Troubleshooting and Resolving ACC Errors<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Table of Contents Error Codes/Solutions ACC-1500: Unable to retrieve ACC plugin for check executionACC-1501: Unable to verify plugin with public signatureACC-2000: Allow-list blocked commandACC-2001: Allow-list blocked command due to exec not foundACC-2002: Allow-list blocked command due to no matching argsACC-2003: Allow-list blocked command due to invalid characterACC-2004: Allow-list blocked command due to invalid regexACC-2005: Allow-list blocked command due to shell mode not enabledACC-2006: Allow-list file cannot be read correctlyACC-2100: Execution timed outACC-2200: Disabled check execution due to Agent CPU threshold exceededACC-2201: Disabled check has been marked staleACC-2500: Data Collection encountered an errorACC-2501: Data collection payload is emptyACC-2502: Data collection output could not be parsedACC-2503: Data collection processing encountered a fatal errorACC-2504: Data collection IRE failedACC-2505: Data collection is missing basic inventory dataACC-2506: Data collection could not update the CMDBACC-2507: Data Collection is unable to identify the CIACC-2508: Data collection tcp_connection errorACC-2509: Data collection running process errorACC-3001: Policy size errorACC-3002: Policy CMDB group could not be foundACC-3003: Policy CMDB group is emptyACC-3004: Could not locate a CI for policy with CMDB groupACC-3005: Policy with script returned undefined resultACC-3006: Query for policy with script returned no CIsACC-3007: Could not determine proxy setting for policyACC-3008: Could not determine proxy agents for policyACC-3009: Could not find any proxy agents for policyACC-3010: Proxy script evaluation result is not a string for CIACC-3011: Policy filtered by CMDB group has empty CMDB group nameACC-4001: errorCategory1ACC-4002: errorCategory2ACC-4003: errorCategory3ACC-4004: Duplicate Agent ID DetectionACC-4100: Agent Registration FailedACC-4101: Agent cannot connect to gatewayACC-4102: Agent cannot access a file/folderACC-4103: Registration key is not validACC-4104: Agent already registeredACC-4105: Cannot create leaf certificate for agentACC-4106: Cannot locate KMF certificateACC-4107: Public key is emptyACC-4108: ICS Gateway URL is not configured on the instanceACC-4109: Failed to register agentACC-4110: WriteErrorACC-4111: Missing DataACC-4112: Invalid DataACC-4113: Invalid Certificate ChainACC-4199: Generic Registration Error for agentACC-5000: Agent could not be validatedACC-5001: Cannot determine agent versionACC-5002: Agent on Cloud Services does not support auto upgradeACC-5003: Agent does not have a host CIACC-5004: Could not locate computerACC-5005: Agent's host operating system does not support auto upgradeACC-5006: Could not support agent current version for upgradeACC-5007: Agent is not currently up to upgradeACC-5008: Did not get any check resultsACC-5009: Could not find sequence ID in check resultsACC-5010: Could not locate agent or agent id on Agent Client Collector tableACC-5011: Could not locate a sys ID in Agent Upgrade HistoryACC-5012: Could not locate agent ID or output to continue with upgradeACC-5013: Agent upgrade failed. Output is not a success.ACC-5014: Could not fully fetch log. Unable to determine upgrade successACC-5015: MID Server not Up, cannot schedule upgrade Other Possible Errors/Solutions: Error Codes/Solutions ACC-1500: Unable to retrieve ACC plugin for check execution An error was encountered when trying to retrieve an ACC plugin for check execution. output: error getting assets for check: couldn't verify asset (skipped fetching certificates and retrying): Could not determine a valid CA signed certificate to verify signature, aborting Asset signature verification Root certificate is missing on the agent host. Install the root certificate on the agent host.See: KB2119772 Agent Client Collector - Asset Certificate Validation Failed causing host data collection failure - DigiCert CA Certificate missing on agent host ServiceNow or Customer code-signing certificate may have expired, and a current one is unable to be retired from the MID Web serverSee: KB2542745 Troubleshooting ACC Plugin signing certificate has expired ACC-1501: Unable to verify plugin with public signature After retrieving the ACC plugin, the signature could not be verified. TBC ACC-2000: Allow-list blocked command The check command has been blocked by the agent's allow-list. TBC ACC-2001: Allow-list blocked command due to exec not found The check command has been blocked by the agent's allow-list due to the executing command not being found in the effective allow-list TBC ACC-2002: Allow-list blocked command due to no matching args The check command has been blocked by the agent's allow-list due to an invalid character being detected in the command string. TBC ACC-2003: Allow-list blocked command due to invalid character The check command has been blocked by the agent's allow-list due to an invalid character being detected in the command string. TBC ACC-2004: Allow-list blocked command due to invalid regex The check command has been blocked by the agent's allow-list due to an invalid regex pattern evaluation. TBC ACC-2005: Allow-list blocked command due to shell mode not enabled The check command has been blocked by the agent's allow-list due to this command not having an entry allowing shell mode execution. TBC ACC-2006: Allow-list file cannot be read correctly An allow-list file cannot be read correctly. This could be due to invalid JSON format or permission issues. Verify that the appropriate allow-list is used (configured allow-list or plugin allow-list) and that the allow-list file can be read. Verify the contents of the allow-list file and that they are in JSON format. ACC-2100: Execution timed out The check execution did not complete in the allotted time. The ACC-2100 error occurs when a check command times out. The timeout only takes into account the time spent running the command on the agent host. This does not include any time spent for the agent to receive the check execution request or sending the check result back to the Instance. One known cause for this issue is if the endpoint device enters sleep mode or goes down during a check request. See the Known Error article for current status: PRB1929456/KB2481802 When Windows agent executes check and the device goes to sleep, the check execution times out upon waking up, causing ACC-2100 errors to be logged Another cause for this issue is that the command being executed by the check exceeds the timeout set on the check definition or check instance record. Review the timeout duration defined on the check definition or check instance. Increase the value of the timeout based on the time required for the command to complete. In the case of the Enhanced Discovery check, timeout could be increased from 600 to 1200, or even 2400. This check is a ruby script endpoint_discovery.rb, run using a ruby.exe process, which then runs child ruby.exe processes for each of the ruby script names in the check command 's list: select=data_collection,enhanced_inventory,file_systems,network_adapters,tcp_connections,storage_devices,running_processes,local_users,intel_ema,memory_modules. Monitoring the running processes, and seeing the script name in the ruby command line, tells you which specific script is taking the time. ACC-2200: Disabled check execution due to Agent CPU threshold exceeded Check execution has been disabled due to ACC CPU usage exceeding configured CPU threshold. TBC ACC-2201: Disabled check has been marked stale Disabled check has been marked stale due to check instance no longer being run as part of a policy. TBC ACC-2500: Data Collection encountered an error Data collection has encountered an unclassified error. If you see in the check output "Permission denied" with the path of the file that is being executed, check the permissions on the file. Make sure that the run-as user for the ACC service has permissions to execute the file. If you see in the check output "error granting capabilities", this is a known issue. The PRB is PRB1888049. ACC-2501: Data collection payload is empty Agent returned a data collection payload that is empty. TBC ACC-2502: Data collection output could not be parsed Data collection payload could not be parsed. TBC ACC-2503: Data collection processing encountered a fatal error Data collection processing encountered a fatal error. output: invalid byte sequence in UTF-8 (Encoding::compatabilityError) data_collection.rb:90 in get_operating_system_domainUpgrade agent version to 4.2.1 or greater. output: get_serial_number_json': undefined method empty?' for nil (NoMethodError)\\ ****Look at KB1943387 workaround. There is a fix targeted for May 2025. output: cmd_err: <internal:C:/Program Files/ServiceNow/agent-client-collector/embedded/lib/ruby/3.3.0/rubygems/core_ext/kernel_require.rb>:136:in `new': fail: OLE initialize (RuntimeError)\\n HRESULT error code:0x80070008\\n Not enough storage is available to process this commandThis is a Windows error and there are existing solutions for searching "HRESULT error code: 0x80070583" ACC-2504: Data collection IRE failed Data collection data sent to CMDB IRE failed TBC ACC-2505: Data collection is missing basic inventory data Data collection data is missing basic inventory data, which is essential in identifying a CI. TBC ACC-2506: Data collection could not update the CMDB Data collection could not update the CMDB. TBC ACC-2507: Data Collection is unable to identify the CI For any generic message, the IRE rules need to be reviewed. Storage servers and other dependent CIs are not getting populatedSoftware Installations for some agents are not getting populatedstrip': invalid byte sequence in UTF-8 (Encoding::CompatibilityError)\\n\\tfrom C:/ProgramData/ServiceNow/agent-client-collector/cache/acc-f-modules/bin/data_collection.rb:90For any of these errors when processing Discovery data, apply the changes described in KB1828046. This is a known issue documented as PRB1818684 - Enhanced Discovery is not populating certain dependent table CIs, and a fix was targeted for the May 2025 release of the Agent Client Collector Visibility Content plugin. If you see intermittent serial number missing issues during server ACC discovery, upgrade the agent to versions higher than 4.2.1. ACC-2508: Data collection tcp_connection error TBC ACC-2509: Data collection running process error TBC ACC-3001: Policy size error During policy syncing, the policy size exceeds the maximum config_publish payload size. TBC ACC-3002: Policy CMDB group could not be found Could not find the CMDB group for a policy with a CMDB group filter. TBC ACC-3003: Policy CMDB group is empty The CMDB group is empty for a policy with a CMDB group filter. TBC ACC-3004: Could not locate a CI for policy with CMDB group Could not query the CMDB for the first CI in the CMDB group for a policy with a CMDB group filter. TBC ACC-3005: Policy with script returned undefined result When evaluating a policy with a filter script, the script returned an undefined result. TBC ACC-3006: Query for policy with script returned no CIs For a policy with a filter script, querying the script's returned GlideRecord resulted in 0 CIs. TBC ACC-3007: Could not determine proxy setting for policy Could not determine the proxy setting for a proxy policy. TBC ACC-3008: Could not determine proxy agents for policy For a proxy policy, could not determine the proxy agents. TBC ACC-3009: Could not find any proxy agents for policy For a proxy policy, determined that there are 0 proxy agents for the policy TBC ACC-3010: Proxy script evaluation result is not a string for CI For a scripted proxy policy, the result of the proxy script for one of the monitored CIs was not a string. TBC ACC-3011: Policy filtered by CMDB group has empty CMDB group name Policy filtered by CMDB group has empty CMDB group name TBC ACC-4001: errorCategory1 ACC static import related. TBC ACC-4002: errorCategory2 ACC static import related. TBC ACC-4003: errorCategory3 ACC static import related. TBC ACC-4004: Duplicate Agent ID Detection Multiple agents using same agent ID. The agent ID is supposed to be the unique identifier for each agent, but some users may be in a situation where multiple agents are using the same agent ID. In this scenario, there will only be one agent record on the Instance, and all agents using that agent ID will be stacked on top of that one record, continually replacing each other. This causes those agents to be useless and causes the ACC Admin to not have visibility into exactly how many agents they have connected. To resolve this please review the below kb article -https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2200106 ACC-4100: Agent Registration Failed An agent failed to register with the ServiceNow instance via REST API, due to an inactive or non-existent registration key. TBC ACC-4101: Agent cannot connect to gateway Agent cannot connect to the specified gateway TBC ACC-4102: Agent cannot access a file/folder Agent cannot acces a folder or file TBC ACC-4103: Registration key is not valid Agent's supplied registration key is not valid TBC ACC-4104: Agent already registered TBC ACC-4105: Cannot create leaf certificate for agent Leaf certification failed for agent TBC ACC-4106: Cannot locate KMF certificate KMF could not supply cerificate TBC ACC-4107: Public key is empty Public key is either empty or could not be accessed TBC ACC-4108: ICS Gateway URL is not configured on the instance ICS Gateway URL is not configured on the instance TBC ACC-4109: Failed to register agent TBC ACC-4110: WriteError Agent cannot write to specific location(s) and cannot continue TBC ACC-4111: Missing Data Agent has missing data from the instance and cannot continue TBC ACC-4112: Invalid Data Agent received invalid data from the instance and cannot continue TBC ACC-4113: Invalid Certificate Chain Agent received invalid certificate chain from the instance and cannot continue TBC ACC-4199: Generic Registration Error for agent Generic issue with agent registration TBC ACC-5000: Agent could not be validated TBC ACC-5001: Cannot determine agent version Could not determine agent version for agent with sys ID TBC ACC-5002: Agent on Cloud Services does not support auto upgrade Agent with this agent id is a Cloud Services agent. Cloud services agents currently not supported. TBC ACC-5003: Agent does not have a host CI Could not locate Agent Host CI reference TBC ACC-5004: Could not locate computer TBC ACC-5005: Agent's host operating system does not support auto upgrade The agent OS is currently not supported TBC ACC-5006: Could not support agent current version for upgrade The agent's current version is not the minimum agent version for upgrade. TBC ACC-5007: Agent is not currently up to upgrade Agent is not currently up, canceling upgrade. TBC ACC-5008: Did not get any check results Did not get any check results. Upgrade state unknown. TBC ACC-5009: Could not find sequence ID in check results Could not find sequence ID in check results. TBC ACC-5010: Could not locate agent or agent id on Agent Client Collector table Could not locate agent or agent id on Agent Client Collector table TBC ACC-5011: Could not locate a sys ID in Agent Upgrade History Could not locate a sys ID in Agent Upgrade History TBC ACC-5012: Could not locate agent ID or output to continue with upgrade Did not get enough details about agent ID or output. Cannot continue with upgrade. TBC ACC-5013: Agent upgrade failed. Output is not a success. Agent upgrade failed. Output is not a success. TBC ACC-5014: Could not fully fetch log. Unable to determine upgrade success Could not fully fetch log. Unable to determine upgrade success TBC ACC-5015: MID Server not Up, cannot schedule upgrade MID Server not Up, cannot schedule upgrade TBC Other Possible Errors/Solutions: If there is a Permission denied @ realpath_rec error,Fix permissions on the cache folder and subfiles. If there is an output with basic_inventory including os_user_name and unspecified data:The running process needs debug privilege Sedebug. If there is a fork/exec /var/cache/servicenow/agent-client-collector/acc-f-commons/bin/endpoint_discovery.rb: resource temporarily unavailable error,Fix permissions on your cache folder and subfiles If there is an error getting assets for check: couldn't verify asset (skipped fetching certificates and retrying),The root certificate is missing, so install the root certificate on the agent host OS. If there is an error getting assets for check: database not open,There is a permissions issue. The file was already there but is unable to be overwritten. If there is a ruby: version `GLIBC_<version>' not found error,Upgrade or install libc. If there is an error getting assets for check: can't open tmp file for asset: open /tmp/sensu-asset4208503627,This means that there is no space left on device, so free up disk space.