This article provides background information about how communication works between McAfee Agent and ePolicy Orchestrator (ePO). It also provides some useful troubleshooting steps that you can take to diagnose communication failures. Agent-server communication is commonly abbreviated as ASCI.
High-level overview of an ASCI workflow:
This section outlines the workflow for a successful ASCI session, and provides log file examples from the masvc_<MA_Client_Name>.log on the endpoint and the server_<ePO_Server_Name>.log on the McAfee ePO server. In the examples given, the name of the client is MAClient and the name of the McAfee ePO server is EPOServer.
MA begins an ASCI session by collecting properties from all products installed on the endpoint. In this example, MA is the only product installed on the endpoint.
The log masvc_MAClient.log on the endpoint shows:
masvc(1228.1240) property.Info: Collecting Properties
masvc(1228.1240) publisher.Info: message <ma.property.collect> will be sent after <0> seconds.
masvc(1228.1240) property.Info: Property collection session initiated for PropsVersion with session id 5696.
masvc(1228.1240) property.Info: Properties received from EPOAGENT3000 provider
masvc(1228.1240) property.Info: Properties received from SYSPROPS1000 provider
masvc(1228.1240) property.Info: Finished Collecting Properties
Next, MA generates a Property Version (PropsVersion), which ePO uses to determine whether the client needs to send up a full property package or whether the incremental package sent by MA is acceptable.
The log masvc_MAClient.log on the endpoint shows:
masvc(1228.1240) property.Info: Agent started performing ASCI
masvc(1228.1240) ahclient.Info: Scheduling spipe connection with "immediate" priority.
masvc(1228.1240) ahclient.Info: Start processing spipe connection request.
masvc(1228.1240) property.Info: Agent is sending PROPS VERSION package to McAfee ePO server
masvc(1228.1240) DataChannel.Manager.Info: DataChannel Service ignoring decoration of SPIPE package for: { PropsVersion }
MA interrogates the MA.DB file, which contains the list of available Agent Handlers (AH), and tries to connect to the AH with the highest priority.
The log masvc_MAClient.log on the endpoint shows:
masvc(1228.1240) ahclient.Info: Agent communication session started
masvc(1228.1240) ahclient.Info: Agent is connecting to ePO Server
masvc(1228.1240) ahclient.Info: Initiating spipe connection to site https://192.168.1.1:443/spipe/pkg?AgentGuid={ab7e05ec-51ea-11e7-3e72-005056011dfb}&Source=Agent_3.0.0&TenantId=E46AF86C-AA4A-4243-B4D5-5BA313376CC4.
masvc(1228.1240) crypto.Info: Negotiated Cipher : EDH-RSA-AES256-SHA256
masvc(1228.1240) ahclient.Info: connection initiated to site https://192.168.1.1:443/spipe/pkg?AgentGuid={ab7e05ec-51ea-11e7-3e72-005056011dfb}&Source=Agent_3.0.0&TenantId=E46AF86C-AA4A-4243-B4D5-5BA313376CC4.
masvc(1228.1240) ahclient.Info: Network library rc = <1008>, Agent Handler reports response code <202>.
masvc(1228.1240) ahclient.Info: Agent Handler doesn't have anything to send. Response code 202.
masvc(1228.1240) ahclient.Info: Spipe connection response received, network return code = 1008, response code 202.
masvc(1228.1240) property.Info: Package uploaded to ePO Server successfully
masvc(1228.1240) xml_generator.Info: ma_property_xml_generator_save_props_to_datastore
masvc(1228.1240) property.Info: Published property collect and send status message
masvc(1228.1240) ahclient.Info: Agent communication session closed
The Agent Handler receives the props version and, if it is accepted, sends the client an HTTP 202 (accepted) response. Otherwise, the handler might request that the client send up a full property package.
For example, if the computer was deleted from the System Tree in ePO, it would have no properties and the handler would request MA to send up a full property package.
Example:
Server_EPOServer.log file on the Agent Handler shows the server accepting the incremental props:
I #04412 NAIMSERV Received [PropsVersion] from MACLIENT:{AB7E05EC-51EA-11E7-3E72-005056011DFB}
I #04412 NAIMSERV Using attached Props.xml props from node MACLIENT
I #04412 NAIMSERV Processing agent props for MACLIENT(AB7E05EC-51EA-11E7-3E72-005056011DFB)
I #04412 EPODAL System attribute change - Old value: 20180517180553 to New value: 20180517181443
I #04412 NAIMSERV Sending props response for agent MACLIENT, agent has up-to-date policy
I #04412 NAIMSERV Processed [PropsVersion] from MACLIENT:{AB7E05EC-51EA-11E7-3E72-005056011DFB} in 31ms
I #04412 MOD_EPO epo request processed, rc=202, session ID=9, session time=31m
MA then generates a Policy Manifest Request and sends it to the Agent Handler. The AH uses the policy manifest to determine whether the agent has up-to-date policies or whether it needs a new policy package for one or more products.
The log masvc_MAClient.log on the endpoint shows:
masvc(1228.1240) io.service.Info: Next collect and send properties in 51 minutes and 10 seconds.
masvc(1228.1240) ahclient.Info: Scheduling spipe connection with "immediate" priority.
masvc(1228.1240) ahclient.Info: Start processing spipe connection request.
masvc(1228.1240) DataChannel.Manager.Info: DataChannel Service ignoring decoration of SPIPE package for : { PolicyManifestRequest }
masvc(1228.1240) ahclient.Info: Agent communication session started
masvc(1228.1240) ahclient.Info: Agent is connecting to ePO Server
masvc(1228.1240) ahclient.Info: Initiating spipe connection to site https://192.168.1.1:443/spipe/pkg?AgentGuid={ab7e05ec-51ea-11e7-3e72-005056011dfb}&Source=Agent_3.0.0&TenantId=E46AF86C-AA4A-4243-B4D5-5BA313376CC4.
McAfee Agent sends up any events which might be waiting to be forwarded to ePO. In this example, the endpoint log shows that no events are waiting to be forwarded.
The log masvc_MAClient.log on the endpoint shows:
masvc(1228.1240) event.Info: Agent is looking for events to upload
masvc(1228.1240) event.Info: Agent did not find any events to upload
Agent Handler reviews the Policy Manifest Request and provides its response to MA.
The log Server_EPOServer.log on the handler shows:
I #04412 NAIMSERV Received [PolicyManifestRequest] from MACLIENT:{AB7E05EC-51EA-11E7-3E72-005056011DFB}
I #04412 NAIMSERV Processed [PolicyManifestRequest] from MACLIENT:{AB7E05EC-51EA-11E7-3E72-005056011DFB} in 31ms
I #04412 NAIMSERV Signing agent response package with key Z0IONRUNRak+x0h273mXbWi4OFxCjysQyUhdunCsBbM=
I #04412 MOD_EPO epo request processed, rc=0, session ID=10, session time=47ms
McAfee Agent receives the response to the Policy Manifest Request in the form of a new policy package. Then, it ends the ASCI session.
The log masvc_MAClient.log on the endpoint shows:
masvc(1228.1240) ahclient.Info: connection initiated to site https://192.168.1.1:443/spipe/pkg?AgentGuid={ab7e05ec-51ea-11e7-3e72-005056011dfb}&Source=Agent_3.0.0&TenantId=E46AF86C-AA4A-4243-B4D5-5BA313376CC4.
masvc(1228.1240) ahclient.Info: Network library rc = <1008>, Agent Handler reports response code <200>.
masvc(1228.1240) ahclient.Info: Agent Handler reports spipe package received. Response code 200.
masvc(1228.1240) ahclient.Info: Spipe connection response received, network return code = 1008, response code 200.
masvc(1228.1240) policy.Info: Agent received POLICY package from ePO Server
masvc(1228.1240) ahclient.Info: Agent communication session closed
Identifying ASCI failures in the masvc_<computer_name>.log file:
If an ASCI session is failing, the first step to resolve the issue is to identify the error condition in the log file on the client. The log that needs to be examined on the client is the masvc_<computer_name>.log. The default location of this log is C:\ProgramData\McAfee\Agent\Logs.
Use the following approach to isolate the error:
- Open the masvc_<computer_name>.log on the client failing the ASCI.
- Navigate to the bottom of the log file.
- Search for Agent is connecting to ePO Server.
- Scroll down from this point and look for the log entries that show MA trying to connect to a handler. The lines it writes during a successful connection are shown in the workflow overview above.
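The search steps above can be scripted. The following is an added example, not McAfee's own tooling: it splits a masvc log at each "Agent is connecting to ePO Server" marker and extracts the handler address, negotiated cipher, network return code and response code for each attempt, so the last attempt can be compared with the successful sessions shown earlier. The sample log is constructed from the line formats in this article, and the function names are hypothetical.

```python
import re

# Constructed sample in the masvc log format shown above: one completed
# session, then a final attempt with no handler response logged.
SAMPLE_LOG = """\
masvc(1228.1240) ahclient.Info: Agent is connecting to ePO Server
masvc(1228.1240) ahclient.Info: Initiating spipe connection to site https://192.168.1.1:443/spipe/pkg?AgentGuid={ab7e05ec-51ea-11e7-3e72-005056011dfb}&Source=Agent_3.0.0.
masvc(1228.1240) crypto.Info: Negotiated Cipher : EDH-RSA-AES256-SHA256
masvc(1228.1240) ahclient.Info: Network library rc = <1008>, Agent Handler reports response code <202>.
masvc(1228.1240) ahclient.Info: Agent communication session closed
masvc(1228.1240) ahclient.Info: Agent is connecting to ePO Server
masvc(1228.1240) ahclient.Info: Initiating spipe connection to site https://192.168.1.1:443/spipe/pkg?AgentGuid={ab7e05ec-51ea-11e7-3e72-005056011dfb}&Source=Agent_3.0.0.
"""

MARKER = "Agent is connecting to ePO Server"
PATTERNS = {
    "handler": re.compile(r"Initiating spipe connection to site https://([^/\s]+)"),
    "cipher": re.compile(r"Negotiated Cipher : (\S+)"),
    "network_rc": re.compile(r"Network library rc = <(\d+)>"),
    "response_code": re.compile(r"Agent Handler reports response code <(\d+)>"),
}

def asci_attempts(log_text):
    """Split the log at each connection marker and extract each attempt's fields."""
    attempts = []
    for line in log_text.splitlines():
        if MARKER in line:
            attempts.append({"closed": False, "lines": [], **dict.fromkeys(PATTERNS)})
            continue
        if not attempts or attempts[-1]["closed"]:
            continue  # line is outside any connection attempt
        cur = attempts[-1]
        cur["lines"].append(line)
        for field, rx in PATTERNS.items():
            m = rx.search(line)
            if m and cur[field] is None:
                cur[field] = m.group(1)
        if "Agent communication session closed" in line:
            cur["closed"] = True
    return attempts

def triage(attempt):
    """Classify an attempt using the response codes this article shows for success."""
    if attempt["response_code"] in ("200", "202"):
        return "ok"
    if attempt["response_code"] is not None:
        return "handler answered with code " + attempt["response_code"]
    return "no handler response logged; read attempt['lines'] for the error"

if __name__ == "__main__":
    for a in asci_attempts(SAMPLE_LOG):
        print(a["handler"], a["cipher"], a["network_rc"], a["response_code"], triage(a))
```

To use it on an endpoint, pass the text of masvc_<computer_name>.log to asci_attempts() and inspect the last element of the returned list.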
The sections below cover some examples of common issues and errors you might encounter. After you identify the error, use the solution sections to guide you through troubleshooting the error.
Each problem section below highlights a specific error condition with which an ASCI session might fail, and gives some common causes and solutions.
It is useful to note that MA uses the libcurl library to establish its connection to the Agent Handler, so many ASCI sessions fail with a curl error code.
For a complete list of CURL error codes, see https://curl.haxx.se/libcurl/c/libcurl-errors.html