cancel
Showing results for 
Search instead for 
Did you mean: 
ATJH
Level 7
Report Inappropriate Content
Message 1 of 11

Dead agents and how to deal with them

Hello all

Current environment:

2500-3000 Workstations and Servers
ePO 4.0 patch 4
McAfee Agent 4 patch 2

A problem I've been having in my environment is agents going dead. By this I mean the communication between the client and server is no longer operational. The framework service continues to run on the client, but gives an error in the status log:

1. Agent failed to collect properties
2. Failed to upload package (Not verbatim)

Currently I have a query that runs every night to collect all machines who haven't reported in for 30+ days and move them into an "InActive Agent" group. In the group the McAfee agent gets deployed every hour to hopefully bring these machines back online. While this method is reasonably successful it's not 100%. There are clients that require the agent to be uninstalled with /forceuninstall before reinstallation.

I'm curious to know how people handle dead agents on a large enterprise level. I currently have 400 machines in my "Inactive Agent" group. I would say 70% of those are dead machines that either have been removed from the network or reimaged. I use Remote Sensor Detection, but with minimal positive results. It's not reasonable to troubleshoot agents on a micro level because the time and man power aren’t available.

Any help is appreciated.

Thanks
Tags (2)
10 Replies
kao
Level 9
Report Inappropriate Content
Message 2 of 11

RE: Dead agents and how to deal with them

Just wanted to say that we also experience this problem with a very similar environment (except fewer client seats). No solution but thought it may be good to know you are not alone with this issue.
tonyb99
Level 13
Report Inappropriate Content
Message 3 of 11

RE: Dead agents and how to deal with them

I use RSD with 1 of my 3.6.1 installs to check rogues and (after filtering out things that dont need agents) apply forced agent reinstalls if they fail a query of the agent, if they still show as rogue then they stay in RSD and I import placeholders for the names into the directory and start battering them with wakeup calls till they go away as duplicates. IF they dont then they are usually faulty and i use a manual script to forceuninstall and reinstall the agent.

AT the same time I manually run a query once a week to pull out anything that hasnt reported back in 3 months (we have a lot of machines that can be off for months at a time)and then run it through a GUI ping tool, anything that no longer has a DNS entry I remove anything else I check manually by importing back into the directory and wakeups/installs etc

all in all its a total pain for an epo with 6500 nodes

but with good ping tools and install/uninstall scripts, once you are used to it, it doesnt take as long as you would think
ATJH
Level 7
Report Inappropriate Content
Message 4 of 11

RE: Dead agents and how to deal with them



Sounds like a similar setup to mine, except for the last part. The GUI ping tool is a good idea. I use Secure Fusion for asset management and pull reports for any machine missing the Agent, but that's not 100% either. Definitely going to try creating some scripts along with getting a good GUI ping tool.

Thanks for the help.
Waspy
Level 7
Report Inappropriate Content
Message 5 of 11

RE: Dead agents and how to deal with them

You are not alone....

Same problem here with CMA 3.6.608.


What I do:

In LoginScript I check the registry key with contains the DAT version number and write it to a file.
If local stored DAT version less than delta 10, than I get an alert (blat.exe) via email.



Isn't it very painful for McAfee ???




/waspy
Highlighted

RE: Dead agents and how to deal with them

i also do the ping route via perl script to identify 'inactive' machines which are actually online but with a broken agent.

i can then put these active machines into an SMS collection to redistribute the EPO agent.
palbr
Level 7
Report Inappropriate Content
Message 7 of 11

RE: Dead agents and how to deal with them

Review your logs and let me know if you can find something like that:
TIME E #3832 EPOServer Agent xxxxxxxxxxxxxx with GUID {xxxxxxxxxxxxxxx} and IP xxx.xxx.xxx.248 and MAC xxxxxxxxxxxxxxxx has an invalid sequence number; expecting 275 > 2341
TIME E #3832 EPOServer Rejecting agent due to an invalid or duplicate sequence number
Usually this error occures becouse of cloning PC - there are two (or more) agents with the same GUID. Epo is not able to difrenciate them. However it seems that from time to time agent have problem with communication and this problej just appears - without any reason. I did not found good way to get sequence numbers synchronised.
Hint: there is value sequencenumber in registry under HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent
but agent keeps it somwhere else - when changed mannualy it is resotred in registry - but I don't have even idea where it reside. I'm just curious if your systems are afected by wrong sequence numbers...
rgds
P.
gmc_za
Level 8
Report Inappropriate Content
Message 8 of 11

RE: Dead agents and how to deal with them

Same problem here. Even a reinstall doesn't fix it - same error. Have to remove the agent using frminst.exe and then reinstall.
woodsjw
Level 7
Report Inappropriate Content
Message 9 of 11

RE: Dead agents and how to deal with them

I have a couple sites that deployed the agent in an image improperly so there are a lot of sequence errors. Thankfully ePO 4.0 P5 now logs the device names in a new db table so it's much easier to see which machines are having sequencing problems. 4.5 makes it even easier, but we're not ready to make that jump yet.

I used to periodically harvest GUID's from the server.log and use a SQL query to pull the associated device names etc.... but it was a pain. Now I just pull the device names out of the new table and use a script to remove them from managed mode (frminst /silent /remove=agent) and then reinstall. It wasn't that long ago you could just delete the GUID from the registry and let it re-register, but that doesn't work any more.
ATJH
Level 7
Report Inappropriate Content
Message 10 of 11

RE: Dead agents and how to deal with them



This seems to be a very common theme with McAfee products.
More McAfee Tools to Help You

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community