cancel
Showing results for 
Search instead for 
Did you mean: 
Nick_B
Level 11
Report Inappropriate Content
Message 1 of 14

Communication Between Certain Managed Endpoints and McAfee ePO Stops, Post Agent Upgrade

Dear McAfee Community,

One of our customers with an estate of around 13,000 managed endpoints and various McAfee products deployed, have observed an issue lately in one particular location of the business only, whereby after the upgrade of the McAfee Agent to 5.6.2 or 5.6.3 the systems fail to update their AMCore files unless they are rebooted.

It is not clear why only one area of the business is affected but this is what has been observed.

I obtained a MER from one of the affected systems which is running Windows 7 Professional SP1 Build 7601, although they have provided about 5 or six systems which have the issue and they all run Windows 7 except for one which is on Windows 10.

When I was examining the MER logs from one of the affected devices (Windows 7), I discovered some interesting entries in the masvc_hostname.log which is seen below.

From what I can gather, the cURL error 7 is an indication that there was a firewall, proxy or permissions issue and cURL error 6 is an inability to resolve the IP to a hostname.

masvc_IND_Hostname.log extract - Copy.PNGMasvc Log Extract from an affected system

Anyone else experienced this kind of issue?

I look forward to hearing from you!

 

13 Replies
hem McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 14

Re: Communication Between Certain Managed Endpoints and McAfee ePO Stops, Post Agent Upgrade

For details about curl error #: 

https://kc.mcafee.com/corporate/index?page=content&id=KB74939&locale=en_US

 

CURLE_COULDNT_RESOLVE_HOST (6)  Could not resolve host. The given remote host could not be resolved
CURLE_COULDNT_CONNECT (7) Failed to connect to host or proxy
Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?please select Accept as Solution in my reply and together we can help other members?
YashT McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 14

Re: Communication Between Certain Managed Endpoints and McAfee ePO Stops, Post Agent Upgrade

Hello @Nick_B ,

As @hem  suggested the kb will help you with resolving the issue with curl error 6 and 7.

I would like to know after the upgrade the agent is properly installed ?

Does it says installed successful? Also check in one of the system where you are facing the issue if the agent is properly installed, right click on the McAfee icon on bottom right corner select about and check if the agent says managed or unmanaged?

1. Above steps is to isolate if the agent is properly installed. also verify "PendingFileRenameOperations" in registry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" this will guide you if the system is requesting reboot after the upgrade of agent or any other product.

2. Also from the error logs I can see that the agent is failed to communicate to EPO, If the repository setting is configured to take the update from Fallback site McAfeeHttp then it should take the update from internet Manage source and fallback sites best practice.

3. I have seen one more error in your logs which has UV write failed - uv error <36> <broken pipe> .

Same issue is described in KB86760, let me know if this helps.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! l Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Yash T
cdinet McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 14

Re: Communication Between Certain Managed Endpoints and McAfee ePO Stops, Post Agent Upgrade

What version of the agent did you upgrade to?  Do the server logs on epo server or agent handler show any connection errors?  KB88664 has a similar error - see if that applies.

Go to C:\ProgramData\McAfee\Agent and double-click on the cabundle.cer.  Is it 1024 or 2048 bit cert?

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Nick_B
Level 11
Report Inappropriate Content
Message 5 of 14

Re: Communication Between Certain Managed Endpoints and McAfee ePO Stops, Post Agent Upgrade

Hi @cdinet@hem & @YashT 

Good to hear from you guys 😉

The Agent on the affected machine (identified as INMUM) I collected the MER file from was upgraded to MA 5.6.3.157.

I checked in the Server log on the AH server where it connects and it does not appear to have any comms issues there. Snip below is taken from today's connections. The entries from 11 Feb (when the MER was collected) are no longer available as the log has rolled over and the backup doesn't go that far back.

INMUM - Entry in Server Log on AH Server from 17 Feb - more detail2.PNGEntry for INMUM client in Server Log on AH

I can check what key size is listed (1,024 or 2,048 bits) and get back to you on that, hopefully tomorrow. I assume you mean the Public key as found about half way down on the Details tab when you open the cabundle.cer file? So, RSA 2,048 bits for example.

Speak soon!

cdinet McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 14

Re: Communication Between Certain Managed Endpoints and McAfee ePO Stops, Post Agent Upgrade

That looks like it should be a successful communication.  Does it show failed all the time on the client side?  Yes, that is what I am referring to with the 2048 bit reference.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Nick_B
Level 11
Report Inappropriate Content
Message 7 of 14

Re: Communication Between Certain Managed Endpoints and McAfee ePO Stops, Post Agent Upgrade

Hiya,

No, on this particular client now it should be all good as it has been rebooted (last Thursday was the last boot time according to our custom props field). The issue appears to manifest after the new Agent is installed for a particular area of the business only. Known as P Division, they have sites all over the world so it is not specific to a geographic area or an office/building or anything like that.

Rebooting the endpoint resolves the issue but the customer is concerned mainly because of the logistics involved in getting hundreds of users to reboot their devices. So, until they are rebooted the DAT files are not updated etc so there lies a risk.

Speak soon!

cdinet McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 14

Re: Communication Between Certain Managed Endpoints and McAfee ePO Stops, Post Agent Upgrade

Was ens or vse also upgraded?  Just an agent upgrade doesn't normally require a reboot.  You can check the mfemactl.log to see if by chance there was any blocking of McAfee processes that might require the reboot to reload syscore drivers.  It would have to be the McAfee process being the one blocked due to injection of another, such as mcscript_inuse.exe blocked by.... for that to be part of the problem.  

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Nick_B
Level 11
Report Inappropriate Content
Message 9 of 14

Re: Communication Between Certain Managed Endpoints and McAfee ePO Stops, Post Agent Upgrade

Hi @cdinet 

The affected machines were not upgraded in terms of ENS as far as I know, just the McAfee Agent.

I have the MER from the INMUM machine from 11 Feb still which includes the logs but does not have the mfemactl log however, is that by design? Snip belows shows the left pane from the MER Analyzer with the .tgz file open.

MER snip for INMUM machine.PNGMER log snip

 

 

cdinet McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 10 of 14

Re: Communication Between Certain Managed Endpoints and McAfee ePO Stops, Post Agent Upgrade

That is strange - you have logs from a 4.x agent as well as 5.x.  You may have remnants also of the install files that may be causing interference.  I have seen that also cause agent installs to fail.  I would suggest seeing if a reboot removes those remnants and if not, perhaps a complete removal/reinstall.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community