Loading...

Knowledge Center


Sequence number invalid (computers running McAfee Agent fail to connect to the ePolicy Orchestrator server)
Technical Articles ID:   KB60776
Last Modified:  7/24/2019
Rated:


Environment

McAfee Agent (MA) 5.x
McAfee ePolicy Orchestrator (ePO) 5.x

Problem

One or more of the following symptoms are present:
  • Clients are unable to contact the ePO server because their sequence number is lower than the server expects.
  • Computers using Deep Freeze do not connect to the ePO server.
  • Imaged computers do not connect to the ePO server.
  • Restoring VMware snapshots or images causes the agent to fail to connect to the ePO server.
  • Restoring Microsoft Virtual PC snapshots or images causes the agent to fail to connect to the ePO server.
  • Clients that share a McAfee Agent GUID fail to connect to the ePO server.

Problem

Server.log records the following:
 
E
#7148 EPOServer
 Agent with GUID {XXXXXXXXXX-XXXX-...} sequence number invalid, expected 113 > 3716
E
 #7148   mod_epo 
Failed to process agent request

Problem

Agent_<computer_name>.log records the following messages:
 
I
#1492  
naInet    Reading acknowledgment from ePO Server
I
#1492  
naInet   Received response [] from ePO Server 
I
#1492  
 Naihttp Failed to get acknowledgement from Server 
E
#1492  
 Imsite   Error trace:
E
#1492  
 Imsite   [uploadFile,,/spipe/pkg?AgentGuid={91EEA947-D3FB-4CC2-AEC7-05D15CDB5C6A}&Source=Agent_3.0.0,pkg00129024970542750000_12124.spkg,C:\Documents and Settings\All Users\Administrator\McAfee\Common Framework\Unpack,C:\Documents and Settings\All Users\Administrator\McAfee\Common Framework\Unpack\pkg00129024970544780000_2913.spkg]->
E
#1492  
 Imsite   NaInet library returned code == -14
 

System Change

You deployed McAfee Agent through the ePO Server.

Cause

ePO uses an incremented sequencing algorithm to perform checks on client computers to prevent Replay Attacks. If agents communicate with the ePO server with a lower sequence number than it expects, the ePO server rejects the communication.

Sequence errors most commonly happen in situations where:
  • There are duplicate agent GUIDs
    Or
  • Where computers are restored back to a previous setting. In other words, restored to previous snapshots on a virtual machine that has an agent connected to an ePO server.

Solution

There are several ways for ePO administrators to find sequence error problems in the network.

NOTE: For instructions to reset the agent GUID, see KB56086.

The ePO database contains an EPOAgentSequenceErrorLog table. This table contains the following fields that help ePO administrators track down systems with communication errors related to sequence check errors:
  • AutoID - A unique key for the table.
  • AutoGUID - The agent GUID of the agent that failed the sequence number check.
  • NodeName - The computer name that failed the sequence number check.
  • IPAddress - The IP address of the computer that failed the sequence number check.
  • MACAddress - The MAC address of the computer that failed the sequence number check.
  • TheTimestamp - The server time of the sequence number check failure.
To use the following features, add the needed line to the [Server] section of Server.ini (located in C:\Program Files\McAfee\ePolicy Orchestrator\DB by default), then restart the ePO services.
 
 Feature Description  .INI File Addition  Examples
To set a limit to the sequence errors logged in the database on a per hour basis. Without any value set, the default hourly limit for the number of sequence errors that are tracked in the database is 1000.

NOTE: Regardless of this setting, all sequence errors are logged in the server.log file. This setting is only for the database.
 SequenceNumberErrorLogMaxErrorsPerHour SequenceNumberErrorLogMaxErrorsPerHour=1000
SequenceNumberErrorLogMaxErrorsPerHour=0 

NOTE: Setting this value to zero disables logging to the EPOAgentSequenceErrorLog table.
To set a history length in days for the sequence errors stored by the database.
If missing from server.ini, the default time span for the error sequence history is seven days.

The sequence error purge is run once at service startup, and then once every 24 hours. The purge removes the sequence errors from the EPOAgentSequenceErrorLog database table that are older than the defined time span.
 SequenceNumberErrorLogHistDays  SequenceNumberErrorLogHistDays=1
 SequenceNumberErrorLogHistDays=4
 SequenceNumberErrorLogHistDays=90
To disable sequence error checking on the ePO server. 

NOTE: Disabling this feature is not recommended.
 ConnectionsRequireValidSequenceNumber  ConnectionsRequireValidSequenceNumber=0

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.