Agents Cannot Update from a SADR

We have several distributed repositories and replication is fine.

Machines at these sites are getting a "Valid Repository Could not be Found" whenever they try to manually update their AV defs.

age_MachineName.log on the Distributed Repository is showing

2010-01-23 21:41:51 I #4084 LstnSvr CAsyncSocket::DoAccept for event: FD_ACCEPT

LstnSvr [Port Blocking] Connection from 22.22.53.174 rejected

for several hundred IPs

SiteStat.xml is set to Enabled

SiteList.xml is all in order on the machines.

Set Logging to Level 8 and got:

2010-01-23 21:40:12 X #7096 SiteHlp Getting Spipe site
2010-01-23 21:40:12 X #7096 SiteHlp Free memory for Sitelist
2010-01-23 21:40:12 X #7096 SiteHlp Free memory for Sitelist
2010-01-23 21:40:12 X #7096 LstnSvr CAsyncSocket::Accept() hTemp=1552, rConnectedSocket=0x020d0f90
2010-01-23 21:40:12 X #7096 LstnSvr CAsyncSocket::AttachHandle hSocket=1552 ,pSocket = 0x020d0f90, bRet=1
2010-01-23 21:40:12 X #7096 LstnSvr [Port Blocking] port blocking feature is ON
2010-01-23 21:40:12 X #7096 LstnSvr [Port Blocking] ePO server IP address: 22.22.20.122, Peer IP address: 22.35.38.145
2010-01-23 21:40:12 X #7096 LstnSvr Leave CAsyncSocket::Release() hSocket=1080,nRef=1, Reason=0
2010-01-23 21:40:12 X #7096 LstnSvr Inside SocketWndProc...
2010-01-23 21:40:12 X #4248 LstnSvr WQThreadProc:  Calling CAsyncSocket::DoCallBack...
2010-01-23 21:40:12 X #4248 LstnSvr CAsyncSocket::DoCallBack for event: FD_READ
2010-01-23 21:40:12 X #4248 LstnSvr [Port Blocking] port blocking feature is ON
2010-01-23 21:40:12 X #4248 LstnSvr [Port Blocking] ePO server IP address: 22.22.20.122, Peer IP address: 22.35.38.145
2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - new request (t=4248,s=1552,r=2)
2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - receiving (t=4248,s=1552,r=2)
2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - received (t=4248,s=1552,r=2,b=93)
2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - request status (t=4248,s=1552,r=2,rs=0)
2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - process line (t=4248,s=1552,r=2,b=93,i=38)
2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - process line (t=4248,s=1552,r=2,b=93,i=78)
2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - process line (t=4248,s=1552,r=2,b=93,i=91)
2010-01-23 21:40:12 I #4248 LstnSvr [Port Blocking] Connection from 22.35.38.145 rejected
2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - request status != 2 (t=4248,s=1552,r=2,rs=5)
2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - request status == 5 (t=4248,s=1552,r=2,rs=5)
2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - AsyncSelect:  FD_WRITE | FD_CLOSE (t=4248,s=1552,r=2,rs=5)
2010-01-23 21:40:12 X #4248 LstnSvr OnReceive -End Process (t=4248,s=1552,r=2)
2010-01-23 21:40:12 X #7096 LstnSvr Inside SocketWndProc...
2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - Exit  (t=4248,s=1552,r=2)
2010-01-23 21:40:12 X #4248 LstnSvr CAsyncSocket::DoCallBack:  Calling Release(0)...
2010-01-23 21:40:12 X #5736 LstnSvr WQThreadProc:  Calling CAsyncSocket::DoCallBack...
2010-01-23 21:40:12 X #4248 LstnSvr Leave CAsyncSocket::Release() hSocket=1552,nRef=1, Reason=0
2010-01-23 21:40:12 X #4248 LstnSvr CAsyncSocket::DoCallBack:  Returned from Release(0)...
2010-01-23 21:40:12 X #5736 LstnSvr CAsyncSocket::DoCallBack for event: FD_WRITE
2010-01-23 21:40:12 X #4248 LstnSvr WQThreadProc:  Returned from CAsyncSocket::DoCallBack...
2010-01-23 21:40:12 X #5736 LstnSvr OnSend - Enter (t=5736,s=1552,r=2)
2010-01-23 21:40:12 X #5736 LstnSvr OnSend - process (t=5736,s=1552,r=2)
2010-01-23 21:40:12 X #5736 LstnSvr OnSend - bytes left to send (t=5736,s=1552,r=2,b=0)
2010-01-23 21:40:12 X #5736 LstnSvr OnSend - End Process (t=5736,s=1552,r=2)
2010-01-23 21:40:12 X #5736 LstnSvr OnSend - total sent (t=5736,s=1552,r=2,b=0)
2010-01-23 21:40:12 X #5736 LstnSvr OnSend - Setting killed (t=5736,s=1552,r=2)
2010-01-23 21:40:12 X #5736 LstnSvr OnSend - Setting Release = TRUE (t=5736,s=1552,r=2)
2010-01-23 21:40:12 X #5736 LstnSvr OnSend - Releasing:  RELEASE_REASON_ONSEND (t=5736,s=1552,r=2)
2010-01-23 21:40:12 X #5736 LstnSvr Leave CAsyncSocket::Release() hSocket=1552,nRef=1, Reason=2
2010-01-23 21:40:12 X #5736 LstnSvr CAsyncSocket::DoCallBack:  Calling Release(0)...
2010-01-23 21:40:12 X #5736 LstnSvr Delete AsyncSocket object 0x020d0f90, reason=0, m_hSocket=1552
2010-01-23 21:40:12 X #5736 LstnSvr  Enter ~CRequestSocket()
2010-01-23 21:40:12 X #5736 LstnSvr  ~CRequestSocket()--m_pRequest->Release() iRefCount=0
2010-01-23 21:40:12 X #5736 LstnSvr  ~CRequestSocket()--RequestSocket object 0x020d0f90 destructed
2010-01-23 21:40:12 X #5736 LstnSvr CAsyncSocket::~CAsyncSocket m_hSocket=1552
2010-01-23 21:40:12 X #5736 LstnSvr CAsyncSocket::KillSocket hSocket=1552
2010-01-23 21:40:12 X #5736 LstnSvr CAsyncSocket::DetachHandle hSocket=1552
2010-01-23 21:40:12 X #5736 LstnSvr Leave CAsyncSocket::Release() hSocket=1552,nRef=0, Reason=0
2010-01-23 21:40:12 X #5736 LstnSvr CAsyncSocket::DoCallBack:  Returned from Release(0)...
2010-01-23 21:40:12 X #5736 LstnSvr WQThreadProc:  Returned from CAsyncSocket::DoCallBack...
2010-01-23 21:40:12 X #7096 LstnSvr Inside SocketWndProc...
2010-01-23 21:40:12 I #7096 LstnSvr CAsyncSocket::DoAccept for event: FD_ACCEPT
2010-01-23 21:40:12 X #7096 SiteHlp Constructing sites helper object
2010-01-23 21:40:12 X #7096 SiteHlp Getting Sitelist file name
2010-01-23 21:40:12 X #7096 SiteHlp Getting Sitelist versions
2010-01-23 21:40:12 X #7096 IPLock readLock - providing read lock
2010-01-23 21:40:12 X #7096 IPLock readUnLock - unlocking the read lock successful
2010-01-23 21:40:12 X #7096 SiteHlp Get EPO Server IP Address
2010-01-23 21:40:12 X #7096 SiteHlp Reading Sitelist
2010-01-23 21:40:12 X #7096 IPLock readLock - providing read lock
2010-01-23 21:40:12 X #7096 IPLock readUnLock - unlocking the read lock successful
2010-01-23 21:40:12 X #7096 SiteHlp Reading site from SiteList
2010-01-23 21:40:12 X #7096 SiteHlp Reading site from SiteList
2010-01-23 21:40:12 X #7096 SiteHlp Reading site from SiteList

Disabled IPS on the SADR - did not fix

Restarted Framework service - did not fix

Rebooted server - did not fix

Forced a new incremental replication - did not fix

Nothing showing up in the AV logs for the Distributed Repository

Nothing showing up in the IPS logs on the Distributed Repository

Checked settings on network management even

Any ideas on how to shut off this port blocking feature?

Distributed Repositories are running Agent 4.0

Running ePo 4.0 on the main server

Able to RDP into the server with no issues.

NOTE:  Upgraded agent to 4.5 on the SADR Repository and now the [Port Blocked] messages have disappeared.  Agent on the ePo server was 4.0 as well............odd.

Message was edited by: epository on 1/24/10 5:40:16 AM CST
Accepted Solutions
apoling
Message 4 of 8

Re: Agents Cannot Update from a SADR

Hi,

Just a vague idea: could you check if the "Accept connections from ePO server only" checkbox in the McAfee agent policy for those clients is set?

Perhaps it has to do with "port blocking" feature activated on the client...

Attila
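
Added example (not part of the thread and not McAfee code): a Python triage script for agent log lines in the format posted above, pairing each `[Port Blocking]` rejection with the ePO server address the listener reported. The sample mixes lines copied from the post with constructed ones, and the function and key names are made up for this sketch.

```python
import re
from collections import Counter

# Line layout as seen in the thread's agent log:
#   date time level #thread component message
LINE = re.compile(r"^(\S+ \S+) (\w) #(\d+) (\w+)\s+(.*)$")
PAIR = re.compile(r"\[Port Blocking\] ePO server IP address: ([\d.]+), "
                  r"Peer IP address: ([\d.]+)")
REJECT = re.compile(r"\[Port Blocking\] Connection from ([\d.]+) rejected")

# Constructed sample: lines 1-3 and 6 are copied from the post, lines 4-5 are
# made up to show a peer whose address equals the ePO server address.
SAMPLE = """\
2010-01-23 21:40:12 X #7096 LstnSvr [Port Blocking] port blocking feature is ON
2010-01-23 21:40:12 X #4248 LstnSvr [Port Blocking] ePO server IP address: 22.22.20.122, Peer IP address: 22.35.38.145
2010-01-23 21:40:12 I #4248 LstnSvr [Port Blocking] Connection from 22.35.38.145 rejected
2010-01-23 21:40:15 X #4248 LstnSvr [Port Blocking] ePO server IP address: 22.22.20.122, Peer IP address: 22.22.20.122
2010-01-23 21:40:15 X #4248 LstnSvr OnReceive - new request (t=4248,s=1552,r=2)
2010-01-23 21:41:51 I #4084 LstnSvr [Port Blocking] Connection from 22.22.53.174 rejected
"""

def summarize(log_text):
    """Return port-blocking state, ePO IPs seen and per-peer rejection counts."""
    enabled = False
    epo_ips, seen_peers = set(), set()
    rejected = Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(4) != "LstnSvr":
            continue  # only the listener component logs port blocking
        msg = m.group(5)
        if "port blocking feature is ON" in msg:
            enabled = True
        elif (p := PAIR.search(msg)):
            epo_ips.add(p.group(1))
            seen_peers.add(p.group(2))
        elif (r := REJECT.search(msg)):
            rejected[r.group(1)] += 1
    return {
        "enabled": enabled,
        "epo_ips": sorted(epo_ips),
        "rejected": dict(rejected),
        # A rejected peer that IS the ePO server would not fit the
        # "Accept connections from ePO server only" explanation.
        "rejected_epo": sorted(ip for ip in rejected if ip in epo_ips),
        "not_rejected_peers": sorted(seen_peers - set(rejected)),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

An empty `rejected_epo` together with many entries in `rejected` is the pattern the original post describes: the listener turns away every peer that is not the ePO server.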

7 Replies
ajacobs
Message 2 of 8

Re: Agents Cannot Update from a SADR

Has your issue been resolved? I'm not a product expert but I've moved it to the ePO area.

Re: Agents Cannot Update from a SADR

Issue not resolved, but it is working now.........

Not sure what the issue was.

Re: Agents Cannot Update from a SADR

Here is basically what is now happening.

SADRs won't replicate if agent 4.5 is installed on the SADR.

Downgrade the SADR's agent to 4.0 and replication is fine, but start getting the port blocking messages in the SADR's agent log again.

Upgrade the SADR agent to 4.5 and the port blocking messages go away, but client still cannot update.

McScript log notes that they connect on the AgentPingPort to the local SADR.

Reinstall the agent on machines and they are updating normally.

Why? I don't know.  McAfee has had the logs for analysis for 4 days now, but radio silence after spending 4 hours on the phone with them.

The result of the 4 hours was that I was to send them more agent logs.

Re: Agents Cannot Update from a SADR

We have 2 networks with 2 separate ePo's, both were set to accept connections only from ePO for the SADR policy.

Changed the policy for the problem SADRs to accept connections from anywhere and now AV defs are fine.

The other network still has the checkbox checked, but no issues with machines receiving AV defs.

No consistency and no idea why one network has no issues with this and the other one does.

BTW, when it says "connections" does it mean every type of connection?  I could access all of these SADR's via RDP from my workstation with no issues.

No idea ....

apoling
Message 7 of 8

Re: Agents Cannot Update from a SADR

Hi,

can you tell what host is on IP 22.22.53.174? ..and on 22.22.38.145 ?

Is SADR a "superagent distributed repository" ?

What is the ePO server version and patch level?

..just trying to position myself within the  environment.

Also, what does the mcscript.log say on one client when the update is failing? Post a section around the error message with log level 8, please...

Attila

apoling
Message 8 of 8

Re: Agents Cannot Update from a SADR

Important: what type of access is set in the distributed repositories for agents to download signatures? FTP, HTTP or UNC or other?

A.
