Unable to see both nodes of a cluster in the ePolicy Orchestrator directory when they share a MAC address

Technical Articles ID: KB57886
Last Modified: 7/31/2019

Environment

McAfee Agent (MA) 5.x
McAfee ePolicy Orchestrator (ePO) 5.x

Problem

You are unable to see both nodes of a cluster in the ePO directory when the nodes share a MAC address. A single entry for these systems exists and the properties are regularly overwritten.

System Change

Network Load Balancing (NLB), VPN software, or some other software that allows two computers to have the same MAC address has been installed.

Cause

When an agent communicates with the ePO server, the server first checks whether the agent's GUID exists in the database:

If the agent's GUID exists, ePO already knows this system and does not need to add it to the database again.
If the agent's GUID does not exist, this computer is either new, or the GUID has been changed. For example, it changed during a complete reinstallation of the agent.

To differentiate between these cases when the GUID is unknown, the server performs another step and checks whether the MAC address is already known. If it is, the ePO server assumes that the computer's GUID changed, and associates the new GUID with the database entry that contains the matching MAC address. But, this causes problems when multiple computers legitimately have the same MAC address, for example, in a Network Load Balancing scenario, or with teamed NICs.

In this situation, the first node to communicate will be added to the database correctly. But, when the second node communicates, its properties will replace those of the first node because it has a new GUID, but the same MAC address. When the first node communicates again, its properties will replace those of the second node, and so on. The end result is that only one node displays in ePO at any one time.

Solution

To resolve this situation, disable the additional MAC search on the server long enough to allow all the nodes to be added to the database.

NOTES:

If you have remote Agent Handlers, you must carry out this procedure on all Agent Handlers in your environment.
You must re-enable the MAC search when all the required nodes have been added to the database; otherwise, duplicate entries will be created in the database for any computers with a changed GUID.

Disable the MAC search:
1. Click Start, Run, type regedit, and click OK.
2. If ePO is installed on a 32-bit OS, navigate to and select the following registry key:
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator
  
  If ePO is installed on a 64-bit OS, navigate to and select the following registry key:
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator
3. Right-click the ePolicy Orchestrator key and select New, Key.
4. Type Options as the name of the new key.
5. Right-click the new Options key and select New, String Value.
6. Name the new string DisableMACSearch.
7. Right-click the DisableMACSearch key and select Modify.
8. Set the Value data to 1 and click OK.
IMPORTANT: Ensure that the new value is created in the correct key. Confirm that the new key is either of the following:

32-bit:
HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Options\DisableMACSearch

64-bit:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432NodeNetwork Associates\ePolicy Orchestrator\Options\DisableMACSearch

Value data for DisableMACSearch is specified as 1.
Restart the ePO services:
1. Click Start, Run, type services.msc, and click OK.
2. Right-click each of the following services for the version of ePO you are running and select Restart:
  
  McAfee ePolicy Orchestrator Application Server
  McAfee ePolicy Orchestrator Event Parser
  McAfee ePolicy Orchestrator Server
Allow the affected nodes to communicate with the ePO server.

When the agents on the affected nodes communicate with the server, they should be added to the database. They should appear in the relevant group if sorting rules are enabled, or in the Lost and Found group.

NOTE: Either wait for the agents on the affected nodes to make their next scheduled communication, or force a communication by using the CMDAGENT.EXE /P command. For more information, see KB52707.
When the affected nodes are correct in ePO:
1. Enable the MAC search again by changing the value to 0 for the DisableMACSearch key.
  
  NOTE: See step 1 for detailed instructions on accessing and editing the DisableMACSearch registry key.
2. Restart the ePO services.

Workaround

ePO 5.9.x
Add the MAC vendorID to the database using the instructions in KB52949.

ePO 5.10.0 or later.
This version has a new feature to add the MAC vendorID through the ePO console:

Click Menu, Server settings.
Click Virtual Mac Vendors.
Edit and add the following, and then click Save:
- Vendor ID
- Vendor name
- Note

Affected Products

ePolicy Orchestrator 5.9
ePolicy Orchestrator 5.10.x
McAfee Agent 4.8 (EOL)

Languages:

This article is available in the following languages:

English United States
Japanese

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Environment

Problem

System Change

Cause

Solution

Workaround

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Featured Solutions

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

Knowledge Center

Environment

Problem

System Change

Cause

Solution

Workaround

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title