We have a 4050 sensor and a 2750 sensor which are on the same subnet as our McAfee Intrushield Security Manager. The manager sits on Windows 2003 SP2.
We have comms between the devices (ie they can ping each other). There is no firewall between the devices and they are plugged into the same switch.
When we try to add a sensor to the manager they never connect. On the IPS box we get the error "Alert Channel - error in install procedure".
I have run wireshark on the manager server and the handshake between the boxes takes place but the manager ends the conversation sending FIN,PSH,ACK back to the IPS box. This happens when trying to attach both IPS boxes to the manager.
The Windows firewall on the manager is turned off.
Does any one have any ideas as to what could be causing the problem. For me the issue lies with the manager.
Thanks for your help!
Just further to my post about I have tried everything suggested in this knowledge base article and I still cannot get a connection between a sensor and a manager.
Thanks for your help
First , just to cover the basics.
1.) Manager and Sensor both on same major version (6.x to 6.x, 5.x to 5.x)
2.) Sensor name on CLI matches Manager sensor name
Then investigate the following
1.) Reboot manager to confirm it is not in improper state. Same with Sensors.
2.) The ems.log file in the app root directory will sometimes show info related to a failed trust. check there immediately after the trust fails with the sensor
3.) You can install a demo version of the Manager on a laptop, and do cross over cable to the mgmt port on the sensor to completely rule out network/port issues
4.) You may have to open a ticket with support for further investigation.
Given that it has almost been a full month since you first posted this question I am hoping that you were able to resolve it by now.
If not, then please do the following:
Contact the NW Engineer and find out what the switchport that the Sensor Management port connects to is set to for negotiation.
Have him change it to 100/Full-Duplex fixed.
Log onto each sensor and type deinstall (should tell you that it was never established and that you can run the set sensor sharedsecretkey command).
Now type resetconfig - press Enter and then answer yes to the reboot. The sensor will restart.
On the NSM delete the sensor(s) from the manager.
Stop the NSM Service.
Wait 2 minutes and then restart the NSM Service.
Start Wireshark and in the filter section put the filter of ip.addr==<put the ip of the sensor here> - Apply it.
Under the View menu of wireshark go to the Name Resolution section and remove all checkmarks.
On the sensor CLI (should be back up by now)...
Type 'set mgmtport speed 100 duplex full' This will hardcode that to match the switchport you had the NW Engineer change earlier.
Type 'set manager ip <put NSM IP here> This was lost due to the resetconfig command earlier.
Type 'set sensor sharedsecretkey' and press enter.
Enter the shared secret key you used when you set up the sensor on the NSM.
Wireshark should start showing activity between the NSM and the Sensor.
If this works then stop the capture and go do the same for the other sensor.
If this didn't work --- and have patience.. it can take 10-15 minutes sometimes -- then save the capture and post it here to the forum along with the output of the SHOW and STATUS commands from the sensor.
As Steve said earlier - the versions have to match to ensure that the NSM can accept the request from the sensor and load a configuration.
If, for example - you have NSM version 22.214.171.124 loaded and try to add a 5.1 sensor it will usually fail.
(Note - i said usually.. there are times where it will inexplicably work. No clue why.)
For the best expectation of success make sure the same software version that is running on the sensor has been downloaded and installed on the NSM before adding the sensor. You can do this through the NSM GUI or by manually downloading from the portal or from http://menshen.intruvert.com .. your Grant# is both the username and password. (same credentials you used in the NSM).
So.. if your NSM is running 126.96.36.199 and the sensor is running 188.8.131.52 -- make sure that the 184.108.40.206 sensor software is downloaded and applied to the NSM.
Post the capture and show/status commands if this hasn't helped.
1) issue ping manager ip from sensor
2) if 1 ok check port allowed on firewall if the sensor have to go through firewall..
3) Make sure the names & shared key set correctly in manager you need to add names & shared key into manager first before register putting the shared key in sensor..
4) if everythong ok but failed.. contact mcAfee support..
Just adding this for anyone who finds this on a search...
had the same problem today on an N-550 NAC sensor. The problem was that the sensor name was entered in lowercase when naming the sensor and in uppercase when putting the name of the sensor into the NSM Manager.
The fix was just to change the entry in the NSM Manager to match the sensor, then reenter the shared secret key on the sensor.
We found this because the ems.log file on the NSM Manager had an entry with the sensor IP address followed by an entry that the name of the sensor was not found on the NSM Manager.
Hope this helps someone.,