Systems with CSA do not boot

Answered Question
May 26th, 2010

After updating from 6.0.1 to 6.0.2, some systems with CSA can't boot.

If I manually delete the agent (in safe mode), everything is OK.

A few systems are bootable, but the agent process takes more than 90% of processor resources.

Logs on the CSA MC are clean.

Any ideas? Manually uninstalling the agent on a few hundred workstations is unreal...

Correct Answer
Scott Fringer Thu, 05/27/2010 - 05:33
User Badges: Cisco Employee

There has been a recent bug discovered with interaction of CSA and Windows 7 hosts where a file access control rule which implements digital signature checking can cause a system to "hang" after entering credentials.  The bug is CSCtg98849.  The following workaround is provided in the bug:


Edit the "Base - Digital Signing of Downloaded Executables" rule module and disable the file access control "Send downloaded executables for scanning if opened for read".

Save the change.

Generate rules and deploy to affected hosts.

There has also been an issue seen where agents that have not received the new 6.0.2 binaries, but have had 6.0.2 rules pushed encounter issues.  The workaround in this instance is to schedule an update for the agents.


It would be advantageous to open a service request with TAC to effectively diagnose the issue, and ensure this is the proper bug for the behavior.


Scott

What | How Bad | Who | Versions
Status: A-Assigned
Found: customer-use
Original-found: customer-use
Project: CSC.security
Product: csa
Component: client
Software: none
Obs-software: none
Hardware: none
Keyword: none
Priority: P3
Severity: severe (Sev2)
DE-priority: 2
Dev-escape: Y
BadCodeFlag: N
DE-manager: ibonias
DTPT-manager: vidhya
Engineer: bipswain
Submitter: scfringe
Assigner: pgiang
Version: 006.000(002.126)
Original-version: 006.000(002.126)
To-be-fixed: 006.000(002)

History
Histogram of CSCtg98849: Covering 2 days and counting, currently in A-Assigned state.
(N -> A [0]; A -> [2], 100.00%; 25-May-2010 to 27-May-2010)

cdreier   05/26/2010 09:52:05  Headline: CSA: Windows Login Hangs or Takes Excessive Time with CSA Enabled --> CSA: Windows 7 Login Hangs or Takes Excessive Time with CSA Enabled
cdetsbsi  05/25/2010 10:08:31  Trouble-Tickets: --> 614262487
pgiang    05/25/2010 06:35:29  Assigner: --> pgiang
pgiang    05/25/2010 06:35:29  Assigned Date: --> 05/25/2010 09:35:29
pgiang    05/25/2010 06:35:19  Engineer: --> bipswain
pgiang    05/25/2010 06:35:01  Status: N --> A
pgiang    05/25/2010 06:35:29  To-be-fixed: --> 006.000(002)
cdetsbsi  05/25/2010 06:29:31  Trouble-Tickets: --> 614327539
cdetsbsi  05/25/2010 06:29:31  Urgency-desc: NA --> P3
scfringe  05/25/2010 06:26:54  Note Title: --> Release-note
scfringe  05/25/2010 06:14:01  Summary: -->
scfringe  05/25/2010 06:13:20  RNE-Approval-Flg: N -->
scfringe  05/25/2010 06:13:20  Note Title: --> SS-Review
scfringe  05/25/2010 06:12:14  Defect Created: -->

akorotunov Thu, 05/27/2010 - 06:11

Symptoms are the same, but our problem is on Windows XP.

Rules were edited as recommended, waiting...

Scott


I have the same issue with CSA 6.0.2.126 on Windows Vista x86 Enterprise.

In the kernel log, I can see

.......................


csafilt: InitFilters: FwpmEngineOpen0 failed with 0xc0020035

csafilt: InitFilters: FwpmEngineOpen0 failed with 0xc0020036

csafilt: StateChangeCallback: Couldn't initialize filters (start pending)

.......................

And there is a big delay (about 50 minutes) between the first and second message.


I'm using CSA 6.0.2.126 for development, so it is not a managed client.

So, I can't apply your workaround.


Is there a workaround to avoid this issue on the client side?

And, is there any plan to fix this issue?


Thanks in advance.

Scott Fringer Fri, 11/19/2010 - 03:36
User Badges: Cisco Employee

This does not sound like the same issue.  It would be best to open a service request with TAC specific to the Cisco product for which the unmanaged CSAgent was provided (not for CSA itself).  This will ensure the team that was responsible for creating that unmanaged agent can troubleshoot directly.


Scott
