10 Replies. Latest reply on Jul 29, 2009 12:33 PM by woodsjw

    Dead agents and how to deal with them

      Hello all

      Current environment:

      2500-3000 Workstations and Servers
      ePO 4.0 patch 4
      McAfee Agent 4 patch 2

      A problem I've been having in my environment is agents going dead. By this I mean the communication between the client and server is no longer operational. The framework service continues to run on the client, but gives an error in the status log:

      1. Agent failed to collect properties
      2. Failed to upload package (Not verbatim)

      Currently I have a query that runs every night to collect all machines who haven't reported in for 30+ days and move them into an "InActive Agent" group. In the group the McAfee agent gets deployed every hour to hopefully bring these machines back online. While this method is reasonably successful it's not 100%. There are clients that require the agent to be uninstalled with /forceuninstall before reinstallation.

      I'm curious to know how people handle dead agents on a large enterprise level. I currently have 400 machines in my "Inactive Agent" group. I would say 70% of those are dead machines that either have been removed from the network or reimaged. I use Remote Sensor Detection, but with minimal positive results. It's not reasonable to troubleshoot agents on a micro level because the time and manpower aren't available.

      Any help is appreciated.

        • 1. RE: Dead agents and how to deal with them
          Just wanted to say that we also experience this problem with a very similar environment (except fewer client seats). No solution but thought it may be good to know you are not alone with this issue.
          • 2. RE: Dead agents and how to deal with them
            I use RSD with 1 of my 3.6.1 installs to check rogues and (after filtering out things that don't need agents) apply forced agent reinstalls if they fail a query of the agent. If they still show as rogue then they stay in RSD and I import placeholders for the names into the directory and start battering them with wakeup calls till they go away as duplicates. If they don't then they are usually faulty and I use a manual script to forceuninstall and reinstall the agent.

            At the same time I manually run a query once a week to pull out anything that hasn't reported back in 3 months (we have a lot of machines that can be off for months at a time) and then run it through a GUI ping tool. Anything that no longer has a DNS entry I remove; anything else I check manually by importing back into the directory and wakeups/installs etc.

            All in all it's a total pain for an ePO with 6500 nodes,

            but with good ping tools and install/uninstall scripts, once you are used to it, it doesn't take as long as you would think.
            • 3. RE: Dead agents and how to deal with them
              ATJH, are your machines secured with any sort of write protection software? DeepFreeze, CleanSlate, etc?

              Sounds like an issue that I had in our academic labs. Still trying to solve it actually, but I can give you some good info if that's what you're running.
              • 4. RE: Dead agents and how to deal with them

                This seems to be a very common theme with McAfee products.
                • 5. RE: Dead agents and how to deal with them

                  Sounds like a similar setup to mine, except for the last part. The GUI ping tool is a good idea. I use Secure Fusion for asset management and pull reports for any machine missing the Agent, but that's not 100% either. Definitely going to try creating some scripts along with getting a good GUI ping tool.

                  Thanks for the help.
                  • 6. RE: Dead agents and how to deal with them
                    You are not alone....

                    Same problem here with CMA 3.6.608.

                    What I do:

                    In the LoginScript I check the registry key which contains the DAT version number and write it to a file.
                    If the locally stored DAT version is less than delta 10, then I get an alert (blat.exe) via email.

                    Isn't it very painful for McAfee???

                    • 7. RE: Dead agents and how to deal with them
                      I also do the ping route via a Perl script to identify 'inactive' machines which are actually online but with a broken agent.

                      I can then put these active machines into an SMS collection to redistribute the ePO agent.
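
Added example, not code from any poster in this thread: the DNS-then-ping triage described in replies 2 and 7, sorting machines from the inactive list into "remove", "offline" and "broken agent". The host names, addresses and function names are hypothetical, and the sample DNS table and online set are constructed so that it runs offline.

```python
import platform
import socket
import subprocess

def resolve(host):
    """Return an IPv4 address for host, or None when DNS has no entry."""
    try:
        return socket.gethostbyname(host)
    except OSError:  # socket.gaierror is a subclass
        return None

def ping(ip, timeout_s=3):
    """One ICMP echo via the system ping command; True if a reply came back."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        done = subprocess.run(["ping", count_flag, "1", ip], timeout=timeout_s,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return False
    return done.returncode == 0

def triage(hosts, resolver=resolve, probe=ping):
    """Sort stale ePO entries into the three outcomes described in the thread."""
    buckets = {"remove": [], "offline": [], "broken_agent": []}
    for host in hosts:
        ip = resolver(host)
        if ip is None:
            buckets["remove"].append(host)        # no DNS entry: gone or reimaged
        elif probe(ip):
            buckets["broken_agent"].append(host)  # online but silent: redeploy agent
        else:
            buckets["offline"].append(host)       # may simply be powered off
    return buckets

# Constructed sample data (hypothetical names, documentation addresses) so the
# example runs offline; drop the two keyword arguments to use real DNS and ping.
SAMPLE_DNS = {"LAB-PC01": "192.0.2.11", "LAB-PC02": "192.0.2.12"}
SAMPLE_ONLINE = {"192.0.2.11"}
SAMPLE_INACTIVE = ["LAB-PC01", "LAB-PC02", "OLD-PC77"]

def demo():
    return triage(SAMPLE_INACTIVE, resolver=SAMPLE_DNS.get,
                  probe=lambda ip: ip in SAMPLE_ONLINE)

if __name__ == "__main__":
    for outcome, names in demo().items():
        print(outcome, names)
```

A ping reply only shows that something answers at that address; a stale DNS record or a reused DHCP lease can point at a different machine, so confirm the host name before redeploying the agent.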
                      • 8. RE: Dead agents and how to deal with them
                        Review your logs and let me know if you can find something like this:
                        TIME E #3832 EPOServer Agent xxxxxxxxxxxxxx with GUID {xxxxxxxxxxxxxxx} and IP xxx.xxx.xxx.248 and MAC xxxxxxxxxxxxxxxx has an invalid sequence number; expecting 275 > 2341
                        TIME E #3832 EPOServer Rejecting agent due to an invalid or duplicate sequence number
                        Usually this error occurs because of cloning PCs - there are two (or more) agents with the same GUID. ePO is not able to differentiate them. However it seems that from time to time an agent has a problem with communication and this problem just appears - without any reason. I did not find a good way to get sequence numbers synchronised.
                        Hint: there is a value sequencenumber in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent
                        but the agent keeps it somewhere else - when changed manually it is restored in the registry - but I don't even have an idea where it resides. I'm just curious if your systems are affected by wrong sequence numbers...
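
Added example, not code from the poster or from McAfee: a parser for the rejection lines quoted in reply 8 that groups them by GUID, separating GUIDs reported from more than one MAC (the cloned-image case) from GUIDs rejected repeatedly on a single machine (the unexplained case). The timestamps, host names, GUIDs, addresses and MACs in the sample log are constructed, and the line layout is assumed to match the two lines quoted above.

```python
import re
from collections import defaultdict

# Matches the "invalid sequence number" line quoted in the post; the leading
# timestamp and thread id are ignored because the post masks their format.
REJECT = re.compile(
    r"Agent (?P<name>\S+) with GUID \{(?P<guid>[^}]+)\} "
    r"and IP (?P<ip>\S+) and MAC (?P<mac>\S+) "
    r"has an invalid sequence number")

# Constructed sample log (hypothetical hosts, documentation addresses).
SAMPLE_LOG = """\
20090701093000 E #3832 EPOServer Agent LAB-PC01 with GUID {11111111-AAAA-4BBB-8CCC-000000000001} and IP 192.0.2.21 and MAC 00005e005301 has an invalid sequence number; expecting 275 > 2341
20090701093000 E #3832 EPOServer Rejecting agent due to an invalid or duplicate sequence number
20090701093512 E #3832 EPOServer Agent LAB-PC02 with GUID {11111111-AAAA-4BBB-8CCC-000000000001} and IP 192.0.2.22 and MAC 00005e005302 has an invalid sequence number; expecting 2342 > 276
20090701093512 E #3832 EPOServer Rejecting agent due to an invalid or duplicate sequence number
20090701101500 E #3832 EPOServer Agent SRV-FILE01 with GUID {22222222-AAAA-4BBB-8CCC-000000000002} and IP 192.0.2.30 and MAC 00005e005310 has an invalid sequence number; expecting 90 > 88
20090701111500 E #3832 EPOServer Agent SRV-FILE01 with GUID {22222222-AAAA-4BBB-8CCC-000000000002} and IP 192.0.2.30 and MAC 00005e005310 has an invalid sequence number; expecting 90 > 89
"""

def classify_rejections(log_text):
    """Return (cloned, single): GUID -> sorted host names for each case."""
    seen = defaultdict(lambda: {"names": set(), "macs": set()})
    for line in log_text.splitlines():
        match = REJECT.search(line)
        if match is None:
            continue  # "Rejecting agent ..." and unrelated lines carry no GUID
        entry = seen[match["guid"]]
        entry["names"].add(match["name"])
        entry["macs"].add(match["mac"].lower())
    cloned, single = {}, {}
    for guid, entry in seen.items():
        # More than one MAC behind a GUID points at a cloned image; a host with
        # several network adapters can look the same, so verify before acting.
        bucket = cloned if len(entry["macs"]) > 1 else single
        bucket[guid] = sorted(entry["names"])
    return cloned, single

if __name__ == "__main__":
    cloned, single = classify_rejections(SAMPLE_LOG)
    print("shared GUID (likely cloned):", cloned)
    print("single machine rejected:", single)
```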
                        • 9. RE: Dead agents and how to deal with them
                          Same problem here. Even a reinstall doesn't fix it - same error. Have to remove the agent using frminst.exe and then reinstall.