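This article provides background information on how communication between McAfee Agent and ePolicy Orchestrator (ePO) works. It also provides some useful troubleshooting steps that you can take to diagnose communication failures. Agent-to-server communication is commonly abbreviated as ASCI.
High-level overview of the ASCI workflow:
This section outlines the workflow of a successful ASCI session and provides log file examples from masvc_<MA_Client_Name>.log on the endpoint and server_<ePO_Server_Name>.log on the McAfee ePO server. In the examples given, the client is named MAClient and the McAfee ePO server is named EPOServer.
MA begins the ASCI session by collecting properties from all products installed on the endpoint. In this example, MA is the only product installed on the endpoint.
The masvc_MAClient.log on the endpoint shows: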
masvc(1228.1240) property.Info: Collecting Properties
masvc(1228.1240) publisher.Info: message <ma.property.collect> will be sent after <0> seconds.
masvc(1228.1240) property.Info: Property collection session initiated for PropsVersion with session id 5696.
masvc(1228.1240) property.Info: Properties received from EPOAGENT3000 provider
masvc(1228.1240) property.Info: Properties received from SYSPROPS1000 provider
masvc(1228.1240) property.Info: Finished Collecting Properties
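Next, MA generates a properties version (PropsVersion) that ePO uses to determine whether the client needs to send a full property package, or whether an incremental package sent by MA is acceptable.
The masvc_MAClient.log on the endpoint shows: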
masvc(1228.1240) property.Info: Agent started performing ASCI
masvc(1228.1240) ahclient.Info: Scheduling spipe connection with "immediate" priority.
masvc(1228.1240) ahclient.Info: Start processing spipe connection request.
masvc(1228.1240) property.Info: Agent is sending PROPS VERSION package to McAfee ePO server
masvc(1228.1240) DataChannel.Manager.Info: DataChannel Service ignoring decoration of SPIPE package for: { PropsVersion }
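MA interrogates the MA.DB file, which contains the list of available Agent Handlers (AH), and attempts to connect to the AH with the highest priority.
The masvc_MAClient.log on the endpoint shows: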
masvc(1228.1240) ahclient.Info: Agent communication session started
masvc(1228.1240) ahclient.Info: Agent is connecting to ePO Server
masvc(1228.1240) ahclient.Info: Initiating spipe connection to site https://192.168.1.1:443/spipe/pkg?AgentGuid={ab7e05ec-51ea-11e7-3e72-005056011dfb}&Source=Agent_3.0.0&TenantId=E46AF86C-AA4A-4243-B4D5-5BA313376CC4.
masvc(1228.1240) crypto.Info: Negotiated Cipher : EDH-RSA-AES256-SHA256
masvc(1228.1240) ahclient.Info: connection initiated to site https://192.168.1.1:443/spipe/pkg?AgentGuid={ab7e05ec-51ea-11e7-3e72-005056011dfb}&Source=Agent_3.0.0&TenantId=E46AF86C-AA4A-4243-B4D5-5BA313376CC4.
masvc(1228.1240) ahclient.Info: Network library rc = <1008>, Agent Handler reports response code <202>.
masvc(1228.1240) ahclient.Info: Agent Handler doesn't have anything to send. Response code 202.
masvc(1228.1240) ahclient.Info: Spipe connection response received, network return code = 1008, response code 202.
masvc(1228.1240) property.Info: Package uploaded to ePO Server successfully
masvc(1228.1240) xml_generator.Info: ma_property_xml_generator_save_props_to_datastore
masvc(1228.1240) property.Info: Published property collect and send status message
masvc(1228.1240) ahclient.Info: Agent communication session closed
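The Agent Handler receives the properties version and, if it accepts it, sends an HTTP 202 (Accepted) response to the client. Alternatively, the handler may request that the client send a full property package.
For example, if the computer has been deleted from the System Tree in ePO, it has no properties, and the handler requests that MA send a full property package.
Example:
The Server_EPOServer.log file on the Agent Handler shows the server accepting the incremental properties: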
I #04412 NAIMSERV Received [PropsVersion] from MACLIENT:{AB7E05EC-51EA-11E7-3E72-005056011DFB}
I #04412 NAIMSERV Using attached Props.xml props from node MACLIENT
I #04412 NAIMSERV Processing agent props for MACLIENT(AB7E05EC-51EA-11E7-3E72-005056011DFB)
I #04412 EPODAL System attribute change - Old value: 20180517180553 to New value: 20180517181443
I #04412 NAIMSERV Sending props response for agent MACLIENT, agent has up-to-date policy
I #04412 NAIMSERV Processed [PropsVersion] from MACLIENT:{AB7E05EC-51EA-11E7-3E72-005056011DFB} in 31ms
I #04412 MOD_EPO epo request processed, rc=202, session ID=9, session time=31m
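MA then generates a policy manifest request and sends it to the Agent Handler. The AH uses the policy manifest to determine whether the agent has the latest policies, or whether it needs a new policy package for one or more products.
The masvc_MAClient.log on the endpoint shows: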
masvc(1228.1240) io.service.Info: Next collect and send properties in 51 minutes and 10 seconds.
masvc(1228.1240) ahclient.Info: Scheduling spipe connection with "immediate" priority.
masvc(1228.1240) ahclient.Info: Start processing spipe connection request.
masvc(1228.1240) DataChannel.Manager.Info: DataChannel Service ignoring decoration of SPIPE package for : { PolicyManifestRequest }
masvc(1228.1240) ahclient.Info: Agent communication session started
masvc(1228.1240) ahclient.Info: Agent is connecting to ePO Server
masvc(1228.1240) ahclient.Info: Initiating spipe connection to site https://192.168.1.1:443/spipe/pkg?AgentGuid={ab7e05ec-51ea-11e7-3e72-005056011dfb}&Source=Agent_3.0.0&TenantId=E46AF86C-AA4A-4243-B4D5-5BA313376CC4.
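McAfee Agent sends any events that may be waiting to be forwarded to ePO. In this example, the endpoint log shows that no events are waiting to be forwarded.
The masvc_MAClient.log on the endpoint shows: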
masvc(1228.1240) event.Info: Agent is looking for events to upload
masvc(1228.1240) event.Info: Agent did not find any events to upload
The Agent Handler reviews the policy manifest request and provides a response to MA.
The Server_EPOServer.log on the handler shows:
I #04412 NAIMSERV Received [PolicyManifestRequest] from MACLIENT:{AB7E05EC-51EA-11E7-3E72-005056011DFB}
I #04412 NAIMSERV Processed [PolicyManifestRequest] from MACLIENT:{AB7E05EC-51EA-11E7-3E72-005056011DFB} in 31ms
I #04412 NAIMSERV Signing agent response package with key Z0IONRUNRak+x0h273mXbWi4OFxCjysQyUhdunCsBbM=
I #04412 MOD_EPO epo request processed, rc=0, session ID=10, session time=47ms
McAfee Agent receives the response to the policy manifest request in the form of a new policy package. It then ends the ASCI session.
The masvc_MAClient.log on the endpoint shows:
masvc(1228.1240) ahclient.Info: connection initiated to site https://192.168.1.1:443/spipe/pkg?AgentGuid={ab7e05ec-51ea-11e7-3e72-005056011dfb}&Source=Agent_3.0.0&TenantId=E46AF86C-AA4A-4243-B4D5-5BA313376CC4.
masvc(1228.1240) ahclient.Info: Network library rc = <1008>, Agent Handler reports response code <200>.
masvc(1228.1240) ahclient.Info: Agent Handler reports spipe package received. Response code 200.
masvc(1228.1240) ahclient.Info: Spipe connection response received, network return code = 1008, response code 200.
masvc(1228.1240) policy.Info: Agent received POLICY package from ePO Server
masvc(1228.1240) ahclient.Info: Agent communication session closed
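Identifying ASCI failures in the masvc_<computer_name>.log file:
If an ASCI session fails, the first step in resolving the issue is to identify the error condition in the log file on the client. The log to check on the client is masvc_<computer_name>.log. The default location of this log is C:\ProgramData\McAfee\Agent\Logs.
Use the following method to isolate the error:
- Open masvc_<computer_name>.log on the client where ASCI is failing.
- Navigate to the bottom of the log file.
- Search for Agent is connecting to ePO Server.
- From that location, scroll down and look for the log entries that show MA attempting to connect to the handler. They are written within a few lines of the line shown above.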
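The isolation steps above can be scripted. The following is an added example, not McAfee code: it splits a masvc log into ASCI sessions at the "Agent is connecting to ePO Server" marker and triages the most recent one. The function names are hypothetical, the sample log is constructed from lines shown on this page, and treating only response codes 200 and 202 as success is an assumption based on the sessions shown here.

```python
import re

# Constructed sample: session 1 reuses log lines shown on this page;
# session 2 is constructed and stops before any handler response is logged.
SAMPLE_LOG = """\
masvc(1228.1240) ahclient.Info: Agent is connecting to ePO Server
masvc(1228.1240) crypto.Info: Negotiated Cipher : EDH-RSA-AES256-SHA256
masvc(1228.1240) ahclient.Info: Network library rc = <1008>, Agent Handler reports response code <202>.
masvc(1228.1240) ahclient.Info: Agent communication session closed
masvc(1228.1240) ahclient.Info: Agent is connecting to ePO Server
masvc(1228.1240) ahclient.Info: Initiating spipe connection to site https://192.168.1.1:443/spipe/pkg?AgentGuid={ab7e05ec-51ea-11e7-3e72-005056011dfb}&Source=Agent_3.0.0&TenantId=E46AF86C-AA4A-4243-B4D5-5BA313376CC4.
"""

START = "Agent is connecting to ePO Server"
CLOSED = "Agent communication session closed"
FIELDS = {  # field name -> pattern taken from the log lines on this page
    "response": re.compile(r"Network library rc = <(\d+)>, Agent Handler reports response code <(\d+)>"),
    "cipher": re.compile(r"Negotiated Cipher : (\S+)"),
    "site": re.compile(r"spipe connection to site (https?://[^/\s?]+)"),
}
OK_CODES = {200, 202}  # assumption: only the codes this page shows for good sessions

def parse_sessions(text):
    """Split a masvc log into ASCI sessions, one dict per START marker."""
    sessions = []
    for line in text.splitlines():
        if START in line:
            sessions.append({"closed": False, "tail": []})
        if not sessions:
            continue  # skip anything logged before the first session
        cur = sessions[-1]
        cur["tail"].append(line)
        cur["closed"] = cur["closed"] or CLOSED in line
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                cur[name] = m.groups() if name == "response" else m.group(1)
    return sessions

def triage_last_session(text):
    """Return (status, session) for the most recent ASCI session in the log."""
    sessions = parse_sessions(text)
    if not sessions:
        return "no-session", None
    last = sessions[-1]
    if "response" not in last:
        return "no-response", last  # read last["tail"] for the error that follows
    code = int(last["response"][1])
    return ("ok" if code in OK_CODES and last["closed"] else "review"), last
```

A "no-response" or "review" result means the lines in `tail` are the ones to read for the error condition, as the last step of the method describes.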
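The following sections cover some examples of common issues and errors that you might encounter. After identifying the error, use the Solution section to guide your troubleshooting of the error.
Each issue section below highlights a specific error condition under which an ASCI session can fail, and provides some common causes and solutions.
Note that MA uses the libcurl library to establish the connection to the Agent Handler, so many ASCI sessions fail with a curl error code.
For a complete list of CURL error codes, see https://curl.haxx.se/libcurl/c/libcurl-errors.html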