acc_plugin/...": dial tcp x.x.x.x:443: connectex: A connection attempt failed... Connection to MID Server failed Verify MID Server is accessible from the agent host. error getting assets for check: error fetching asset: Get "https://<mid server>:443/static/acc_plugin/...": dial tcp: lookup <hostname>: no such host DNS lookup failed for MID Server or load balancer Verify DNS resolution for the MID Server hostname. error getting assets for check: error fetching asset: Get "https://<itom gateway>:443/content/v1/assets/...": all proxy attempts failed All proxy attempts to ITOM Gateway failed Review proxy configuration and connectivity to ITOM Gateway. error getting assets for check: error fetching asset: Get "https://<itom gateway>:443/content/v1/assets/...": EOF Connection to ITOM Gateway ended unexpectedly Review network connectivity to ITOM Gateway. error getting assets for check: error fetching asset: Get "https://<itom gateway>:443/content/v1/assets/...": dial tcp: lookup <hostname>: no such host DNS lookup failed for ITOM Gateway Verify DNS resolution for the ITOM Gateway hostname. error getting assets for check: error fetching asset: Get "https://<itom gateway>:443/content/v1/assets/...": read tcp x.x.x.x:xxx->149.96.x.x:443: wsarecv: A connection attempt failed... Connection to ServiceNow IP range failed Review network connectivity; 149.96.x.x is a ServiceNow IP range. See Microsoft WSARecv function error codes. error getting assets for check: error fetching asset: Get "https://<itom gateway>:443/content/v1/assets/...": read tcp x.x.x.x:xxx->172.x.x.x:443: wsarecv: An established connection was aborted... Connection aborted; internal IP suggests inspection firewall Review firewall rules between agent and ITOM Gateway. The 172.x.x.x IP suggests an inspection firewall may be involved. error getting assets for check: error fetching asset: Get "https://<itom gateway>:443/content/v1/assets/...": read tcp x.x.x.x:xxx->165.225.x.x:443: wsarecv: An existing connection was forcibly closed... Connection closed; zScaler IP suggests inspection firewall Review firewall rules. The 165.225.x.x IP is a zScaler address, suggesting an inspection firewall may be involved. error getting assets for check: error fetching asset: Get "https://<itom gateway>:443/content/v1/assets/...": read tcp x.x.x.x:xxx->172.x.x.x:443: read: connection reset by peer Connection reset; internal IP suggests inspection firewall Review firewall rules between agent and ITOM Gateway. error getting assets for check: error fetching asset: Get "https://<itom gateway>:443/content/v1/assets/...": http: server gave HTTP response to HTTPS client Received HTTP response instead of HTTPS The ITOM Gateway only uses HTTPS. This response is likely from a proxy or firewall between the agent and ITOM Gateway. error getting assets for check: error fetching asset: Get "https://<itom gateway>:443/content/v1/assets/...": remote error: tls: unknown certificate TLS certificate not recognized The ITOM Gateway uses DigiCert certificates. The agent is likely seeing a certificate from an inspection/interception firewall between the agent and ITOM Gateway. error getting assets for check: error fetching asset: Get "https://<itom gateway>:443/content/v1/assets/...": tls: failed to verify certificate: x509: certificate signed by unknown authority Certificate signed by unknown authority The ITOM Gateway uses DigiCert certificates. The agent is likely seeing a certificate from an inspection/interception firewall. error getting assets for check: error fetching asset: Response Code 401: Response Body: mTLS request with path /content/v1/assets/... is missing cert header mTLS certificate header missing Review mTLS configuration for the agent. error getting assets for check: error fetching asset: Response Code 404: Response Body: attachment /tmp/files/<instance>/file-... does not exist on instance ACC Plugin file does not exist on instance The ITOM Gateway cannot get the ACC Plugin file because it does not exist in the instance. Verify the plugin is available. ACC-1501: Unable to verify plugin with public signature After retrieving the ACC plugin, the signature could not be verified. Resolution pending documentation. Contact ServiceNow Support. Allow-list errors (ACC-2000–2006) ACC-2000: Allow-list blocked command The check command has been blocked by the agent's allow-list.Resolution pending documentation. Contact ServiceNow Support. ACC-2001: Allow-list blocked command due to exec not found The check command has been blocked because the executing command was not found in the effective allow-list.Resolution pending documentation. Contact ServiceNow Support. ACC-2002: Allow-list blocked command due to no matching args The check command has been blocked due to no matching arguments in the allow-list.Resolution pending documentation. Contact ServiceNow Support. ACC-2003: Allow-list blocked command due to invalid character The check command has been blocked due to an invalid character detected in the command string.Resolution pending documentation. Contact ServiceNow Support. ACC-2004: Allow-list blocked command due to invalid regex The check command has been blocked due to an invalid regex pattern evaluation.Resolution pending documentation. Contact ServiceNow Support. ACC-2005: Allow-list blocked command due to shell mode not enabled The check command has been blocked because this command does not have an entry allowing shell mode execution.Resolution pending documentation. Contact ServiceNow Support. ACC-2006: Allow-list file cannot be read correctly An allow-list file cannot be read correctly. This could be due to invalid JSON format or permission issues. Error Message Cause Resolution Allow-list file cannot be read Invalid JSON format or permission issues Verify that the appropriate allow-list is used (configured allow-list or plugin allow-list).Verify that the allow-list file can be read by the agent service user.Verify the contents of the allow-list file are in valid JSON format. Execution and performance errors (ACC-2100–2201) ACC-2100: Execution timed out The check execution did not complete in the allotted time. The timeout only accounts for time spent running the command on the agent host. It does not include time for the agent to receive the check execution request or send the check result back to the instance. Error Message Cause Resolution Execution timed out Endpoint device enters sleep mode or goes down during a check request For current status of this known issue with Windows agents, see KB2481802 Execution timed out Command execution exceeds the timeout set on the check definition or check instance record Review the timeout duration on the check definition or check instance. Increase the value based on the time required for the command to complete. Enhanced Discovery check timeout: For the Enhanced Discovery check, you can increase the timeout from 600 to 1200, or even 2400. This check runs endpoint_discovery.rb using a ruby.exe process, which then runs child ruby.exe processes for each script in the check command list: data_collection, enhanced_inventory, file_systems, network_adapters, tcp_connections, storage_devices, running_processes, local_users, intel_ema, memory_modules. To identify which script is taking time, monitor running processes and look for the script name in the Ruby command line. ACC-2200: Disabled check execution due to Agent CPU threshold exceeded Check execution has been disabled because ACC CPU usage exceeds the configured CPU threshold.Resolution pending documentation. Contact ServiceNow Support. ACC-2201: Disabled check has been marked stale A disabled check has been marked stale because the check instance is no longer run as part of a policy.Resolution pending documentation. Contact ServiceNow Support. Data collection errors (ACC-2500–2509) ACC-2500: Data collection encountered an error Data collection has encountered an unclassified error. Error Message Cause Resolution Permission denied <file path> Agent service user lacks execute permissions Verify the run-as user for the ACC service has permissions to execute the file. error granting capabilities Known issue See PRB1888049 for current status. ACC-2501: Data collection payload is empty Agent returned a data collection payload that is empty.Resolution pending documentation. Contact ServiceNow Support. ACC-2502: Data collection output could not be parsed Data collection payload could not be parsed.Resolution pending documentation. Contact ServiceNow Support. ACC-2503: Data collection processing encountered a fatal error Data collection processing encountered a fatal error. Error Message Cause Resolution output: invalid byte sequence in UTF-8 (Encoding::compatabilityError) data_collection.rb:90 in get_operating_system_domain Encoding compatibility issue in older agent versions Upgrade agent version to 4.2.1 or later. output: get_serial_number_json': undefined method empty?' for nil (NoMethodError) Known issue For a workaround, see KB1943387 Fix targeted for May 2025. output: cmd_err: <internal:...rubygems/core_ext/kernel_require.rb>:136:in 'new': fail: OLE initialize (RuntimeError) HRESULT error code:0x80070008 Not enough storage is available... Windows resource error This is a Windows error. Search for solutions using "HRESULT error code: 0x80070008". ACC-2504: Data collection IRE failed Data collection data sent to CMDB IRE failed. Troubleshooting: To find the raw input data from the check, on the ACC record, select Show recent ECC Queues.To check for script processing logs, review the System Log table [syslog] for records where the Message field includes the Agent ID.To check for IRE errors, review the System Log table [syslog] for records where Level is Error and the Message field starts with "identification_engine". The message may also include the hostname of the agent.If the error is repeatable, temporarily enable the following debug properties to see detailed error information: sn_agent.logging.verbosity — Set to "debug" to log detailed Agent Client Collector Framework messagesglide.cmdb.logger.source.identification_engine — Set to "debug" or "debugVerbose" to log IRE details For more information, see: Agent Client Collector Framework configuration propertiesCMDB Identification and Reconciliation (IRE) propertiesCMDB Identification and Reconciliation - IRE error messages ACC-2505: Data collection is missing basic inventory data Data collection data is missing basic inventory data, which is essential in identifying a CI.To find the raw input data from the check, on the ACC record, select Show recent ECC Queues. You may see an error message in place of the expected basic_inventory data, which should be the first set of data in the ECC input result. ACC-2506: Data collection could not update the CMDB Data collection could not update the CMDB.Resolution pending documentation. Contact ServiceNow Support. ACC-2507: Data collection is unable to identify the CI Data collection is unable to identify the CI. Error Message Cause Resolution Generic message about CI identification failure IRE rules need review Review IRE rules configuration. Storage servers and other dependent CIs are not getting populated Known issue Apply changes described in KB1828046. Fix targeted for May 2025 release of the Agent Client Collector Visibility Content plugin. Software installations for some agents are not getting populated Known issue Apply changes described in KB1828046. strip': invalid byte sequence in UTF-8 (Encoding::CompatibilityError) from .../data_collection.rb:90 Encoding compatibility issue Apply changes described in KB1828046. Intermittent serial number missing issues during server ACC discovery Agent version issue Upgrade the agent to version 4.2.1 or later. ACC-2508: Data collection tcp_connection error Resolution pending documentation. Contact ServiceNow Support. ACC-2509: Data collection running process error Resolution pending documentation. Contact ServiceNow Support. Policy configuration errors (ACC-3001–3011) ACC-3001: Policy size error During policy syncing, the policy size exceeds the maximum config_publish payload size.Resolution pending documentation. Contact ServiceNow Support. ACC-3002: Policy CMDB group could not be found Could not find the CMDB group for a policy with a CMDB group filter.Resolution pending documentation. Contact ServiceNow Support. ACC-3003: Policy CMDB group is empty The CMDB group is empty for a policy with a CMDB group filter.Resolution pending documentation. Contact ServiceNow Support. ACC-3004: Could not locate a CI for policy with CMDB group Could not query the CMDB for the first CI in the CMDB group for a policy with a CMDB group filter.Resolution pending documentation. Contact ServiceNow Support. ACC-3005: Policy with script returned undefined result When evaluating a policy with a filter script, the script returned an undefined result.Resolution pending documentation. Contact ServiceNow Support. ACC-3006: Query for policy with script returned no CIs For a policy with a filter script, querying the script's returned GlideRecord resulted in zero CIs.Resolution pending documentation. Contact ServiceNow Support. ACC-3007: Could not determine proxy setting for policy Could not determine the proxy setting for a proxy policy.Resolution pending documentation. Contact ServiceNow Support. ACC-3008: Could not determine proxy agents for policy For a proxy policy, could not determine the proxy agents.Resolution pending documentation. Contact ServiceNow Support. ACC-3009: Could not find any proxy agents for policy For a proxy policy, determined that there are zero proxy agents for the policy.Resolution pending documentation. Contact ServiceNow Support. ACC-3010: Proxy script evaluation result is not a string for CI For a scripted proxy policy, the result of the proxy script for one of the monitored CIs was not a string.Resolution pending documentation. Contact ServiceNow Support. ACC-3011: Policy filtered by CMDB group has empty CMDB group name Policy filtered by CMDB group has an empty CMDB group name.Resolution pending documentation. Contact ServiceNow Support. Agent registration and connectivity errors (ACC-4001–4199) ACC-4001–4003: ACC static import errors These errors are related to ACC static import.Resolution pending documentation. Contact ServiceNow Support. ACC-4004: Duplicate Agent ID detection Multiple agents are using the same agent ID. The agent ID is the unique identifier for each agent. When multiple agents use the same agent ID, only one agent record exists on the instance. All agents using that ID overwrite each other on that single record, making those agents unusable and preventing visibility into the actual number of connected agents. Error Message Cause Resolution Duplicate Agent ID detected Multiple agents using the same agent ID For steps to resolve duplicate Agent ID issues, see KB2200106. ACC-4100: Agent registration failed An agent failed to register with the ServiceNow instance via REST API due to an inactive or non-existent registration key.Resolution pending documentation. Contact ServiceNow Support. ACC-4101: Agent cannot connect to gateway Agent cannot connect to the specified gateway.Resolution pending documentation. Contact ServiceNow Support. ACC-4102: Agent cannot access a file or folder Agent cannot access a folder or file.Resolution pending documentation. Contact ServiceNow Support. ACC-4103: Registration key is not valid Agent's supplied registration key is not valid.Resolution pending documentation. Contact ServiceNow Support. ACC-4104: Agent already registered Resolution pending documentation. Contact ServiceNow Support. ACC-4105: Cannot create leaf certificate for agent Leaf certification failed for agent.Resolution pending documentation. Contact ServiceNow Support. ACC-4106: Cannot locate KMF certificate KMF could not supply certificate.Resolution pending documentation. Contact ServiceNow Support. ACC-4107: Public key is empty Public key is either empty or could not be accessed.Resolution pending documentation. Contact ServiceNow Support.ACC-4108: ICS Gateway URL is not configured on the instanceICS Gateway URL is not configured on the instance.Resolution pending documentation. Contact ServiceNow Support. ACC-4109: Failed to register agent Resolution pending documentation. Contact ServiceNow Support. ACC-4110: Write error Agent cannot write to specific locations and cannot continue.Resolution pending documentation. Contact ServiceNow Support. ACC-4111: Missing data Agent has missing data from the instance and cannot continue.Resolution pending documentation. Contact ServiceNow Support. ACC-4112: Invalid data Agent received invalid data from the instance and cannot continue.Resolution pending documentation. Contact ServiceNow Support. ACC-4113: Invalid certificate chain Agent received an invalid certificate chain from the instance and cannot continue.Resolution pending documentation. Contact ServiceNow Support. ACC-4199: Generic registration error Generic issue with agent registration.Resolution pending documentation. Contact ServiceNow Support. Agent upgrade errors (ACC-5000–5015) ACC-5000: Agent could not be validated Resolution pending documentation. Contact ServiceNow Support. ACC-5001: Cannot determine agent version Could not determine agent version for agent with sys ID.Resolution pending documentation. Contact ServiceNow Support. ACC-5002: Agent on Cloud Services does not support auto upgrade Agent is a Cloud Services agent. Cloud Services agents are currently not supported for auto upgrade.Resolution pending documentation. Contact ServiceNow Support. ACC-5003: Agent does not have a host CI Could not locate Agent Host CI reference.Resolution pending documentation. Contact ServiceNow Support. ACC-5004: Could not locate computer Resolution pending documentation. Contact ServiceNow Support. ACC-5005: Agent's host operating system does not support auto upgrade The agent operating system is currently not supported for auto upgrade.Resolution pending documentation. Contact ServiceNow Support. ACC-5006: Could not support agent current version for upgrade The agent's current version is not the minimum agent version for upgrade.Resolution pending documentation. Contact ServiceNow Support. ACC-5007: Agent is not currently up for upgrade Agent is not currently up, canceling upgrade.Resolution pending documentation. Contact ServiceNow Support. ACC-5008: Did not get any check results Did not get any check results. Upgrade state unknown.Resolution pending documentation. Contact ServiceNow Support. ACC-5009: Could not find sequence ID in check results Could not find sequence ID in check results.Resolution pending documentation. Contact ServiceNow Support. ACC-5010: Could not locate agent or agent ID on Agent Client Collector table Could not locate agent or agent ID on Agent Client Collector table.Resolution pending documentation. Contact ServiceNow Support. ACC-5011: Could not locate a sys ID in Agent Upgrade History Could not locate a sys ID in Agent Upgrade History.Resolution pending documentation. Contact ServiceNow Support. ACC-5012: Could not locate agent ID or output to continue with upgrade Did not get enough details about agent ID or output. Cannot continue with upgrade.Resolution pending documentation. Contact ServiceNow Support. ACC-5013: Agent upgrade failed Agent upgrade failed. Output is not a success.Resolution pending documentation. Contact ServiceNow Support. ACC-5014: Could not fully fetch log Could not fully fetch log. Unable to determine upgrade success.Resolution pending documentation. Contact ServiceNow Support. ACC-5015: MID Server not up, cannot schedule upgrade MID Server is not up, cannot schedule upgrade.Resolution pending documentation. Contact ServiceNow Support. Common errors without ACC codes The following errors may appear in acc.log without an ACC error code. Error Message Cause Resolution Permission denied @ realpath_rec Permissions issue on cache folder Fix permissions on the cache folder and subfiles. basic_inventory including os_user_name and unspecified data Running process needs debug privilege Grant the Sedebug privilege to the running process. fork/exec /var/cache/servicenow/agent-client-collector/.../endpoint_discovery.rb: resource temporarily unavailable Permissions issue on cache folder Fix permissions on the cache folder and subfiles. error getting assets for check: couldn't verify asset (skipped fetching certificates and retrying) Root certificate missing Install the root certificate on the agent host OS. error getting assets for check: database not open Permissions issue; file exists but cannot be overwritten Fix permissions on the file. ruby: version 'GLIBC_<version>' not found Missing or outdated libc library Upgrade or install libc. error getting assets for check: can't open tmp file for asset: open /tmp/sensu-asset...: no space left on device No disk space on /tmp Free up disk space.