Agent wake-up call fails for Linux Server
Technical Article ID:
KB82686
Last Modified: 7/17/2020
Environment
McAfee VirusScan Enterprise for Linux (VSEL) 2.x, 1.x
Problem
A Linux server managed by ePolicy Orchestrator (ePO) does not respond to an Agent wake-up call from the ePO server.
Cause
A firewall rule on the client prevents communication with the ePO server.
Solution
Disable or modify the client firewall rule that prevents communication with the ePO server. The client must accept inbound TCP connections on port 8081 (the Agent wake-up port) from the ePO server.
To troubleshoot and verify this issue:
Make sure that the correct IP address for the Linux server is listed in the ePO system tree and that there are no other issues with the Agent:
- Open a command-line session on the Linux server and ePO server.
- Confirm that the correct IP address for the Linux Server is registered in the ePO system tree.
- Ping the ePO server from the Linux Server and ping the Linux Server from the ePO server.
- Confirm that the agent can send properties to ePO with the cmdagent command. On the Linux server, type the following command and press Enter:
/opt/McAfee/cma/bin/cmdagent -P
If the properties are sent, the Last Communication time for the system in the ePO console is updated.
- Check whether the agent has logged any communication errors. The agent log on the Linux server is:
/opt/McAfee/cma/scratch/etc/log
- Confirm that the agent wake-up port is in LISTEN status. Type netstat -an | grep 8081 and press Enter.
The output is similar to:
tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN
Verify that the client firewall is blocking communication with the ePO server:
- Enable packet capture on the Linux server and perform a wake-up call from the ePO server.
To start the packet capture, use one of the following commands (ethX is the interface that faces the ePO server; the third form writes the capture to a file for later review):
tcpdump
Or
tcpdump -i ethX
Or
tcpdump -w /tmp/packet.pcap -i ethX
On reviewing the packet capture, you see the following pattern:
16:46:53.617566 IP X.X.X.X.60195 > Y.Y.Y.Y.tproxy: Flags [S], seq 1384592987, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:46:53.617627 IP Y.Y.Y.Y > X.X.X.X: ICMP host Y.Y.Y.Y unreachable - admin prohibited, length 60
16:46:56.625077 IP X.X.X.X.60195 > Y.Y.Y.Y.tproxy: Flags [S], seq 1384592987, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:46:56.625131 IP Y.Y.Y.Y > X.X.X.X: ICMP host Y.Y.Y.Y unreachable - admin prohibited, length 60
16:46:58.616867 ARP, Request who-has X.X.X.X tell Y.Y.Y.Y, length 28
16:46:58.617158 ARP, Reply X.X.X.X is-at d8:9d:67:19:29:80 (oui unknown), length 46
16:47:02.630779 IP X.X.X.X.60195 > Y.Y.Y.Y.tproxy: Flags [S], seq 1384592987, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:47:02.630833 IP Y.Y.Y.Y > X.X.X.X: ICMP host Y.Y.Y.Y unreachable - admin prohibited, length 56
16:47:12.088548 IP X.X.X.X.60197 > Y.Y.Y.Y.tproxy: Flags [S], seq 4262429784, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:47:12.088601 IP Y.Y.Y.Y > X.X.X.X: ICMP host Y.Y.Y.Y unreachable - admin prohibited, length 60
16:47:15.094336 IP X.X.X.X.60197 > Y.Y.Y.Y.tproxy: Flags [S], seq 4262429784, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:47:15.094389 IP Y.Y.Y.Y > X.X.X.X: ICMP host Y.Y.Y.Y unreachable - admin prohibited, length 60
- X.X.X.X is the IP address of the ePO server that sends the wake-up call.
- Y.Y.Y.Y is the IP address of the Linux server.
- tproxy is the service name tcpdump prints for port 8081 (from /etc/services); it is the Agent wake-up port.
In this example, the ePO server repeatedly sends a TCP SYN to port 8081 on the Linux server, and the Linux server answers each SYN with an ICMP host unreachable - admin prohibited error. That error is exactly what an iptables REJECT rule with reject-with icmp-host-prohibited returns, so the SYN is being refused by the host firewall. By contrast, a closed port with no firewall in the way would answer with a TCP RST, and a DROP rule or a network problem would produce no reply at all.
- Locate the rule that prevents the communication. Type iptables -L and press Enter.
The output is similar to:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The INPUT chain accepts established traffic, ICMP and new SSH connections, then rejects everything else with icmp-host-prohibited; a new connection to TCP port 8081 never matches an ACCEPT rule and is rejected. After you disable that REJECT rule, or add an ACCEPT for TCP port 8081 ahead of it, the Linux server responds to a wake-up call.
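As an added example (not part of the McAfee KB and not McAfee tooling), the following POSIX shell script runs the same three checks the procedure above describes, but against saved command output, so it can be used on a capture and rule listing collected from the server. It checks for a LISTEN socket on 8081, counts ICMP admin-prohibited replies in a tcpdump text capture, finds the first INPUT rule that would stop a new SYN to the port, and prints an iptables command that inserts an ACCEPT before that rule. The addresses 192.0.2.10 (ePO server) and 192.0.2.20 (Linux server), the sample netstat, tcpdump and iptables text, and the function names are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the McAfee KB: check the three signals the article
# uses to diagnose a blocked wake-up call (a LISTEN socket on 8081, ICMP
# "admin prohibited" in a capture, a REJECT/DROP ahead of any ACCEPT in the
# INPUT chain) and print the iptables command that opens the port.
# Each check reads command output on stdin, so it works on saved output too.
# The sample data near the bottom is constructed for this demo.

WAKEUP_PORT=8081

# 1. Is the agent listening? Input: output of `netstat -an`.
port_listening() {
    grep -E "^tcp6? .*[:.]${WAKEUP_PORT} +[^ ]+ +LISTEN" >/dev/null
}

# 2. Count ICMP "admin prohibited" replies in a tcpdump text capture.
#    That message means a firewall REJECT; a closed port would answer
#    with RST, and silence points to a DROP rule or a network problem.
count_admin_prohibited() {
    grep -c 'unreachable - *admin prohibited' || true
}

# 3. Print the number of the first INPUT rule that stops a new SYN to the
#    port, or nothing if an ACCEPT for the port comes first.
#    Input: output of `iptables -L INPUT -n --line-numbers`.
#    A REJECT/DROP with no dpt: qualifier (like the stock
#    "reject-with icmp-host-prohibited" rule) blocks every port.
#    Simplification: port ranges (dpts:) are not parsed.
first_blocking_rule() {
    awk -v port="$WAKEUP_PORT" '
        /^[0-9]+ / {
            hits_port = ($0 ~ ("dpt:" port "( |$)"))
            if ($2 == "ACCEPT" && hits_port) exit
            if (($2 == "REJECT" || $2 == "DROP") && ($0 !~ /dpt:/ || hits_port)) {
                print $1; exit
            }
        }'
}

# 4. Build the fix. Insert (-I) at the blocking rule's position so the
#    ACCEPT sits before the REJECT; appending with -A would place it after
#    the REJECT, where it is never reached. The optional second argument
#    limits the rule to the ePO server's address (least privilege).
fix_command() {
    rulenum="$1"; epo_ip="$2"
    src=""
    [ -n "$epo_ip" ] && src="-s ${epo_ip} "
    echo "iptables -I INPUT ${rulenum} ${src}-p tcp --dport ${WAKEUP_PORT} -m state --state NEW -j ACCEPT"
}

# --- constructed sample output, shaped like the KB's -------------------------
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN'
SAMPLE_CAPTURE='16:46:53.617566 IP 192.0.2.10.60195 > 192.0.2.20.tproxy: Flags [S], seq 1384592987, win 8192, length 0
16:46:53.617627 IP 192.0.2.20 > 192.0.2.10: ICMP host 192.0.2.20 unreachable - admin prohibited, length 60
16:46:56.625077 IP 192.0.2.10.60195 > 192.0.2.20.tproxy: Flags [S], seq 1384592987, win 8192, length 0
16:46:56.625131 IP 192.0.2.20 > 192.0.2.10: ICMP host 192.0.2.20 unreachable - admin prohibited, length 60'
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

diagnose() {
    # Live use: feed the checks from  netstat -an,  tcpdump -r file.pcap
    # and  iptables -L INPUT -n --line-numbers  instead of the samples.
    if echo "$SAMPLE_NETSTAT" | port_listening; then
        echo "agent is listening on tcp/${WAKEUP_PORT}"
    else
        echo "nothing listening on tcp/${WAKEUP_PORT}: check the agent, not the firewall"
        return 1
    fi
    rejects=$(echo "$SAMPLE_CAPTURE" | count_admin_prohibited)
    echo "ICMP admin-prohibited replies in capture: ${rejects}"
    rule=$(echo "$SAMPLE_IPTABLES" | first_blocking_rule)
    if [ -n "$rule" ]; then
        echo "INPUT rule ${rule} blocks the wake-up port; fix with:"
        fix_command "$rule" 192.0.2.10
    else
        echo "INPUT chain already accepts tcp/${WAKEUP_PORT}"
    fi
}

diagnose
```

On the sample data the script reports rule 4 as the blocker and prints `iptables -I INPUT 4 -s 192.0.2.10 -p tcp --dport 8081 -m state --state NEW -j ACCEPT`. Inserting at the REJECT rule's position is the important part: an ACCEPT appended to the end of the chain would never be evaluated. Restricting the source to the ePO server keeps the wake-up port from being exposed to every host that can reach the server; note that rules added this way are not persistent across a reboot unless saved with the distribution's own mechanism.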