cancel
Showing results for 
Search instead for 
Did you mean: 

McAfee Agents on solaris clusters overwrite each other in ePO

Hello,

I am currently running into an issue with McAfee Agent 4.0 for Solaris (multiple minor revs) and ePO 4.0.  Our environment has 3 clusters of 4 servers each (12 servers total) running Solaris 10 and Solaris Cluster software.  Since Solaris Cluster software creates a private network interface that shows up as the last interface shown by running ifconfig -a, the McAfee agent always chooses this private network interface as the interface to query for network data (MAC Address)  to send to the ePO server.  Because Sun Cluster software assigns that interface a MAC Address equal to that server's cluster position (00:00:00:00:00:01 through 00:00:00:00:00:04) and because McAfee Agent uses this MAC address in the GUID creation, the McAfee Agents amongst common cluster positions (1 through 4) overwrite each other in ePO so that only 4 servers (instead of 12) show up at any given time.

Has anyone else experienced this?  I found an old post from 2007 that sounds like a similar issue but it was never answered  (https://community.mcafee.com/message/42208#42208)

I don't have the ability to upgrade our ePO server to 4.5 and I don't think I can upgrade to McAfee Agent 4.5 either.  Before I go ask for money to go down the upgrade path, does anyone know of a solution/patch/workaround that I could do to get these agents to show up in ePO all at the same time with the software versions I already have?

Thanks,

Ryan

2 Replies

Re: McAfee Agents on solaris clusters overwrite each other in ePO

See:

https://kc.mcafee.com/corporate/index?page=content&id=KB57886&actp=search&viewlocale=en_US&searchid=...

Duplicate MACs cause ePO to see different machines as the same node even if the GUID is different, so the workaround is to set ePO to ignore MACs when communicating with an "unknown" machine.

The "HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Options\DisableMACSearch" Key is mentioned to be left in place long enough to have all your nodes communicate with the ePO server and then removed, although I've left it in place indefinitely because our vpn software tends to cause duplicate MACs, causing issues with duplicate MACs causing duplicate GUIDs.

Message was edited by: tmckinney on 11/1/11 6:44:58 PM CDT
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 3

Re: McAfee Agents on solaris clusters overwrite each other in ePO

 I've left it in place indefinitely because our vpn software tends to cause duplicate MACs, causing issues with duplicate MACs causing duplicate GUIDs.

ePO actually has a separate mechanism for dealing with VPN connections - it's effectively a "targetted DisableMacSearch" function that is only applied to certain MAC address families. Have a look at KB52949 for more details.

We really don't recommend leaving the global DisableMacSearch function enabled permanently - this should give you the best of both worlds

HTH -

Joe