4 Replies Latest reply on Oct 6, 2017 8:28 AM by twenden

    Failed to send HTTP request Error=12029 (DataChannel connectivity fails after upgrading to ePolicy Orchestrator 5.3.3)

    twenden

      Has anyone upgraded to ePO 5.3.3 and seen the problem "Failed to send HTTP request Error=12029 (DataChannel connectivity fails after upgrading to ePolicy Orchestrator 5.3.3)"? This is referenced in a new KB article, KB89858. McAfee believes that it is related to a cipher suite change in ePO 5.3.3 and can affect wake-up calls, client run now tasks and Drive Encryption activations.

       

      McAfee Corporate KB - Failed to send HTTP request Error=12029 (DataChannel connectivity fails after upgrading to ePolicy…

       

      We have yet to move to ePO 5.3.3 but have just started the process. The Pre-Installation auditor program failed the cipher suites until I ran the IISCrypto utility to remove older cipher suites like SSL V2 etc. This KB article is not giving me confidence in moving to ePO 5.3.3, as the workaround is to perform a disaster recovery to the previous version of ePO.

       

      It appears the only reason to move to ePO 5.3.3 is for some security fixes for Tomcat. I wish that they had released these security fixes for ePO 5.3.2. Has anyone seen any issues so far with ePO 5.3.3 in relation to the problems in KB89858?

       

      Thanks

        • 1. Re: Failed to send HTTP request Error=12029 (DataChannel connectivity fails after upgrading to ePolicy Orchestrator 5.3.3)
          frank_enser

          Hi,

           

          Just upgraded the first productive server to 5.3.3, and no DataChannel issue. But we had a VM snapshot and database backup just in case.

           

          Regards,

          Frank

          • 2. Re: Failed to send HTTP request Error=12029 (DataChannel connectivity fails after upgrading to ePolicy Orchestrator 5.3.3)
            twenden

            Frank,

             

            That is good to know. I will test on my test ePO server next week and see what happens.  We are a VM shop also, so I always do a VM snapshot also. This has saved my bacon in the past.

            • 3. Re: Failed to send HTTP request Error=12029 (DataChannel connectivity fails after upgrading to ePolicy Orchestrator 5.3.3)
              twenden

              This morning, I decided to test ePO 5.3.3 after an upgrade from version 5.3.2. I can confirm that we do have this DataChannel cipher suite bug. I reproduced this by doing a client run now task to uninstall VSE 8.8i from a client. I noticed that the task does not show any progress on the ePO console and the client agent status shows the error "Failed to upload package to the ePO server". This is not an acceptable bug for us, so we will hold off upgrading until McAfee fixes it. McAfee's workaround is to do a disaster recovery and to go back to the previous version. What is up with McAfee's QA process?

              • 4. Re: Failed to send HTTP request Error=12029 (DataChannel connectivity fails after upgrading to ePolicy Orchestrator 5.3.3)
                twenden

                For anyone who is affected by this, McAfee has updated the KB article. You have to reorder certain ciphers to get it to work. Going to test this today.

                 

                 

                Failed to send HTTP request Error=12029 (DataChannel connectivity fails after upgrading to ePolicy Orchestrator 5.3.3)

                 

                Technical Articles ID:   KB89858
                Last Modified:  10/5/2017


                 

                Environment

                McAfee ePolicy Orchestrator (ePO) 5.3.3

                 

                 

                Problem

                DataChannel connectivity between the ePO server service (Apache) and the Application Server service (Tomcat) stops working, resulting in functionality requiring the DataChannel to be negatively impacted.

                 

                This issue could manifest in many ways including, but not limited to:
                • McAfee Agent Wake Ups and Run Client Task Nows succeeding on the endpoint, but never reporting back status.
                • Drive Encryption activation failures.
                The ePO server_servername.log (located in ePO_install_dir\db\log) will include messaging that demonstrates its inability to communicate to the Application Server service, similar to the following:
                20170918133528 E #05472 MCUPLOAD SecureHttp.cpp(987): Failed to send HTTP request.  Error=12029 (12029)
                20170918133528 E #05472 NAIMSERV server.cpp(583): Failed to send request, err=0x80004005, HTTP status code=0
                20170918133528 E #05472 NAIMSERV server.cpp(968): Error sending data channel message to application server

                 

                System Change

                Upgraded ePO to 5.3.3.

                 

                This issue has not been observed on fresh installs of ePO 5.3.3, nor on ePO 5.9.

                Cause

                This issue appears to be related to a cipher suite security change present in ePO 5.3.3.

                 

                Solution

                Technical Support is investigating this issue. As a temporary measure, implement the following workaround.

                 

                 

                Workaround

                This issue can be resolved by reordering cipher suites on impacted Agent Handler(s).

                 

                NOTE: In an environment with only one ePO server and no remote handlers, the ePO server is an Agent Handler in this context.

                 

                Reorder the ciphers to have the following at the top:
                • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
                • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
                • TLS_RSA_WITH_AES_256_GCM_SHA384
                • TLS_RSA_WITH_AES_128_GCM_SHA256
                There are several ways to accomplish this task; the quickest and easiest involves using the third-party tool IISCrypto. You can download this tool from www.nartac.com/Products/IISCrypto and execute it without installation on the impacted Handler(s).

                 

                If third-party tools are disallowed in the environment, you can also make this change with a Windows Group Policy. For detailed steps, see:
                msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx.

                 


                Using IISCrypto
                1. Run IISCrypto on the handler and select Cipher Suites in the left column. The Available list displays.
                2. Select one of the checkboxes to turn all gray items white (indicating they are now active).

                  NOTE: The order has not been explicitly specified (which the tool represents by graying the checkboxes).
                3. Reorder the suites using the up/down buttons and click Apply.
                4. Restart the system; changes are not applied until after a restart.
                5. Confirm the error messages displayed in the Problem section are no longer present and DataChannel functionality (including encryption and Run Client Task Nows, for example) is fully operational.

                 

                 


                 


                 

                Affected Products


                ePolicy Orchestrator 5.3
                Known Issue/Product Defect

                 

                 

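An added example, not part of the thread or of McAfee's KB article: a Python check for steps 3 and 5 of the workaround, comparing a handler's suite list against the four suites the KB wants at the top and scanning server log lines for the DataChannel error signature at or after a given time (for instance the restart). The function names and the sample suite order are assumptions made for the illustration; how the ordered suite list is exported from the handler is left open.

```python
import re
from datetime import datetime

# Suites the KB workaround wants at the top of the list, in this order.
REQUIRED_TOP = [
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
]
# Layout of the KB's log excerpt: timestamp, level, #thread, module, file(line): message
LINE_RE = re.compile(r"^(\d{14}) (\w) #(\d+) (\w+) \S+\(\d+\): (.*)$")
SIGNATURE_RE = re.compile(r"Failed to send HTTP request\.\s+Error=12029"
                          r"|Error sending data channel message to application server")

def datachannel_errors(lines, since=None):
    """Return (timestamp, module, message) for DataChannel failures at or after `since`."""
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m.group(2) != "E" or not SIGNATURE_RE.search(m.group(5)):
            continue
        ts = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
        if since is None or ts >= since:
            hits.append((ts, m.group(4), m.group(5)))
    return hits

def cipher_order_problems(configured):
    """Compare the head of an ordered suite list with the order the KB requires."""
    suites = [s.strip() for s in configured if s.strip()]
    problems = []
    for pos, name in enumerate(REQUIRED_TOP):
        if name not in suites:
            problems.append(f"{name}: missing")
        elif (at := suites.index(name)) != pos:
            problems.append(f"{name}: at position {at + 1}, expected {pos + 1}")
    return problems

# The three log lines quoted in the KB article's Problem section.
SAMPLE_LOG = [
    "20170918133528 E #05472 MCUPLOAD SecureHttp.cpp(987): Failed to send HTTP request.  Error=12029 (12029)",
    "20170918133528 E #05472 NAIMSERV server.cpp(583): Failed to send request, err=0x80004005, HTTP status code=0",
    "20170918133528 E #05472 NAIMSERV server.cpp(968): Error sending data channel message to application server",
]
# Constructed suite order: the required suites are present but pushed down by one.
SAMPLE_ORDER = ["TLS_RSA_WITH_AES_128_CBC_SHA"] + REQUIRED_TOP

if __name__ == "__main__":
    print(datachannel_errors(SAMPLE_LOG))
    print(cipher_order_problems(SAMPLE_ORDER))
```

Passing the restart time as `since` turns the log scan into the step 5 confirmation: an empty result means none of the signature lines were written after the change took effect.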