This article provides background information about how communication works between TA and ePolicy Orchestrator (ePO). It also provides some useful troubleshooting steps that you can take to diagnose communication failures. Agent-server communication is commonly abbreviated as ASCI.
High-level overview of an ASCI workflow:
This section outlines the workflow for a successful ASCI session, and provides log file examples from the masvc_<MA_Client_Name>.log on the endpoint and the server_<ePO_Server_Name>.log on the ePO server. In the examples given, the name of the client is MAClient and the name of the server is EPOServer.
TA begins an ASCI session by collecting properties from all products installed on the endpoint. In this example, TA is the only product installed on the endpoint.
The log masvc_MAClient.log on the endpoint shows the following:
masvc(1228.1240) property.Info: Collecting Properties
masvc(1228.1240) publisher.Info: message <ma.property.collect> will be sent after <0> seconds.
masvc(1228.1240) property.Info: Property collection session initiated for PropsVersion with session id 5696.
masvc(1228.1240) property.Info: Properties received from EPOAGENT3000 provider
masvc(1228.1240) property.Info: Properties received from SYSPROPS1000 provider
masvc(1228.1240) property.Info: Finished Collecting Properties
Next, TA generates a Property Version (PropsVersion) consumed by ePO to determine if the client needs to send up a full property package, or if the incremental package sent by TA is acceptable.
The log masvc_MAClient.log on the endpoint shows the following:
masvc(1228.1240) property.Info: Agent started performing ASCI
masvc(1228.1240) ahclient.Info: Scheduling spipe connection with "immediate" priority.
masvc(1228.1240) ahclient.Info: Start processing spipe connection request.
masvc(1228.1240) property.Info: Agent is sending PROPS VERSION package to McAfee ePO server
masvc(1228.1240) DataChannel.Manager.Info: DataChannel Service ignoring decoration of SPIPE package for: { PropsVersion }
TA interrogates the MA.DB file, which contains the list of available Agent Handlers (AHs), and tries to connect to the AH with the highest priority.
The log masvc_MAClient.log on the endpoint shows the following:
masvc(1228.1240) ahclient.Info: Agent communication session started
masvc(1228.1240) ahclient.Info: Agent is connecting to ePO Server
masvc(1228.1240) ahclient.Info: Initiating spipe connection to site https://192.168.1.1:443/spipe/pkg?AgentGuid={ab7e05ec-51ea-11e7-3e72-005056011dfb}&Source=Agent_3.0.0&TenantId=E46AF86C-AA4A-4243-B4D5-5BA313376CC4.
masvc(1228.1240) crypto.Info: Negotiated Cipher : EDH-RSA-AES256-SHA256
masvc(1228.1240) ahclient.Info: connection initiated to site https://192.168.1.1:443/spipe/pkg?AgentGuid={ab7e05ec-51ea-11e7-3e72-005056011dfb}&Source=Agent_3.0.0&TenantId=E46AF86C-AA4A-4243-B4D5-5BA313376CC4.
masvc(1228.1240) ahclient.Info: Network library rc = <1008>, Agent Handler reports response code <202>.
masvc(1228.1240) ahclient.Info: Agent Handler doesn't have anything to send. Response code 202.
masvc(1228.1240) ahclient.Info: Spipe connection response received, network return code = 1008, response code 202.
masvc(1228.1240) property.Info: Package uploaded to ePO Server successfully
masvc(1228.1240) xml_generator.Info: ma_property_xml_generator_save_props_to_datastore
masvc(1228.1240) property.Info: Published property collect and send status message
masvc(1228.1240) ahclient.Info: Agent communication session closed
The AH receives the props version and, if it's accepted, sends the client an HTTP 202 (accepted) response. Alternatively, the handler might request that the client send up a full property package.
For example, if the computer is deleted from the System Tree in ePO, ePO would have no properties for it, and the handler would request that TA send up a full property package.
Example:
Server_EPOServer.log file on the AH shows the server accepting the incremental props:
I #04412 NAIMSERV Received [PropsVersion] from MACLIENT:{AB7E05EC-51EA-11E7-3E72-005056011DFB}
I #04412 NAIMSERV Using attached Props.xml props from node MACLIENT
I #04412 NAIMSERV Processing agent props for MACLIENT(AB7E05EC-51EA-11E7-3E72-005056011DFB)
I #04412 EPODAL System attribute change - Old value: 20180517180553 to New value: 20180517181443
I #04412 NAIMSERV Sending props response for agent MACLIENT, agent has up-to-date policy
I #04412 NAIMSERV Processed [PropsVersion] from MACLIENT:{AB7E05EC-51EA-11E7-3E72-005056011DFB} in 31ms
I #04412 MOD_EPO epo request processed, rc=202, session ID=9, session time=31m
TA then generates a Policy Manifest Request and sends it to the AH. The policy manifest is used by the AH to determine if the agent has up-to-date policies, or if it needs a new policy package for one or more products.
The log masvc_MAClient.log on the endpoint shows the following:
masvc(1228.1240) io.service.Info: Next collect and send properties in 51 minutes and 10 seconds.
masvc(1228.1240) ahclient.Info: Scheduling spipe connection with "immediate" priority.
masvc(1228.1240) ahclient.Info: Start processing spipe connection request.
masvc(1228.1240) DataChannel.Manager.Info: DataChannel Service ignoring decoration of SPIPE package for : { PolicyManifestRequest }
masvc(1228.1240) ahclient.Info: Agent communication session started
masvc(1228.1240) ahclient.Info: Agent is connecting to ePO Server
masvc(1228.1240) ahclient.Info: Initiating spipe connection to site https://192.168.1.1:443/spipe/pkg?AgentGuid={ab7e05ec-51ea-11e7-3e72-005056011dfb}&Source=Agent_3.0.0&TenantId=E46AF86C-AA4A-4243-B4D5-5BA313376CC4.
TA sends up any events that might be waiting to be forwarded to ePO. In this example, the endpoint log shows that no events are waiting to be forwarded.
The log masvc_MAClient.log on the endpoint shows the following:
masvc(1228.1240) event.Info: Agent is looking for events to upload
masvc(1228.1240) event.Info: Agent did not find any events to upload
The AH reviews the Policy Manifest Request and provides its response to TA.
The log Server_EPOServer.log on the handler shows the following:
I #04412 NAIMSERV Received [PolicyManifestRequest] from MACLIENT:{AB7E05EC-51EA-11E7-3E72-005056011DFB}
I #04412 NAIMSERV Processed [PolicyManifestRequest] from MACLIENT:{AB7E05EC-51EA-11E7-3E72-005056011DFB} in 31ms
I #04412 NAIMSERV Signing agent response package with key Z0IONRUNRak+x0h273mXbWi4OFxCjysQyUhdunCsBbM=
I #04412 MOD_EPO epo request processed, rc=0, session ID=10, session time=47ms
TA receives the response to the Policy Manifest Request in the form of a new policy package. Then, it ends the ASCI session.
The log masvc_MAClient.log on the endpoint shows the following:
masvc(1228.1240) ahclient.Info: connection initiated to site https://192.168.1.1:443/spipe/pkg?AgentGuid={ab7e05ec-51ea-11e7-3e72-005056011dfb}&Source=Agent_3.0.0&TenantId=E46AF86C-AA4A-4243-B4D5-5BA313376CC4.
masvc(1228.1240) ahclient.Info: Network library rc = <1008>, Agent Handler reports response code <200>.
masvc(1228.1240) ahclient.Info: Agent Handler reports spipe package received. Response code 200.
masvc(1228.1240) ahclient.Info: Spipe connection response received, network return code = 1008, response code 200.
masvc(1228.1240) policy.Info: Agent received POLICY package from ePO Server
masvc(1228.1240) ahclient.Info: Agent communication session closed
Identifying ASCI failures in the masvc_<computer_name>.log file:
If an ASCI session is failing, the first step to resolve the issue is to identify the error condition in the log file on the client. The log that needs to be examined on the client is masvc_<computer_name>.log. The default location of this log is C:\ProgramData\McAfee\Agent\Logs.
Use the following approach to isolate the error:
- Open the masvc_<computer_name>.log on the client failing the ASCI.
- Navigate to the bottom of the log file.
- Search for Agent is connecting to ePO Server.
- Scroll down from this point and look for a log entry that shows TA trying to connect to a handler. TA writes a few lines like the ones shown in the examples above.
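The same procedure as a script, as an added Python example that is not part of the original article: it finds the last "Agent is connecting to ePO Server" entry in a masvc log and pulls out the handler, cipher, and return codes that follow. The function names and the sample log are constructed for illustration, and treating only 200 and 202 as healthy is an assumption based on the successful sessions shown above.

```python
import re

# Marker strings and line formats copied from the log excerpts on this page.
START = "Agent is connecting to ePO Server"
END = "Agent communication session closed"
SITE_RE = re.compile(r"Initiating spipe connection to site (https?://[^/\s]+)")
CIPHER_RE = re.compile(r"Negotiated Cipher : (\S+)")
RC_RE = re.compile(r"Network library rc = <(\d+)>, Agent Handler reports response code <(\d+)>")
# Assumption: only the response codes seen in the page's successful sessions are OK.
OK_CODES = {200, 202}

# Constructed sample: one completed session, then one that stops after the connect.
SAMPLE = """\
masvc(1228.1240) ahclient.Info: Agent is connecting to ePO Server
masvc(1228.1240) ahclient.Info: Initiating spipe connection to site https://192.168.1.1:443/spipe/pkg
masvc(1228.1240) crypto.Info: Negotiated Cipher : EDH-RSA-AES256-SHA256
masvc(1228.1240) ahclient.Info: Network library rc = <1008>, Agent Handler reports response code <202>.
masvc(1228.1240) ahclient.Info: Agent communication session closed
masvc(1228.1240) ahclient.Info: Agent is connecting to ePO Server
masvc(1228.1240) ahclient.Info: Initiating spipe connection to site https://192.168.1.1:443/spipe/pkg
"""

def last_asci_session(log_text):
    """Return the lines of the last connection attempt in a masvc log."""
    lines = log_text.splitlines()
    starts = [i for i, line in enumerate(lines) if START in line]
    if not starts:
        return []
    tail = lines[starts[-1]:]
    ends = [i for i, line in enumerate(tail) if END in line]
    return tail[:ends[0] + 1] if ends else tail

def summarize(session):
    """Extract handler, cipher and return codes from one session's lines."""
    out = {"site": None, "cipher": None, "network_rc": None,
           "response_code": None, "closed": False}
    for line in session:
        if (m := SITE_RE.search(line)):
            out["site"] = m.group(1)
        elif (m := CIPHER_RE.search(line)):
            out["cipher"] = m.group(1)
        elif (m := RC_RE.search(line)):
            out["network_rc"], out["response_code"] = int(m.group(1)), int(m.group(2))
        elif END in line:
            out["closed"] = True
    # Flag sessions with no response, an unexpected code, or no clean close.
    out["needs_review"] = out["response_code"] not in OK_CODES or not out["closed"]
    return out

if __name__ == "__main__":
    print(summarize(last_asci_session(SAMPLE)))
```

A session flagged with needs_review is the one to read line by line against the problem sections that follow.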
The sections below cover some examples of common issues and errors that you might encounter. After you identify the error, use the Solution sections to guide you through troubleshooting the error.
Each problem section below highlights a specific error condition under which an ASCI session might fail, and gives some common causes and solutions.
It's useful to note that TA uses the libcurl library to establish its connection to the AH, so many ASCI sessions fail with a curl error code. See the complete list of CURL error codes.