9 Replies Latest reply on Mar 3, 2010 9:28 AM by jstanley

    Server/client keys?

    mrpg

      Hey Folks,

       

I'm having an issue, somehow my server key changed/got messed up and have worked with McAfee over the last week, the end result of which was that a new key was created for clients to pick up, however most clients don't seem to get it as they're immediately rejected by the server for having an unknown key\hash.  To get around that support has instructed me to run a frminst /forceuninstall on the clients in question then re-push the agent and instructed me on how I could create a pie-graph query to show agents with the defunct key- the report shows that the crap key\hash is on 3800+ agents.   I've been watching it over the past 2 days and the number of clients with/picking up the new server key hasn't changed much.

       

I just spent 4 months deploying to sites/child companies across the country and I'm only about 45% complete with that project and now I've hit this wall-  where I'm faced with basically starting over.

       

Anyone familiar with the keys\hash tech used with the agent?   Is there a way I can just pick the keys off the server and drop them on the client via script?  Also if I restore my ePO DB from before the time my keys got fubar'd can I retrieve the key from the DB?  How is the key given to the agent in the first place?  I need a way to do this, preferably scripts tied to GPO, that I can hand over to company admins spread across the country to hopefully rectify and complete this project by spring.

       

      Sorry for the essay post but I'm desperate- thanks.

        • 1. Re: Server/client keys?
          jstanley

          If the clients are failing to communicate with the EPO server due to security key issues then they will never be able to pick them up from EPO (because they are not communicating) so you will have to provide them the keys somehow.

           

          To address most of your questions below I need to know the following:

          • What version of EPO are you using?
          • What version of the agent are you using?
• If you're using MA 4.5 with EPO 4.5 are you using the secure communication port (443 by default) for agent-to-server communication or are you using the standard port (80 by default)?
• Any information on what led to this issue. Specifically did this occur after migrating EPO 4.5 to a new server?

           

There are ways to manually replace the keys (which differ depending on the above); however, you should be forewarned that many of them will be thwarted if VSE's Access Protection feature is enabled because it will prevent non-McAfee processes from altering the agent's files or registry keys.

          • 2. Re: Server/client keys?
            mrpg

            Hey Jeremy-  my env is ePO 4.5 build 753 with a mix of 4.0 and 4.5 agents. Specifically 4.0.0.1421, 1494 and 4.5.0.1270.  Also the same for communication, a mix of secure/non-secure as per communication type report, it shows about 70/30  HTTPS/HTTP.

             

The server was built new in July, Server 2003 Enterprise w/ SP2; backend is full blown MS SQL2005 all on the same box, I've just been managing client pushes/deploys since mid-August really.  I've had a few misc issues and a bug but they were all remedied by McAfee. 2 weeks ago, approx 4 or so days before this last issue, seemingly out of the blue, all my agent pushes were failing.  Gold support via a WebEx session found that my FramePkg was fubar'd and pointed me to a KB to rebuild it- this involved shutting down 3 ePO services and extracting 2 key files from srSERVER.zip in the keystore folder under the ePO install directory.  I followed the directions with the tech watching, once completed we manually ran the FramePkg and it installed fine, we then did a few deploys and all seemed fine until around the 7-8th.

             

Since then working with support we've tried to import the srSERVER.zip but it says the key is already there.  We've re-checked in VSE 8.7 and MAgent 4.5, we've removed and re-added the Agent extension.  I was also instructed to re-install the agent manually on all my repositories and re-sync them.  As of Friday a new key was created and I was told to wait a few days for agents to pick up the new key and to do the forceuninstall and re-deploy to all the affected clients that did not pick up the key.  I did a few uninstalls/re-deploys before leaving Friday, after the install it checked in ok and pulled policies but this morning they seemed to return to their defunct state.

            • 3. Re: Server/client keys?
              jstanley

              MA 4.5 using the secure communication port uses a different encryption method than MA 4.X using the standard secure port so if you are having this problem on both then it is 2 different problems. In one method we are encrypting the connection (standard SSL) and the other we are encrypting the payload.

               

It seems unlikely that you are having a problem with both so if I had to guess you are having a problem with either MA 4.0 communicating on the standard port or MA 4.5 communicating on the SSL port. From the information you posted above it sounds like the problem is MA 4.0 communicating on the standard port because those files you mention are the agent-to-server communication keys. The SSL keys are not in separate files rather the key is included in the sitelist.xml.

              • 4. Re: Server/client keys?
                mrpg

                My issue may be something different altogether then.  As I'm sure it exists on 4.0 and 4.5 agents.  One way I know for sure, is if I connect to a problem machine with either version and force a policy check, in the server.log I see this error;

                 

                ERROR: Failed to find server key matching agent (HOSTNAME) key hash: xxxXXXXxxXXXxxxxXXXXXXxxxx=

                 

                 

                *** Edit

                 

To add to that, when I first encountered the problem with my FramePkg.exe being corrupt and pushes failing- one of the things I was told to do was to downgrade the client- so I was shown how to enable having 2 agent versions in my repository and downloaded 4.0, checked it in and started deploying that.

                 

                 

                Message was edited by: mrpg on 12/16/09 2:57:57 PM GMT-05:00
                • 5. Re: Server/client keys?
                  jstanley

That error certainly indicates a client does not have a valid server key. To be clear you can get the above on both MA 4.0 and 4.5; however, the error would differ if you were using MA 4.5 on the secure port but if the agent is using the standard port it would behave identically to MA 4.0. Look in the agent log on a MA 4.5 client failing to communicate and you should see the following entry:

                  Connecting to site: <IP of your EPO server> on port: <whatever port it is using>

                  for example if your server's IP address is 192.168.1.5 and you are using the default secure communication port you would see this:

Connecting to site: 192.168.1.5 on port: 443

                   

                  That will tell you what port the client is using.

                   

                  At any rate if the clients indeed do have corrupted keys the easiest fix is going to be to reinstall the agent. Here is a more complicated method you could try without reinstalling the agent:

                  1. Disable VSE's Access Protection
                  2. Stop the McAfee Framework Service
                  3. Grab a copy of the following files from a working agent's data directory and replace them in the same directory on the broken agent (assumes default directory on WinXP):
                    • C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\srpubkey.bin
                    • C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\reqseckey.bin
                    • C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\sitelist.xml
                  4. Delete all of the BIN keys in this registry location: [HKLM\Software\Network Associates\ePolicy Orchestrator\Agent\Keys]
                  5. Start the McAfee Framework Service
                  6. Perform an ASCI

                   

                  Again I would recommend reinstalling the agent as an easier fix than the above.

                  • 6. Re: Server/client keys?
                    mrpg

I checked the logs of one of the 4.5 agents- it seems to try both- it first connects to port 443 then it tries to connect to 8080, see the log;

                     

                    2009-12-17 15:08:12    i    #1188    Agent    Agent started performing ASCI
                    2009-12-17 15:08:12    I    #1188    Agent    Agent is sending properties version to the ePO Server
                    2009-12-17 15:08:12    I    #1424    Agent    Started processing a package..
                    2009-12-17 15:08:12    I    #1424    Agent    Preparing Props Version Package
                    2009-12-17 15:08:12    I    #1424    Agent    Collecting IP address using Internet Manager
                    2009-12-17 15:08:12    I    #1424    naInet    HTTP Session initialized
                    2009-12-17 15:08:12    I    #1424    imsite    Connecting to site: 10.11.12.13 on port: 443
                    2009-12-17 15:08:12    I    #1424    naInet    HTTP Session closed
                    2009-12-17 15:08:12    I    #1424    SpiPkgr    Using sequence number 18
                    2009-12-17 15:08:12    i    #1424    Agent    Agent communication session started
                    2009-12-17 15:08:12    i    #1424    Agent    Agent is sending PROPS VERSION package to ePO server
                    2009-12-17 15:08:12    i    #1424    Agent    Agent is connecting to ePO server
                    2009-12-17 15:08:12    I    #1424    imutils    Trying with site: 10.11.12.13:8080
                    2009-12-17 15:08:12    I    #1424    naInet    HTTP Session initialized
                    2009-12-17 15:08:12    I    #1424    imsite        Upload from: C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack\pkg00129055540923990000_1507457812.spkg
                    2009-12-17 15:08:12    I    #1424    imsite        Upload response target: C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack\pkg00129055540924770000_3194968950.spkg
                    2009-12-17 15:08:12    I    #1424    imsite    NaInet library returned code == 13
                    2009-12-17 15:08:12    I    #1424    naInet    HTTP Session closed
                    2009-12-17 15:08:12    i    #1424    Agent    No package received from ePO Server
                    2009-12-17 15:08:12    i    #1424    Agent    Agent communication session closed

                     

                     

I've begun to re-deploy to the affected clients, I don't seem to have many scriptable/faster options.

                     

Thanks for all your help!  I'm a lot more informed on the process now, that's for sure.

                    • 7. Re: Server/client keys?
                      jstanley

This log excerpt indicates the client used port 443 (successfully). This line in the log is indeed a bit confusing:

                      Trying with site: 10.11.12.13:8080

                       

I'm not sure why the agent logs that but it seems to appear on both successful and unsuccessful communications. I typically just ignore it.

                       

This section indicates a successful connection on port 443:

2009-12-17 15:08:12    I    #1424    imsite    Connecting to site: 10.11.12.13 on port: 443
                      2009-12-17 15:08:12    I    #1424    naInet    HTTP Session closed
                      2009-12-17 15:08:12    I    #1424    SpiPkgr    Using sequence number 18
                      2009-12-17 15:08:12    i    #1424    Agent    Agent communication session started
                      2009-12-17 15:08:12    i    #1424    Agent    Agent is sending PROPS VERSION package to ePO server
                      2009-12-17 15:08:12    i    #1424    Agent    Agent is connecting to ePO server

                       

                      Essentially the agent would not start sending the PROPS VERSION package to the ePO server if it could not first establish a connection. This section indicates everything was successful (no error response from the EPO server after sending the package):

                      2009-12-17 15:08:12    I    #1424    imsite    NaInet library returned code == 13
                      2009-12-17 15:08:12    I    #1424    naInet    HTTP Session closed
                      2009-12-17 15:08:12    i    #1424    Agent    No package received from ePO Server
                      2009-12-17 15:08:12    i    #1424    Agent    Agent communication session closed

                      In particular the "NaInet library returned code" section is important. A sub-zero return code typically indicates a problem. For example NaInet library returned code == -14 would indicate an error.

                       

                      I hope that helps!
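As an added example (not from this thread, McAfee, or the ePO product), the log reading described in the replies above turned into a small Python triage script: it records the port of each agent connection attempt, flags negative NaInet return codes as failed exchanges, ignores the "Trying with site: ...:8080" line, and groups server.log "Failed to find server key" rejections by the key hash presented. The log lines are constructed to match the formats quoted in this thread; the hostnames and key hashes are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the agent log and server.log excerpts in this thread.
AGENT_LOG = """\
2009-12-17 15:08:12    I    #1424    imsite    Connecting to site: 10.11.12.13 on port: 443
2009-12-17 15:08:12    I    #1424    imutils    Trying with site: 10.11.12.13:8080
2009-12-17 15:08:12    I    #1424    imsite    NaInet library returned code == 13
2009-12-17 15:09:40    I    #1424    imsite    Connecting to site: 10.11.12.13 on port: 80
2009-12-17 15:09:40    I    #1424    imsite    NaInet library returned code == -14
"""
SERVER_LOG = """\
ERROR: Failed to find server key matching agent (WKS001) key hash: AAAAconstructedhash1=
ERROR: Failed to find server key matching agent (WKS002) key hash: AAAAconstructedhash1=
ERROR: Failed to find server key matching agent (WKS003) key hash: BBBBconstructedhash2=
"""

CONNECT_RE = re.compile(r"Connecting to site: (\S+) on port: (\d+)")
RETCODE_RE = re.compile(r"NaInet library returned code == (-?\d+)")
KEYFAIL_RE = re.compile(r"Failed to find server key matching agent \((\S+)\) key hash: (\S+)")


def triage_agent_log(text):
    """One record per connection attempt: server, port, NaInet return code, ok flag."""
    sessions, current = [], None
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:  # a new attempt; the 'Trying with site: ...:8080' line is deliberately ignored
            current = {"server": m.group(1), "port": int(m.group(2)), "code": None}
            sessions.append(current)
            continue
        m = RETCODE_RE.search(line)
        if m and current is not None:
            current["code"] = int(m.group(1))
    for s in sessions:  # a negative return code marks a failed exchange
        s["ok"] = s["code"] is not None and s["code"] >= 0
    return sessions


def rejected_keys(text):
    """Hosts rejected by the server, grouped by the unknown key hash they presented."""
    by_hash = defaultdict(set)
    for line in text.splitlines():
        m = KEYFAIL_RE.search(line)
        if m:
            by_hash[m.group(2)].add(m.group(1))
    return {h: sorted(hosts) for h, hosts in by_hash.items()}


if __name__ == "__main__":
    print(triage_agent_log(AGENT_LOG))
    print(rejected_keys(SERVER_LOG))
```

Point `rejected_keys` at the real server.log to see how many distinct hosts sit behind each unknown hash, which is the population the thread's pie-chart query was counting.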

                      • 8. Re: Server/client keys?
                        smalldog

Hi Jeremy Stanley, sorry for the old title but I have the same problem but my situation: install new ePO server with the same IP address, hostname but just have MA 4.0 can connect to ePO server and MA 4.5 is not. How to make MA 4.5 working like MA 4.0. Thanks for helping!

                        • 9. Re: Server/client keys?
                          jstanley

                          You may want to open a new thread and post the contents of your agent log as agent-to-server communication can fail for many different reasons. I'm not sure exactly what you mean by making MA 4.5 work like MA 4.0. If you mean you want MA 4.5 to use the standard agent-to-server communication port rather than the secure agent-to-server communication port you can do this in ePO 4.5 by going to Menu | Configuration | Server Settings | Ports | Edit and changing the Agent-to-server communication secure port to Disable and clicking save. After this you will have to re-push the agents to get them to start using the standard port.