NAC CAM - Agent upgrade URLs

Similar Messages

• NAC CAM HA not working since upgrade to 4.8

  Hi,
  I have just upgraded my two NAC CAM servers to 4.8. They were previously running on 4.6. They are configured with eth0 on one LAN (fully routed), and eth1 and eth2 sitting on totally private LANs, each with a small /30 subnet to use. These are just a couple of small VLANs between two 4848 switches. It's basically configured as:
  Server -- Switch -- Portchannel group -- Switch -- Server. Other VLANs also traverse the link and are fine. Portchannel is up and happily passing traffic. The VLANs appear active too (they are simply layer 2 VLANs - no routing or anything. Literally point to point).
  I followed the upgrade instructions as per the release notes. However, since they have been unable to see eachother for HA. Pings between the HA interfaces produce no reply. I have found if I run tcpdump on one server, and fire a ping at it from the other, a ARP will arrive asking who has the IP, and it will reply, but it goes no further. Nothing has changed on the network side, so I'm a little flummoxed now.
  Consequentially, one box will load up happily, the second will always tell me:
  [root@xxxxxxxx bin]# ./fostate.sh
  My node is dead, peer node is unknown
  The 'working' node will show:
  [root@xxxxxxxx bin]# ./fostate.sh
  My node is active, peer node is dead
  Ifconfig shows the interfaces as up - they can ping themselves after all.
  Any help most gratefully received!

  Hi:
  I have an iPhone 3G (16GB) that I upgraded a couple weeks ago with the iOS 4.0 and although I haven't had any problems with those applications that I use regularly, I have not tried out the ones I don't use regularly. The problem I've been experiencing is that when I use the start button on the front to boot up, the slider to unlock won't move--I have to use the top edge button to boot up and slide/unlock. Even then, sometimes the application icons won't respond and I have to start all over again. Anyone else have this irritating deficiency?
  Medren

• SCOM 2012 R2 agent upgrade fails crippling agents

  Running into a large amount of SCOM agents that are failing the upgrade from 2012 SP1 to R2 and would appreciate any feedback from my SCOM community colleagues.  Warning this issue is not for the faint of heart. 
  Plan:
  I am in the process of upgrading 1900 manually installed SCOM 2012 SP1 agents to R2.  I am using SCCM to deliver the upgrade using the standard sanctioned upgrade parameters. 
  Momagent.msi /qn /l*v %SystemDrive%\SCOM2012AgentUpgrade.log AcceptEndUserLicenseAgreement=1
  Problem:
  I have run into a problem where on a larger group of systems, 165 servers, where the upgrade fails and leaves the agent in a crippled state.  At this point the agent cannot be removed cleanly via add remove, nor can a straight install of the agent
  be done.  What is required is a manual removal of registry keys and then a clean install of the agent can be performed to remediate.  This is no problem and I am able to do this.  (Note: all other methods of agent removal did not work ie:
  Cleanmom.exe utility or add remove)
  Task:
  Seeing that we need to do agent upgrades in the future it would be great to know why this happened so we can plan for this in the future.
  Notes:
  Seems like a random sample of servers (2003/2008) with different applications running on them so that doesn't help in narrowing things down. 
  Looking at the MSI log, I see a common issue among systems that had this problem.
  ******* Product: {387306D9-78CE-4E0E-B952-28A50CC8B3EE}
             ******* Action:
             ******* CommandLine: **********
  MSI (s) (7C:7C) [08:08:43:668]: User policy value 'SearchOrder' is 'nmu'
  MSI (s) (7C:7C) [08:08:43:668]: User policy value 'DisableMedia' is 0
  MSI (s) (7C:7C) [08:08:43:668]: Machine policy value 'AllowLockdownMedia' is 0
  MSI (s) (7C:7C) [08:08:43:668]: SOURCEMGMT: Media enabled only if package is safe.
  MSI (s) (7C:7C) [08:08:43:668]: SOURCEMGMT: Looking for sourcelist for product {387306D9-78CE-4E0E-B952-28A50CC8B3EE}
  MSI (s) (7C:7C) [08:08:43:668]: SOURCEMGMT: Adding {387306D9-78CE-4E0E-B952-28A50CC8B3EE}; to potential sourcelist list (pcode;disk;relpath).
  MSI (s) (7C:7C) [08:08:43:668]: SOURCEMGMT: Now checking product {387306D9-78CE-4E0E-B952-28A50CC8B3EE}
  MSI (s) (7C:7C) [08:08:43:668]: SOURCEMGMT: Media is enabled for product.
  MSI (s) (7C:7C) [08:08:43:668]: SOURCEMGMT: Attempting to use LastUsedSource from source list.
  MSI (s) (7C:7C) [08:08:43:668]: SOURCEMGMT: Trying source C:\WINDOWS\SysWOW64\CCM\Cache\LFG00446.1.System\i386\.
  MSI (s) (7C:7C) [08:08:43:668]: Note: 1: 2203 2: C:\WINDOWS\SysWOW64\CCM\Cache\LFG00446.1.System\i386\MOMAgent.msi 3: -2147287037
  MSI (s) (7C:7C) [08:08:43:668]: SOURCEMGMT: Source is invalid due to missing/inaccessible package.
  MSI (s) (7C:7C) [08:08:43:668]: Note: 1: 1706 2: -2147483647 3: MOMAgent.msi
  MSI (s) (7C:7C) [08:08:43:668]: SOURCEMGMT: Processing net source list.
  MSI (s) (7C:7C) [08:08:43:668]: Note: 1: 1706 2: -2147483647 3: MOMAgent.msi
  MSI (s) (7C:7C) [08:08:43:668]: SOURCEMGMT: Processing media source list.
  MSI (s) (7C:7C) [08:08:44:744]: Note: 1: 2203 2:  3: -2147287037
  MSI (s) (7C:7C) [08:08:44:744]: SOURCEMGMT: Source is invalid due to missing/inaccessible package.
  MSI (s) (7C:7C) [08:08:44:744]: Note: 1: 1706 2: -2147483647 3: MOMAgent.msi
  MSI (s) (7C:7C) [08:08:44:744]: SOURCEMGMT: Processing URL source list.
  MSI (s) (7C:7C) [08:08:44:744]: Note: 1: 1402 2: UNKNOWN\URL 3: 2
  MSI (s) (7C:7C) [08:08:44:744]: Note: 1: 1706 2: -2147483647 3: MOMAgent.msi
  MSI (s) (7C:7C) [08:08:44:744]: Note: 1: 1706 2:  3: MOMAgent.msi
  MSI (s) (7C:7C) [08:08:44:744]: SOURCEMGMT: Failed to resolve source
  MSI (s) (7C:8C) [08:08:44:744]: Note: 1: 1714 2: Microsoft Monitoring Agent 3: 1612
  CustomAction  returned actual error code 1612 (note this may not be 100% accurate if translation happened inside sandbox)
  MSI (s) (7C:8C) [08:08:44:744]: Product: Microsoft Monitoring Agent -- Error 1714.The older version of Microsoft Monitoring Agent cannot be removed. Contact your technical support group. System Error 1612.
  Error 1714.The older version of Microsoft Monitoring Agent cannot be removed. Contact your technical support group. System Error 1612.
  Action ended 8:08:44: RemoveExistingProducts. Return value 3.
  Action ended 8:08:44: INSTALL. Return value 3.
  Ok so the obvious is that the installer is looking for original source installation files and not able to find them. What is surprising to me however is that the product references a 32 bit scom agent guid
  387306D9-78CE-4E0E-B952-28A50CC8B3EE, however this is a 64 bit machine.  Our build process dictates that a 64 bit machine only receive a 64 bit SCOM agent. 
  Doing a search on this product guid I realized I skipped some other references at the top of the MSI log that might offer some more explanation...
  MSI (s) (7C:8C) [08:08:11:896]: PROPERTY CHANGE: Adding OM_OM12_SP1_AGENT_FOUND property. Its value is '{8B21425D-02F3-4B80-88CE-8F79B320D330}'.
  MSI (s) (7C:8C) [08:08:11:896]: PROPERTY CHANGE: Modifying OM_OM12_SP1_AGENT_FOUND property. Its current value is '{8B21425D-02F3-4B80-88CE-8F79B320D330}'. Its new value: '{8B21425D-02F3-4B80-88CE-8F79B320D330};{387306D9-78CE-4E0E-B952-28A50CC8B3EE}'.
  MSI (s) (7C:8C) [08:08:11:896]: Skipping action: _StopCoreServices.80B659D9_F758_4E7D_B4FA_E53FC737DCC9 (condition is false)
  MSI (s) (7C:8C) [08:08:11:896]: Skipping action: _KillOMProcesses.80B659D9_F758_4E7D_B4FA_E53FC737DCC9 (condition is false)
  MSI (s) (7C:8C) [08:08:11:896]: Doing action: _Set_OM_AGENT_FOUND
  Action ended 8:08:11: FindRelatedProducts. Return value 1.
  MSI (s) (7C:8C) [08:08:11:896]: PROPERTY CHANGE: Adding OM_AGENT_FOUND property. Its value is '{8B21425D-02F3-4B80-88CE-8F79B320D330};{387306D9-78CE-4E0E-B952-28A50CC8B3EE}'.
  Action start 8:08:11: _Set_OM_AGENT_FOUND.
  MSI (s) (7C:8C) [08:08:11:896]: Doing action: _Set_MOMV3_AGENT_FOUND
  Action ended 8:08:11: _Set_OM_AGENT_FOUND. Return value 1.
  MSI (s) (7C:8C) [08:08:11:896]: PROPERTY CHANGE: Adding MOMV3_AGENT_FOUND property. Its value is '{8B21425D-02F3-4B80-88CE-8F79B320D330};{387306D9-78CE-4E0E-B952-28A50CC8B3EE}'.
  Action start 8:08:11: _Set_MOMV3_AGENT_FOUND.
  Well that is interesting, seems to me that in the first line the MSI installer reads the OM_OM12_SP1_AGENT_FOUND property and identifies this with a  64 bit agent guid (8B21425D-02F3-4B80-88CE-8F79B320D330), but then appends
  the 32 bit guid at the end (387306D9-78CE-4E0E-B952-28A50CC8B3EE).  This is the point of my confusion and my suspicion as the cause of the problem I am having. 
  Concluding thoughts:
  Why does the installer seems to first recognizes a 64 bit agent, but then later changes it's property to include a 32 bit agent guid.  Could a 32 bit agent have got on this 64 bit server based on the details of this log?  Would this
  cause my agents to fail the upgrade?  I think so, but looking to bounce this over to another fellow SCOM colleague who may have wrestled with this before.
  Thanks in advance if you took the time to read this and think about it.  Extra points if you have any extra thoughts!
  Keith

  Hi,
  Have you used Requirement to limit the platform when you deploy application with SCCM.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• NAC web agent question

  Hi,
  I need to know when can i use the NAC web agent???  is it used for guests or visitors only????
  If i used NAC web agent for guests , can i perform posture assessment for the guest users ( i mean check windows update , AV/AS or certain services)?? or network scanning will be only applied to the guests who are using NAC web agent???? 
  i read the userguide of 4.7.1 of CAM and CAS but i have some conflicts regarding the above topic , so please i need your help.
  Mohamed

  Mohamed,
  You can use it for any kind of users (guest/regular) and can do posture assessment, but no remediation. Remediation requires the full agent. The other limitation is that the web agent is only valid on Windows machines and cannot run on Mac/Linux etc.
  HTH,
  Faisal

• NAC CAM/CAS Temporary Certificate expired

  Hello Guys,
  I have a high availability pairs of NAC(CAM/CAS), Last 3 months I generate temporary certificate and now it is expired.
  Do I need to generate again a new temporary certificate and delete the old one? Is there any certificate that can give me lifetime certificate?

  Hi,
  Yes, 4.8 has been out for a bit now. Download it here: http://bit.ly/dwaXlc
  Release notes, including the new features, the bug fixes and the upgrade instructions for 4.8 are here: http://bit.ly/9inkeW
  HTH,
  Faisal
  If you find this post helpful, please rate so others can find the answer easily

• Cisco NAC Web Agent + Windows 8

  Hello,
  I´m implementing a Cisco ISE 1.2 and I am having troubles with NAC Web Agent and Windows 8 compatibility.
  All time that I try install NAC Web Agent in Windows 8, I get the message "Agent User Operating System is Not Supported".
  Follow are some informations about my Environment:
  ISE 1.2 Patch 3
  OS: Windows 8 Enterprise
  IE: 10 (In Desktop Mode w and w/o Compatibility View)
  NAC Web Agent: 4.9.0.1007
  Could you help me ?
  Best Regards,
  Daniel Stefani

  Hi Charles,
  I can download all this files, but I can’t import it in ISE Resourses.
  NAC Agent MST files
  nacagentsetup-mst-4.9.3.9.zip
  NAC Agent MSI Installation file
  nacagentsetup-win-4.9.3.9.msi
  NAC Agent Installation Package
  nacagentsetup-win-4.9.3.9.tar.gz
  Mac Agent Installation Package for MacOSX
  CCAAgentMacOSX-4.9.3.803.tar.gz
  NAC Agent MST files
  nacagentsetup-mst-4.9.3.5.zip
  NAC Agent MSI Installation file
  nacagentsetup-win-4.9.3.5.msi
  NAC Agent Installation Package
  nacagentsetup-win-4.9.3.5.tar.gz
  In this link that you sent me doesn’t have options to Cisco NAC Web Agent.
  But in the follow yes…
  http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2&relind=AVAILABLE&rellifecycle=&reltype=latest
  Best Regards,
  Daniel Stefani

• NAC Cisco Agent cannot connect to LAN (Requirement Mandatory SCCM 2012 agent installed - ccmexec services)

  hi Support, 
  we have a problem, our NAC Cisco Agent cannot detect SCCM Agent Service (ccmexec).  here the snapshot:
  the configuration as following:
  here the NAC Cisco Agent Logs, download here:
  https://drive.google.com/file/d/0B9ShGyy3UzoeejlvZ2MwVVo2V1U/edit?usp=sharing 
  Whether the NAC 4.8 support integration with SCCM 2012?
  Thanks
  Endrik

  Wow, no responses?
  Was I too long winded?

• 2012 Upgrade to R2 - Client Protection Agent Upgrade - Reboot?

  MSFT states in their upgrade doc for DPM 2012 R2 "You must upgrade all of the protection agents. This might require a restart of the protected computer."
  What has been your experience reboot/no reboot as I know agent upgrades during past couple years (updates) haven't required a reboot?
  If have to do reboot not good as I have over 175+ production machines.
  Thanks,

  Hi,
  DPM 2012 R2 UR3 agent update does a require a reboot and it is documented several places in the UR3
  article.
  Note This UR3 agent update requires you to restart protected servers in order to create or change protection groups. VM backups may fail in Windows Server 2012 R2 until the server is restarted.
  Important information
  We recommend that you restart the protected computer after you apply the Update Rollup 3 Agent update.
  If Protected Computers are not restarted after you apply Update Rollup 3, the following things can occur:
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT] This
  posting is provided "AS IS" with no warranties, and confers no rights.
  It says recommend, not required. Like I said, at least 1 agent I updated using the DPM Console went straight to OK, no reboot required. The others went to reboot required, but after removing the registry flag, worked fine. I pointed the servers are the new
  DPM install (new datacenter) and was able to recreate all of the protection groups with no issues. We are only backing up Server 2012/Server 2012 R2 servers though (both hyperV and SQL clusters), so maybe the issues are for 2k8 servers.

• Use NAC Web Agent login with Ipad

  Hello Guys,
  I'm using NAC 4.8, and I'd like to login using NAC Web Agent on Ipad.
  When I'm trying to do that, I'm receiving a message on Ipad that I need to install Java Plug-In, but there is no JavaPlug-in available for Ipad.
  Does anyone know if there is any aditional configuration that I have to do on NAC Manager to be able to access the network using NAC Web Login on Ipad ?
  Best Regards

  Hi Luciano,
  Unfortunately, the NAC Web Agent and the persistant Agent are not supported for the iPad operating system. (It is called iOS). The following table documents this fact under footnote 3:
  http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/agntsprt.html#wp125630
  Only normal Web Login with Safari browser is enabled.
  Hope this helps.
  -Shrikant
  P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.

• Cisco NAC web agent failure

  Is there a list somewhere that shows what the status's mean?  I have a few users getting this error, while others are working fine -
  Failed to download  Cisco NAC Web Agent ( status = -2 ) !
  Thanks!

  For the web agent, there are three error states
  -1 means that it was unable to launch the control at all,
  -2 means it failed to download the agent executable,
  -3 means there was an error running the web agent
  Are you using the Java or ActiveX version of the web agent?  Definitely check the browser settings for both and make sure that it's either allowing or prompting the user for the applets.  If you're using the ActiveX version, you could try forcing the Java version, as most users seem to have more lenient browser settings by default for it.

• Management agent upgraded to 10.2.0.4 - getting error Failed to start LSNR

  Hi all,
  I have just upgraded the management agent upgradation to 10.2.0.4. I am getting this error error 'Failed to start HTTP listener.'
  I had killed the agent process at the o/s level and restarted it but again after a while it shuts down automatically.
  Also my emctl status agent still shows the agent version as 10.2.0.2 ??? Please let me know what to do in this scenario.
  Will appreciate your early response. ... Thanks & Regards, Deepak

  can you report the status of this command and screen output
  ./emctl status agent
  Ss

• Where I can find Camera RAW upgrade that supports Nikon D600 ?

  Where I can find Camera RAW upgrade that supports Nikon D600 ?

  mmeles wrote:
  I omitted to mention I have CS5 version of Photoshop. Using a new camera Nikon D600 produces "Nikon Electronic File" (.NEF) this is my RAW file I need to process.
  Uh huh...and you'll need to convert those NEF files to DNG files using the free DNG Converter in order to use them with Photoshop CS5. Either that or upgrade to Photoshop CS6. BTW, it's prolly not a great idea to post your personal information on a forum...you might want to edit that out.

• 3rd parties Cert import to NAC, CAM

  I generate the cert request from NAC CAM and give the file to the customer. Then customer give me back several file including "CAM.key, CAM.crt and CAM_DigiCertCA.crt".
  When I import to the NAC, it fail and got the message "Must include end entity certificate .."
  What is problem? Any step I missing?

  It looks like you have a chained cert and need to build a single certificate file from this. Review these docs and you should be good to go:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/461/cam/m_admin.html#wp1078189
  Which should tell you to look at:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/461/cam/m_admin.html#wp1040438
  Hope that helps.

• CPP - NAC agent upgrade issue - NAC to ISE migration

  Hi,
  I am currently working on a project to migraate NAC to ISE. Existing version of NACagent running on client macine is 4.8.2.1. CPP is pushing upgarde to required version 4.9.4.3. I can't locate upgrade matrix for this version. Could anyone guide me on this?

  You can directly download the nac agent 4.9.4.3 from the below download link
  http://software.cisco.com/download/release.html?mdfid=283801620&softwareid=283802505&release=1.2&flowid=26081

• Cisco NAC web agent Network Security Policy

  I have a computer with an installed McAfee Antivirus that us up to date. However, each time try to access one of my client's server via VPN, I successfully connect to VPN using Cisco Anyconnnect but whenever I try to download the web agent and the device security check is being run, I get the feedback "Host is not compliant with network security policy". It also tells me a Remediation description of "please update your antivirus". (see attached screenshot)
  Please note that I already have my McAfee antivirus updated and I have done everything to keep my computer in good shape in terms of security.
  What is the possible cause for this?

  That means the CAM hasn't received an SNMP trap for that MAC address.  Double-check that the WLC is set up to send traps to the CAM: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cam/m_woob.html#wp1290626
  You can see if the CAM's received a trap for a specific MAC by looking under OOB Management > Devices > Discovered Clients.