Loading...

Knowledge Center

Unable to see both nodes of a cluster in the ePO directory when they share a MAC address
Technical Articles ID:   KB57886
Last Modified:  7/13/2018
Rated:

Environment

McAfee ePolicy Orchestrator (ePO) 5.x, 4.x
McAfee Agent (MA) 4.x

Problem

You are unable to see both nodes of a cluster in the ePO directory when the nodes share a MAC address. A single entry for these systems exists and the properties are regularly overwritten.

System Change

Network Load Balancing (NLB), VPN software, or some other software that allows two computers to share the same MAC address has been installed.

Cause

When an agent communicates with the ePO server, the server first checks whether the agent's GUID already exists in the database:
  • If the agent's GUID exists, ePO already knows this machine and does not need to add it to the database again.
  • If the agent's GUID does not exist, this computer is either completely new, or one whose GUID has been changed (for example, changed by a complete reinstallation of the agent).
To differentiate between these cases, if the GUID is unknown, the server performs an additional step and checks whether the MAC address is already known. If it is, the ePO server assumes that the computer's GUID has been changed, and it associates the new GUID with the database entry that contains the matching MAC address. However, this causes problems when multiple computers legitimately have the same MAC address (for example, in a Network Load Balancing scenario, or with teamed NICs).

In this situation, the first node to communicate will be added to the database correctly. However, when the second node communicates, its properties will replace those of the first node because it has a new GUID, but the same MAC address. When the first node communicates again, its properties will replace those of the second node, and so on. The end result is that only one node displays in ePO at any one time.

Solution

To resolve this situation, disable the additional MAC search on the server long enough to allow all the nodes to be added to the database.

NOTES:
  • If you have remote Agent Handlers, you must carry out this procedure on all Agent Handlers in your environment.
  • You must re-enable the MAC search when all the required nodes have been added to the database; otherwise, duplicate entries will be created in the database for any computers with a changed GUID.
  1. Disable the MAC search:
    1. Click Start, Run, type regedit, and click OK.
    2. If ePO is installed on a 32-bit OS, navigate to and select the following registry key:

      [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator]

      If ePO is installed on a 64-bit OS, navigate to and select the following registry key:

      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator]

    3. Right-click the ePolicy Orchestrator key and select New, Key.
    4. Type Options as the name of the new key.
    5. Right-click the new Options key and select New, String Value.
    6. Name the new string DisableMACSearch.
    7. Right-click the DisableMACSearch key and select Modify.
    8. Set the Value data to 1 and click OK.

    IMPORTANT:     Ensure the new value is created in the correct key. Confirm that the new key is either of the following:

    32-bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Options\DisableMACSearch] 
    64-bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432NodeNetwork Associates\ePolicy Orchestrator\Options\DisableMACSearch]

    Value data for DisableMACSearch is specified as     1.
     
  2. Restart the ePO services:
    1. Click Start, Run, type services.msc, and click OK.
    2. Right-click each of the following services for the version of ePO you are running and select Restart:

      McAfee ePolicy Orchestrator Application Server
      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server
       
  3. Allow the affected nodes to communicate with the ePO server.

    When the agents on the affected nodes communicate with the server, they should be added to the database and display in the relevant group (if sorting rules are enabled) or in the Lost and Found group.

    NOTE:     Either wait for the agents on the affected nodes to make their next scheduled communication, or force a communication by using the CMDAGENT.EXE /P command. For more information, see KB52707.
     
  4. When the affected nodes are correct in ePO:
    1. Enable the MAC search again by changing the value to 0 for the DisableMACSearch key.
       
      NOTE: See Step 1 for detailed instructions on accessing and editing the DisableMACSearch registry key.
       
    2. Restart the ePO services.

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Languages:

This article is available in the following languages:

English United States
Japanese

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.