nashcoop
Level 11
Message 1 of 24

Error: DB Server Key Check Failed


I recently upgraded EPO 5.9.1 to 5.10 and started getting the error in the attached screenshot below which is accompanied by the EPO server completely locking up.  A reboot is necessary to make it functional.  The problem has happened twice in the past week.  SQL and EPO are installed on the same server.

I see this error in the EpoApSvr.log on the EPO server many times when the error occurs: 

20191022123041 E #06036 EPODAL , msg=Unspecified error
20191022123041 E #06036 EPODAL ePOData_Connection.cpp(719): COM Error 0x80004005, source=Microsoft SQL Server Native Client 11.0, desc=TCP Provider: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.

I have reviewed the conversation in this forum

https://community.mcafee.com/t5/ePolicy-Orchestrator/ePO-Database-Connection-Issue-DB-Server-Key-Che...

I ran nmap to check the cipher suite on my EPO server and only see the keys shown below.

TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

There are no TLSv1.2 keys listed for "TLS_ECDHE".

Someone referenced KB91304 for more info on that, but I'm not able to locate that KB.  

 

EPO error.jpg

2 Solutions

Accepted Solutions
McAfee Employee cdinet
Message 17 of 24

Re: Error: DB Server Key Check Failed


JvmMx to: 8 x 1024-1 = 8191 - that is correct.

For sql, I would set it to use 4 g (4*1024).  To do that, in sql management studio, at the very top where the sql server is listed when you connect to the server registration, right-click on the properties of that sql server instance and go to properties, then go to the memory tab.  Under maximum server memory in mb, add the 4g value there.  That should take effect immediately without restart of sql services.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?


nashcoop
Level 11
Message 22 of 24

Re: Error: DB Server Key Check Failed


Before trying that I decided to remove the extension for the NSP 9.1.x which was provided to me by a member of our team who manages NSP, and it looks like that may have been the culprit.  I'm going to monitor TCP connections for tomcat and SQL over the next 24 hours.  During the past two hours since I removed that extension the connections haven't increased in number for either process, so initial findings are pretty good.

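Added example, not part of the original post: one way to do the monitoring described in message 22 is to save periodic `netstat -ano` output and compare per-process TCP connection counts across samples. The sample text and the PIDs 4120 and 2288 are constructed; map real PIDs to the Tomcat and SQL Server processes on your own server.

```python
from collections import Counter


def count_by_pid(netstat_text):
    """Count non-listening TCP rows per owning PID in `netstat -ano` output."""
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        # TCP rows have 5 fields: proto, local, foreign, state, PID.
        if len(f) == 5 and f[0] == "TCP" and f[3] != "LISTENING" and f[4].isdigit():
            counts[int(f[4])] += 1
    return counts


def growing_pids(snapshots, min_growth=1):
    """PIDs whose count never drops between samples and rises overall."""
    series = [count_by_pid(s) for s in snapshots]
    flagged = {}
    for pid in sorted(set().union(*series)):
        vals = [c[pid] for c in series]
        steady_or_up = all(b >= a for a, b in zip(vals, vals[1:]))
        if steady_or_up and vals[-1] - vals[0] >= min_growth:
            flagged[pid] = vals
    return flagged


def _sample(n_a, n_b):
    """Constructed `netstat -ano` text; PIDs 4120 and 2288 are made up."""
    rows = ["  Proto  Local Address      Foreign Address    State        PID",
            "  TCP    0.0.0.0:1433       0.0.0.0:0          LISTENING    2288",
            "  UDP    0.0.0.0:1434       *:*                             2288"]
    rows += [f"  TCP    127.0.0.1:{50000 + i}    127.0.0.1:1433     ESTABLISHED  4120"
             for i in range(n_a)]
    rows += [f"  TCP    10.0.0.5:1433      10.0.0.9:{60000 + i}     ESTABLISHED  2288"
             for i in range(n_b)]
    return "\n".join(rows)


# Three constructed samples: PID 4120 keeps accumulating connections,
# PID 2288 stays flat.
SNAPSHOTS = [_sample(3, 2), _sample(5, 2), _sample(9, 2)]

if __name__ == "__main__":
    print(growing_pids(SNAPSHOTS))
```

A process that is flagged across many samples is the one to investigate before the socket buffer error quoted in message 1 recurs.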

23 Replies
McAfee Employee aravikum
Message 2 of 24

Re: Error: DB Server Key Check Failed


I suppose this is caused by the ePO 5.10 installer not being able to negotiate a Transport Layer Security (TLS) connection with the SQL Server.


The completed line reads as follows - a single line with no spaces or line breaks:

jtds.enabledCipherSuites="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"

NOTE: You do not need to have the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher suite enabled on the SQL Server. 

Additionally, enable TLS v1.1 and TLS v1.2 in the DB server to accept the connections.

Was my reply helpful?


If you find this post useful, Please give it a Kudos! l Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!
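Added example, not part of the original posts and not McAfee code: a Python check that compares the nmap cipher listing from message 1 with the jtds.enabledCipherSuites value from message 2 and reports which suites both sides share. It assumes the nmap scan describes the TLS listener that ePO's JDBC driver connects to; the function names are illustrative.

```python
import re

# nmap ssl-enum-ciphers output copied from message 1. Assumption: it describes
# the TLS listener that ePO's JDBC (jTDS) driver connects to.
NMAP_OUTPUT = """\
TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
"""

# jtds.enabledCipherSuites line copied from message 2.
JTDS_LINE = 'jtds.enabledCipherSuites="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"'


def parse_nmap(text):
    """Map each protocol version in ssl-enum-ciphers text to its suites."""
    offered, proto = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("|_ ")
        version = re.fullmatch(r"((?:SSL|TLS)v[\d.]+):", line)
        suite = re.match(r"TLS_[A-Z0-9_]+", line)
        if version:
            proto = version.group(1)
            offered[proto] = []
        elif suite and proto:
            offered[proto].append(suite.group(0))
    return offered


def parse_jtds(line):
    """Return the unique suites in order; reject whitespace inside the value."""
    key, _, value = line.strip().partition("=")
    if key != "jtds.enabledCipherSuites":
        raise ValueError("not a jtds.enabledCipherSuites line")
    value = value.strip('"')
    if re.search(r"\s", value):
        raise ValueError("value must be a single line without spaces")
    return list(dict.fromkeys(value.split(",")))


def shared_suites(nmap_text, jtds_line):
    """Per protocol version, the suites present on both sides."""
    client = set(parse_jtds(jtds_line))
    return {proto: [s for s in suites if s in client]
            for proto, suites in parse_nmap(nmap_text).items()}


if __name__ == "__main__":
    print(shared_suites(NMAP_OUTPUT, JTDS_LINE))
```

On the values posted in this thread the shared set for TLSv1.2 is empty: the scanned endpoint lists only TLS_RSA_* suites, while the configured line contains only ECDHE, DHE and ECDH suites.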

McAfee Employee vivs
Message 3 of 24

Re: Error: DB Server Key Check Failed


Hello,

Thanks for your post.

The first thing that comes to mind after seeing the screenshot:

ERROR: Warning: DB Server Key Check Failed (on the ePolicy Orchestrator login page) 

Also you can check the KB article which is mentioned in your post:

https://kc.mcafee.com/corporate/index?page=content&id=KB91304&actp=null&viewlocale=en_US&showDraft=f... 

Also please check the eventparser.log as well.


nashcoop
Level 11
Message 4 of 24

Re: Error: DB Server Key Check Failed


I should have mentioned that SQL was upgraded to 2016 before I upgraded EPO from 5.9.1 to 5.10.  However the pre-installation audit ran and checked out fine before the upgrade, and there were no issues or errors during the upgrade to 5.10.   KB71125 says that agents will no longer be able to communicate with the EPO server but when I view the "Last Communication" column in EPO they are still currently communicating with the server.  Is there another way to verify if the keystore is corrupted, or would the fact that the agents are still communicating based on the info in the Last Communication column indicate KB71125 is not applicable?

McAfee Employee cdinet
Message 5 of 24

Re: Error: DB Server Key Check Failed


What are the specs on the server - ram installed?  How many systems are you managing?  How long after the upgrade did you get the error?  Did anything else change on the system at all?  Do the sql error logs show anything interesting?


nashcoop
Level 11
Message 6 of 24

Re: Error: DB Server Key Check Failed


8 gb's of RAM for roughly 700 clients.  Error didn't occur until one week after the upgrade.  The first time the error occurred I had to reboot the server through vSphere in order to make it functional again.  Following the reboot everything seemed fine for three days before the problem occurred again yesterday. Rebooting the server seems to be the short term workaround.  I have my SQL admin looking into this on the SQL side of things.  He mentioned maybe doubling the memory, but I'm not convinced yet that this is simply a memory issue.

I'm seeing the error below in the EpoApSvr.log

20191022123041 E #06036 EPODAL , msg=Unspecified error
20191022123041 E #06036 EPODAL ePOData_Connection.cpp(719): COM Error 0x80004005, source=Microsoft SQL Server Native Client 11.0, desc=TCP Provider: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.

McAfee Employee cdinet
Message 7 of 24

Re: Error: DB Server Key Check Failed


The "system lacked sufficient buffer space" message clearly points to a memory issue.  Here is the problem and why that server is severely under supported specifications.

1.  We require 8g available ram, not installed ram.

2.  Sql will, by default, use all available memory, so that must be limited, especially when epo is on the same system.

So you can see by that, you clearly don't have enough ram.  When epo installs, it allocates half the ram to tomcat Java and it may or may not use all that allocation.  Then apache itself could use up to 2gb, which leaves 2g for the OS and none for sql.

I would at least triple the memory, then adjust memory settings as follows.

In [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\MCAFEETOMCATSRV530\Parameters\Java] options, change jvmmx to half the installed ram.  So, if you install 24g ram, for example, half of that is 12g - you would calculate it as such:

12 x 1024 -1.  For some reason, that is how epo calculates it on install.  So in your case, you would set jvmmx at 12287.  So then you want to leave about 4g available for the OS, which leaves you 8g for sql.  In the properties for the sql server, set max memory to 8 x 1024, or 8192.  That should clear up that issue.  Those are just examples, obviously it is going to depend on what amount of ram you actually install.

 


nashcoop
Level 11
Message 8 of 24

Re: Error: DB Server Key Check Failed


Ok thanks, I'll submit a request to upgrade the RAM. 

I have another EPO server with 4,500 clients that was also upgraded from 5.9.1 to 5.10 which is running SQL 2014 on the same box and only 8 gb's of RAM that is not having this db server key check issue.  That EPO server did not have SQL upgraded before the upgrade to 5.10.  Both servers have been running  EPO and SQL with 8 gb's of RAM without any problem for at least a year but probably longer.  The "db server key check failed" error is on the EPO server that had SQL upgraded to 2016 prior to the 5.10 upgrade.  If this is just a memory availability issue, then shouldn't I see the same error on my other EPO 5.10 box?  Also, why would the error only start after upgrading to EPO 5.10 if SQL memory availability is the sole issue?

McAfee Employee cdinet
Message 9 of 24

Re: Error: DB Server Key Check Failed


Each version of epo may utilize memory differently and the same with sql.  A newer version of sql would possibly have more internal features, as well as external, that it uses.  You may not be seeing those issues on the other server, but it is definitely not a supported config as it doesn't meet minimum requirements.  So even if you were to open a ticket with us for troubleshooting the issue, we would require a memory upgrade to get to a supported environment.


nashcoop
Level 11
Message 10 of 24

Re: Error: DB Server Key Check Failed


Understood.  Thanks for the feedback, and I've already sent a request to increase RAM.  I should have that done within the hour and will be able to monitor for any issues over the next few days.
