Location Mapping Troubleshooting

In the world where we work remotely from different locations and use various WiFi routers, virtual app servers, VPN services, and other technologies, the process of business location mapping has become more complex.

This table lists several common scenarios where further steps must be taken to show correct business location names in Aternity dashboards.
Attribute Values Definition What's wrong? Solution
Off-site

Aternity reports the business location as Off-site when the device is not connected to the Microsoft Active Directory.

Learn more.

A device is in the office, but not showing in Active Directory, and its location name displays Off-site.

For example, a device is connected to the guests WiFi network and appears in the same subnet as corporate network.

  • If the device is not connected to the corporate network, Aternity ignores the Subnet_to_Site.csv file, so that business location name displays Off-site (even if the file includes the correct data for that device).

  • If the device is connected to the corporate network, but appears as Off-site, check the Active Directory settings. You might find a bug in the settings.

    To check if the Active Directory is properly configured, open Windows PowerShell and run [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name.

  • If the device is not showing in Active Directory, although its subnet and location name are properly set in the Subnet_to_Site.csv file, contact Aternity SaaS Administration. You might need the Legacy method for location mapping.

Not Mapped

Business location name on dashboards displays Not Mapped if when Aternity has checked in the Subnet_to_Site.csv file, the device is not mapped there.

  • Aternity can retrieve business location names for any device type from the Subnet_to_Site.csv file.

  • Aternity can retrieve business location names for Windows devices from the Active Directory if Windows devices are connected to the organization’s network and Active Directory.

Learn more.

Why there is no business location name, although the Agent has reported the IP address and subnet?

  • Although, the selected location mapping method is Subnet_to_Site.csv file, and the file should be up-to-date, but the IP subnet does not exist in this file (subnet is unknown).

  • The device is connected to a VPN which allows connectivity to the corporate network (ON VPN shows True). However,when using a VPN with split-tunneling, the Agent may continue to connect to Aternity server through the home IP (which does not exist in the Active Directory or in the Subnet_to_Site.csv file). The reported IP is the one that is used by Agent to communicate with Aternity servers, and needless to say the subnet is of that same IP. As a result, the subnet is unknown and the device's business location shows Not Mapped because it does not exist in the Active Directory or in the Subnet_to_Site.csv file. In cases when the home subnet is similar to any of the subnets defined in the Active Directory, this location will be shown (and most likely will be wrong).

  • Check if the subnet and its respective site name exist in the Subnet_to_Site.csv file.

  • Check if the subnet and its respective site name in the Subnet_to_Site.csv file are correct. Fix if necessary. Learn more about the CSV file.

  • Check if your network router is configured to split tunneling. In this case, upgrade to the new Agent version which was developed to handle such cases. Contact Aternity SaaS Administration.

Business Location Name (vpn)

The Agent queries Windows for a virtual network adapter with an active connection and a common name in its description: AGN, Checkpoint, Cisco AnyConnect, Citrix VPN products, F5 Networks adapters, Juniper Networks, OpenVPN TAP, Palo Alto GlobalProtect, Pulse Secure, PureVPN, SonicWall, and VyprVPN.

If a user connects to the office via a known VPN utility (not necessarily corporate), then the On VPN field displays True and Aternity displays business location name as the office's name and adds the (VPN) suffix to show it is a remote connection.

In general, such device is connected to the organization’s network and Active Directory, and its subnet is mapped in the Subnet_to_Site.csv file.

Learn more.

Why the displayed business location name is wrong?

For example, a dashboard displays India as the device's location, but the device is in England.

  • Connected to a cloud that does not require VPN.

  • The wrong subnet used for location mapping (out of several network cards).

  • Connected to the router with split-tunneling.

  • Check whether the device is on VPN or not.

  • Check if the subnet and its respective site name in the Subnet_to_Site.csv file are correct. Fix if necessary. Learn more about the CSV file.

  • Wait for the new Agent for End User Devices that resolves the split-tunneling issue.

  • Route all the traffic through a VPN.

Business Location Name

Business Location is a text field that displays information about a site to which the device belongs and whether that device is connected through a VPN or not.

Learn more.

Why the displayed business location name is wrong?
  • Home Internet Service Provider IP is partially identical to the subnet of another business region.

    Aternity pulls location names from the file that maps subnets to locations. In rare cases, the subnet in that file might be identical to someone's home Internet Server Provider subnet. In that case, Aternity might display the wrong location name.

Route all the traffic through a VPN so as not to use the home Internet Service Provider IP.

On VPN

On Site

(Windows only) On Site is an attribute of a desktop or laptop and shows whether the device is connected to the Microsoft Active Directory.

(Windows only) Reported values depend on the existence of a Network Adapter that is identified as a VPN. Displays True when the device is connected to the corporate network through VPN. Displays False when none of the Network Adapters identified as a VPN. Displays N/A when the device cannot report the values.

Learn more.

Dashboards display wrong values for On VPN or On Site attributes.

These attributes refresh and their values may be updated in the following cases:
  • A network time-trigger happens

  • A change in the IP through which the Agent is connected to the Aternity server is detected

This means that as long as the Agent is connected through the same IP, the values will not be updated (until the time-trigger happens).

So, when a user is working remotely, and connecting and disconnecting from the VPN, the outdated values may be displayed for a considerable duration of time.

  • Update the Agent for End User Devices to 12.0.6. This Agent release can assure more sensitive behavior when network time-triggers happen and create higher accuracy of the On VPN and On Site values.

  • Reroute the Agent's traffic through the VPN. So, every time a user connects or disconnects from the VPN, the system rescans the network adapters and updates the values.

On VPN

On Site

(Windows only) On Site is an attribute of a desktop or laptop and shows whether the device is connected to the Microsoft Active Directory.

(Windows only) Reported values depend on the existence of a Network Adapter that is identified as a VPN. Displays True when the device is connected to the corporate network through VPN. Displays False when none of the Network Adapters identified as a VPN. Displays N/A when the device cannot report the values.

Learn more.

Dashboards display wrong values for On VPN or On Site attributes.

When using a VPN with split-tunneling, the Agent may be connected to Aternity through the home internet service provider IP.

So, when a user is working remotely, and connecting and disconnecting from the VPN, the outdated values may be displayed for a considerably long period of time.

Reroute the Agent's traffic through the VPN. So, every time a user connects or disconnects from the VPN, the system rescans the network adapters and updates the values.

This also assures that the subnet used for the Business Location will be that of the VPN.

Business Location Name

The Agent queries Windows for a virtual network adapter with an active connection and a common name in its description: AGN, Checkpoint, Cisco AnyConnect, Citrix VPN products, F5 Networks adapters, Juniper Networks, OpenVPN TAP, Palo Alto GlobalProtect, Pulse Secure, PureVPN, SonicWall, and VyprVPN.

Learn more.

In very rare cases, Aternity might not be able to recognize a rare type of VPN, so that a business location name will appear without suffix.

N/A

Business Location Name

Business Location is a text field that displays information about a site to which the device belongs and whether that device is connected through a VPN or not.

Learn more.

All files used for location mapping are up-to-date and include all necessary names. Why the names in dashboards are still wrong?

The changes take effect when Agent connects and reports for the end user device next time after you uploaded the updated files. The changes in Location Mapping do not take effect retroactively. Business location names as they were reported by Agent before you moved to the new Location Mapping strategy, are kept in the database and will be displayed in dashboards depending on the timeframe view you selected.

We suggest you limit the timeframe of the dashboard, so that you view only new data collected after you made a change.

Off-site

Correlation between On Site values and business location names

Aternity reports the business location as Off-site when the device is not connected to the Microsoft Active Directory.

(Windows only) On Site is an attribute of a desktop or laptop and shows whether the device is connected to the Microsoft Active Directory.

Learn the terminology in our glossary.

Why monitored devices are correctly mapped to business locations for the Inventory Data Source, but not for the other data sources?

Aternity uses Serving Device attributes to define the On Site values (True or False). And the Subnet_to_Site.csv file includes Serving Device's subnet.

Off-site

Correlation between On Site values and business location names

Aternity reports the business location as Off-site when the device is not connected to the Microsoft Active Directory.

(Windows only) On Site is an attribute of a desktop or laptop and shows whether the device is connected to the Microsoft Active Directory.

Learn the terminology in our glossary.

Why in some cases when On Site displays True, Business Location displays Off-Site instead of location name?

And vice versa, why in some cases when On Site displays False, Business Location displays the correct location name instead of Off-Site?

Updating On VPN and On Site Values

With Agents earlier than 12.0.6, the On VPN and On Site are refreshing in the following cases:
  • when a time-trigger happens

  • when a change in the IP through which the Agent is connected to the Aternity server is detected. So, as long as the Agent is connected through the same IP, those attributes will not be updated (until the time-trigger happens).

When using a VPN with Split-tunneling, the Agent may continue to connect to Aternity server through the home IP.

So, when a user is working remotely, and connecting and disconnecting from the VPN, the outdated values may be displayed for a considerable duration of time.

  • Reroute the Agent traffic through the VPN in all cases. Then, every time a user connects or disconnects from the VPN, a network trigger will be identified, resulting in rescanning of the network adapters and updating On Site and On VPN values. This will also assure that the Subnet used for the Business Location will be that of the VPN.

  • Update the Agent to 12.0.6 to assure more sensitive behavior when network triggers happen and to create higher accuracy of the On Site and On VPN values. But that alone without routing of the traffic through the VPN will not solve the subnet issue. You will know that the users are connected through VPN or not, but in some cases, the location will not be mapped (or wrongly mapped).

Reported Subnet

When using a VPN with Split-tunneling, the Agent may continue to connect to Aternity server through the home IP. The IP reported for a device is the one that is used by Agent to communicate with Aternity servers, and needless to say the Subnet is of that same IP. As a result, when a user is connected to a VPN, the Subnet used for business location mapping is NOT the one provided by the VPN.

  • The subnet might be unknown so that the Business Location is Not Mapped.

  • In case the home subnet of a user is similar to one of the subnets defined in the corporate Active Directory, the location will be shown (and most likely will be wrong).
  • Reroute the Agent traffic through the VPN in all cases. Then, every time a user connects or disconnects from the VPN, a network trigger will be identified, resulting in rescanning of the network adapters and updating On Site and On VPN values. This will also assure that the Subnet used for the Business Location will be that of the VPN.

  • Update the Agent to 12.0.6 to assure more sensitive behavior when network triggers happen and to create higher accuracy of the On Site and On VPN values. But that alone without routing of the traffic through the VPN will not solve the subnet issue. You will know that the users are connected through VPN or not, but in some cases, the location will not be mapped (or wrongly mapped).