2 Replies Latest reply on Jun 10, 2016 11:26 AM by falconevo

    Agent 5.0.2+ IPv6 Collect & Send Props - Loop/CPU time issue

    falconevo

      Hi,

       

      When using the following agent versions, 5.0.2.333 (current) & 5.0.3.272 (eval) a collect and send props loop is caused by IPv6 addressing.  EPO v 5.3


      Configuration that causes this loop

       

      Multiple network interfaces configured

      Primary Network interface - IPv4 routable only with no IPv6 allowed

      Secondary Backup interface - IPv6 unroutable address for backup network only


      Tested with or without firewall connectivity, same problem is present.  Occurs on physical and virtual equipment so is not dependent on hardware.

       

      When IPv6 is enabled on the secondary backup interface, the Mcafee agent will go in to a continuous collect & send props loop every 1-2 seconds.  The moment IPv6 is disabled the problem stops and Mcafee registers the IPv4 address with the EPO.  When the IPv6 address is not routable, the agent just continuously spams the EPO server and uses large amounts of CPU time (masvc.exe) on the server.

       

      Tested and verified on Windows 2008, 2008 R2, Windows 2012 R2 the same behavior is exhibited.

      AgentLoop.JPG

      Disable IPv6 and the problem goes away immediately but this is not viable in this environment as it would prevent backups being taken.  The following also resolves the issue but requires a server restart which is just not viable in the environment I manage.

       

      Add the following registry entry;

       

      HKLM\System\CurrentControlSet\services\Tcpip6\Parameters

      DWORD - DisabledComponents

      Value - 0x20


      Requires a restart but corrects the issue with the Mcafee agent continuously spamming itself and the CPU time to death.  Not a suitable fix for my environment as I cannot just take it upon myself to restart 3000+ servers, this is a problem on the Mcafee agent in Windows when IPv6 is available but unroutable for backup network purposes.  EPO CPU time is dramatically increased due to this issue and it is quite literally causing in excess of 50% CPU time on the EPO server.

       

      Anyone else come across this?  I am able to replicate it on a test EPO server also which is using EPO v5.1 and the current agent version.

        • 1. Re: Agent 5.0.2+ IPv6 Collect & Send Props - Loop/CPU time issue
          falconevo

          Further information to this, the key being populated in the registry that relates to this exact problem is the following;

           

          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\TVD\Shared Components\Framework

          REG_SZ - IPAddress

           

          This item is causing the IPv6 address to be used and displayed in the EPO server.  This registry item gathering an invalid IPv6 unroutable address is what is causing this problem.

           

          Things that have been tested;

           

          Interface metrics modified for IPv4 to take precedent = no difference

          Static routes via IPv4 interface = no difference

          Changed registry key as above with Mcafee agent services stopped = entry modified on next service startup and issue continues

          EPO IPv6 disabled or enabled = no difference

          Disable IPv6 on primary network interface = IPv6 address in EPO changes to alternate interface

           

          Can this be resolved to have a setting in the Mcafee agent to prefer IPv4 over IPv6 or at least give you the option for the network you wish to use rather than it using all network interfaces to latch itself on to.

           

          MACompatSVC log entries are just continual spam

          2016-06-10 16:58:36.443 macompatsvc(8020.7020) plugin.Info: Plugin client = MCDATREP1000, Starting property collection.

          2016-06-10 16:58:36.443 macompatsvc(8020.8764) plugin.Info: Calling get properties(A).

          2016-06-10 16:58:36.451 macompatsvc(8020.7020) plugin.Info: Calling get properties(W).

          2016-06-10 16:58:36.452 macompatsvc(8020.7020) plugin.Info: Property collection finished.

          2016-06-10 16:58:36.903 macompatsvc(8020.8764) plugin.Info: Property collection finished.

          2016-06-10 16:58:37.141 macompatsvc(8020.8764) plugin.Info: Plugin client = MCDATREP1000, Starting property collection.

          2016-06-10 16:58:37.141 macompatsvc(8020.7020) plugin.Info: Plugin client = VIRUSCAN8800, Starting property collection.

          2016-06-10 16:58:37.141 macompatsvc(8020.8764) plugin.Info: Calling get properties(W).

          2016-06-10 16:58:37.141 macompatsvc(8020.7020) plugin.Info: Calling get properties(A).

          2016-06-10 16:58:37.141 macompatsvc(8020.8764) plugin.Info: Property collection finished.

          2016-06-10 16:58:37.593 macompatsvc(8020.7020) plugin.Info: Property collection finished.

          2016-06-10 16:58:37.922 macompatsvc(8020.7020) plugin.Info: Plugin client = MCDATREP1000, Starting property collection.

          2016-06-10 16:58:37.922 macompatsvc(8020.8764) plugin.Info: Plugin client = VIRUSCAN8800, Starting property collection.

          2016-06-10 16:58:37.922 macompatsvc(8020.7020) plugin.Info: Calling get properties(W).

          2016-06-10 16:58:37.922 macompatsvc(8020.8764) plugin.Info: Calling get properties(A).

          2016-06-10 16:58:37.922 macompatsvc(8020.7020) plugin.Info: Property collection finished.

          2016-06-10 16:58:38.375 macompatsvc(8020.8764) plugin.Info: Property collection finished.

          2016-06-10 16:58:38.577 macompatsvc(8020.7020) plugin.Info: Plugin client = MCDATREP1000, Starting property collection.

          2016-06-10 16:58:38.577 macompatsvc(8020.8764) plugin.Info: Plugin client = VIRUSCAN8800, Starting property collection.

          2016-06-10 16:58:38.577 macompatsvc(8020.7020) plugin.Info: Calling get properties(W).

          2016-06-10 16:58:38.577 macompatsvc(8020.8764) plugin.Info: Calling get properties(A).

          2016-06-10 16:58:38.578 macompatsvc(8020.7020) plugin.Info: Property collection finished.

          2016-06-10 16:58:39.029 macompatsvc(8020.8764) plugin.Info: Property collection finished.

          2016-06-10 16:58:39.318 macompatsvc(8020.8764) plugin.Info: Plugin client = VIRUSCAN8800, Starting property collection.

          2016-06-10 16:58:39.318 macompatsvc(8020.7020) plugin.Info: Plugin client = MCDATREP1000, Starting property collection.

          2016-06-10 16:58:39.319 macompatsvc(8020.8764) plugin.Info: Calling get properties(A).

          2016-06-10 16:58:39.319 macompatsvc(8020.7020) plugin.Info: Calling get properties(W).

          2016-06-10 16:58:39.320 macompatsvc(8020.7020) plugin.Info: Property collection finished.

          2016-06-10 16:58:39.800 macompatsvc(8020.8764) plugin.Info: Property collection finished.

          2016-06-10 16:58:40.020 macompatsvc(8020.8764) plugin.Info: Plugin client = MCDATREP1000, Starting property collection.

          2016-06-10 16:58:40.020 macompatsvc(8020.7020) plugin.Info: Plugin client = VIRUSCAN8800, Starting property collection.

          2016-06-10 16:58:40.020 macompatsvc(8020.8764) plugin.Info: Calling get properties(W).

          2016-06-10 16:58:40.020 macompatsvc(8020.7020) plugin.Info: Calling get properties(A).

          2016-06-10 16:58:40.021 macompatsvc(8020.8764) plugin.Info: Property collection finished.

          2016-06-10 16:58:40.471 macompatsvc(8020.7020) plugin.Info: Property collection finished.

          2016-06-10 16:58:40.752 macompatsvc(8020.8764) plugin.Info: Plugin client = MCDATREP1000, Starting property collection.

          2016-06-10 16:58:40.752 macompatsvc(8020.7020) plugin.Info: Plugin client = VIRUSCAN8800, Starting property collection.

          2016-06-10 16:58:40.752 macompatsvc(8020.8764) plugin.Info: Calling get properties(W).

          2016-06-10 16:58:40.753 macompatsvc(8020.7020) plugin.Info: Calling get properties(A).

          2016-06-10 16:58:40.753 macompatsvc(8020.8764) plugin.Info: Property collection finished.

          2016-06-10 16:58:41.207 macompatsvc(8020.7020) plugin.Info: Property collection finished.

          • 2. Re: Agent 5.0.2+ IPv6 Collect & Send Props - Loop/CPU time issue
            falconevo

            Also, this article briefly grazes on the topic but the information in the KB is incorrect.

             

            https://kc.mcafee.com/corporate/index?page=content&id=KB53169

             

            The binding order is not utilised for the IP address assignment on the Mcafee Agent.  I have proven this in my testing, the binding order is ignored if an IPv6 address exists, even if the binding order of the network interfaces is lower.  If IPv6 exists on ANY interface, it over rides the binding order behavior supposedly claimed in the KB article.

             

            To give you an idea of what this is causing, the CPU on this EPO before IPv6 was implemented inside the agent was around 2-3% average.  Due to the amount of machines spamming collect/send props with invalid IPv6 addressing, this is now the CPU usage on this EPO.

             

            CPUUsageEPO.JPG