8 Replies Latest reply on Jan 6, 2010 1:43 PM by adirk

    Agent to Server Communication Fails [Parent error: NaInet library returned code == -88]

      Forum,

       

      We are getting an issue where all our agents are unable to communicate with our ePO 4.5 server. Details below:

       

      - ePO 4.5, McAfee Agent 4.5 (2700 clients)

      - I have re-created the server key

      - Push agent onto client, force install but still the same issue exists

      - There is no reference on McAfee on what [Parent error: NaInet library returned code == -88] means

      - I have a current support case open with McAfee just trying to see if anyone has any other feedback on this issue.

       

       

      2010-01-06 14:40:30 i #4368 Agent Agent is sending FULL PROPS package to ePO server
      2010-01-06 14:40:30 i #4368 Agent Agent is connecting to ePO server
      2010-01-06 14:40:30 I #4368 imutils Trying with site: 10.181.3.68:89
      2010-01-06 14:40:30 I #4368 naInet HTTP Session initialized
      2010-01-06 14:40:30 I #4368 imsite  Upload from: C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack\pkg00129072246307370000_3748081455.spkg
      2010-01-06 14:40:30 I #4368 imsite  Upload response target: C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack\pkg00129072246307840000_1263039018.spkg
      2010-01-06 14:40:30 E #4368 imsite Error trace:
      2010-01-06 14:40:30 E #4368 imsite  [uploadFile,,/spipe/pkg?AgentGuid={534130CC-9D79-4857-A92E-A497FE0C784E}&Source =Agent_3.0.0,pkg00129072246307370000_3748081455.spkg,C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack,C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack\pkg00129072246307840000_1263039018.spkg]->
      2010-01-06 14:40:30 E #4368 imsite   NaInet library returned code == -88
      2010-01-06 14:40:30 E #4368 imsite Error trace:
      2010-01-06 14:40:30 E #4368 imsite  [uploadFile,,/spipe/pkg?AgentGuid={534130CC-9D79-4857-A92E-A497FE0C784E}&Source =Agent_3.0.0,pkg00129072246307370000_3748081455.spkg,C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack,C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack\pkg00129072246307840000_1263039018.spkg]->
      2010-01-06 14:40:30 E #4368 imsite   NaInet library returned code == -88
      2010-01-06 14:40:30 E #4368 imsite Error trace:
      2010-01-06 14:40:30 E #4368 imsite  [uploadFile,,/spipe/pkg?AgentGuid={534130CC-9D79-4857-A92E-A497FE0C784E}&Source =Agent_3.0.0,pkg00129072246307370000_3748081455.spkg,C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack,C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Unpack\pkg00129072246307840000_1263039018.spkg]->
      2010-01-06 14:40:30 E #4368 imsite   The naInet library returned an error. [Parent error: NaInet library returned code == -88]
      2010-01-06 14:40:30 I #4368 naInet HTTP Session closed
      2010-01-06 14:40:30 e #4368 Agent Agent failed to communicate with ePO Server
      2010-01-06 14:40:30 i #4368 Agent Agent communication session closed


        • 1. Re: Agent to Server Communication Fails [Parent error: NaInet library returned code == -88]
          jstanley

          If all of your agents are failing to communicate then it is most likely a problem with the EPO server's Apache SSL security certificate. To confirm this take a look at the last entry in your server.log located here by default:

          C:\Program Files\McAfee\ePolicy Orchestrator\DB\Logs\server.log

           

          If the last entry in that log is "the ePO server has stopped" then your SSL cert is most likely broken. This issue can often occur if you have migrated EPO to a new server or if you have renamed the EPO server (or joined it to a domain after installing EPO).

          You should be able to resolve the problem by implementing steps 8-12 in KB66616:

          https://kc.mcafee.com/corporate/index?page=content&id=KB66616

           

          Try those steps first without removing the SSL certs that currently exist in C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF\. If that does not resolve the problem then move all the files in that directory out and run through steps 8-12 in KB66616 again. After you restart your apache service be sure to check the last entry in the server.log and confirm it is not "the ePO server has stopped". Assuming it is not then check to make sure your agents are not communicating. If they aren't then you may have to re-deploy the agents depending on how the ePO server arrived in this situation in the first place.

          • 2. Re: Agent to Server Communication Fails [Parent error: NaInet library returned code == -88]

            Hi Jeremy, thank you for your response,

             

            This was the KB that I was following throughout this issue. We have already had to re-install the ePO app and restore the database to get it up and running again; this is the last of the issues. The ePO server has started correctly, as indicated within the server.log.

             

            We initially had the reverse of this issue with agents able to talk to the server but the server (wakeup calls) unable to communicate to the agents. To resolve this we re-created the server Apache key and it has reversed this issue (this is not as preferred as I now have no visibility of events/compliance etc and our environment is still not fixed 100%).

             

            Would you recommend trying to restore the old Apache server keys and running through the same process 8-12? Is there any risk of corrupting the database in doing this?

            • 3. Re: Agent to Server Communication Fails [Parent error: NaInet library returned code == -88]
              jstanley

              To answer your question, yes, you should try restoring your old apache SSL certs and going through steps 8-12 again. Worst case scenario would be you would have to remove the certs and re-run the command to generate new ones and be right back where you are now. It should not corrupt the DB but if you are concerned about that you should make sure you have a recent backup of the EPO DB. This is a good idea in general.

               

              If I understand your response above your agents were successfully communicating with the ePO server on the secure port and you re-generated the certs to resolve an agent wakeup call problem? This does not make sense because if your certs were broken (i.e. the last entry in the server.log was the ePO server has stopped) and this was the cause of your agent wakeup call problem (which it could have been) then none of your agents would have been able to communicate successfully. If that was not the root-cause of your agent wakeup call problem then re-generating the certs would not have helped. I think we are missing a piece of the puzzle. How did the ePO server arrive in this situation to begin with? Was the server migrated/renamed? Did a patch install fail? It may be helpful to know this to determine the solution.

              • 4. Re: Agent to Server Communication Fails [Parent error: NaInet library returned code == -88]

                Hmm, I have restored the Apache certs and received the same issue. I have now tried to re-generate the certificates by leaving a blank ssl.crt folder, and when executing the command I receive this error:

                 

                20100106165040 I #5788 AHSETUP  Creating Agent Handler Certs.
                20100106165040 I #5788 MCUPLOAD Successfully disabled CA trust options.
                20100106165042 E #5788 MCUPLOAD Failed to process the secure communication request.  Error=The thread is not in background processing mode.

                20100106165042 E #5788 AHSETUP  Received an error from the server.  Error=401.

                 

                We re-generated the certificates to hopefully resolve the agent to server issue because this is what McAfee support told me to do, but it didn't work. The issue started nearly 3 weeks ago; we were receiving an error within the system tree and Orion log file:

                 

                2009-12-23 14:57:00,013 ERROR [http-8443-Processor18] query.dashboardResult_jsp]  - Servlet.service() for servlet org.apache.jsp.query.dashboardResult_jsp threw exception

                com.mcafee.orion.core.query.sexp.SerializationException: could not find all of the foreign keys necessary to join EPOLeafNode with EPOLeafNodeEPOProdPropsView_VIRUSCANEPOProdPropsView_EPOAGENT

                 

                This issue also stopped updates and reporting; basically the entire ePO was unmanageable. We uploaded the DB to McAfee support who said it was fine and were unable to find any corrupt system files. We re-installed ePO 4.5 and re-attached a working version of the database from before we encountered issues, re-generated the certificates, and this has got us in the position we have today: a semi-working ePO 4.5 with agents not able to communicate to ePO.

                 

                Any ideas, a lot of us are scratching our heads including McAfee support and why I'm trying to reach a wider audience on here for any ideas. If not resolved shortly I will need to re-build the environment and point all agents to a new ePO server.

                 

                • 5. Re: Agent to Server Communication Fails [Parent error: NaInet library returned code == -88]

                  I have restored to the previous keys and the server log file has the ePO server stopped, can you please advise the steps to re-generate these keys again...

                   

                  20100106162933 I #5608 NAIMSRV  ePolicy Orchestrator server stopped.
                  20100106171033 I #11860 NAISIGN  Loading fips module, current folder: D:\epolicy orchestrator\Apache2
                  20100106171033 I #11860 NAISIGN  Checking for fips module in D:\EPOLIC~1
                  20100106171033 I #11860 NAISIGN  Found fips module: D:\EPOLIC~1\cryptocme2.dll
                  20100106171033 I #11860 NAISIGN  FIPS library initialized successfully
                  20100106171033 I #11860 RULEENG  Starting EPO RuleEngine
                  20100106171033 I #11860 NAISIGN  Loading fips module, current folder: D:\EPOLIC~1
                  20100106171033 I #11860 NAISIGN  Checking for fips module in D:\EPOLIC~1
                  20100106171033 I #11860 NAISIGN  Found fips module: D:\EPOLIC~1\cryptocme2.dll
                  20100106171033 I #11860 NAISIGN  FIPS library initialized successfully
                  20100106171033 I #11860 NAIMSRV  Initializing server...
                  20100106171033 I #11860 NAIMSRV  Initializing DAL Connection Pool...
                  20100106171033 I #11860 NAIMSRV  DAL Connection Pool Initialized.
                  20100106171033 I #11860 NAISIGN  Loading fips module, current folder: D:\EPOLIC~1
                  20100106171033 I #11860 NAISIGN  Checking for fips module in D:\EPOLIC~1
                  20100106171033 I #11860 NAISIGN  Found fips module: D:\EPOLIC~1\cryptocme2.dll
                  20100106171033 I #11860 NAISIGN  FIPS library initialized successfully
                  20100106171033 I #11860 NAIMSRV  Server state at startup: Enabled
                  20100106171033 E #11860 NAISIGN  Failed to decrypt data.  Error=-2146893819
                  20100106171033 E #11860 NAISIGN  Failed to decrypt data.  Error=Bad Data (-2146893819)
                  20100106171033 E #11860 NAIMSRV  Failed to decrypt using the certificate.
                  20100106171033 E #11860 NAIMSRV  Failed to process server key information
                  20100106171033 I #11860 NAIMSRV  Shutting down server...
                  20100106171033 I #11860 NAIMSRV  Releasing DAL Connection Pool...
                  20100106171033 I #11860 NAIMSRV  Releasing File Locks...
                  20100106171033 I #11860 NAIMSRV  Releasing Agent Cache...
                  20100106171033 I #11860 NAIMSRV  Releasing Task Cache...
                  20100106171033 I #11860 NAIMSRV  Cleaning up temp directory...
                  20100106171033 I #11860 NAIMSRV  ePolicy Orchestrator server stopped.

                  • 7. Re: Agent to Server Communication Fails [Parent error: NaInet library returned code == -88]

                    Hi,

                     

                    I wanted to make a few comments about this issue.

                     

                    1.  First I would like to point out that if you get a -88 error that does not mean there is a certificate problem.  The -88 error means that there was a generic problem communicating to the ePO server.  In order to determine if you are having a certificate issue then you should turn on log level 8 on the agent and re-try the communication.  If there is a certificate problem then the agent log will show a lib curl error 60 i.e. "2009-11-03 15:56:31 X #21992 naInet curl returned 60".


                    2.  When you tried regenerating the certificates you received a 401 error.  This error means access denied.  Did you enter your user name and password in correctly?  The user must be a global admin for this to work.  Also make sure the ePO server is fully running when trying to do this.


                    3.  The "Failed to decrypt data" error message means that there was a certificate problem when starting up the Agent Handler.  This does mean you need to regenerate the certificates (as you tried doing in patch 2).  In ePO 4.5 patch 1, the Agent Handler will try to regenerate the certificates automatically when it gets into this state.

                     

                    Hope this helps,

                    Andy

                    • 8. Re: Agent to Server Communication Fails [Parent error: NaInet library returned code == -88]
                      jstanley

                      Correct, "Parent error: NaInet library returned code == -88" does not directly indicate a problem with the apache certs (it's an error returned when the error did not match any of the known curl errors); however, if you have a problem with the apache certs on the ePO server that is exactly the error you will receive in the agent log on the client machine. Also, if you read the original post it indicates that ALL agents are failing to communicate, which points to a server-side problem, not a client-side problem.

                       

                      That said this error in the server.log DOES indicate a problem with the apache certs:

                      20100106171033 I #11860 NAIMSRV  ePolicy Orchestrator server stopped.

                       

                      As for point 3...that is true but he is not using EPO 4.5 patch 1 and the patch install has a high probability to fail if the server is not currently in a working state.

                       

                       

                      Message was edited by: Jeremy Stanley on 1/6/10 2:19:46 PM CST

                       

                       

                      Message was edited by: Jeremy Stanley on 1/6/10 2:20:47 PM CST
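
The log triage rules discussed across replies 1, 7 and 8, written out as an added example (not part of any poster's message and not McAfee tooling). The function names and result labels are hypothetical; the sample lines are copied from the logs quoted in this thread.

```python
import re

# Agent log line:  "2010-01-06 14:40:30 E #4368 imsite   <message>"
# server.log line: "20100106171033 E #11860 NAISIGN  <message>"
LINE = re.compile(r"^\s*(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d|\d{14})\s+(\w)\s+#\d+\s+(\S+)\s+(.*)$")

def parse(text):
    """Return (severity, component, message) for every well-formed log line."""
    hits = (LINE.match(raw) for raw in text.splitlines())
    return [(m.group(1).upper(), m.group(2), m.group(3).strip()) for m in hits if m]

def triage_agent(text):
    """curl 60 (visible at log level 8) means certificate; -88 alone is generic."""
    msgs = [msg for _, _, msg in parse(text)]
    if any(re.search(r"curl returned 60\b", m) for m in msgs):
        return "certificate"
    if any("returned code == -88" in m for m in msgs):
        return "generic-comm-failure"
    return "no-finding"

def triage_server(text):
    """Findings from server.log: its last entry plus any error-level lines."""
    entries, findings = parse(text), set()
    if entries and "server stopped" in entries[-1][2]:
        findings.add("server-stopped")
    for sev, _, msg in entries:
        if sev == "E" and "Failed to decrypt" in msg:
            findings.add("cert-decrypt-failure")
        if sev == "E" and re.search(r"Error=401\b", msg):
            findings.add("access-denied")
    return findings

# Sample lines copied from the logs quoted in this thread.
AGENT_88 = """2010-01-06 14:40:30 E #4368 imsite Error trace:
2010-01-06 14:40:30 E #4368 imsite   NaInet library returned code == -88
2010-01-06 14:40:30 e #4368 Agent Agent failed to communicate with ePO Server"""
AGENT_CURL60 = AGENT_88 + "\n2009-11-03 15:56:31 X #21992 naInet curl returned 60"
SERVER_LOG = """20100106171033 E #11860 NAISIGN  Failed to decrypt data.  Error=Bad Data (-2146893819)
20100106171033 E #11860 NAIMSRV  Failed to process server key information
20100106171033 I #11860 NAIMSRV  ePolicy Orchestrator server stopped."""
AHSETUP_LOG = """20100106165040 I #5788 AHSETUP  Creating Agent Handler Certs.
20100106165042 E #5788 AHSETUP  Received an error from the server.  Error=401."""

if __name__ == "__main__":
    print(triage_agent(AGENT_88), triage_agent(AGENT_CURL60))
    print(sorted(triage_server(SERVER_LOG)), sorted(triage_server(AHSETUP_LOG)))
```

A "generic-comm-failure" result on the agent side is only a prompt to look at server.log, since the thread notes that -88 by itself does not distinguish a certificate fault from any other connection failure.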