DBO
Level 9

Intermittent NTLMv2 failures with 6.9.3 build 13514


For the last 2-3 weeks, we have received reports of an auth popup showing up on the user's screen. It kept getting worse until yesterday, when both Webwasher proxies failed the NTLM auth test. After 10-15 minutes, it came back up, probably because the proxy switched to another DC in the list. It started again on one of the proxies, which I had to reboot to get things back up fast. Since then, both proxies are using the same DC and there have been no more popups yet (at least none reported to the support center).

Questions:

  • Where (in what log) should I look to find occurrences of NTLMv2 failures? Any way to be alerted to this before the phone starts ringing?
  • Any specific diagnostic / possible source of the problem (other than the DCs failing)?
  • Looking at the proxy config, I just realised that the NTLM cache was not activated. Any problem I should look out for if I activate it with a 60 sec cache time?

Thank you

0 Kudos
5 Replies
McAfee Employee

Re: Intermittent NTLMv2 failures with 6.9.3 build 13514

Where to look: You can look in the errors log and see if any authentication failures are reported. It is somewhat spotty, but this would be the only place to go (MWG7 has special authentication debugging as a result of the features lacking in 7)

Diagnostics: run a tcpdump on port 445 (tcpdump -s 0 -i any port 445 -w filename.cap) -- do NOT post it here, open a case

NTLM Cache: You can activate this but I'm not sure it will have too much impact. Please leave it at the default value, which I believe is 10 seconds... or 30 seconds.

I would also recommend checking your settings on MWG for how you have it joined to the domain. See link below:

https://community.mcafee.com/message/256713#256713

My description applies to MWG6 as well as MWG7.

Hope this helps,

Jon

0 Kudos
DBO
Level 9

Re: Intermittent NTLMv2 failures with 6.9.3 build 13514

The 2 proxies have been joined to the domain/Forest for a long time and working properly. I have the feeling that one of the DCs is having difficulty. Both proxies now point to another DC (to a GC in fact) and there are no more popup reports. It looks to me like the DC was degrading.

In fact, I found only one error linked to the DC:

[26/Sep/2012:08:09:07 -0400] NTLM: Domain '-----' DC '------.com': Can't connect to DC

But I just found a new error for me:

Avira: Unable to locate a valid Avira update under antivirus folder

If the Avira engine is not showing up in my licence and is not activated, why this error? Or is it just an informational message?

0 Kudos
McAfee Employee

Re: Intermittent NTLMv2 failures with 6.9.3 build 13514

Given that you found that error in the logs, I would guess it is indeed a DC issue.

Regarding the Avira messages, they are just informational; you would have had to manually enable the Avira engine.

Best,

Jon

0 Kudos
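Added example, not part of any post in this thread and not McAfee code: one way to get alerted from the errors log before users call, by counting "Can't connect to DC" entries per DC inside a sliding window. The line format is modelled on the single entry quoted above; the domain and DC names, the timestamp prefix on the Avira line, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern modelled on the one errors-log line quoted in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NTLM: Domain '(?P<domain>[^']*)' "
    r"DC '(?P<dc>[^']*)': (?P<msg>.+)$"
)

def parse_ntlm_errors(lines):
    """Yield (timestamp, domain, dc, message) for NTLM error lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other subsystems, e.g. the Avira message
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m["domain"], m["dc"], m["msg"]

def dcs_to_alert(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {dc: n} where n >= threshold failures fell inside one window."""
    per_dc = defaultdict(list)
    for ts, _domain, dc, _msg in parse_ntlm_errors(lines):
        per_dc[dc].append(ts)
    alerts = {}
    for dc, stamps in per_dc.items():
        stamps.sort()
        start = worst = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # slide the window start forward
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            alerts[dc] = worst
    return alerts

# Constructed sample lines (domain and DC names are placeholders).
SAMPLE = [
    "[26/Sep/2012:08:09:07 -0400] NTLM: Domain 'EXAMPLE' DC 'dc1.example.com': Can't connect to DC",
    "[26/Sep/2012:08:10:12 -0400] NTLM: Domain 'EXAMPLE' DC 'dc1.example.com': Can't connect to DC",
    "[26/Sep/2012:08:11:30 -0400] Avira: Unable to locate a valid Avira update under antivirus folder",
    "[26/Sep/2012:08:12:45 -0400] NTLM: Domain 'EXAMPLE' DC 'dc1.example.com': Can't connect to DC",
    "[26/Sep/2012:09:40:00 -0400] NTLM: Domain 'EXAMPLE' DC 'dc2.example.com': Can't connect to DC",
]

if __name__ == "__main__":
    for dc, n in dcs_to_alert(SAMPLE).items():
        print(f"ALERT: {n} NTLM failures within the window for DC {dc}")
```

Run from cron against the errors log, a non-empty result can be mailed or forwarded to syslog; a single isolated entry like the one quoted above stays below the default threshold.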
DBO
Level 9

Re: Intermittent NTLMv2 failures with 6.9.3 build 13514

I can't find where to enable the Avira engine... If it's not in my licence items, I presume I am not allowed, or has it been made available to all who have the AntiMalware Module?

0 Kudos
DBO
Level 9

Re: Intermittent NTLMv2 failures with 6.9.3 build 13514

Finally found the reference in the 6.9 Upgrade guide...  Avira is active now...

https://contentsecurity.mcafee.com/documentation_mwg6 , Section - Upgrade Guide

or

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23145/en_US/...

This message was edited by: DBO on 28/09/12 16:09:22 CDT
0 Kudos