We recently upgraded to 7.2R9 and ESAP 2.3.7 on a SA6500. We have received a number of host check failure with no "Reason" information. What would cause this? Attached is a segment from the user access log.
Info AUT22925 2013-05-30 - 09:47:44 - XX.102.38.XXX- System - () - Host Checker policy 'Anti-Virus Check' failed on host XX.102.38.XXX . Reason: ''. -
Info AUT22925 2013-05-30 - 09:47:44 - XX.102.38.XXX- System - () - Host Checker policy 'OS Check' failed on host 67.102.38.XXX . Reason: ''. -
Info AUT22925 2013-05-29 - 12:33:45 - XX.150.2.XX- System - () - Host Checker policy 'Anti-Virus Check' failed on host XX.150.2.XX . Reason: 'PccNTMon.exe not found; avgfws9.exe not found; msseces.exe not found; McAfee VirusScan Enterprise 220.127.116.110 does not comply with policy. Compliance requires real time protection enabled.'. -
The "XX" was added by me. There were valid IPs there.
It is really hard to say without the client debug log data.
I have seen this before as well immediately following ESAP update. One thing I noticed when these failures occur is that if you review your rules, and you look at the listing of AV/FW products you check for, the lists are blank. Reverting and re-ugrading esap seems to have fixed the problem. We never found the root cause, but ever since then, I always check the product drop-down list as soon as the new ESAP plug in goes active.
I think I jinxed myself after the last post. Updated ESAP this morning then started getting a ton of Host Checker policy XXX failed on host... "Reason Internal error while evaluating rule XXXX"
What I had noticed is that issue was isolated to a single cluster member. The remaining 3 appliances seemed to have no problems after the update, and all the errors were coming from one box. I disabled him on the ltm and will see about rebooting him later. May open a ticket with Juniper to dee what happened, this is a new one by me.
Thanks for your reply. I have a ticket open with Juniper Support. When I get this resolved I will post the solution.
This cluster is running 7.1R10.
I have rebooted the box this morning and re-enabled it, still seeing the same problem. Looks like its time for a ticket.
We are using 7.2R9. Prior to that we were at 7.2R5.
This is an unrelated question, but how do I change my settings so my something other than my email appears in the posting? In other words show something like "vcb" instead of my email address.