Loading...

Knowledge Center


Sequence number invalid (computers running McAfee Agent fail to connect to the ePolicy Orchestrator server)
Technical Articles ID:   KB60776
Last Modified:  7/9/2018
Rated:


Environment

McAfee Agent (MA) 5.x, 4.x
McAfee ePolicy Orchestrator (ePO) 5.x

Problem

One or more of the following symptoms are present:
  • Clients are unable to contact the ePO server because their sequence number is lower than the server expects.
  • Computers using Deep Freeze are not connecting to the ePO server.
  • Imaged computers do not connect to the ePO server.
  • Restoring VMware snapshots/images causes the agent to fail to connect to the ePO server.
  • Restoring Microsoft Virtual PC snapshots/images causes the agent to fail to connect to the ePO server.
  • Clients sharing the same agent GUID fail to connect to the ePO server.

Problem

The following messages are recorded in the Server.log file:

20090101010101   E   #7148   EPOServer     Agent with GUID {XXXXXXXXXX-XXXX-...} sequence number invalid, expected 113 > 3716
20090101010101   E   #7148   mod_epo Failed to process agent request

Problem

The following messages are recorded in the agent_<computer_name>.log:

2009-11-12 11:57:34        I        #1492        naInet        Reading acknowledgement from ePO Server
2009-11-12 11:57:34        I        #1492        naInet        Received response [] from ePO Server
2009-11-12 11:57:34        I        #1492        naihttp       Failed to get acknowledgement from Server
2009-11-12 11:57:34        E       #1492        imsite        Error trace:
2009-11-12 11:57:34        E       #1492        imsite        [uploadFile,,/spipe/pkg?AgentGuid={91EEA947-D3FB-4CC2-AEC7-05D15CDB5C6A}&Source=Agent_3.0.0,pkg00129024970542750000_12124.spkg,C:\Documents and Settings\All Users\Administrator\McAfee\Common Framework\Unpack,C:\Documents and Settings\All Users\Administrator\McAfee\Common Framework\Unpack\pkg00129024970544780000_2913.spkg]->
2009-11-12 11:57:34        E       #1492        imsite         NaInet library returned code == -14

System Change

Deployed McAfee Agent through ePO server.

Cause

ePO performs checks on client computers to prevent Replay Attacks using an incremented sequencing algorithm. If agents communicate with the ePO server with a lower sequence number than it expects, the ePO server rejects the communication.

Sequence errors most commonly happen in situations where there are duplicate agent GUIDs or where computers are restored back to a previous setting (in other words, restoring to previous snapshots on a virtual machine that has an agent connected to an ePO server).

Solution

There are several ways for ePO administrators to find sequence error problems in the network.

NOTE: For instructions to reset the agent GUID, see KB56086.

The ePO database contains an EPOAgentSequenceErrorLog table. This table contains the following fields that help ePO administrators track down systems with communication errors related to sequence check errors:
  • AutoID - A unique key for the table.
  • AutoGUID - The agent GUID of the agent that failed the sequence number check.
  • NodeName - The computer name that failed the sequence number check.
  • IPAddress - The IP address of the computer that failed the sequence number check.
  • MACAddress - The MAC address of the computer that failed the sequence number check.
  • TheTimestamp - The server time of the sequence number check failure.
To use the following features, add the required line to the [Server] section of Server.ini (located in C:\Program Files\McAfee\ePolicy Orchestrator\DB by default), then restart the ePO services.
 
 Feature Description  .INI File Addition  Example(s)
To set a limit to the sequence errors logged in the database on a per hour basis. Without any value set, the default hourly limit for the number of sequence errors that are tracked in the database is 1000.

NOTE: Regardless of this setting, all sequence errors are logged in the server.log file. This setting is only for the database.
 SequenceNumberErrorLogMaxErrorsPerHour SequenceNumberErrorLogMaxErrorsPerHour=1000
SequenceNumberErrorLogMaxErrorsPerHour=0 

NOTE: Setting this value to zero disables logging to the EPOAgentSequenceErrorLog table.
To set a history length for the history (in days) of sequence errors to be stored by the database. If missing from server.ini, the default time span for the error sequence history is seven days.

The sequence error purge is run once at service startup, and then once every 24 hours afterward removing sequence errors from the EPOAgentSequenceErrorLog database table that are older than the defined time span.
 SequenceNumberErrorLogHistDays  SequenceNumberErrorLogHistDays=1
 SequenceNumberErrorLogHistDays=4
 SequenceNumberErrorLogHistDays=90
To disable sequence error checking on the ePO server. 

NOTE: Disabling this feature is not recommended.
 ConnectionsRequireValidSequenceNumber  ConnectionsRequireValidSequenceNumber=0

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.