Clients communicating via VPN disappear from the ePO tree
Last Modified: 2023-07-11 09:55:33 Etc/GMT
Affected Products
Languages:
This article is available in the following languages:
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Clients communicating via VPN disappear from the ePO tree
Technical Articles ID:
KB52949
Last Modified: 2023-07-11 09:55:33 Etc/GMT EnvironmentePolicy Orchestrator (ePO) 5.x
ProblemIf you add a computer to the ePO tree, another computer disappears.
The common factor is that this issue happens with computers that connect via a Virtual Private Network (VPN). CauseYou encounter this problem only when the first connection from a client to the ePO server takes place over a VPN connection.
NOTE: If the computer's first connection is via a Local Area Network (LAN), the correct Media Access Control (MAC) address is added to the table. When a computer communicates with the ePO server via VPN, it uses the VPN virtual computer's MAC address and not its own actual MAC address. This VPN MAC address is usually the same for all computers connecting through the VPN. This issue isn't restricted only to VPN clients. Anything that can cause multiple computers to report the same MAC address can cause this problem. For example, if you clone a virtual machine and don't reset the MAC address, both computers report the same MAC address to ePO. Solution 1Steps for ePO 5.9.x:
If the computers have already connected via a VPN, create an entry in the
The best way to obtain the VPN MAC address is to identify a computer that has connected to the ePO Server for the first time via VPN. Then, remove the previous computer.
If you can't identify a computer using the virtual MAC, you can author a report to identify the computers:
You now have a list of MAC addresses with a count of the number of systems that report that particular MAC address. Ideally, it would be a one-to-one ratio. If you have more than one system sharing the MAC address, that's probably your issue.
Use the following SQL command syntax to add the computer to the tree:
In the above command, ###### is the first six digits of the VPN MAC address collected from the client, in all caps. Example:
For a system with NOTE: After applying the solution, ePO still reports the client's MAC addresses as the Virtual MAC. The solution prevents ePO from using MAC addresses with the vendor ID as valid matching criteria. Solution 2
Steps for ePO 5.10: You can enter details such as the name of the organization. The reason to add the vendor is that you can also enter comments. This field does not accept the following special characters: } ; < > ? To add Vendor ID details:
Previous Document ID (Secured)
615809
Affected ProductsLanguages:This article is available in the following languages: |
|