8 Replies Latest reply on Aug 18, 2013 7:51 PM by jackb

    RSD sensors passive

    kmcin11

      Hi,

       

      I just upgraded the ePO server to 4.6.6 and the RSD sensors to 4.7.1.120. Before this upgrade, all sensors were operating without issues.

       

      Now, most sensors are in a passive state most of the time, but the exact numbers constantly change.

       

      The policy sets RSD to active, the Server IP address is correct, and DHCP monitoring is enabled with device details detection checked. I have tried both "Use ePO server to determine active sensors" and "Use Local Sensor Election" with all sensors active, to no avail.

       

      Within the Server Settings, all sensors are active.

       

      SensorStatus.jpg

      RSD_ServerSettings.jpg

      Is there a bug with RSD version 4.7.1.120? I did notice that the package's distribution type states "evaluation" within the master repository, which I can't seem to change.

       

      I appreciate any info concerning this issue.

       

      Thanks,

       

      K

        • 1. Re: RSD sensors passive
          kmcin11

          By the way, this is what the log file says:

           

          2013/07/12 09:13:00: I #01648 sensor   Starting Sensor.

          2013/07/12 09:13:00: I #01648 asdk     Initializing the data channel manager.

          2013/07/12 09:13:00: I #01648 asdk     Successfully loaded LPC runtime C:\Program Files (x86)\McAfee\Common Framework\LpcRT_4R6UYALZ\mfelpc.dll

          2013/07/12 09:13:00: I #01648 asdk     Initializing lpc data

          2013/07/12 09:13:00: I #01648 asdk     Registering software id RSD_____4700 with a hash value of 844830868

          2013/07/12 09:13:00: I #01648 asdk     Starting lpc connection manager

          2013/07/12 09:13:00: I #01648 asdk     Setting up watchdog component

          2013/07/12 09:13:00: I #04076 asdk     Running scheduled health check

          2013/07/12 09:13:00: I #04076 asdk     Signalling lpc availability to registrants.

          2013/07/12 09:13:00: I #04076 asdk     Invoking lpc revalidation on lpc available

          2013/07/12 09:13:00: I #04076 asdk     Cleaning up message queue

          2013/07/12 09:13:00: I #03268 asdk     starting poll thread for message queue

          2013/07/12 09:13:00: I #03268 asdk     signalled start to message queue

          2013/07/12 09:13:00: I #03268 asdk      Registering client channel for message type 844830868 extended id 1272854982 client id 2088252486

          2013/07/12 09:13:00: I #03268 asdk     Registering  client software id RSD_____4700:2256_1648:0001 with lpc server

          2013/07/12 09:13:00: I #03268 asdk     Adding channel for message queue 844830868 extended software id hash 1272854982 client id 2088252486

          2013/07/12 09:13:00: I #03268 asdk     Channel added to message queue successfully

          2013/07/12 09:13:00: I #03268 asdk     Getting message from message queue

          2013/07/12 09:13:00: I #04076 asdk     Done signalling lpc availability to registrants.

          2013/07/12 09:13:00: I #01648 asdk     Waiting LPC server availability

          2013/07/12 09:13:00: I #01648 asdk     LPC server is now available

          2013/07/12 09:13:00: I #01648 asdk     Subscribing to the data channel.

          2013/07/12 09:13:00: I #01648 asdk     Data message listener service initialized.

          2013/07/12 09:13:00: I #01648 asdk     Policy enforcement service initialized.

          2013/07/12 09:13:00: I #01648 asdk     Property Collector service initialized.

          2013/07/12 09:13:00: I #00444 asdk     Starting LPC runtime monitor

          2013/07/12 09:13:00: I #01648 sensor   Loading WinPcap

          2013/07/12 09:13:00: W #01648 sensor   The sensor is now in a disabled state. (by policy).

          2013/07/12 09:13:01: I #03268 asdk     Received reverse connect notification

          2013/07/12 09:13:01: I #03268 asdk     Getting message from message queue

          2013/07/12 09:13:01: W #03732 asdk     Service not available

          2013/07/12 09:13:01: I #03268 asdk     Received reverse connect notification

          2013/07/12 09:13:01: I #03268 asdk     Getting message from message queue

          2013/07/12 09:13:01: E #00556 asdk     Failed to find the password for the multicast certificate.  Continuing to wait for a valid message.

          2013/07/12 09:13:21: I #00444 asdk     Invalid method call

           

          Which policy is setting this sensor into disabled state? I have checked and re-checked the policy and I can't find any setting that I may have missed.

           

          Thanks,

           

          K

          • 2. Re: RSD sensors passive
            kmcin11

            Ok, I will answer this one myself since I found the solution and it may help others.

             

            The problem seemed to have stemmed from the "ePO Agent Key Updater" package in the master repository. Once I updated it to the newest available (matching the new Agent version 4.8.0.887), all sensors switched into active mode after a wakeup call was issued. So far none have switched back into passive mode and so I am hopeful that the outdated Key Updater package was the problem.

            • 3. Re: RSD sensors passive
              kmcin11

              Well, unfortunately the joy only lasted for a few hours. Now all of the sensors are passive again.

               

              Any help will certainly be appreciated.

               

              The logs say:

               

              2013/07/12 13:19:54: I #04068 sensor   Starting Sensor.

              2013/07/12 13:19:54: I #04068 asdk     Initializing the data channel manager.

              2013/07/12 13:19:54: I #04068 asdk     Successfully loaded LPC runtime C:\Program Files (x86)\McAfee\Common Framework\LpcRT_4R6UYALZ\mfelpc.dll

              2013/07/12 13:19:54: I #04068 asdk     Initializing lpc data

              2013/07/12 13:19:54: I #04068 asdk     Registering software id RSD_____4700 with a hash value of 844830868

              2013/07/12 13:19:54: I #04068 asdk     Starting lpc connection manager

              2013/07/12 13:19:54: I #04068 asdk     Setting up watchdog component

              2013/07/12 13:19:54: I #03952 asdk     Running scheduled health check

              2013/07/12 13:19:54: I #03952 asdk     Signalling lpc availability to registrants.

              2013/07/12 13:19:54: I #03952 asdk     Invoking lpc revalidation on lpc available

              2013/07/12 13:19:54: I #03952 asdk     Cleaning up message queue

              2013/07/12 13:19:54: I #00012 asdk     starting poll thread for message queue

              2013/07/12 13:19:54: I #00012 asdk     signalled start to message queue

              2013/07/12 13:19:54: I #00012 asdk      Registering client channel for message type 844830868 extended id 52258700 client id 2088252486

              2013/07/12 13:19:54: I #00012 asdk     Registering  client software id RSD_____4700:2776_4068:0001 with lpc server

              2013/07/12 13:19:54: I #00012 asdk     Adding channel for message queue 844830868 extended software id hash 52258700 client id 2088252486

              2013/07/12 13:19:54: I #00012 asdk     Channel added to message queue successfully

              2013/07/12 13:19:54: I #00012 asdk     Getting message from message queue

              2013/07/12 13:19:54: I #03952 asdk     Done signalling lpc availability to registrants.

              2013/07/12 13:19:54: I #04068 asdk     Waiting LPC server availability

              2013/07/12 13:19:54: I #04068 asdk     LPC server is now available

              2013/07/12 13:19:54: I #04068 asdk     Subscribing to the data channel.

              2013/07/12 13:19:54: I #04068 asdk     Data message listener service initialized.

              2013/07/12 13:19:54: I #04068 asdk     Policy enforcement service initialized.

              2013/07/12 13:19:54: I #04068 asdk     Property Collector service initialized.

              2013/07/12 13:19:54: I #03576 asdk     Starting LPC runtime monitor

              2013/07/12 13:19:54: I #04068 sensor   Loading WinPcap

              2013/07/12 13:19:54: W #04068 sensor   The sensor is now in a disabled state. (by policy).

              2013/07/12 13:19:58: I #00012 asdk     Received reverse connect notification

              2013/07/12 13:19:58: I #00012 asdk     Getting message from message queue

              2013/07/12 13:19:58: W #02420 asdk     Service not available

              2013/07/12 13:19:58: I #00012 asdk     Received reverse connect notification

              2013/07/12 13:19:58: I #00012 asdk     Getting message from message queue

              2013/07/12 13:19:58: I #02600 asdk     Recieved Acknowledgement message. (5)

              2013/07/12 13:19:58: I #00012 asdk     Received reverse connect notification

              2013/07/12 13:19:58: I #00012 asdk     Getting message from message queue

              2013/07/12 13:19:58: I #02420 asdk     Recieved Acknowledgement message. (3)

              2013/07/12 13:19:58: I #00012 asdk     Received reverse connect notification

              2013/07/12 13:19:58: I #00012 asdk     Getting message from message queue

              2013/07/12 13:19:58: I #00012 asdk     Received reverse connect notification

              2013/07/12 13:19:58: I #00012 asdk     Getting message from message queue

              2013/07/12 13:19:58: I #02420 sensor   Putting sensors to sleep!  Reason: Recvd a stop event

              2013/07/12 13:19:58: I #00012 asdk     Received reverse connect notification

              2013/07/12 13:19:58: I #00012 asdk     Getting message from message queue

              2013/07/12 13:20:15: I #03576 asdk     Invalid method call

              2013/07/12 13:20:16: I #00012 asdk     Received reverse connect notification

              2013/07/12 13:20:16: I #00012 asdk     Getting message from message queue

              2013/07/12 13:20:16: I #00012 asdk     Received reverse connect notification

              2013/07/12 13:20:16: I #00012 asdk     Getting message from message queue

              2013/07/12 13:20:16: I #02600 asdk     Getting Rogue Sensor properties.
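
Added example, not part of the original posts and not McAfee code: a small Python triage script for sensor logs in the format pasted above. It parses each line into timestamp, severity, thread id, component and message, then keeps every warning or error plus every line from the `sensor` component, since state changes such as "Putting sensors to sleep!" are logged at `I` level. The field layout is inferred from the excerpts in this thread, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Layout inferred from the excerpts in this thread (an assumption):
# "<date> <time>: <I|W|E> #<thread id> <component>   <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}): "
    r"(?P<sev>[IWE]) #(?P<tid>\d+) (?P<comp>\S+)\s+(?P<msg>.*)$"
)

# Sample input: lines copied from the two log excerpts posted in this thread.
SAMPLE = """\
2013/07/12 09:13:01: E #00556 asdk     Failed to find the password for the multicast certificate.  Continuing to wait for a valid message.
2013/07/12 13:19:54: I #04068 sensor   Starting Sensor.
2013/07/12 13:19:54: I #04068 sensor   Loading WinPcap
2013/07/12 13:19:54: W #04068 sensor   The sensor is now in a disabled state. (by policy).
2013/07/12 13:19:58: W #02420 asdk     Service not available
2013/07/12 13:19:58: I #02420 sensor   Putting sensors to sleep!  Reason: Recvd a stop event
2013/07/12 13:20:15: I #03576 asdk     Invalid method call
"""

def parse(text):
    """Return one dict per well-formed log line; skip blank or malformed lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y/%m/%d %H:%M:%S")
        event["tid"] = int(event["tid"])
        events.append(event)
    return events

def triage(events):
    """Keep warnings/errors from any component and all 'sensor' component lines."""
    return [e for e in events if e["sev"] in ("W", "E") or e["comp"] == "sensor"]

def severity_counts(events):
    """Count lines per severity letter (I, W, E)."""
    return Counter(e["sev"] for e in events)

if __name__ == "__main__":
    parsed = parse(SAMPLE)
    print(dict(severity_counts(parsed)))
    for e in triage(parsed):
        print(e["ts"].isoformat(" "), e["sev"], e["comp"], e["msg"])
```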

              • 4. Re: RSD sensors passive
                JoeBidgood

                Check the Rogue System Sensor configuration page under Server Settings - I suspect you may have the Sensors Per Subnet set to two active sensors (which is the default.)

                 

                HTH -

                 

                Joe

                • 5. Re: RSD sensors passive
                  kmcin11

                    Hi Joe,

                   

                  Thanks for your response.

                   

                  If you look at one of the screenshots I added to my first post, you will see that I set this area to activate all sensors. I also tried adding the number 43 (the amount of sensors we have), to no avail. Most sensors still appear passive, but the exceptions area does include rogues which were detected this morning, so apparently RSD is still somehow functioning. I can't tell though how well at the moment.

                   

                  One or two sensors do switch into active mode every once in a while, but out of 45, that is quite a low number. I had zero issues with these sensors until I upgraded to ePO 4.6.6 and sensor version 4.7.1.

                   

                  Thanks again and I will be very happy about any further comments/suggestions you can give,

                   

                  K

                   

                  Message was edited by: kmcin11 on 7/15/13 7:24:29 PM CDT
                  • 6. Re: RSD sensors passive

                    Hi Joe/Kmcin,

                     

                    Did you manage to find a fix/workaround?

                     

                    I am having a similar issue. Is there any bug for using 4.6.6 and sensor 4.7.1? Any way to force a passive RSD to show as active?

                     

                    Thanks.

                     

                    J

                    • 7. Re: RSD sensors passive
                      kmcin11

                      Hi Jack,

                       

                      As a matter of fact, yes, I found the solution (in my case anyway).

                       

                      The Client Task which installs RSD on all machines with a certain tag had a checkmark in for "

                       

                      Thanks,

                       

                      K

                       

                      Message was edited by: kmcin11 on 8/18/13 7:34:31 PM CDT
                      • 8. Re: RSD sensors passive

                        Hi Km,

                         

                        Thanks for the information. Unfortunately I do not have a client task for installing RSD on machines with a tag; I was doing it as a test to one assigned server by (right click - deploy rogue sensor). I have checked the product deployment task and that isn't ticked either.

                         

                        The weird thing is it is showing up as passive but it is picking up rogue machines on that subnet.

                         

                        J