7.2r1 Host Checker Issue

jspanitz_ · ‎03-30-2012

Upgraded MAG 4610s from 7.1r7 to 7.2r1. Since then we are having constant host checker problems. Clients are Windows 7 Sp1 64bit.

The only host check policies that fail seems to be the ones dealing with AV. These policies functioned correctly right up until we upgraded. We are using ESAP 2.1.2.

In the Admin UI, Active Users shows "Partially Compliant" and the logs on the appliances show "Host Checker policy 'All_Allowed_AV_Check' failed on host xxx.xxx.xxx.xxx . Reason: ''."

Have uninstaller host checker and removed %username%\AppData\Roaming\Juniper Networks\Host Checker folder. The reinstall did not solve the problem.

Opened a support case as well. Anyone else seeing the issue?

SVK_ · ‎04-01-2012

Is this behaviour noticed all the Client Windows xp/ vista/windows 7 (32/64bit)?

With which AV product/version are you facing this issue.

jspanitz_ · ‎04-02-2012

So far WIndows 7 64 bit clients running Trendmicro Officescan and Mac OS X 10.7 clients running Trendmicro as well.

Other host check policies work fine, only the AV policies are having issues. We built two new AV policies, one containing everything and another only trendmicro and both still fail.

zanyterp_ · ‎04-02-2012

Is it _all_ AV or specifically TrendMicro as it looks like above?

How are you logging in: browser, Pulse, or Network Connect?

jspanitz_ · ‎04-03-2012

We've tried a policy with just Trend and we've tried a policy with all AV both fail. We've tried logging in via web portal and via NC. We've tried this on WinXP, Win7 and OS X.

Support had us upgrade ESAP to a newer, unpublished release. That was this past Saturday. We still do not have a solution, so we've had to modify our host checks in order to allow people to connect.

AJA_ · ‎04-03-2012

Yes, if you have tried the latest ESAP and if you are still encountering the problem, I feel - the client versions / client engines may have been upgraded silent which we are not aware off?

If the host checker was able to detect these AV before the IVE OS upgrade, could you please check the AV logs and see if there was any automatic upgrade on the application? - If the engine has been upgraded on the AV automatically, then it could be a co-incidence that the IVE OS upgrade was also done at the same time and this is misleading us to believe that the upgrade broke the host check?

Please ask the JTAC to file a BUG at the earliest on this regard. Normally, the logs required by JTAC are:

1) debuglog.log file from the client computer.

2) Oesisdaginose tool needs to be executed from the host checker folder and you need to get the output to the JTAC.

3) Take a screenshot of the application which is failing.

(Important: Take the exact version detail and also the engine version if available)

zanyterp_ · ‎04-03-2012

Why did they ask you to upgrade to a newer release: was it for this issue or something else?

tbehrens_ · ‎04-04-2012

This must be related to Trend Micro, possibly even the specific version of Trend Micro you use, and ESAP's test for that.

I just tried checking for Kaspersky on 7.2r1 ESAP 2.1.2 and 2.1.3, and that works.

If you'd like to test your system against 2.1.3, send me a PM, and I'll give you the link to our lab device.

ghuber_ · ‎04-04-2012

I'm having the same issue... 7.2r1 / Win7 64 bit. Host checker does not seem to detect AV properly. Won't let users in... rolling back to 7.1 until fixed.

zanyterp_ · ‎04-04-2012

ghuber, are you seeing this with all AVs or just some?

for others with this: are you configuring "all AV" or "specified AV?"

7.2r1 Host Checker Issue

7.2r1 Host Checker Issue

Re: 7.2r1 Host Checker Issue

Re: 7.2r1 Host Checker Issue

Re: 7.2r1 Host Checker Issue

Re: 7.2r1 Host Checker Issue

Re: 7.2r1 Host Checker Issue

Re: 7.2r1 Host Checker Issue

Re: 7.2r1 Host Checker Issue

Re: 7.2r1 Host Checker Issue

Re: 7.2r1 Host Checker Issue