Overview
Use this guide to diagnose and resolve connectivity issues between Sensor Agents, Sensor Collector, and Cisco Crosswork Assurance.
Quick Diagnostic Checklist
- Verify network connectivity with curl/telnet
- Check firewall rules for required ports
- Validate DNS resolution
- Confirm TLS/SSL certificates are valid
- Review Docker networking configuration
Sensor Agent to Sensor Collector Connectivity
Using Curl to Check Connectivity
From within the container, test connectivity to Sensor Collector ports:
# Enter the container
sudo docker exec -it <CONTAINER_ID> /bin/bash -l
# Test management port (default 55777)
curl -k -vvv https://path.to.sensorcollector:55777
# Test data port (default 55888)
curl -k -vvv https://path.to.sensorcollector:55888
Expected Result: Connection details if successful, or timeout if blocked.
Common Causes of Connection Timeouts
- Local firewall blocking outbound connections
- Network firewall between agent and Sensor Collector
- Incorrect port configuration
Enabling LWS (Libwebsockets) Debugging
For detailed connection traces:
# Management connection debugging
docker exec -it <ContainerId> /usr/bin/agentStatus management debug lws err,info,warn,notice,debug,parser,header,ext,client,latency
# Data connection debugging
docker exec -it <ContainerId> /usr/bin/agentStatus data debug lws err,info,warn,notice,debug,parser,header,ext,client,latency
Checking Crosswork Assurance Reachability
Test Port 443 Connectivity
curl -fv https://<your-instance>.crossworkassurance.cisco.com
Expected Output:
* Connected to <your-instance>.crossworkassurance.cisco.com (203.0.113.10) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
Docker Routing Issues
If curl/telnet works but the container cannot reach the target:
# Restart Docker service to reset routing rules
sudo systemctl stop docker && sudo systemctl start docker
TLS/SSL Troubleshooting
TLS Timeout Error
If you see: Connection error: Timed out waiting SSL
Common Cause: MTU mismatch between network interfaces and Docker.
Diagnosis:
ip link
Check if any interface (e.g., VPN) has a lower MTU than Docker's default 1500.
TLS Debugging Checklist
- Verify system time is correct (NTP recommended)
- Check for man-in-the-middle proxies/gateways
- Confirm TLS/SSL is not blocked by firewall
- Use
openssl s_clientto debug handshake
Required Ports Reference
| Direction | Protocol | Port | Purpose | Required? |
|---|---|---|---|---|
| Outbound | TCP | 55777 | Agent management (WebSocket) | Yes |
| Outbound | TCP | 55888 | Performance data (WebSocket) | Yes |
| Outbound | TCP | 443 | Sensor Collector to Crosswork Assurance | Yes |
| Outbound | UDP/TCP | 53 | DNS resolution | If using FQDNs |
| Inbound | UDP | 862 | TWAMP reflector | If reflector enabled |
| Inbound | TCP/UDP | 5201 | iPerf3 throughput | If reflector enabled |
© 2026 Cisco and/or its affiliates. All rights reserved.
For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms