Just upgraded the first productive server to 5.3.3, and no DataChannel issue. But we had a VM snapshot and database backup just in case.
That is good to know. I will test on my test ePO server next week and see what happens. We are a VM shop also, so I always do a VM snapshot also. This has saved my bacon in the past.
This morning, I decided to test ePO 5.3.3 after an upgrade from version 5.3.2. I can confirm that we do have this datachannel cipher suite bug. This I reproduced by doing a client run now task to uninstall VSE 8.8i from client. I noticed that the task does not show any progress on the ePO console and the client agent status shows errors "Failed to upload package to the ePO server". This is not an acceptable bug for us so we will hold off upgrading until McAfee fixes it. McAfee's workaround is to do a disaster recovery and to go back to the previous version. What is up with McAfee's QA process?
For anyone who is affected by this, McAfee has updated the KB article. You have to reorder certain ciphers to get it to work. Going to test this today.
Failed to send HTTP request Error=12029 (DataChannel connectivity fails after upgrading to ePolicy Orchestrator 5.3.3)
Technical Articles ID: KB89858
Last Modified: 10/5/2017
Environment: McAfee ePolicy Orchestrator (ePO) 5.3.3
Problem: DataChannel connectivity between the ePO server service (Apache) and the Application Server service (Tomcat) stops working, resulting in functionality requiring the DataChannel to be negatively impacted.
- McAfee Agent Wake Ups and Run Client Task Nows succeeding on the endpoint, but never reporting back status.
- Drive Encryption activation failures.
20170918133528 E #05472 MCUPLOAD SecureHttp.cpp(987): Failed to send HTTP request. Error=12029 (12029)
20170918133528 E #05472 NAIMSERV server.cpp(583): Failed to send request, err=0x80004005, HTTP status code=0
20170918133528 E #05472 NAIMSERV server.cpp(968): Error sending data channel message to application server
Upgraded ePO to 5.3.3.
This issue has not been observed on fresh installs of ePO 5.3.3, nor on ePO 5.9.
This issue appears to be related to a cipher suite security change present in ePO 5.3.3.
Solution: Technical Support is investigating this issue. As a temporary measure, implement the following workaround.
Workaround: This issue can be resolved by reordering cipher suites on impacted Agent Handler(s).
- Run IISCrypto on the handler and select Cipher Suites in the left column. The Available list displays.
- Select one of the checkboxes to turn all gray items white (indicating they are now active).
NOTE: The order has not been explicitly specified (which the tool represents by graying the checkboxes).
- Reorder the suites using the up/down buttons and click Apply.
- Restart the system; changes are not applied until after a restart.
- Confirm the error messages displayed in the Problem section are no longer present and DataChannel functionality (including encryption and Run Client Task Nows, for example) is fully operational.
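The last workaround step asks you to confirm that the error messages from the Problem section no longer appear after the restart. The following Python is an added example, not part of the post or of McAfee's article, that parses log lines in the layout quoted above and reports any of the three DataChannel errors logged at or after a given restart time. The function names, the restart time and the last two sample lines are constructed for illustration, and it assumes the log keeps the line layout of the quoted lines.

```python
import re
from datetime import datetime

# Layout of the lines quoted in the Problem section:
# <YYYYMMDDhhmmss> <level> #<thread> <module> <file>(<line>): <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{14})\s+(?P<level>[A-Z])\s+#(?P<thread>\d+)\s+"
    r"(?P<module>\S+)\s+(?P<src>\S+)\((?P<lineno>\d+)\):\s+(?P<msg>.*)$"
)

# The three error messages listed in the article.
SIGNATURES = {
    "http_request_12029": "Failed to send HTTP request. Error=12029",
    "send_request_failed": "Failed to send request, err=0x80004005",
    "datachannel_send": "Error sending data channel message to application server",
}

# First three lines are quoted from the article; the last two are constructed.
SAMPLE_LOG = """\
20170918133528 E #05472 MCUPLOAD SecureHttp.cpp(987): Failed to send HTTP request. Error=12029 (12029)
20170918133528 E #05472 NAIMSERV server.cpp(583): Failed to send request, err=0x80004005, HTTP status code=0
20170918133528 E #05472 NAIMSERV server.cpp(968): Error sending data channel message to application server
20170918150102 I #01200 NAIMSERV server.cpp(100): constructed informational line after restart
this line does not follow the layout and is skipped
""".splitlines()


def find_datachannel_errors(lines, since=None):
    """Return (timestamp, signature, module) for each matching E-level line at or after `since`."""
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["level"] != "E":
            continue
        ts = datetime.strptime(m["ts"], "%Y%m%d%H%M%S")
        if since is not None and ts < since:
            continue
        for name, text in SIGNATURES.items():
            if text in m["msg"]:
                hits.append((ts, name, m["module"]))
    return hits


def workaround_confirmed(lines, restart_time):
    """True when no DataChannel error was logged at or after the restart."""
    return not find_datachannel_errors(lines, since=restart_time)


if __name__ == "__main__":
    for ts, name, module in find_datachannel_errors(SAMPLE_LOG):
        print(ts.isoformat(), module, name)
    print(workaround_confirmed(SAMPLE_LOG, datetime(2017, 9, 18, 14, 0, 0)))
```

To use it on a real handler, pass the lines of the ePO server log file and the time the system came back up after the cipher suite change.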