15 Replies Latest reply on Nov 19, 2009 11:30 AM by RMCCULLO

    ePO 4.5 broke my agents

      When I upgraded from ePO 4.0 to 4.5, everything seemed to go well. Once I rebooted I got an error that a service failed to start. The service that failed turned out to be McAfee ePolicy Orchestrator 4.5.0 Server which the error log explained was due to a missing crt file. The crt file that was missing was conf/ssl.crt/ahcert.crt. In fact, the entire ssl.crt directory was empty. Now, none of my agents will connect to the server. Any ideas?
        • 1. RE: ePO 4.5 broke my agents
          akl71
          In ePO 4.5 the agents communicate by default with SSL. Try to disable the "Agent-to-server communication secure port" under Configuration -> Server Settings -> Ports
          • 2. I think I got it
            There is an area where you can tell it to Regenerate a self-signed certificate and private key. That seems to have fixed it.

            Configuration > Server Settings > Server Certificate > Edit
            • 3. RE: I think I got it
              If you weren't able to login to the console, how did you make this change?
              • 4. RE: I think I got it
                I was able to login to ePO through the web interface. It was only the agents that wouldn't communicate.
                • 5. RE: I think I got it
                  challiwag


                  After you recreated the cert, did it work straight away? Or did you have to redistribute the agents?
                  • 6. RE: I think I got it
                    It seemed to have worked on my x86 machines but some of my x64 machines were not communicating. I was having a few other issues not related to ePO so I decided to do a full rebuild of the server which included a clean install of the OS, MSSQL 2008, and ePO. After doing that, I did have to re-deploy all of the agents. ePO is still not showing that VS is installed on some of my x64 machines, which was supposed to be fixed in ePO 4.5, but everything else seems to be working well.

                    I also installed Agent 4.5 RC to test on the x64 machines that aren't properly communicating with the server and it still didn't solve that problem. But that is an issue for another post.
                    • 7. Re: RE: I think I got it
                      RMCCULLO

                      Deploying the MA 4.5 agent with the problem you just described will make matters worse, as now the 4.5 agent keeps a copy of the public SSL Apache key in the Sitelist.xml.

                      As noted in the other post...

                      FYI these types of issues occur for one of a few reasons...

                      1. You Renamed the ePO Server.

                      2. The install truly never created the Apache SSL certs on install, (due to problems with the RSA SDK).

                      3. You are running another application that is using CRYPTOCME2.DLL and CRYPTOCME2.SIG. (Do a search for these files, they should only exist in the epo servers install path).

                      4. You restored another ePO Servers Database to the Current ePO Server you are working with, OR you pointed your current ePO server to another existing ePO Servers Database.

                      The important thing to know is that the certs are unique to each server, and that they are stored in the database. Also, the ePO server is really an agent handler, so if these values don't match then your server will never process ASCIs from client machines, perform push agent installs, perform wakeup calls to agent machines, or be able to perform the ping function (via the ePO console) to existing managed machines.

                      If you can tell me what scenario you are dealing with I can tell you how to fix the problem (without having to do a reinstall).

                      Note: If you reinstalled the ePO server, have existing 4.5 agents, and have the MA 4.5 agents configured to use SSL, you will have to redeploy the McAfee Agent to these machines from the fresh install, because as previously noted the SSL cert is now part of the Sitelist.xml. Reinstalling creates a new Apache SSL cert.

                      • 8. Re: RE: I think I got it

                        We did (1) & (4) as you described: the ePO 4.5 server was migrated to another new server (with a new hostname), and the database was restored to this new server. Everything was fine except that:

                        1. It has 2 agent handlers: the old server and the new server hostname (not sure how to get rid of the old server name)

                        2. The ePO 4.5 server was unable to deploy the agent, and even if I manually install agent 4.5, the agent is not able to communicate with ePO 4.5.

                        It will return this error message:

                        ------------------------------------------------------------------------------------------------------------

                        2009-11-05 16:59:23    I    #5280    Agent    Collecting IP address using Internet Manager
                        2009-11-05 16:59:24    I    #5280    naInet    HTTP Session initialized
                        2009-11-05 16:59:24    I    #5280    imsite    Connecting to site: 192.168.13.184 on port: 8080
                        2009-11-05 16:59:25    I    #5280    naInet    HTTP Session closed
                        2009-11-05 16:59:25    I    #5280    SpiPkgr    Using sequence number 92
                        2009-11-05 16:59:25    i    #5280    Agent    Agent communication session started
                        2009-11-05 16:59:25    i    #5280    Agent    Agent is sending PROPS VERSION package to ePO server
                        2009-11-05 16:59:25    i    #5280    Agent    Agent is connecting to ePO server
                        2009-11-05 16:59:25    I    #5280    imutils    Trying with site: 1192.168.13.184:8080
                        2009-11-05 16:59:25    I    #5280    naInet    HTTP Session initialized
                        2009-11-05 16:59:25    I    #5280    imsite        Upload from: C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack\pkg00129018851633900000_1419771716.spkg
                        2009-11-05 16:59:25    I    #5280    imsite        Upload response target: C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack\pkg00129018851650150000_2954487939.spkg
                        2009-11-05 16:59:28    E    #5280    imsite    Error trace:
                        2009-11-05 16:59:28    E    #5280    imsite     [uploadFile,,/spipe/pkg?AgentGuid={E89407F0-E54A-429B-9A22-A2C7E40D27D1}&Source =Agent_3.0.0,pkg00129018851633900000_1419771716.spkg,C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack,C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack\pkg00129018851650150000_2954487939.spkg]->
                        2009-11-05 16:59:28    E    #5280    imsite      NaInet library returned code == -5
                        2009-11-05 16:59:28    E    #5280    imsite    Error trace:
                        2009-11-05 16:59:28    E    #5280    imsite     [uploadFile,,/spipe/pkg?AgentGuid={E89407F0-E54A-429B-9A22-A2C7E40D27D1}&Source =Agent_3.0.0,pkg00129018851633900000_1419771716.spkg,C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack,C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack\pkg00129018851650150000_2954487939.spkg]->
                        2009-11-05 16:59:28    E    #5280    imsite      NaInet library returned code == -5
                        2009-11-05 16:59:28    I    #5280    naInet    HTTP Session closed
                        2009-11-05 16:59:28    e    #5280    Agent    Agent failed to communicate with ePO Server
                        2009-11-05 16:59:28    i    #5280    Agent    Agent communication session closed
                        2009-11-05 16:59:28    I    #5280    Agent    Agent communication failed, result=-2400
                        2009-11-05 16:59:28    I    #5280    Agent    Exponential retry in 606 seconds, error=-2400(Unable to connect to ePO Server)
                        2009-11-05 16:59:28    i    #5280    Agent    Agent will connect to the ePO Server in 10 minutes and 6 seconds.

                        ------------------------------------------------------------------------------------------------------------

                        Opened a ticket with McAfee, but he mentioned that it could be a port conflict, as ePO 4.5 Tomcat's port number is set by default to "8080", and port "8080" is also the agent communication port that we defined. Looking into this now.

                        Does anybody have any "insight" or similar problems?

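An agent log like the one posted above is quicker to triage by script than by eye once more than a handful of machines are affected. The following is an added example, not McAfee code and not from anyone in this thread: it splits McAfee Agent log records into communication sessions and reports which server:port strings the agent tried and which NaInet and result codes it came back with. It assumes the line layout visible in the post (timestamp, single-letter level, #thread, component, message, whitespace-separated); the sample lines are constructed with an RFC 5737 address and are not copied from a real host.

```python
"""Summarise a McAfee Agent log excerpt of the kind posted in this thread.

Added example, not McAfee code. Assumes the record layout seen in the post:
timestamp, single-letter level (I/i = info, E/e = error), '#thread', component,
message, separated by whitespace (tabs in the real file). The site strings,
'NaInet library returned code == N' and 'result=N' patterns are the ones quoted
in the post; SAMPLE_LOG below is constructed, not captured.
"""

import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<level>[A-Za-z])\s+#(?P<thread>\d+)\s+"
    r"(?P<component>\S+)\s+(?P<msg>.*)$"
)
# Both forms the agent uses when it names the server it is trying to reach.
SITE_RE = re.compile(
    r"(?:Connecting to site|Trying with site):\s*(?P<site>[^\s:]+)"
    r"(?:\s+on port:\s*|:)(?P<port>\d+)"
)
NAINET_RE = re.compile(r"returned code == (-?\d+)")
RESULT_RE = re.compile(r"(?:result|error)=(-?\d+)")


@dataclass
class Entry:
    ts: str
    level: str       # normalised to upper case
    thread: int
    component: str
    msg: str


def parse_line(line):
    """Return an Entry, or None for non-record lines (separators, blanks)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], m["level"].upper(), int(m["thread"]),
                 m["component"], m["msg"].strip())


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def split_sessions(entries):
    """Group records into communication sessions: a new group starts at each
    'Agent communication session started'; records before the first start
    form their own group."""
    sessions, current = [], []
    for e in entries:
        if "communication session started" in e.msg:
            if current:
                sessions.append(current)
            current = [e]
        else:
            current.append(e)
    if current:
        sessions.append(current)
    return sessions


def summarize_session(entries):
    """Which server:port the agent tried, and which codes it came back with."""
    sites, nainet, results = set(), set(), set()
    for e in entries:
        if (m := SITE_RE.search(e.msg)):
            sites.add((m["site"], int(m["port"])))
        if (m := NAINET_RE.search(e.msg)):
            nainet.add(int(m.group(1)))
        if (m := RESULT_RE.search(e.msg)):
            results.add(int(m.group(1)))
    errors = [e for e in entries if e.level == "E"]
    return {
        "sites": sorted(sites),                 # every distinct site:port tried
        "nainet_codes": sorted(nainet),         # e.g. -5 in the posted excerpt
        "result_codes": sorted(results),        # e.g. -2400 in the posted excerpt
        "error_count": len(errors),
        "components_with_errors": sorted({e.component for e in errors}),
        "failed": any(code < 0 for code in results),
    }


# Constructed sample, modelled on the posted excerpt (not a real capture).
SAMPLE_LOG = "\n".join([
    "2009-11-05 16:59:24\tI\t#5280\timsite\tConnecting to site: 192.0.2.10 on port: 8080",
    "2009-11-05 16:59:25\ti\t#5280\tAgent\tAgent communication session started",
    "2009-11-05 16:59:25\tI\t#5280\timutils\tTrying with site: 192.0.2.10:8080",
    "2009-11-05 16:59:28\tE\t#5280\timsite\tError trace:",
    "2009-11-05 16:59:28\tE\t#5280\timsite\t NaInet library returned code == -5",
    "2009-11-05 16:59:28\te\t#5280\tAgent\tAgent failed to communicate with ePO Server",
    "2009-11-05 16:59:28\tI\t#5280\tAgent\tAgent communication failed, result=-2400",
    "2009-11-05 16:59:28\tI\t#5280\tAgent\tExponential retry in 606 seconds, error=-2400(Unable to connect to ePO Server)",
])

if __name__ == "__main__":
    for i, session in enumerate(split_sessions(parse_log(SAMPLE_LOG))):
        print(f"session {i}: {summarize_session(session)}")
```

Feed it the whole agent log instead of SAMPLE_LOG and compare the "sites" list against the server's real hostname and agent-to-server port: a site string that is not the current server, or a port that is also bound by Tomcat, is visible immediately, and the result code tells you whether the failure was the connection itself (-2400 here) rather than something after the session was established.
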
                        • 9. Re: RE: I think I got it
                          RMCCULLO

                          Well, first off it's not a port conflict. It's the fact that you renamed your server. When you do this you are basically making your Apache SSL certs invalid, as they are issued to the hostname of the server. Stop all 3 of the McAfee ePO services, and only restart the McAfee ePolicy Orchestrator Server service. Now browse to the install path of ePO and then DB\logs\ (the default will be c:\program files\mcafee\epolicy orchestrator\4.5\DB\logs\), open the Server.log and, if at the bottom you see something similar to "Server is shutting down", this is because of the SSL cert verification issues.

                          So to resolve this issue you will need to do one of a few options: (Always make sure you follow KB 66616 before making major changes to the ePO server)

                          1. Rename the machine back to the original machine name (even if you cannot do this forever, try it first). See if it resolves the issue, as if it does, it confirms it's not a port issue.

                          AND/OR

                          2. These steps are really complex, so calling McAfee Support may be a good idea, but if you think you can handle it, proceed at your own risk:

                          Stop all three McAfee ePolicy Orchestrator X services.

                          Browse to the <Install_path>\ePolicy Orchestrator\Apache\Conf\ folder

                          Rename the SSL.CRT to SSL.CRT.OLD

                          Create a new folder in <Install_path>\ePolicy Orchestrator\Apache\Conf\ called SSL.CRT (thus replacing the old folder with a blank one).

                          Start only the McAfee ePolicy Orchestrator Application service (leaving the other 2 McAfee ePolicy Orchestrator X services stopped)

                          Start | Run | CMD.exe

                          Once at the DOS command prompt, change your path to the <Install_path>\ePolicy Orchestrator\ folder...

                          cd\

                          C:\:> cd Progra%

                          C:\Program Files\:> cd McAfee

                          C:\Program Files\McAfee:> cd ePO%

                          C:\Program Files\McAfee\ePolicy Orchestrator:> Rundll32.exe ahsetup.dll RunDllGenCerts <eposervername> <console HTTPS port> <admin username> <password> <"installdir\Apache2\conf\ssl.crt">

                          - Where <eposervername> = Your ePO servers NetBios Name
                          - Where <console HTTPS port> = Your ePO Console Port (default is 8443)
                          - Where <admin username> = admin (use the default ePO admin account)
                          - Where <password> = The Password to the ePO Admin console account.
                          - Where <installdir\Apache2\conf\ssl.crt> = Your installation path to the apache folder (Default installation path = "C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT" )


                          Example:

                          Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"

                          If you received NO Errors using this cmd, then proceed to the next step:

                          Restart/start all three of the McAfee ePO services. Check your Server.log again to see if you still see the errors.

                          Note: there are a few other clean up steps, but all you really need to do is remove the old server name from the Agent Handlers Lists and registered servers. Let me know if you need further help.

                          I am also working on getting this information into a KB Doc.
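The four causes listed in reply 7 and the symptoms quoted in reply 9 (an empty ssl.crt directory, "Server is shutting down" in Server.log, stray CRYPTOCME2.DLL/CRYPTOCME2.SIG copies outside the install path, and a server name that no longer matches the one the certificates were issued to) can be turned into a pre-flight check that runs before touching the certificate store. The script below is an added example, not McAfee tooling and not from anyone in this thread. It assumes the default install path and Server.log location quoted above, the Apache2\conf\ssl.crt directory from the KB layout, ahcert.crt as the expected certificate file (the file the original poster found missing), and that the operator supplies the hostname the server had when the certificates were generated, because the script does not parse the certificate itself. The directory layout `build_demo_fixture` creates is constructed for offline demonstration only.

```python
"""Pre-flight checks for the ePO 4.5 SSL / agent-handler symptoms described in
this thread. Added example, not McAfee tooling; run on the ePO server as an admin.

Assumed: install path and Server.log location as quoted in the posts, the
certificate directory Apache2/conf/ssl.crt, ahcert.crt as the expected cert file,
and an operator-supplied expected hostname (the cert is not parsed here).
"""

import os
import platform
import tempfile
from pathlib import Path

DEFAULT_INSTALL = Path(r"C:\Program Files\McAfee\ePolicy Orchestrator")
CRYPTO_FILES = {"cryptocme2.dll", "cryptocme2.sig"}   # RSA files named in reply 7
SHUTDOWN_MARKER = "Server is shutting down"           # Server.log symptom from reply 9


def check_ssl_crt(install_dir):
    """Cert directory must exist, be non-empty and contain ahcert.crt."""
    d = Path(install_dir) / "Apache2" / "conf" / "ssl.crt"
    if not d.is_dir():
        return ("ssl.crt", False, f"directory missing: {d}")
    files = sorted(p.name for p in d.iterdir() if p.is_file())
    if not files:
        return ("ssl.crt", False, f"directory is empty: {d}")
    if "ahcert.crt" not in (f.lower() for f in files):
        return ("ssl.crt", False, f"ahcert.crt not found; present: {files}")
    return ("ssl.crt", True, f"{len(files)} file(s) present")


def check_server_log(install_dir, tail_lines=200):
    """Look for the shutdown marker near the end of DB/logs/Server.log."""
    log = Path(install_dir) / "DB" / "logs" / "Server.log"
    if not log.is_file():
        return ("server.log", False, f"log not found: {log}")
    tail = log.read_text(errors="replace").splitlines()[-tail_lines:]
    hits = [ln for ln in tail if SHUTDOWN_MARKER in ln]
    if hits:
        return ("server.log", False,
                f"'{SHUTDOWN_MARKER}' seen {len(hits)}x in last {tail_lines} lines")
    return ("server.log", True, "no shutdown marker in log tail")


def find_stray_crypto_files(search_roots, install_dir):
    """CRYPTOCME2.* copies outside the ePO install tree (another app shipping them)."""
    install = Path(install_dir).resolve()
    stray = []
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() in CRYPTO_FILES:
                    p = Path(dirpath, name).resolve()
                    if install not in p.parents:
                        stray.append(str(p))
    return sorted(stray)


def check_hostname(expected, current=None):
    """The Apache certs are issued to the server name; a rename invalidates them."""
    current = current or platform.node()
    ok = current.lower() == expected.lower()
    return ("hostname", ok, f"current={current!r} expected={expected!r}")


def run_checks(install_dir=DEFAULT_INSTALL, expected_hostname=None,
               search_roots=(), current_hostname=None):
    """Return a list of (check name, passed, detail) tuples."""
    results = [check_ssl_crt(install_dir), check_server_log(install_dir)]
    stray = find_stray_crypto_files(search_roots, install_dir)
    results.append(("cryptocme2", not stray, "stray copies: " + (", ".join(stray) or "none")))
    if expected_hostname:
        results.append(check_hostname(expected_hostname, current_hostname))
    return results


def build_demo_fixture(healthy=False):
    """Constructed directory layout (not a real ePO install) so the checks can be
    exercised offline. Returns (base_dir, install_dir)."""
    base = Path(tempfile.mkdtemp(prefix="epo-demo-"))
    inst = base / "ePolicy Orchestrator"
    crt = inst / "Apache2" / "conf" / "ssl.crt"
    crt.mkdir(parents=True)
    logs = inst / "DB" / "logs"
    logs.mkdir(parents=True)
    (inst / "cryptocme2.dll").write_bytes(b"")        # legitimate copy inside the install tree
    if healthy:
        (crt / "ahcert.crt").write_text("-----BEGIN CERTIFICATE-----\n(demo)\n")
        (logs / "Server.log").write_text("Server started\n")
    else:
        (logs / "Server.log").write_text("Server started\nServer is shutting down\n")
        (base / "OtherApp").mkdir()
        (base / "OtherApp" / "CRYPTOCME2.DLL").write_bytes(b"")   # stray copy
    return base, inst


if __name__ == "__main__":
    base, inst = build_demo_fixture(healthy=False)
    for name, ok, detail in run_checks(inst, "EPO-OLD", [base], current_hostname="EPO-NEW"):
        print(f"[{'OK ' if ok else 'BAD'}] {name}: {detail}")
```

On a real server, call `run_checks(DEFAULT_INSTALL, "<original name>", [Path("C:/")])` and read the results against the replies above: a failing `hostname` check points at option 1 (rename back) or at regenerating the certificates, a `cryptocme2` hit points at reason 3, and an empty `ssl.crt` with the shutdown marker in Server.log is the combination the original poster hit.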
