Has anyone upgraded to ePO 5.3.3 and seen the problem "Failed to send HTTP request Error=12029 (DataChannel connectivity fails after upgrading to ePolicy Orchestrator 5.3.3)"? This is referenced in a new KB article, KB89858. McAfee believes that it is related to a cipher suite change in ePO 5.3.3 and can affect wake-up calls, client run now tasks and Drive Encryption activations.
We have yet to move to ePO 5.3.3 but have just started the process. The Pre-Installation auditor program failed the cipher suites until I ran the IISCrypto utility to remove older cipher suites like SSL V2 etc. This KB article is not giving me confidence in moving to ePO 5.3.3, as the workaround is to perform a disaster recovery to the previous version of ePO.
It appears the only reason to move to ePO 5.3.3 is for some security fixes for Tomcat. I wish that they had released these security fixes for ePO 5.3.2. Has anyone seen any issues so far with ePO 5.3.3 in relation to the problems in KB89858?
Just upgraded the first productive server to 5.3.3, and no DataChannel issue. But we had a VM snapshot and database backup just in case.
That is good to know. I will test on my test ePO server next week and see what happens. We are a VM shop also, so I always do a VM snapshot also. This has saved my bacon in the past.
This morning, I decided to test ePO 5.3.3 after an upgrade from version 5.3.2. I can confirm that we do have this datachannel cipher suite bug. I reproduced this by doing a client run now task to uninstall VSE 8.8i from a client. I noticed that the task does not show any progress on the ePO console and the client agent status shows the error "Failed to upload package to the ePO server". This is not an acceptable bug for us, so we will hold off upgrading until McAfee fixes it. McAfee's workaround is to do a disaster recovery and to go back to the previous version. What is up with McAfee's QA process?
For anyone who is affected by this, McAfee has updated the KB article. You have to reorder certain ciphers to get it to work. Going to test this today.
Failed to send HTTP request Error=12029 (DataChannel connectivity fails after upgrading to ePolicy Orchestrator 5.3.3)
Technical Articles ID: KB89858
McAfee ePolicy Orchestrator (ePO) 5.3.3
Problem
DataChannel connectivity between the ePO server service (Apache) and the Application Server service (Tomcat) stops working, resulting in functionality requiring the DataChannel to be negatively impacted. This issue could manifest in many ways including, but not limited to:
20170918133528 E #05472 MCUPLOAD SecureHttp.cpp(987): Failed to send HTTP request. Error=12029 (12029)
20170918133528 E #05472 NAIMSERV server.cpp(583): Failed to send request, err=0x80004005, HTTP status code=0
20170918133528 E #05472 NAIMSERV server.cpp(968): Error sending data channel message to application server
Upgraded ePO to 5.3.3.
This issue has not been observed on fresh installs of ePO 5.3.3, nor on ePO 5.9.
This issue appears to be related to a cipher suite security change present in ePO 5.3.3.
Technical Support is investigating this issue. As a temporary measure, implement the following workaround.
Workaround
This issue can be resolved by reordering cipher suites on impacted Agent Handler(s).
NOTE: In an environment with only one ePO server and no remote handlers, the ePO server is an Agent Handler in this context.
Reorder the ciphers to have the following at the top:
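Added example, not part of the thread or of KB89858: a Python check that scans server log lines for the three-line DataChannel failure signature quoted in the KB excerpt, so an upgraded handler can be tested before users report failed tasks. The field layout is assumed from those three lines, the 5-second grouping window and the function name are assumptions, and the last two sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Layout assumed from the KB excerpt:
# timestamp, level, #thread, component, file(line): message
LINE_RE = re.compile(
    r"^(?P<ts>\d{14})\s+(?P<level>[A-Z])\s+#(?P<thread>\d+)\s+"
    r"(?P<component>\S+)\s+[^\s(]+\(\d+\):\s+(?P<msg>.*)$")

# The three messages, in order, that make up the failure in the excerpt.
SIGNATURE = (
    ("MCUPLOAD", re.compile(r"Failed to send HTTP request\. Error=12029")),
    ("NAIMSERV", re.compile(r"Failed to send request, err=0x80004005, HTTP status code=0")),
    ("NAIMSERV", re.compile(r"Error sending data channel message to application server")),
)
MAX_GAP = timedelta(seconds=5)  # assumption: the three lines are logged close together

def find_datachannel_failures(lines, max_gap=MAX_GAP):
    """Return (ISO timestamp, thread id) for each complete signature found."""
    state = {}  # thread id -> (next signature step, time of first matched line)
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["level"] != "E":
            continue  # only error-level lines belong to the signature
        ts = datetime.strptime(m["ts"], "%Y%m%d%H%M%S")
        step, start = state.get(m["thread"], (0, ts))
        if step and ts - start > max_gap:
            step = 0  # stale partial match, start over
        component, pattern = SIGNATURE[step]
        if m["component"] == component and pattern.search(m["msg"]):
            start = ts if step == 0 else start
            step += 1
        elif m["component"] == "MCUPLOAD" and SIGNATURE[0][1].search(m["msg"]):
            step, start = 1, ts  # a fresh first line restarts the sequence
        if step == len(SIGNATURE):
            hits.append((start.isoformat(), m["thread"]))
            step = 0
        state[m["thread"]] = (step, start)
    return hits

# First three lines are from the KB excerpt; the last two are constructed.
SAMPLE = """\
20170918133528 E #05472 MCUPLOAD SecureHttp.cpp(987): Failed to send HTTP request. Error=12029 (12029)
20170918133528 E #05472 NAIMSERV server.cpp(583): Failed to send request, err=0x80004005, HTTP status code=0
20170918133528 E #05472 NAIMSERV server.cpp(968): Error sending data channel message to application server
20170918133601 I #05480 NAIMSERV server.cpp(100): constructed informational line
20170918133602 E #05480 MCUPLOAD SecureHttp.cpp(987): Failed to send HTTP request. Error=12029 (12029)
""".splitlines()

if __name__ == "__main__":
    for when, thread in find_datachannel_failures(SAMPLE):
        print(f"DataChannel failure at {when} on thread #{thread}")
```

A lone 12029 line, like the constructed one on thread #05480, is not reported; only the full three-line sequence on one thread counts.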