Jump to content
doug.northcote@gmail.com

Cant get policy to apply [In progress]

Recommended Posts

Doing a build out of new machines and I cannot get the policy to apply to the new computers. Please see attached screenshots.

 

Installation was clean, license is good, I’ve made sure it’s in the right OU in Active Directory as well. Client updates fully to current. Management console is at 10.2.434.

 

I tried a reinstall of software onto the machine but still no response.

 

I’ve tried reinstalling from the console push 2 times. It is on the machine in question EQUIP563, but wont implement the policy and does not report back to the console that it has the management tools. I have built quite a few computers with exactly the same "Task for Specific Computers" over the years. No changes I know of in the task.

 

I’m pretty stumped here. Thoughts?

post-542835-1456272840_thumb.png

post-542835-1456272869_thumb.png

Share this post


Link to post
Doing a build out of new machines and I cannot get the policy to apply to the new computers. Please see attached screenshots.

 

Installation was clean, license is good, I’ve made sure it’s in the right OU in Active Directory as well. Client updates fully to current. Management console is at 10.2.434.

 

I tried a reinstall of software onto the machine but still no response.

 

I’ve tried reinstalling from the console push 2 times. It is on the machine in question EQUIP563, but wont implement the policy and does not report back to the console that it has the management tools. I have built quite a few computers with exactly the same "Task for Specific Computers" over the years. No changes I know of in the task.

 

I’m pretty stumped here. Thoughts?

 

Hello.

 

Please clarify what the first screenshot indicates. The left pane is of standalone KES, the right one is KES working under policy.

To troubleshoot policy applicability, please check the following:

 

1. Network Agent needs to be installed on KES hosts and successfully managed by your KSC server. To check, run klnagchk in command line.

2. The policy and KES need to be of the same version. Note that, for example, KES 10 SP1 and KES 10 SP1 MR2 need separate policies (and use separate management plug-ins).

 

Thank you.

Share this post


Link to post
Hello.

 

Please clarify what the first screenshot indicates. The left pane is of standalone KES, the right one is KES working under policy.

To troubleshoot policy applicability, please check the following:

 

1. Network Agent needs to be installed on KES hosts and successfully managed by your KSC server. To check, run klnagchk in command line.

2. The policy and KES need to be of the same version. Note that, for example, KES 10 SP1 and KES 10 SP1 MR2 need separate policies (and use separate management plug-ins).

 

Thank you.

 

 

Hi Kirill, in the two screenshots the left machine is the new one that is not working and wont go under policy. The right one is one that IS under the policy and working normally. I pushed the install to it from my KSC Server. I've not made any changes to the package and it works just fine for other machines in the past. For example in the 2nd screenshot where it shows the machines that are working and have the agent installed.

 

I've also found that the KLNAGCHK tool is not available on the new machine. I copied it over but its missing the .dll for it to run. Also none of the Kaspersky firewall rules on the new machine. This is a freshly built Dell desktop, windows 7, factory installed. I've tried doing the installation a 2nd time without domain firewall on and no change there either.

 

For question 1. please see the above, I cant get the Network Agent to install on the new machines. I've tried this on a second new machine as well.

Question 2. I've not implemented KES 10 SP1 MR2, only MR1. I frankly didn't know that MR2 was available.

 

Thanks for your help!

Edited by Winterborn

Share this post


Link to post

Hi,

 

Can you please provide us a GSI 6.0 report from the problem machine?

How many computers have this problem?

What happens if you install NAgent over the current installation? Is there any error message?

 

BR

Share this post


Link to post
Hi,

 

Can you please provide us a GSI 6.0 report from the problem machine?

How many computers have this problem?

What happens if you install NAgent over the current installation? Is there any error message?

 

BR

 

 

I've got GSI reports for both machines, I've built another of the new computers and both EQUIP563 and 564 will not accept policy. I tried to attach the logs but could not with the system logs attached as well. Tried with and without the system event logs for making the files but its about 5 meg either way. Is there some other way to upload it? Or a specific file out of the report that would help?

 

I did the NAgent install again to both 563 and 564, the 563 machine is not allowing connections to Kaspersky console even though its up, domain firewall is off etc, I can remote desktop to it from either my machine, a server or the management server as well. 564 did the NAgent installation and it shows Agent installed etc, all 3 Green check mark.

 

post-542835-1456449798_thumb.png

Edited by Winterborn

Share this post


Link to post

Hi,

 

I've also found that the KLNAGCHK tool is not available on the new machine. I copied it over but its missing the .dll for it to run.

The thing is that klnagchk is a standard utility and a part of network agent.

Since you failed to find it there should be some installation issues.

 

Could you please provide us with Nagent installation logs? - http://support.kaspersky.com/9320

 

Thank you!

Share this post


Link to post
Doing a build out of new machines and I cannot get the policy to apply to the new computers. Please see attached screenshots.

 

Installation was clean, license is good, I’ve made sure it’s in the right OU in Active Directory as well. Client updates fully to current. Management console is at 10.2.434.

 

I tried a reinstall of software onto the machine but still no response.

 

I’ve tried reinstalling from the console push 2 times. It is on the machine in question EQUIP563, but wont implement the policy and does not report back to the console that it has the management tools. I have built quite a few computers with exactly the same "Task for Specific Computers" over the years. No changes I know of in the task.

 

I’m pretty stumped here. Thoughts?

 

Hello,

what the exact versions of KSC, agents and KES do you use ?

What parches were installed on KSC, agents and KES ?

Thank you.

Share this post


Link to post
Hello,

what the exact versions of KSC, agents and KES do you use ?

What parches were installed on KSC, agents and KES ?

Thank you.

 

Kasp Sec Center Network Agent: 10.2.434.0

Kasp Endpoint Sec 10, Service pack 1, version: 10.2.2.10535 (installed updates: mr1)

 

No other patches that I know of other than the patching up to current database, for example right now is signature count: 7296486

Share this post


Link to post
Kasp Sec Center Network Agent: 10.2.434.0

Kasp Endpoint Sec 10, Service pack 1, version: 10.2.2.10535 (installed updates: mr1)

 

No other patches that I know of other than the patching up to current database, for example right now is signature count: 7296486

 

Please attach klnagcheck report from the problem host.

Thank you.

Share this post


Link to post
Please attach klnagcheck report from the problem host.

Thank you.

 

 

Please look up towards the top of the post Dmitry, the network agent wont install. I can't run KLNAGCHECK on the machine as it doesn't exist, just get the dll errors.

 

The 2nd machine "564" does have the agent installed and it wont work under policy EITHER. See attached picture

post-542835-1456950861_thumb.png

Share this post


Link to post
Please look up towards the top of the post Dmitry, the network agent wont install. I can't run KLNAGCHECK on the machine as it doesn't exist, just get the dll errors.

 

The 2nd machine "564" does have the agent installed and it wont work under policy EITHER. See attached picture

 

Hi,

 

What about a local installation, have you tried it?

 

Thank You!

Share this post


Link to post
Hi,

 

What about a local installation, have you tried it?

 

Thank You!

 

 

I'd love to do that, but I dont have the Network Agent package. Is there a way to download/extract an installation package from my in house Kasperky Security center to do so? And would I have to redo the settings for the installation of the Network Agent each time I installed it?

Edited by Winterborn

Share this post


Link to post
I'd love to do that, but I dont have the Network Agent package. Is there a way to download/extract an installation package from my in house Kasperky Security center to do so? And would I have to redo the settings for the installation of the Network Agent each time I installed it?

 

This can be done by executing Kaspersky Security Center distributive which will bring up the menu displayed on the attached screenshot.

 

Thank You!

post-207942-1456971845_thumb.jpg

Share this post


Link to post
This can be done by executing Kaspersky Security Center distributive which will bring up the menu displayed on the attached screenshot.

 

Thank You!

 

 

 

So got the network agent installed, thank you for the help on that, had to do that as an installation package from "remote Installation" worked fine. Awesome...

 

However, we are still back at square one. Yes the machine shows up in my managed console but it and the 2nd machine I built, 563 and 564, both will NOT take the system policy.

 

Picture attached as well. KLnagchk log attached....

 

well it was going to be attached until I got a "you are not permitted to upload this type of file."

 

563:

C:\Users\administrator>"C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagc

hk.exe"

Starting utility 'klnagchk'...

Checking command line options...OK

Initializing basic libraries...OK

Current computer is 'POWER\EQUIP563'

Network Agent version is '10.2.434 (a)'

 

 

Reading the settings...OK

Settings verification...OK

Network Agent settings:

Administration Server address: '172.16.16.17'

Use SSL connection: 1

Compress traffic: 1

Numbers of the Administration Server SSL ports: '13000'

Numbers of the Administration Server ports: '14000'

Use proxy server: 0

Administration Server certificate: available

Open UDP port: 1

Numbers of UDP ports: '15000'

 

Synchronization interval (min): 15

Connection timeout (sec): 30

Send/receive timeout (sec): 180

Host ID: b5105641-15b9-43db-ba02-d68d67fe39be

 

 

Attempt to connect to the Administration Server...OK

 

Attempt to connect to the Network Agent...OK

Network Agent is running

Receiving the Network Agent's statistical data...OK

Network Agent's statistical data:

Total number of synchronization requests: 2

The number of successful synchronization requests: 2

Total number of synchronizations: 1

The number of successful synchronizations: 1

Date/time of the last request for synchronization:3/8/2016 12:18:24 AM G

MT (3/7/2016 3:18:24 PM)

 

 

Deinitializing basic libraries...OK

 

 

564:

 

C:\Users\administrator>"C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagc

hk.exe"

Starting utility 'klnagchk'...

Checking command line options...OK

Initializing basic libraries...OK

Current computer is 'POWER\EQUIP564'

Network Agent version is '10.2.434 (a)'

 

 

Reading the settings...OK

Settings verification...OK

Network Agent settings:

Administration Server address: '172.16.16.17'

Use SSL connection: 1

Compress traffic: 1

Numbers of the Administration Server SSL ports: '13000'

Numbers of the Administration Server ports: '14000'

Use proxy server: 0

Administration Server certificate: available

Open UDP port: 1

Numbers of UDP ports: '15000'

 

Synchronization interval (min): 15

Connection timeout (sec): 30

Send/receive timeout (sec): 180

Host ID: fcc273cf-1ac3-4a3f-a9a8-64edb58cade4

 

 

Attempt to connect to the Administration Server...OK

 

Attempt to connect to the Network Agent...OK

Network Agent is running

Receiving the Network Agent's statistical data...OK

Network Agent's statistical data:

Total number of synchronization requests: 5

The number of successful synchronization requests: 5

Total number of synchronizations: 2

The number of successful synchronizations: 2

Date/time of the last request for synchronization:3/8/2016 1:12:58 AM GM

T (3/7/2016 4:12:58 PM)

 

 

Deinitializing basic libraries...OK

post-542835-1457400134_thumb.png

Edited by Winterborn

Share this post


Link to post

Hi,

 

You need to use KSC 10.2.434 patch D and also network agent should be 10.2.434 patch D on the managed host.

Please upgrade KSC and network agent and provide us result?

 

BR

Share this post


Link to post
Hi,

 

You need to use KSC 10.2.434 patch D and also network agent should be 10.2.434 patch D on the managed host.

Please upgrade KSC and network agent and provide us result?

 

BR

 

Upgraded the KSC server to 10.2.434 Patch D, network agent on the server shows good too. However. Both of the machines show as having Network agent 10.2.480.

 

See attached photo.

post-542835-1457469401_thumb.png

Share this post


Link to post
Hi,

 

Please use kavremover utility with "-nodetect" key or at OS safe mode to delete Network agent 10.2.480.

 

Thank you!

 

Both machines now on 10.2.434 (A; D). Both have been rebooted multiple times, and will talk to the console on the admin server... great. Still will not pickup or go under "policy" How can I push the Policy to them new computers?

 

C:\Users\administrator>"C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagc

hk.exe"

Starting utility 'klnagchk'...

Checking command line options...OK

Initializing basic libraries...OK

Current computer is 'POWER\EQUIP563'

Network Agent version is '10.2.434 (a; d)'

 

 

Reading the settings...OK

Settings verification...OK

Network Agent settings:

Administration Server address: '172.16.16.17'

Use SSL connection: 1

Compress traffic: 1

Numbers of the Administration Server SSL ports: '13000'

Numbers of the Administration Server ports: '14000'

Use proxy server: 0

Administration Server certificate: available

Open UDP port: 1

Numbers of UDP ports: '15000'

 

Synchronization interval (min): 15

Connection timeout (sec): 30

Send/receive timeout (sec): 180

Host ID: b5105641-15b9-43db-ba02-d68d67fe39be

 

 

Attempt to connect to the Administration Server...OK

 

Attempt to connect to the Network Agent...OK

Network Agent is running

Receiving the Network Agent's statistical data...OK

Network Agent's statistical data:

Total number of synchronization requests: 1

The number of successful synchronization requests: 1

Total number of synchronizations: 2

The number of successful synchronizations: 2

Date/time of the last request for synchronization:3/10/2016 1:35:35 AM G

MT (3/9/2016 4:35:35 PM)

 

 

Deinitializing basic libraries...OK

 

C:\Users\administrator>"C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagc

hk.exe"

Starting utility 'klnagchk'...

Checking command line options...OK

Initializing basic libraries...OK

Current computer is 'POWER\EQUIP564'

Network Agent version is '10.2.434 (a; d)'

 

 

Reading the settings...OK

Settings verification...OK

Network Agent settings:

Administration Server address: '172.16.16.17'

Use SSL connection: 1

Compress traffic: 1

Numbers of the Administration Server SSL ports: '13000'

Numbers of the Administration Server ports: '14000'

Use proxy server: 0

Administration Server certificate: available

Open UDP port: 1

Numbers of UDP ports: '15000'

 

Synchronization interval (min): 15

Connection timeout (sec): 30

Send/receive timeout (sec): 180

Host ID: 53f95b05-9333-4669-870b-57df95975341

 

 

Attempt to connect to the Administration Server...OK

 

Attempt to connect to the Network Agent...OK

Network Agent is running

Receiving the Network Agent's statistical data...OK

Network Agent's statistical data:

Total number of synchronization requests: 3

The number of successful synchronization requests: 3

Total number of synchronizations: 1

The number of successful synchronizations: 1

Date/time of the last request for synchronization:3/10/2016 1:44:22 AM G

MT (3/9/2016 4:44:22 PM)

 

 

Deinitializing basic libraries...OK

Share this post


Link to post
Both machines now on 10.2.434 (A; D). Both have been rebooted multiple times, and will talk to the console on the admin server... great. Still will not pickup or go under "policy" How can I push the Policy to them new computers?

 

C:\Users\administrator>"C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagc

hk.exe"

Starting utility 'klnagchk'...

Checking command line options...OK

Initializing basic libraries...OK

Current computer is 'POWER\EQUIP563'

Network Agent version is '10.2.434 (a; d)'

Reading the settings...OK

Settings verification...OK

Network Agent settings:

Administration Server address: '172.16.16.17'

Use SSL connection: 1

Compress traffic: 1

Numbers of the Administration Server SSL ports: '13000'

Numbers of the Administration Server ports: '14000'

Use proxy server: 0

Administration Server certificate: available

Open UDP port: 1

Numbers of UDP ports: '15000'

 

Synchronization interval (min): 15

Connection timeout (sec): 30

Send/receive timeout (sec): 180

Host ID: b5105641-15b9-43db-ba02-d68d67fe39be

Attempt to connect to the Administration Server...OK

 

Attempt to connect to the Network Agent...OK

Network Agent is running

Receiving the Network Agent's statistical data...OK

Network Agent's statistical data:

Total number of synchronization requests: 1

The number of successful synchronization requests: 1

Total number of synchronizations: 2

The number of successful synchronizations: 2

Date/time of the last request for synchronization:3/10/2016 1:35:35 AM G

MT (3/9/2016 4:35:35 PM)

Deinitializing basic libraries...OK

 

C:\Users\administrator>"C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagc

hk.exe"

Starting utility 'klnagchk'...

Checking command line options...OK

Initializing basic libraries...OK

Current computer is 'POWER\EQUIP564'

Network Agent version is '10.2.434 (a; d)'

Reading the settings...OK

Settings verification...OK

Network Agent settings:

Administration Server address: '172.16.16.17'

Use SSL connection: 1

Compress traffic: 1

Numbers of the Administration Server SSL ports: '13000'

Numbers of the Administration Server ports: '14000'

Use proxy server: 0

Administration Server certificate: available

Open UDP port: 1

Numbers of UDP ports: '15000'

 

Synchronization interval (min): 15

Connection timeout (sec): 30

Send/receive timeout (sec): 180

Host ID: 53f95b05-9333-4669-870b-57df95975341

Attempt to connect to the Administration Server...OK

 

Attempt to connect to the Network Agent...OK

Network Agent is running

Receiving the Network Agent's statistical data...OK

Network Agent's statistical data:

Total number of synchronization requests: 3

The number of successful synchronization requests: 3

Total number of synchronizations: 1

The number of successful synchronizations: 1

Date/time of the last request for synchronization:3/10/2016 1:44:22 AM G

MT (3/9/2016 4:44:22 PM)

Deinitializing basic libraries...OK

 

Hello,

which KES version did you create a policy and which group ? Please attach a screen shot.

Thank you.

Share this post


Link to post
Hello,

which KES version did you create a policy and which group ? Please attach a screen shot.

Thank you.

 

Not quite sure how to answer your question... I think this policy was imported from Kaspersky 6.0 some time back. Which is why it says Converted I think.

 

Please see the attached. Same policy that has been working for 67 other computers.

post-542835-1457661213_thumb.png

Share this post


Link to post
Not quite sure how to answer your question... I think this policy was imported from Kaspersky 6.0 some time back. Which is why it says Converted I think.

 

Please see the attached. Same policy that has been working for 67 other computers.

 

Hi,

 

What is the Fresh policy with no converted text in its name? Did you try to re-create from scratch the policy instead of converting it, does it help?

 

Thank You!

 

 

Share this post


Link to post
Hi,

 

What is the Fresh policy with no converted text in its name? Did you try to re-create from scratch the policy instead of converting it, does it help?

 

Thank You!

 

 

The policy no converted text in the name is one we use for a specific group of computers. Working on making a test policy for the 2 computers right now.

Share this post


Link to post

Hi,

 

Can you please clarify how many computers of 67 that are enforced are not working under this policy?

 

BR

Share this post


Link to post
Hi,

 

Can you please clarify how many computers of 67 that are enforced are not working under this policy?

 

BR

 

I've turned on/off the Test policy, and getting the same results. Wont affect/enforce policy on 563 or 564. I've made sure that they are in the same OU in Active Directory as many of the other computers (and the ones that these new machines will replace once the policy works) are in this same OU. Just not making any sense to me.

 

Picture is attached as well. The machines that are Pending are off/disconnected from the network right now. Please see attached picture.

 

Test policy picture attached as well.

post-542835-1458157522_thumb.png

post-542835-1458157763_thumb.png

Edited by Winterborn

Share this post


Link to post

×
×
  • Create New...

Important Information

We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.