Agents fail to communicate to ePO after using the /forceinstall switch upgrading to MA 5.7

Technical Articles ID: KB94195
Last Modified: 2021-04-28 15:46:35 Etc/GMT

Environment

McAfee Agent (MA) 5.7.2, 5.7.1, 5.7.0

Problem

Communication to the ePolicy Orchestrator server fails when you upgrade MA from a previous major version. Specifically, when you upgrade from MA 5.5.x or 5.6.x to MA 5.7.0 or 5.7.2.

You see the issue after you use the /install=agent /forceinstall switch and you installed using either:

FramePkg.exe
Or
The -f switch when installing via the McAfee Smart Installer

Specifically, the issue is seen after you use the /install=agent /forceinstall switch.

You see errors in the masvc<computer_name>.log similar to:

masvc(4268.8008) ahclient.Debug: Spipe connection to site https://10.10.10.10:443/spipe/pkg?AgentGuid={4c5446e2-72c7-11eb-17f6-00505697b05a}&Source=Agent_3.0.0 succeeded.
masvc(4268.8008) ahclient.Debug: Cache current site for further spipe connection.
masvc(4268.8008) ahclient.Info: Spipe connection response received, network return code = 1008, response code 503.
masvc(4268.8008) property.Debug: Spipe handler, props send failure(response 503)

If you log on to the ePO server or Remote Handler and view the server.log, it shows that the communication fails because of a sequence error:

E #03828 NAIMSERV servdal.cpp(1485): Agent TRAININGEPO with GUID {4C5446E2-72C7-11EB-17F6-00505697B05A} and IP 10.57.4.190 and MAC 00505697B05A has an invalid sequence number; expecting 4 > 13
E #03828 NAIMSERV servdal.cpp(1574): Rejecting agent due to an invalid or duplicate sequence number

You see errors in the maconfig.log similar to the following:

maconfig(3632.3108) maconfig.Info: Keeping agent GUID as {4c5446e2-72c7-11eb-17f6-00505697b05a} with sequence no: 0

Solution

This issue is resolved in McAfee Agent 5.7.3. This version is available from either the ePO Software Manager or the Product Downloads site.

NOTE: You need a valid Grant Number to access the update.

To view other known and resolved issues, see KB93773 - Trellix Agent 5.7.x Known Issues.

Workaround 1

To remediate the issue with a larger number of endpoints

IMPORTANT:

First, confirm that all use of the /forceinstall or -f switches has been disabled in the environment.
You might need to look at your configured Server Tasks, Automatic Responses, or even third-party deployment options.
This action is an important step, and prevents the issue from being reintroduced on endpoints in the future.

Execute a SQL query below against the ePO database. The query resets the sequence count of nodes with greater than zero sequence errors. The query allows all impacted nodes to communicate from this point onward.

Log on to SQL Server Management Studio.
Right-click the McAfee ePO database, and select New Query.
Copy the SQL script provided below and paste it into the SQL query window.
Click Execute.

NOTE: Replace the string: ePO_XXXXXXXX for the actual name of ePO core database.

UPDATE [ePO_XXXXXXXX].[dbo].[EPOLeafNodeMT]
SET LastCommSeqNum=0, SequenceErrorCount=0
WHERE SequenceErrorCount > 0

Workaround 2

To remediate the issue on a few endpoints

From the ePO console's System Tree, identify an impacted system and select the checkbox next to it.
Click Actions, Agent, Wake Up Agents.
Within the Wake Up configuration, select the checkbox next to the option titled Force complete policy and task update.

NOTE: It's not necessary for the client systems to actually receive the wakeup call, for the workaround to be effective. The action of sending the wakeup updates to the systems the SQL database allows the next communication to succeed. The action resyncs the sequence count shared between client and server.

IMPORTANT: Be careful to only apply the above workaround to a few systems at a time. Doing so avoids excessive traffic and long-running Server Tasks created by Wake Up Agent connections to selected endpoints.

Related Information

IMPORTANT:

The McAfee Agent /forceinstall switch must not be used unless indicated in a KB article to resolve an issue.
Using the /forceinstall switch as a regular process can cause issues with the McAfee Agent, which leads to duplicate entries in the ePolicy Orchestrator system tree. It might lead to systems getting an incorrect policy assignment.

The standard use case as mentioned in the McAfee Agent product guide is to use the /forceinstall switch only to either:

Change the installation directory
Or
Downgrade the McAfee Agent

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Agents fail to communicate to ePO after using the /forceinstall switch upgrading to MA 5.7

Environment

Problem

Solution

Workaround 1

Workaround 2

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Agents fail to communicate to ePO after using the /forceinstall switch upgrading to MA 5.7

Environment

Problem

Solution

Workaround 1

Workaround 2

Related Information

Affected Products

Languages:

Choose your region

Title

Title