How to troubleshoot a MOVE SVA Manager displaying [Connecting] status
Technical Articles ID: KB88944
Last Modified: 12/21/2021
Environment
Management for Optimized Virtual Environments (MOVE)
MOVE AntiVirus Multi-Platform (MOVE AV Multi-Platform) 4.x
Security Virtual Appliance (SVA) Manager
Offload Scan Server (OSS)
Problem
When you run the Mvadm Status command on a system with a MOVE Client installed, the event below is recorded:
C:\WINDOWS\system32>mvadm status
Scan Configuration: Enabled
On Access Scan: Enabled
On Demand Scan: Disabled
Driver Status: Driver is loaded
Primary Server: XXXX.XXXX.XXXX.XXXX:9053 [Active]/ NONE:9053 [Not Configured]
Secondary Server: NONE:9053 [Not Configured]
SVA Manager: XXXX.XXXX.XXXX.XXXX:8080 [Connecting]
Solution
To troubleshoot an SVA Manager Connecting issue:
- Telnet from the client to the SVA Manager on port 8080.
- Telnet from OSS to the SVA Manager on port 8443.
- Telnet from the client to OSS on port 9053.
If a telnet connection or session can be established successfully on all ports listed above, perform the following steps:
Generate a cert file of MOVE from Server Tasks:
- Log on to the ePO console as an administrator.
- Click Menu and go to Automation, Server Tasks.
- Run the MOVE AntiVirus : Generate Certificates task.
- Perform a wake-up call to the agent and verify the status of the issue.
If the issue remains unresolved after you generate the certificate file, perform the following steps.
Check to see if manual assignment of OSS is working:
- Go to Options, Policy.
- Select Assign SVM manually from the SVM Assignment policy.
- Wake up the agent on the client and see if Mvadm status shows the OSS server as being assigned or not.
- When the SVM Assignment policy has been changed back to its original setting from Assign SVM manually, check the SVA Manager connection, per Mvadm status. If the connection is not present, perform the following steps.
Check to see if the OSS is getting the IP address of the SVA Manager by examining the registry:
- Go to Start, Run, type regedit, and then click Run.
- In regedit, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver\Parameters.
- Examine the value for the SVAManagerAddress STRING. It must contain the IP address of the SVA Manager.
Errors that you might see in the logs, and what the errors indicate, are listed below:
The MVAGENT.log records the errors below:
ERROR: svc_curl.c : 199: Got 500 HTTP response from broker try again after 5 sec..
ERROR: svc_curl.c : 199: Got 500 HTTP response from broker try again after 5 sec..
If you see these errors, go to KB87391 - Offload Scan Server assignment fails for a MOVE Multi-Platform client with an IP assignment rule.
The MVAGENT.log records the errors below:
ERROR: winhttp.c : 95: Failed : Winhttp request failed with error -1
ERROR: svc_curl.c : 192: Unable to connect with broker
These errors indicate a definite network issue that requires attention.
The OSS MOVESERver.log records the errors below:
ERROR: svc_curl.c : 213: Unable to register oss server with broker. Err = -1 (OS defined error code)
DETAIL: winhttp.c : 79: URL = https://XXX.XXX.XXX.XXX:8443/commands/OSS_INIT
Message = protocolVersion=1&ossGuid=A62E5091-5E19-4B9C-95B6-1B95F4A66153&cmdData={"productVersion":"4.5.0-211","agentGuid":"{fc9cceaa-b94b-11e6-3f2d-00505697e892}","osType":"Microsoft Standard Edition (build 9200), 64-bit, 8 processor(s)","hostName":"AGL-SA-SVR-WIN1","networkAddresses":[{"ip":"10.212.220.64","mask":"255.255.255.0"}],"port":9053,"maxNumberOfClients":"250","lastDisconnectReason":"UNKNOWN"}
ERROR: CWinHttpHelper.cpp: 281: Failed : winhttpsendrequest ,failed with error 12029
ERROR: winhttp.c : 95: Failed : Winhttp request failed with error -1
These errors indicate a definite network issue between OSS and SVA Manager.
The MVserver.log records the errors below:
ERROR: CWinHttpHelper.cpp: 155: Failed : Not a valid certificate data
ERROR: winhttp.c : 97: Failed : Winhttp request failed with error -1
ERROR: svc_curl.c : 233: Unable to register OSS with broker with err: -1, get last error: 0
OR
ERROR: winhttp.c : 97: Failed : Winhttp request failed with error -1
ERROR: svc_curl.c : 233: Unable to register OSS with broker with err: -1, get last error: -2146893017
A mismatch between the SVM and SVM Manager certificates is present. Regenerate the MOVE certificate from ePolicy Orchestrator.
Review the configuration on the SVM Manager device:
Verify that the client system can perform an nslookup using the domain name or IP address of the SVM Manager.
NOTE: If nslookup doesn't resolve, verify that the appropriate DNS host A-record is properly configured for the SVM Manager.
1. Verify if the SVM and Client ports are listening by running the following command:
netstat -tnl
The output must show that the SVM and Client ports (default TCP 8443 and 8080) are listening. If they are not, continue to the next step.
2. From the SVM Manager, run the following service status commands. Make sure that the output indicates Active (running):
NOTES:
- If the status is anything other than Active (running), stop and restart the service. Rerun the status command and verify Active (running).
- If restarting the service does not produce an Active (running) status, reboot the system and verify the service status.
For MOVE MP 4.9, the service name changed from movesvamanager to mcafee.movesvmmanager. The ma service did not change.
Check the status, and then stop and start the services using the commands below:
For the MOVE SVM Manager, type the commands below:
sudo service mcafee.movesvmmanager status
sudo service mcafee.movesvmmanager stop
sudo service mcafee.movesvmmanager start
For the MA service, type the commands below:
sudo service ma status
sudo service ma stop
sudo service ma start
For MOVE MP 4.8 and earlier, check the status, and stop and start the services using the commands below:
For the MOVE SVM Manager, type the commands below:
sudo service movesvamanager status
sudo service movesvamanager stop
sudo service movesvamanager start
For the MA service, type the commands below:
sudo service ma status
sudo service ma stop
sudo service ma start
If the services above do not start at boot, it is likely that the /home/movesvamanager/sva-config script has not been run or failed. Run that script and scrutinize the output carefully for errors. If the services still do not start, collect a MER from the system and contact Technical Support.
3. Run the commands below, and then capture the log. Validate the output:
cd /opt/McAfee/agent/bin/
sudo ./cmdagent -c -e
cat /var/McAfee/agent/logs/masvc_<hostName>.log
Output:
Enforcing Policies for EPOAGENT300
Enforcing Policies for DC__AM__4000
Enforcing Policies for LYNXSHLD2000
If the masvc log does not confirm that the above policies are being enforced, then the sva-config script did not run, it failed, or the McAfee Agent is in a broken state. Run that script and scrutinize the output carefully for errors. If the services still do not start, collect a MER from the system and contact Technical Support.
Do not try to deploy a new McAfee Agent to the device.
4. Capture the below XML file using the cat command. Validate that the following lines show the name of your SVM Manager Settings policy and the ports listed there for SVM and Client.
This example shows default values:
cd /opt/McAfee/movesvamanager/etc/
cat svamanagerpolicy.xml
Output:
<EPOPolicySettings featureid="DC__AM__4000" categoryId="DC_Threat_Prevention_Policy_SVM_Manager" typeid="DC_Threat_Prevention_Policy_SVM_Manager" name="My Default">
<Setting name="clientPort" value="8082"/>
<Setting name="ossConnectionPort" value="8443"/>
If the policy file does not reflect the correct ports as assigned by policy, the policy in ePO might be corrupt or the Agent might be corrupting them during enforcement. Do the following:
- Duplicate the McAfee Default SVM Manager Settings policy in ePO and reconfigure the new policy as needed.
- Reassign all policy applied to the SVM Manager system to the McAfee Default.
- Run an agent wake-up call with forced policy update.
- Revert the device to the previous policy, except for the SVM Manager Settings policy.
- Assign the newly created SVM Manager Settings policy and repeat the Agent wake-up call with a forced policy update.
5. Capture the config file using the cat command and make sure that the following lines display:
cat /etc/init.d/sva-firewall
Output:
# Allow incomming packets from OSS & Endpoints
$IPTABLES -A INPUT -i $eth -p -tcp --dport 8443 -j LOGACCEPT #OSS_Port
$IPTABLES -A INPUT -i $eth -p -tcp --dport 8080 -j LOGACCEPT #Endpoint_Port
The sva-firewall config file is changed by the movesvamanager service based on policy information it gets from the Agent. The file is used by the /opt/McAfee/movesvamanger/sva-firewall script to update the Ubuntu firewall with the ports listed in policy.
If step 4 is verified good, the movesvamanager service is not reading policy correctly. The greatest likelihood is the /home/movesvamanager/sva-config script has not been run or failed. Run that script, scrutinize the output carefully for errors, and then check this file again.
If it is still not displaying the correct ports, destroy the existing SVM Manager device, delete that system from the ePO System Tree, and deploy a new one.
Run through the sva-config script and verify this file again. If it is still not displaying the correct ports, collect a MER from the system and contact Technical Support.
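The svamanagerpolicy.xml and sva-firewall checks above can be compared mechanically. The script below is an added example, not part of the original article or vendor tooling; the function names are hypothetical. The two sample files are constructed from the excerpts on this page, which show client port 8082 in the policy file and 8080 in the firewall file, so the check reports a mismatch for clientPort.

```shell
#!/bin/sh
# Added example (not vendor code): compare the ports in svamanagerpolicy.xml
# with the --dport rules in the sva-firewall file.

# policy_port FILE NAME -> value of <Setting name="NAME" value="N"/>
policy_port() {
    sed -n 's/.*<Setting name="'"$2"'" value="\([0-9][0-9]*\)".*/\1/p' "$1" | head -n 1
}

# firewall_port FILE TAG -> --dport of the rule whose trailing comment is #TAG
firewall_port() {
    sed -n 's/.*--dport \([0-9][0-9]*\) .*#'"$2"'[[:space:]]*$/\1/p' "$1" | head -n 1
}

# check_ports POLICY FIREWALL -> one line per port; exit status = number of mismatches
check_ports() {
    bad=0
    for pair in ossConnectionPort:OSS_Port clientPort:Endpoint_Port; do
        setting=${pair%%:*}
        tag=${pair##*:}
        want=$(policy_port "$1" "$setting")
        have=$(firewall_port "$2" "$tag")
        if [ -n "$want" ] && [ "$want" = "$have" ]; then
            echo "OK       $setting=$want matches #$tag"
        else
            echo "MISMATCH $setting=${want:-missing} but #$tag opens ${have:-nothing}"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample files that mirror the two excerpts on this page.
demo=$(mktemp -d)
cat > "$demo/svamanagerpolicy.xml" <<'EOF'
<EPOPolicySettings featureid="DC__AM__4000" name="My Default">
<Setting name="clientPort" value="8082"/>
<Setting name="ossConnectionPort" value="8443"/>
</EPOPolicySettings>
EOF
cat > "$demo/sva-firewall" <<'EOF'
$IPTABLES -A INPUT -i $eth -p -tcp --dport 8443 -j LOGACCEPT #OSS_Port
$IPTABLES -A INPUT -i $eth -p -tcp --dport 8080 -j LOGACCEPT #Endpoint_Port
EOF
check_ports "$demo/svamanagerpolicy.xml" "$demo/sva-firewall" || true
```

On the SVM Manager itself, pass /opt/McAfee/movesvamanager/etc/svamanagerpolicy.xml and /etc/init.d/sva-firewall as the two arguments.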
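The log signatures listed under "Errors that you might see in the logs" can be turned into a triage pass over a collected log. This is an added example, not vendor code: the function names and cause tags are hypothetical, the sample lines are constructed from the excerpts on this page, and the script is assumed to run against a copy of the log on a system with a POSIX shell.

```shell
#!/bin/sh
# Added example, not vendor code: map MOVE log lines to the causes this article gives.

# classify_line LINE -> prints a cause tag, or nothing for lines that are not decisive.
classify_line() {
    case $1 in
        *"Got 500 HTTP response from broker"*)
            echo "ASSIGNMENT_RULE: see KB87391" ;;
        # -2146893017 is 0x80090327 (SEC_E_CERT_UNKNOWN) as a signed 32-bit value.
        *"Not a valid certificate data"*|*"get last error: -2146893017"*)
            echo "CERT_MISMATCH: regenerate the MOVE certificate from ePO" ;;
        # 12029 is ERROR_WINHTTP_CANNOT_CONNECT.
        *"failed with error 12029"*)
            echo "NETWORK_OSS_TO_SVA_MANAGER: rerun the telnet port checks" ;;
        *"Unable to connect with broker"*)
            echo "NETWORK: rerun the telnet port checks" ;;
        # "Winhttp request failed with error -1" appears in every group, so it is ignored.
    esac
}

# triage FILE -> "COUNT CAUSE" per distinct cause, most frequent first
triage() {
    while IFS= read -r line; do
        classify_line "$line"
    done < "$1" | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample log built from the error lines quoted on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ERROR: svc_curl.c : 199: Got 500 HTTP response from broker try again after 5 sec..
ERROR: svc_curl.c : 199: Got 500 HTTP response from broker try again after 5 sec..
ERROR: CWinHttpHelper.cpp: 281: Failed : winhttpsendrequest ,failed with error 12029
ERROR: winhttp.c : 95: Failed : Winhttp request failed with error -1
ERROR: CWinHttpHelper.cpp: 155: Failed : Not a valid certificate data
ERROR: svc_curl.c : 233: Unable to register OSS with broker with err: -1, get last error: 0
EOF
triage "$sample"
```

The generic "error -1" and "get last error: 0" lines are deliberately left unclassified, because the article shows them alongside both network and certificate failures.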
Related Information
To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.
- If you are a registered user, type your User ID and Password, and then click Log In.
- If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.