7 Replies Latest reply on Jun 1, 2010 12:32 AM by Attila Polinger

    Agents Cannot Update from a SADR

    epository

      We have several distributed repositories and replication is fine.

       

      Machines at these sites are getting a "Valid Repository Could not be Found" whenever they try to manually update their AV defs.

       

      age_MachineName.log on the Distributed Repository is showing

       

      2010-01-23 21:41:51 I #4084 LstnSvr CAsyncSocket::DoAccept for event: FD_ACCEPT

      LstnSvr [Port Blocking] Connection from 22.22.53.174 rejected

       

      for several hundred IPs

       

      SiteStat.xml is set to Enabled

       

      SiteList.xml is all in order on the machines.

       

      Set Logging to Level 8 and got:

       

      2010-01-23 21:40:12 X #7096 SiteHlp Getting Spipe site
      2010-01-23 21:40:12 X #7096 SiteHlp Free memory for Sitelist
      2010-01-23 21:40:12 X #7096 SiteHlp Free memory for Sitelist
      2010-01-23 21:40:12 X #7096 LstnSvr CAsyncSocket::Accept() hTemp=1552, rConnectedSocket=0x020d0f90
      2010-01-23 21:40:12 X #7096 LstnSvr CAsyncSocket::AttachHandle hSocket=1552 ,pSocket = 0x020d0f90, bRet=1
      2010-01-23 21:40:12 X #7096 LstnSvr [Port Blocking] port blocking feature is ON
      2010-01-23 21:40:12 X #7096 LstnSvr [Port Blocking] ePO server IP address: 22.22.20.122, Peer IP address: 22.35.38.145
      2010-01-23 21:40:12 X #7096 LstnSvr Leave CAsyncSocket::Release() hSocket=1080,nRef=1, Reason=0
      2010-01-23 21:40:12 X #7096 LstnSvr Inside SocketWndProc...
      2010-01-23 21:40:12 X #4248 LstnSvr WQThreadProc:  Calling CAsyncSocket::DoCallBack...
      2010-01-23 21:40:12 X #4248 LstnSvr CAsyncSocket::DoCallBack for event: FD_READ
      2010-01-23 21:40:12 X #4248 LstnSvr [Port Blocking] port blocking feature is ON
      2010-01-23 21:40:12 X #4248 LstnSvr [Port Blocking] ePO server IP address: 22.22.20.122, Peer IP address: 22.35.38.145
      2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - new request (t=4248,s=1552,r=2)
      2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - receiving (t=4248,s=1552,r=2)
      2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - received (t=4248,s=1552,r=2,b=93)
      2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - request status (t=4248,s=1552,r=2,rs=0)
      2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - process line (t=4248,s=1552,r=2,b=93,i=38)
      2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - process line (t=4248,s=1552,r=2,b=93,i=78)
      2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - process line (t=4248,s=1552,r=2,b=93,i=91)
      2010-01-23 21:40:12 I #4248 LstnSvr [Port Blocking] Connection from 22.35.38.145 rejected
      2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - request status != 2 (t=4248,s=1552,r=2,rs=5)
      2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - request status == 5 (t=4248,s=1552,r=2,rs=5)
      2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - AsyncSelect:  FD_WRITE | FD_CLOSE (t=4248,s=1552,r=2,rs=5)
      2010-01-23 21:40:12 X #4248 LstnSvr OnReceive -End Process (t=4248,s=1552,r=2)
      2010-01-23 21:40:12 X #7096 LstnSvr Inside SocketWndProc...
      2010-01-23 21:40:12 X #4248 LstnSvr OnReceive - Exit  (t=4248,s=1552,r=2)
      2010-01-23 21:40:12 X #4248 LstnSvr CAsyncSocket::DoCallBack:  Calling Release(0)...
      2010-01-23 21:40:12 X #5736 LstnSvr WQThreadProc:  Calling CAsyncSocket::DoCallBack...
      2010-01-23 21:40:12 X #4248 LstnSvr Leave CAsyncSocket::Release() hSocket=1552,nRef=1, Reason=0
      2010-01-23 21:40:12 X #4248 LstnSvr CAsyncSocket::DoCallBack:  Returned from Release(0)...
      2010-01-23 21:40:12 X #5736 LstnSvr CAsyncSocket::DoCallBack for event: FD_WRITE
      2010-01-23 21:40:12 X #4248 LstnSvr WQThreadProc:  Returned from CAsyncSocket::DoCallBack...
      2010-01-23 21:40:12 X #5736 LstnSvr OnSend - Enter (t=5736,s=1552,r=2)
      2010-01-23 21:40:12 X #5736 LstnSvr OnSend - process (t=5736,s=1552,r=2)
      2010-01-23 21:40:12 X #5736 LstnSvr OnSend - bytes left to send (t=5736,s=1552,r=2,b=0)
      2010-01-23 21:40:12 X #5736 LstnSvr OnSend - End Process (t=5736,s=1552,r=2)
      2010-01-23 21:40:12 X #5736 LstnSvr OnSend - total sent (t=5736,s=1552,r=2,b=0)
      2010-01-23 21:40:12 X #5736 LstnSvr OnSend - Setting killed (t=5736,s=1552,r=2)
      2010-01-23 21:40:12 X #5736 LstnSvr OnSend - Setting Release = TRUE (t=5736,s=1552,r=2)
      2010-01-23 21:40:12 X #5736 LstnSvr OnSend - Releasing:  RELEASE_REASON_ONSEND (t=5736,s=1552,r=2)
      2010-01-23 21:40:12 X #5736 LstnSvr Leave CAsyncSocket::Release() hSocket=1552,nRef=1, Reason=2
      2010-01-23 21:40:12 X #5736 LstnSvr CAsyncSocket::DoCallBack:  Calling Release(0)...
      2010-01-23 21:40:12 X #5736 LstnSvr Delete AsyncSocket object 0x020d0f90, reason=0, m_hSocket=1552
      2010-01-23 21:40:12 X #5736 LstnSvr  Enter ~CRequestSocket()
      2010-01-23 21:40:12 X #5736 LstnSvr  ~CRequestSocket()--m_pRequest->Release() iRefCount=0
      2010-01-23 21:40:12 X #5736 LstnSvr  ~CRequestSocket()--RequestSocket object 0x020d0f90 destructed
      2010-01-23 21:40:12 X #5736 LstnSvr CAsyncSocket::~CAsyncSocket m_hSocket=1552
      2010-01-23 21:40:12 X #5736 LstnSvr CAsyncSocket::KillSocket hSocket=1552
      2010-01-23 21:40:12 X #5736 LstnSvr CAsyncSocket::DetachHandle hSocket=1552
      2010-01-23 21:40:12 X #5736 LstnSvr Leave CAsyncSocket::Release() hSocket=1552,nRef=0, Reason=0
      2010-01-23 21:40:12 X #5736 LstnSvr CAsyncSocket::DoCallBack:  Returned from Release(0)...
      2010-01-23 21:40:12 X #5736 LstnSvr WQThreadProc:  Returned from CAsyncSocket::DoCallBack...
      2010-01-23 21:40:12 X #7096 LstnSvr Inside SocketWndProc...
      2010-01-23 21:40:12 I #7096 LstnSvr CAsyncSocket::DoAccept for event: FD_ACCEPT
      2010-01-23 21:40:12 X #7096 SiteHlp Constructing sites helper object
      2010-01-23 21:40:12 X #7096 SiteHlp Getting Sitelist file name
      2010-01-23 21:40:12 X #7096 SiteHlp Getting Sitelist versions
      2010-01-23 21:40:12 X #7096 IPLock readLock - providing read lock
      2010-01-23 21:40:12 X #7096 IPLock readUnLock - unlocking the read lock successful
      2010-01-23 21:40:12 X #7096 SiteHlp Get EPO Server IP Address
      2010-01-23 21:40:12 X #7096 SiteHlp Reading Sitelist
      2010-01-23 21:40:12 X #7096 IPLock readLock - providing read lock
      2010-01-23 21:40:12 X #7096 IPLock readUnLock - unlocking the read lock successful
      2010-01-23 21:40:12 X #7096 SiteHlp Reading site from SiteList
      2010-01-23 21:40:12 X #7096 SiteHlp Reading site from SiteList
      2010-01-23 21:40:12 X #7096 SiteHlp Reading site from SiteList

       

      Disabled IPS on the SADR - did not fix

      Restarted Framework service - did not fix

      Rebooted server - did not fix

      Forced a new incremental replication - did not fix

      Nothing showing up in the AV logs for the Distributed Repository

      Nothing showing up in the IPS logs on the Distributed Repository

      Checked settings on network management even

       

       

      Any ideas on how to shut off this port blocking feature?

       

      Distributed Repositories are running Agent 4.0

       

      Running ePO 4.0 on the main server

       

      Able to RDP into the server with no issues.

       

       

       

       

      NOTE: Upgraded agent to 4.5 on the SADR Repository and now the [Port Blocked] messages have disappeared. Agent on the ePO server was 4.0 as well... odd.

       

       

      Message was edited by: epository on 1/24/10 5:40:16 AM CST
        • 1. Re: Agents Cannot Update from a SADR

          Has your issue been resolved? I'm not a product expert but I've moved it to the ePO area.

          • 2. Re: Agents Cannot Update from a SADR
            epository

            Issue not resolved, but it is working now.........

             

            Not sure what the issue was.

            • 3. Re: Agents Cannot Update from a SADR
              Attila Polinger

              Hi,

               

              Just a vague idea: could you check if the "Accept connections from ePO server only" checkbox in the McAfee agent policy for those clients is set?

              Perhaps it has to do with "port blocking" feature activated on the client...

               

              Attila

              • 4. Re: Agents Cannot Update from a SADR
                epository

                Here is basically what is now happening.

                 

                SADRs won't replicate if agent 4.5 is installed on the SADR.

                 

                Downgrade the SADR's agent to 4.0 and replication is fine, but

                 

                start getting the port blocking messages in the SADR's agent log again.

                 

                Upgrade the SADR agent to 4.5 and the port blocking messages go away, but client still cannot update.

                 

                McScript log notes that they connect on the AgentPingPort to the local SADR.

                 

                Reinstall the agent on machines and they are updating normally.

                 

                Why? I don't know. McAfee has had the logs for analysis for 4 days now, but radio silence after spending 4 hours on the phone with them.

                 

                The result of the 4 hours was that I was to send them more agent logs.

                • 5. Re: Agents Cannot Update from a SADR
                  epository

                  We have 2 networks with 2 separate ePOs; both were set to accept connections only from ePO for the SADR policy.

                   

                  Changed the policy for the problem SADRs to accept connections from anywhere and now AV defs are fine.

                   

                  The other network still has the checkbox checked, but no issues with machines receiving AV defs.

                   

                  No consistency and no idea why one network has no issues with this and the other one does.

                   

                  BTW, when it says "connections" does it mean every type of connection?  I could access all of these SADR's via RDP from my workstation with no issues.

                   

                  No idea ....

                  • 6. Re: Agents Cannot Update from a SADR
                    Attila Polinger

                    Hi,

                     

                    can you tell what host is on IP 22.22.53.174? ..and on 22.22.38.145 ?

                     

                    Is SADR a "superagent distributed repository" ?

                     

                    What is the ePO server version and patch level?

                     

                    ..just trying to position myself within the environment.

                     

                    Also, what does the mcscript.log say on one client when the update is failing? Post a section around the error message with log level 8, please...

                     

                    Attila

                    • 7. Re: Agents Cannot Update from a SADR
                      Attila Polinger

                      Important: what type of access is set in the distributed repositories for agents to download signatures? FTP, HTTP or UNC or other?

                       

                      A.