Clients communicating with ePolicy Orchestrator via VPN disappear from the ePolicy Orchestrator tree

Technical Articles ID: KB52949
Last Modified: 2/6/2020

Environment

McAfee ePolicy Orchestrator (ePO) 5.x.

Problem

If you add a computer to the ePO tree, another computer disappears.

The common factor is that this issue happens with computers that connect via a Virtual Private Network (VPN).

Cause

You encounter this problem only when the first connection from a client to the ePO server takes place over a VPN connection.

NOTE: If the computer's first connection is via a Local Area Network (LAN), the correct Media Access Control (MAC) address is added to the table.

When a computer communicates with the ePO server via VPN, it uses the VPN virtual computer's MAC address and not its own actual MAC address. This VPN MAC address is usually the same for all computers connecting through the VPN.

This issue is not restricted only to VPN clients. Anything that could cause multiple computers to report the same MAC address can cause this problem. For example, if you clone a virtual machine and do not reset the MAC address, both computers report the same MAC address to ePO.

Solution

Steps for ePO 5.9.x:
If the computers have already connected via a VPN, create an entry in the ePOVirtualMacVendor table with the Organization Unique Identifier (OUI), which is part of the VPN MAC address:

Determine the VPN MAC address that must be added to the ePO VendorID field:

The best way to obtain the VPN MAC address. Identify a computer that has connected to the ePO Server for the first time via VPN. Then, remove the previous computer.

From the client, use the agent Status Monitor to Collect and Send Props.
Log on to the ePO console.
Click Systems.
Click the System Tree.
Locate the computer that has connected via VPN.
To view its properties, double-click the computer.
To the right of System Information, click More. You see the VPN MAC address collected from the client.
Scroll down and locate the MAC address. Make a note of the first six digits of this MAC address in the next step (for example, 00123F21ECED).

If you can't identify a computer using the virtual MAC, you can author a report to identify the computers:

Log on to the ePO console.
Click Menu, Reporting, Queries.
Click New Query.
Click System Management, Managed Systems and click Next.
Select Single Group Summary Table for Display Results As.
From the "Labels Are" drop-down list, select MAC Address under Computer Properties, click Next, and then click Next again.
Click Managed State under Managed Systems, select Equals from the Comparison drop-down list, and select Managed from the Value drop-down list.
Click Run.

You now have a list of MAC addresses with a count of the number of systems that report that particular MAC address. Ideally, it would be a one-to-one ratio. If you have more than one system sharing the MAC address, that is probably your issue.

To add the computer to the tree, modify the SQL script:

NOTE: For more information about running SQL scripts using OSQL for ePO, see KB67591.

The referenced article is available only to registered ServicePortal users.

To view registered articles:

Log on to the ServicePortal at http://support.mcafee.com.
Type the article ID in the search field on the home page.
Click Search or press Enter.

Use the following SQL command syntax to add the computer to the tree:

INSERT INTO ePOVirtualMacVendor (VendorID) values ('######')

In the above command, ###### is the first six digits of the VPN MAC address collected from the client, in all caps.

Example:
For a system with 00123F as the first six digits of the MAC address obtained in step 1:

INSERT INTO ePOVirtualMacVendor (VendorID) values ('00123F')

NOTE: After applying the solution, ePO still reports the clients MAC addresses as the Virtual MAC. The solution prevents ePO from using MAC addresses with the vendor ID as valid matching criteria.

Solution

Steps for ePO 5.10:
You can enter details such as the name of the organization, the reason to add the vendor, is you can also enter comments. This field does not accept the following special characters:

{
}
;
<
>
?

To add Vendor ID details:

Navigate to Menu, Configuration, Server Settings.
In the Server Settings page, click Virtual MAC Vendors in the Setting Categories pane. You see a list of vendors and their respective ID.
Click Edit.
In the Add New Virtual MAC Vendor area, enter a value in the Vendor ID field.

IMPORTANT:
- The Vendor ID must consist of six characters.
- It can be numeric (0–9), alphabetical (A to Z), or alphanumeric (combination of numbers and alphabets).
- A Vendor ID can't have special characters.

Enter the details in the Vendor Name/Note field.
To add more vendors, click Add MAC Vendor.
Click Save.

Previous Document ID

615809

Affected Products

ePolicy Orchestrator 5.9
ePolicy Orchestrator 5.10.x
Install/Uninstall

Languages:

This article is available in the following languages:

English United States
Japanese

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Clients communicating with ePolicy Orchestrator via VPN disappear from the ePolicy Orchestrator tree

Environment

Problem

Cause

Solution

Solution

Previous Document ID

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Featured Solutions

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

Clients communicating with ePolicy Orchestrator via VPN disappear from the ePolicy Orchestrator tree

Environment

Problem

Cause

Solution

Solution

Previous Document ID

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title