1 2 Previous Next 14 Replies Latest reply: Jul 13, 2013 7:16 AM by aloubert RSS

    4.8 P1 Agents not updating from ePO 5.0

    fr0st

      Hi,

       

      My environment is ePO 5.0, VSE 8.8 P2 on Windows XP/7 and Mcafee agent 4.8 P1 and some older versions still remaining.

       

      The problem - newly installed agents (both fresh install and upgrade from previous versions) arent updating policies, tasks etc. from ePO server. Agent communication seems fine, the agents are reporting properly and I can see them in the ePO console but no policies are enforced, no tasks, nothing...

      Something I've noticed is that the SiteStat.xml and catalog.z files are missing on the problematic agents. The older agents are working fine, but I'm afraid to upgrade them.

      Part of the anegt log on a problematic agent:

      2013-07-10 11:13:10.202    I    #46584    Agent    Sending the next batch of immediate events

      2013-07-10 11:13:10.202    i    #46584    Agent    Agent is looking for events to upload

      2013-07-10 11:13:10.202    I    #46584    Agent    Agent did not find any events to upload

      2013-07-10 11:14:39.342    i    #46592    Agent    Agent Started Enforcing policies

      2013-07-10 11:14:39.342    I    #46592    Agent    Thread time-out occurred

      2013-07-10 11:14:39.342    I    #46592    Manage    Enforcing policies

      2013-07-10 11:14:39.342    i    #46592    Manage    Enforcing Policies for McAfee Agent

      2013-07-10 11:14:39.342    I    #46592    Agent    CePOAgent::EnforcePolicy priority=-2

      2013-07-10 11:14:39.342    I    #46592    Agent    Enforcing policies

      2013-07-10 11:14:39.342    I    #46592    LstnSvr    Enforcing Policies

      2013-07-10 11:14:39.342    I    #46592    Datastore    Did not find setting bEnableRelayService in section AgentListenServer for software ID EPOAGENT3000

      2013-07-10 11:14:39.342    I    #46592    Datastore    Did not find setting bEnableP2PService in section AgentListenServer for software ID EPOAGENT3000

      2013-07-10 11:14:39.342    I    #46592    Datastore    Did not find setting AgtServiceMgrPort in section AgentListenServer for software ID EPOAGENT3000

      2013-07-10 11:14:39.342    I    #46592    LstnSvr    Relay policy is disabled, hence, shutting down the service manager.

      2013-07-10 11:14:39.342    I    #46592    LstnSvr    EnforcePolicies--Service Manager stopped.

      2013-07-10 11:14:39.342    I    #46592    Logging    Enforcing policies

      2013-07-10 11:14:39.342    I    #46592    Manage    Enforcing policies

      2013-07-10 11:14:39.352    I    #46592    Datastore    Did not find setting LicenseKey in section EPOAGENT3000META for software ID EPOAGENT3000META

      2013-07-10 11:14:39.352    I    #46592    UsrSpCt    Enforcing policies

      2013-07-10 11:14:39.362    I    #46592    Sched    >>--CSchedule::EnforcePolicy

      2013-07-10 11:14:39.362    I    #46592    Sched    <<--CSchedule::EnforcePolicy

      2013-07-10 11:14:39.362    I    #46592    Datastore    Did not find section Telemetry for software ID EPOAGENT3000

      2013-07-10 11:14:39.362    I    #46592    Datastore    Did not find section Telemetry for software ID EPOAGENT3000

      2013-07-10 11:14:39.362    I    #46592    Datastore    Did not find section Telemetry for software ID EPOAGENT3000

      2013-07-10 11:14:39.362    I    #46592    Datastore    Did not find section Telemetry for software ID EPOAGENT3000

      2013-07-10 11:14:39.362    I    #46592    Manage    Policy enforcement is currently enabled

      2013-07-10 11:14:39.362    I    #46592    Manage    PIP task was not scheduled- PIP Package might not be avilable in repository or PIP deployment was opt out by policies

      2013-07-10 11:14:39.362    I    #46592    Manage    Initializing Event Interface

      2013-07-10 11:14:39.362    I    #46592    Manage    EpoEventInf Interface: Initialization succeeded.

      2013-07-10 11:14:39.362    i    #46592    Manage    Enforcing Policies for EPOAGENT3000META

      2013-07-10 11:14:39.372    i    #46592    Manage    Enforcing Policies for EPOAGENT3000

      2013-07-10 11:14:39.382    I    #46592    Manage    DeInitializing Event Interface

      2013-07-10 11:14:39.382    I    #46592    Manage    EpoEventInf Interface: Deinitialization succeeded.

      2013-07-10 11:14:39.382    i    #46592    Agent    Agent finished Enforcing policies

      2013-07-10 11:14:39.382    i    #46592    Agent    Next policy enforcement in 5 minutes

      2013-07-10 11:18:10.206    I    #46584    Agent    Sending the next batch of immediate events

      2013-07-10 11:18:10.206    i    #46584    Agent    Agent is looking for events to upload

      2013-07-10 11:18:10.206    I    #46584    Agent    Agent did not find any events to upload

       

      Part of the error log:

      2013-07-09 16:36:56.717    E    #2884    ServiceMgr    Error trace:

      2013-07-09 16:36:56.727    E    #2884    ServiceMgr      Not persisting SAHU_SERVER stat data. It is either invalid or not running currently

       

      The ePO server log shows no errors.

       

      Message was edited by: fr0st on 7/10/13 4:15:24 AM CDT
        • 1. Re: 4.8 P1 Agents not updating from ePO 5.0
          rackroyd

          Hard to say from that alone, the snippet shows the locally cached policies seem to be enforced but does not include the time when the agent talks to the ePO server.

           

          I found three prior instances of similar behaviour where all seemed ok but nothing actually got enforced in the product(s) managed.

           

          (1) was resolved by redeploying the agent a second time.

          (2) was down to an excessive number of locally defined HIPs product rules. Removing them resolved things.

          (3) was down to the Windows service pack version in the registry containing non-standard characters (for some reason).

               For that you'd check:

               HKLM\system\CurrentControlSet\control\windows   
               HKLM\system\controlset001\control\windows
               HKLM\system\controlset002\control\windows
               HKLM\software\Microsoft\Windows NT\CurrentVersion

               Value: CSDVersion

           

          Largely guesswork for the above, you might be better opening a support case with McAfee to have it fully inspected.

          • 2. Re: 4.8 P1 Agents not updating from ePO 5.0
            Tristan

            Could this be related to the issue that was in an SNS message i got the other day

             

            -- ========================================

             

            ePolicy Orchestrator (ePO) 5.0 servers installed with valid license key stop sending policies and tasks to agents after 90 days. 

            This issue occurs only with ePO 5.0.0.1160 and will be resolved in ePO 5.0.1. A hotfix and additional information are available in KnowledgeBase article KB78686.

            This article is available only to registered users. To view it, log into the McAfee ServicePortal at http://mysupport.mcafee.com and search for the article ID.

             

            -- ===================================

             

            Although i tried to veiw it with my service portal login but it's not there

            • 3. Re: 4.8 P1 Agents not updating from ePO 5.0
              fr0st

              That's exactly the problem Tristan, thank you.

               

              I've managed to find the KB78686 - here's the link https://kc.mcafee.com/corporate/index?page=content&id=KB78686&actp=search&viewlo cale=en_US&searchid=1373524116759

               

              The solution (other than to wait for new version of ePO) is to change one registry key:

               

              To verify that you require this hotfix, on the ePO 5.0.0.1160 server with a valid license (not evaluation), check the value of the following registry key.

               

              [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\NaiLite]
              @=""

              "Data"=hex:00

              If the key does not contain the value '00' as shown, apply the registry key fix, or upgrade to ePO 5.0.1 or later.

               

              Changgint the registry key and restarting ePO services fixed everything.

              • 4. Re: 4.8 P1 Agents not updating from ePO 5.0
                alphoenix

                Where did you find this article ?

                I followed the link above for the article KB78686, but I get a "article not found"...

                 

                Do you have a link to directly download the hotfix ?

                 

                ePO 5.0.1 isn't available till now, isn't it ?

                • 5. Re: 4.8 P1 Agents not updating from ePO 5.0
                  rackroyd

                  Hm, seems it's been classified as a 'registered' article, so you'd need to log in to acess it.

                  This means i can't post it here i'm afraid, nor can I post a link on a public forum - sorry.

                   

                  ePO 5.0.1 is not available yet.

                   

                  i suggest you contact McAfee support, as I said before.

                  • 6. Re: 4.8 P1 Agents not updating from ePO 5.0
                    aloubert

                    I need to login where ?

                    On the ServicePortal ?

                    That's what I did...

                     

                    But I found the article nowhere into the knowledge base, neither in the ePO section, nor in the McAfee Agent section...

                     

                    It's somewhere a shame such problems are "classified" !

                    This could simply completely "block" ePO, and there are protections to download corrections to YOUR bugs ???

                    We have paid to buy the software and that's still not sufficient to obtain hotfixes ? Unbelievable !

                    • 7. Re: 4.8 P1 Agents not updating from ePO 5.0
                      Tristan

                      I don't see the 'classified' issue as a problem. Like i said i got the notification from an SNS notice so it's not as if it's top secret.

                       

                      I managed to find the article in the end via my ServicePortal login but must admit it wasn't easy.

                       

                      As long as you've got a valid grant number then access to the fix via the website or calling support isn't an issue.

                      • 8. Re: 4.8 P1 Agents not updating from ePO 5.0
                        fr0st

                        Yes, you need to login to the service portal and search for ePolicy Orchestrator (ePO) 5.0 servers installed with valid license key stop sending policies and tasks to agents after 90 days

                         

                        Anyway, aloubert, I've posted the solution in my previous post - make the registry change on the ePO server and restart the services. I don't care if the hotfix is classified since every new version of McAfee software is breaking more things than fixing old issues... On top of this we (or our companies) are paying for this software.

                        • 9. Re: 4.8 P1 Agents not updating from ePO 5.0
                          rackroyd

                          'Registered' just means it's an article only visible to customers with a current McAfee grant id, it's not 'classified' in the sense it's secret.

                          This is a public forum, ergo as an employee I cannot post it directly here, or I would. That's all !

                          1 2 Previous Next