Problem

Systems running Deep Freeze and McAffe Endpoint Security or Virus Scan will fail to communicate with the ePolicy Orchestrator server resulting in systems not properly updating virus definitions.

To help mitigate against replay attacks against the ePO Server the McAfee Agent and ePO Server maintain a sequence number that incremented each time that a client checks in with the ePO Server. In the event that a client checks in with a lower than expected sequence number the ePO Serer will reject the communication with the client machine resulting in the errors described above.

On the server’s side an error log similar to the following will be shown in the agent_%computername%.log file;

2009-11-12 11:57:34        I       #1492        naInet        Reading acknowledgement from ePO Server
2009-11-12 11:57:34        I       #1492        naInet        Received response [] from ePO Server
2009-11-12 11:57:34        I       #1492        naihttp       Failed to get acknowledgement from Server
2009-11-12 11:57:34        E       #1492        imsite        Error trace:
2009-11-12 11:57:34        E       #1492        imsite        [uploadFile,,/spipe/pkg?AgentGuid={91EEA947-D3FB-4CC2-AEC7-05D15CDB5C6A}Source=Agent_3.0.0,pkg00129024970542750000_12124.spkg,C:\Documents and Settings\All Users\Administrator\McAfee\Common Framework\Unpack,C:\Documents and Settings\All Users\Administrator\McAfee\Common Framework\Unpack\pkg00129024970544780000_2913.spkg]->
2009-11-12 11:57:34        E       #1492        imsite         NaInet library returned code == -14

Solution
To prevent this from occurring the sequence checking feature of the ePO server will need to be disabled. This is done by editing the SERVER.INI file (located in C:\Program Files\McAfee\ePolicy Orchestrator\DB by default)  on the ePO Server to include the following entry;

ConnectionsRequireValidSequenceNumber=0

In some cases, administrators may need to take additional steps to address this issue on machines impacted by the issue by resetting the McAfee Agent GUID used to identify the systems affected. This can be done my removing the following registry keys from the system;

32-Bit:  [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\]
64-Bit:  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent\]

After removing these registry keys the McAfee Framework Service will need to be restarted, or the system will need to be rebooted.

Documentation on this issue can be found on the McAfee Website at the URL’s below;

Sequence number invalid (computers running McAfee Agent fail to connect to the ePolicy Orchestrator server)

https://kc.mcafee.com/corporate/index?page=content&id=KB60776

 

How to reset the McAfee Agent GUID if computers are not displayed in the ePolicy Orchestrator directory

https://kc.mcafee.com/corporate/index?page=content&id=KB56086