I've been seeing a lot of this even with McAfee agent version 5.6.2.209 and Single System Troubleshooting. Sometimes this works, sometime it does not. 

It shows that agent is connected to ePO as last communication is of recent date and time.

Is there anything that we can do get this working again? 

Are there any errors in the server or agent logs around it?

cdinet, 

I do not have access to the user's device's agent logs but here's what I'm seeing in the external agent handler server's DB -> Logs -> server_<external Agent Handler server>:

20200324161638 E #00768 NAIMSERV naSPIPE.cpp(338): Failed to connect to <user's device private IP>:8801, network error was 10060
20200324161638 E #00768 NAIMSERV AgentWakeup.cpp(206): Server failed to wake up <user's device private IP>, detailed error = -999
20200324161638 I #06284 NAIMSERV Agent SPIPE property User1 specified Font Driver Host\UMFD-0 missing policy version, assuming 0

This particular user is not connected to the firm's network or VPN but I would have presumed that the external agent handler would take care of this scenario. The devices connected to the ePO server itself or internal agent handler, we are not seeing this issue.

Tried to do a wake-up call on the agent and I'm getting this:

3/24/20 4:01:10 PM
Waking up agent <user's device> through Agent Handler <external Agent Handler>
3/24/20 4:01:10 PM
Waking up agent <user's device>.fios-router.home using DNS name
3/24/20 4:01:10 PM
Unable to resolve address of remote system
3/24/20 4:01:10 PM
Waking up agent <user's device> using NetBIOS
3/24/20 4:01:10 PM
Unable to resolve address of remote system
3/24/20 4:01:10 PM
Waking up agent at IP address <user's device private IP>
3/24/20 4:01:10 PM
Unknown error contacting agent
3/24/20 4:01:10 PM
Wakeup agent failed
3/24/20 4:04:05 PM
Waking up agent <user's device>.fios-router.home using DNS name
3/24/20 4:04:05 PM
Unable to resolve address of remote system
3/24/20 4:04:05 PM
Waking up agent <user's device> using NetBIOS
3/24/20 4:04:05 PM
Unable to resolve address of remote system
3/24/20 4:04:05 PM
Waking up agent at IP address <user's device private IP>
3/24/20 4:04:05 PM
Unknown error contacting agent
3/24/20 4:04:05 PM

Refer to kb58818 for wakeups failing to clients on vpn (that may not be your case exactly).  An external client without vpn working from a home or other type network is going to have a private IP address and even if their ISP nats it to a public IP, a private IP is not externally routable and a natted IP can't be reached by epo.  The only way wakeups would work (which would most likely also include getting agent logs) is if you have a dxl broker set up and the clients are connected to the broker.  

You also might want to ensure that the agent policy setting to accept connections only from epo server is also disabled to test.

Ultimately, from the log, it seems to be the non-routable private IP that is just not reachable.

Interesting. Thought our external agent handler, which actually resides in the DMZ and is configured with a public IP, should be able to handle this scenario. So, we would still need to configure a DXL broker, too?

But yes, you are correct. The fact for this particular user, his private IP not going to be able to talk to the public IP makes sense. 

Thank you.

I can't honestly say that a dxl broker would resolve the single system troubleshooting scenario without testing it (I don't have a way to test currently), but it would help with wakeups and run client task now that also relies on wakeups.