McAfee Agent 5.5.1 - Deployment ENS 10.6.1 = EPO communication problem while connected externally

Hope you are well.

I'm running McAfee Agent 5.5.1 342, EPO orchestrator 5.9.1 build 251 and ENS 10.5.4.

For test purposes and to prepare a future migration, I've deployed ENS 10.6.1 with the February Hotfix on test computers.

The migration went well but I noticed that once the product is installed, if I disconnect the PC from the corporate network and connect to an external connection, I'm losing the communication with EPO.

The issue re-appears on all test laptops where I've installed 10.6.1 but does not impact computers which are currently running 10.5.4.

So pretty sure this is not an issue with the Agent Handler server.

The only way to fix this is to uninstall and reinstall the agent.

Following the posts I've seen around, it seems to be linked with a certificate issue (although I can't find anything related to this in the McAfee agent logs).

Please note that the root certificate on the agent handler has still not been activated because we were waiting for all computers to communicate with EPO first before enabling it.

What should my move be here? Can activating the SHA1withRSA certificate on the Agent Handler solve the issue?

Do I need to apply a hotfix first to our EPO Orchestrator server?

Please note that we are also running some old 4.8 McAfee agents on some 2003 servers and I saw posts talking about incompatibilities after using the certificate manager.

Has anybody else got the same issue while trying to deploy ENS 10.6.1?

I have already opened a case with our local provider but any answer in the meantime will be greatly appreciated.

Best,

 

WIS GSD

Accepted Solutions
Re: McAfee Agent 5.5.1 - Deployment ENS 10.6.1 = EPO communication problem while connected externall

Thanks for your feedback and your advice about certificate migration. I'll hold until I locate all systems which have not received it yet.

Yes, external systems come into a DMZ agent handler, no SSL inspection, and I've checked all logs in the firewall: no traffic blocked to the handler.

I could not find any relevant logs in EPO or Agent handler.

In the masvc log of the impacted machine, the only thing I see is that since the ENS 10.6.1 installation, it can no longer contact the handler.

It's trying to reach it but cannot find the public IP of the handler.

I've compared the logs with a healthy machine not yet migrated:

Machine communicating properly:

2019-02-21 08:25:23.092 masvc(4428.944) ahclient.Info: Network library rc = <1007>, Agent handler reports response code <0>.
2019-02-21 08:25:23.093 masvc(4428.944) ahclient.Info: Initiating spipe connection to site https://publiciphandler:4500/spipe/pkg?AgentGuid={3E650837-D91D-4778-96A4-CB22EED30D21}&Source=Agent_3.0.0.
2019-02-21 08:25:23.108 masvc(4428.944) ahclient.Info: connection initiated to site https:///publiciphandler:4500/spipe/pkg?AgentGuid={3E650837-D91D-4778-96A4-CB22EED30D21}&Source=Agent_3.0.0.
2019-02-21 08:25:23.222 masvc(4428.944) crypto.Info: Negotiated Cipher : EDH-RSA-AES256-SHA256
2019-02-21 08:25:23.392 masvc(4428.944) ahclient.Info: Network library rc = <1008>, Agent handler reports response code <200>.
2019-02-21 08:25:23.393 masvc(4428.944) ahclient.Info: Agent handler reports spipe package received. response code 200.
2019-02-21 08:25:23.400 masvc(4428.944) ahclient.Info: Spipe connection response received, network return code = 1008, response code 200.
2019-02-21 08:25:23.401 masvc(4428.944) policy.Info: Agent received POLICY package from ePO server
2019-02-21 08:25:23.541 masvc(4428.944) ahclient.Info: Scheduling spipe connection with "immediate" priority.
2019-02-21 08:25:23.541 masvc(4428.944) ahclient.Info: Agent communication session closed
2019-02-21 08:25:23.544 masvc(4428.944) ahclient.Info: Start processing spipe connection request.
2019-02-21 08:25:23.553 masvc(4428.944) property.Info: Agent is sending PROPS VERSION package to ePO server
2019-02-21 08:25:23.557 masvc(4428.944) DataChannel.Manager.Info: DataChannel Service ignoring decoration of SPIPE package for : { PropsVersion }
2019-02-21 08:25:23.559 masvc(4428.944) ahclient.Info: Agent communication session started
2019-02-21 08:25:23.563 masvc(4428.944) ahclient.Info: Agent is connecting to ePO server
2019-02-21 08:25:23.566 masvc(4428.944) ahclient.Info: Sending the spipe package over existing connection site https:///publiciphandler:4500/spipe/pkg?AgentGuid={3E650837-D91D-4778-96A4-CB22EED30D21}&Source=Agent_3.0.0.
2019-02-21 08:25:23.566 masvc(4428.944) ahclient.Info: Sending the spipe package over existing connection to site https:///publiciphandler:4500/spipe/pkg?AgentGuid={3E650837-D91D-4778-96A4-CB22EED30D21}&Source=Agent_3.0.0.

Machine not communicating:

2019-02-21 08:26:29.404 masvc(4396.2212) ahclient.Info: Network library rc = <1007>, Agent handler reports response code <0>.
2019-02-21 08:26:29.425 masvc(4396.2212) ahclient.Info: Using the new proxy config.
2019-02-21 08:26:29.469 masvc(4396.2212) ahclient.Error: Agent failed to communicate with ePO Server
2019-02-21 08:26:29.473 masvc(4396.2212) ahclient.Info: Spipe connection response received, network return code = 1301, response code -1.
2019-02-21 08:26:29.473 masvc(4396.2212) property.Info: Published property collect and send status message
2019-02-21 08:26:29.474 masvc(4396.2212) ahclient.Info: Scheduling spipe connection with "immediate" priority.
2019-02-21 08:26:29.474 masvc(4396.2212) ahclient.Info: Start processing spipe connection request.
2019-02-21 08:26:29.479 masvc(4396.2212) event.Info: Sending Events...
2019-02-21 08:26:29.484 masvc(4396.2212) event.Error: Failed to create ds iterator, error = 802
2019-02-21 08:26:29.484 masvc(4396.2212) event.Error: Failed to get the event xmls from datastore, error = 802
2019-02-21 08:26:29.485 masvc(4396.2212) event.Info: Agent is sending EVENT package to ePO server
2019-02-21 08:26:29.488 masvc(4396.2212) event.Info: Agent uploading 2 events to ePO Server
2019-02-21 08:26:29.492 masvc(4396.2212) DataChannel.Manager.Info: DataChannel Service ignoring decoration of SPIPE package for : { Event }
2019-02-21 08:26:29.495 masvc(4396.2212) ahclient.Info: Agent communication session started
2019-02-21 08:26:29.499 masvc(4396.2212) ahclient.Info: Agent is connecting to ePO server
2019-02-21 08:26:29.502 masvc(4396.2212) ahclient.Info: Initiating spipe connection to site https://internalipofhandler:4500/spipe/pkg?AgentGuid={4fda58de-c63e-11e8-26e4-2477031f4af4}&Source=Agent_3.0.0.
2019-02-21 08:26:29.504 masvc(4396.2212) io.service.Info: Next collect and send properties in 10 minutes and 34 seconds.
2019-02-21 08:26:29.513 masvc(4396.2212) ahclient.Info: connection initiated to site https://internalipofhandler:4500/spipe/pkg?AgentGuid={4fda58de-c63e-11e8-26e4-2477031f4af4}&Source=Agent_3.0.0.

As you can see, it never finds the public IP of our agent handler. There is also an interesting line: "Using the new proxy config." Strange, as we are not using a proxy.

UPDATE: The issue might just be related to a wrong policy applied. In order to test the deployment, I've created an OU with a specific policy in order to retrieve hotfixes for machines running 10.6.1.

For some reason, I believe this policy breaks my agent communication.

Changing the policy does not do the trick; I have to uninstall the agent completely and reinstall first, and once it takes back the correct policy, the agent communicates properly.

Thanks,

WIS - GSD
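
Added example, not part of the original posts: a small Python parser for masvc log lines in the layout shown in the two excerpts above. It lists the handler address each agent targets and every spipe attempt whose response code is not 200; treating only response code 200 as success is an assumption drawn from the healthy excerpt, and the sample lines are copied from the excerpts in the post.

```python
import re
from collections import Counter

# Layout seen in the excerpts: <date> <time> masvc(<pid>.<tid>) <component>.<Level>: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) masvc\(\d+\.\d+\) "
    r"(?P<component>[\w.]+)\.(?P<level>[A-Za-z]+): (?P<msg>.*)$")
# Some lines in the post show "https:///", so accept one or more slashes.
TARGET_RE = re.compile(r"Initiating spipe connection to site https:/+(?P<host>[^:/?]+):(?P<port>\d+)/")
RESULT_RE = re.compile(r"network return code = (?P<net>-?\d+), response code (?P<resp>-?\d+)\.")

def summarize(log_text):
    """Collect handler targets, spipe results and Error-level lines from a masvc log."""
    targets, results, errors = Counter(), [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or continuation line
        msg = m["msg"]
        t = TARGET_RE.search(msg)
        if t:
            targets[f"{t['host']}:{t['port']}"] += 1
        r = RESULT_RE.search(msg)
        if r:
            results.append((m["ts"], int(r["net"]), int(r["resp"])))
        if m["level"] == "Error":
            errors.append((m["ts"], m["component"], msg))
    # Assumption: only response code 200 counts as a successful exchange.
    failed = [r for r in results if r[2] != 200]
    return {"targets": dict(targets), "results": results, "failed": failed, "errors": errors}

def diff_targets(healthy_log, failing_log):
    """Handler addresses contacted only by the failing agent."""
    return sorted(set(summarize(failing_log)["targets"]) - set(summarize(healthy_log)["targets"]))

# Sample lines copied from the two excerpts in the post.
HEALTHY = """
2019-02-21 08:25:23.093 masvc(4428.944) ahclient.Info: Initiating spipe connection to site https://publiciphandler:4500/spipe/pkg?AgentGuid={3E650837-D91D-4778-96A4-CB22EED30D21}&Source=Agent_3.0.0.
2019-02-21 08:25:23.400 masvc(4428.944) ahclient.Info: Spipe connection response received, network return code = 1008, response code 200.
2019-02-21 08:25:23.557 masvc(4428.944) DataChannel.Manager.Info: DataChannel Service ignoring decoration of SPIPE package for : { PropsVersion }
"""
FAILING = """
2019-02-21 08:26:29.469 masvc(4396.2212) ahclient.Error: Agent failed to communicate with ePO Server
2019-02-21 08:26:29.473 masvc(4396.2212) ahclient.Info: Spipe connection response received, network return code = 1301, response code -1.
2019-02-21 08:26:29.484 masvc(4396.2212) event.Error: Failed to create ds iterator, error = 802
2019-02-21 08:26:29.502 masvc(4396.2212) ahclient.Info: Initiating spipe connection to site https://internalipofhandler:4500/spipe/pkg?AgentGuid={4fda58de-c63e-11e8-26e4-2477031f4af4}&Source=Agent_3.0.0.
"""

if __name__ == "__main__":
    print("failing agent:", summarize(FAILING))
    print("targets only in failing log:", diff_targets(HEALTHY, FAILING))
```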

 

 

 

McAfee Employee cdinet

Re: McAfee Agent 5.5.1 - Deployment ENS 10.6.1 = EPO communication problem while connected externall

I am going to copy this post with the ENS team for their input. For starters, don't finalize the migration until most, if not all, of your systems have the new certs. What errors do you see in the agent masvc log for communication and the ePO or agent handler server logs when there is a failure? Are the external systems coming into a DMZ agent handler? If so, does the firewall or proxy do any SSL inspection?
