cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
PeterLageri
PeterLageri
Level 9
Report Inappropriate Content
Message 1 of 11
‎05-09-2018 04:30 AM

Cannot upgrade Agent Handler from 5.3.2 to 5.3.3

Jump to solution

Hello.

I have upgraded the ePO server to 5.3.3.

I can't upgrade the Agent Handler to 5.3.2. I managed to upgrade it from 5.3.0 to 5.3.1 to 5.3.2 as I did with the ePO server.

I get the message: Setup was unable to connect to the specified server.

Help me please.

Best Regards

Peter

 

0 Kudos
Reply
1 Solution

Accepted Solutions
PeterLageri
PeterLageri
Level 9
Report Inappropriate Content
Message 9 of 11
‎05-09-2018 05:18 AM

Re: Cannot upgrade Agent Handler from 5.3.2 to 5.3.3

Jump to solution

Reorder the ciphers to have the following at the top:

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256

There are several ways to accomplish this task; the quickest and easiest involves using the third-party tool IISCrypto. You can download this tool from www.nartac.com/Products/IISCrypto and execute it without installation on the impacted Handler(s). 

View solution in original post

0 Kudos
Reply
10 Replies
Highlighted
cdinet
McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 2 of 11
‎05-09-2018 04:50 AM

Re: Cannot upgrade Agent Handler from 5.3.2 to 5.3.3

Jump to solution

Is that agent handler in any dmz or firewalled environment?  Refer to KB66797 for required ports.  It appears the agent handler is not able to reach the epo server on all the required ports.  It needs 8443, 8444, 80 and 443 open as a minimum to the epo server and sql port to sql server.  It is either the epo or sql server that it is failing to connect to.  The logs would show better which server it is referring to.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
PeterLageri
PeterLageri
Level 9
Report Inappropriate Content
Message 3 of 11
‎05-09-2018 04:52 AM

Re: Cannot upgrade Agent Handler from 5.3.2 to 5.3.3

Jump to solution

Ok. Which logs should I look at? And where are they?

I'm puzzled because the upgrade to 5.3.2 worked and yes the Agent is in a DMZ.

Best Regards

Peter

 

0 Kudos
Reply
cdinet
McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 4 of 11
‎05-09-2018 04:54 AM

Re: Cannot upgrade Agent Handler from 5.3.2 to 5.3.3

Jump to solution

%temp%\mcafeelogs directory should contain the agent handler logs.  Sometimes firewall rules can get changed without notification to system admins that require specific rules.  You can try to telnet to the epo and sql servers on the required ports to see if the agent handler can get through.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
PeterLageri
PeterLageri
Level 9
Report Inappropriate Content
Message 5 of 11
‎05-09-2018 05:02 AM

Re: Cannot upgrade Agent Handler from 5.3.2 to 5.3.3

Jump to solution

Well. I moved the Agent Handler VM to the same subnet as the ePO server and gave the Agent Handler VM an IP address in that subnets scope and got the same error.

The log AH530-ahsetupdll_EPO-AGENT.log shows at the end of it:

 20180509135526 I #05528 AHSETUP Determine if 'admin' is an ePO Admin
20180509135526 E #05528 MCUPLOAD SecureHttp.cpp(697): Failed to send HTTP request to server epo-01.au.local for command name epo.command.isAdmin on port 8444. (error=12029)
20180509135526 E #05528 MCUPLOAD SecureHttp.cpp(886): Failed to process the secure communication request (error=12029)
20180509135526 E #05528 AHSETUP ahsetup.cpp(257): Received an error from the ePO server. Error=12029

Any Idea?

Best regards

Peter

 

0 Kudos
Reply
cdinet
McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 6 of 11
‎05-09-2018 05:10 AM

Re: Cannot upgrade Agent Handler from 5.3.2 to 5.3.3

Jump to solution

can you telnet to port 8444 from ah to epo?  Rather than posting sensitive info here, email me the orion logs from the epo server and the agent handler install logs.  Zip them up please.

caryn_dinet@mcafee.com

 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
PeterLageri
PeterLageri
Level 9
Report Inappropriate Content
Message 7 of 11
‎05-09-2018 05:12 AM

Re: Cannot upgrade Agent Handler from 5.3.2 to 5.3.3

Jump to solution

UHHH!

Bingo. I might be unto something there https://community.mcafee.com/t5/forums/replypage/board-id/epolicy-orchestrator/message-id/58255 

0 Kudos
Reply
cdinet
McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 8 of 11
‎05-09-2018 05:16 AM

Re: Cannot upgrade Agent Handler from 5.3.2 to 5.3.3

Jump to solution

for some reason I can't pull that up.  What does it say?

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
PeterLageri
PeterLageri
Level 9
Report Inappropriate Content
Message 9 of 11
‎05-09-2018 05:18 AM

Re: Cannot upgrade Agent Handler from 5.3.2 to 5.3.3

Jump to solution

Reorder the ciphers to have the following at the top:

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256

There are several ways to accomplish this task; the quickest and easiest involves using the third-party tool IISCrypto. You can download this tool from www.nartac.com/Products/IISCrypto and execute it without installation on the impacted Handler(s). 

View solution in original post

0 Kudos
Reply
PeterLageri
PeterLageri
Level 9
Report Inappropriate Content
Message 10 of 11
‎05-09-2018 05:18 AM

Re: Cannot upgrade Agent Handler from 5.3.2 to 5.3.3

Jump to solution

Bingo!

Bonga Bonga Party!

Just follow the instructions in https://kc.mcafee.com/corporate/index?page=content&id=KB89858

and apply the order or those cipher suites on the Agent Handler.

Best Regards

Peter

 

0 Kudos
Reply
More McAfee Tools to Help You
  • How to Troubleshoot Install & Deployment Failures
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator

    • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community


    Corporate Headquarters
    2821 Mission College Blvd.
    Santa Clara, CA 95054 USA

    Consumer Support   |   Enterprise Support   |   McAfee.com

    Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC