NAC Agent WSUS Checking time too long

Attila Horvath · ‎06-24-2010

Hi,

Trying to implement the NAC Appliance 4.7.2 with NAC Agent (same version of course - 4.7.2.10).

One of our Reqirements is based local WSUS check, with Severity validation /Custom(All) settings.

Is it normal that all of our Windows XP client have to wait about 2 minutes for a successful WSUS Checking?

(Only checking, not for remediation).

The Windowsupdate.log shows the following:

2010-06-22 09:58:52:507 1112 888 Agent *************
2010-06-22 09:58:52:507 1112 888 Agent ** START ** Agent: Finding updates [CallerId = ]
2010-06-22 09:58:52:507 1112 888 Agent *********
2010-06-22 09:58:52:507 1112 888 Agent   * Online = Yes; Ignore download priority = No
2010-06-22 09:58:52:507 1112 888 Agent   * Criteria = "(IsInstalled=0 and Type='Software')"
2010-06-22 09:58:52:507 1112 888 Agent   * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2010-06-22 09:58:52:507 1112 888 Agent   * Search Scope = {Machine}
2010-06-22 09:58:54:679 1112 888 PT +++++++++++ PT: Synchronizing server updates   +++++++++++
2010-06-22 09:58:54:679 1112 888 PT   + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://xxxxxxx:8540/ClientWebService/client.asmx
2010-06-22 09:59:53:417 1112 888 PT +++++++++++ PT: Synchronizing extended update info +++++++++++
2010-06-22 09:59:53:417 1112 888 PT   + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://xxxxx:8540/ClientWebService/client.asmx
2010-06-22 09:59:57:324 1112 888 Agent   * Found 0 updates and 52 categories in search; evaluated appl. rules of 571 out of 1088 deployed entities
2010-06-22 09:59:57:339 1112 888 Agent *********
2010-06-22 09:59:57:339 1112 888 Agent ** END ** Agent: Finding updates [CallerId = ]
2010-06-22 09:59:57:339 1112 888 Agent *************
2010-06-22 10:00:02:340 1112 888 Report REPORT EVENT: {EAFC536E-8216-45D5-8511-823FA7F90445} 2010-06-22 09:59:57:339+0200 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 Success Software Synchronization Windows Update Client successfully detected 0 updates.
2010-06-22 10:00:02:340 1112 888 Report REPORT EVENT: {9F87ACB2-8A4A-42E1-A056-41F8A8848341} 2010-06-22 09:59:57:339+0200 1 156 101 {00000000-0000-0000-0000-000000000000} 0 0 Success Pre-Deployment Check Reporting client status.

We are trying to rebuild the %WinDIR%/SoftwareDitribution/DataStore database (delete, wuaucult/detectnow) according some reference founded in web,

but no success.

Any tip, or working example with lower checking time is wellcome.

Thanks in advance

Attila

Tiago Andrade de Paula · ‎05-12-2011

Hi Attila

,

How are you doing?

So, my experience about WSUS requeriments are the same.

I recommend you to the WSUS requeriment with cisco rules, cuz the Severy the Agent do not have any policies to go to check Until the WSUS, check files, and download the KBXXXXX.

* Severity - Until today I do not know how to check differential criticism.
I know the way using Cisco Agent Severity lacks clearly what to check or not. Cisco Agent then sends the Windows Update Agent to go to the WSUS server and compare what you have on your machine. If something has to be installed, is downloaded and installed automatically.

But you imagine if the customer has a WSUS server with 2000 + files (KBs). The Agent will have to read the whole basis of the WSUS server, compare with the machine and see if some file is missing or not.

It takes too long. A LOT. About 2 minutes even.

I advise you use the mode "Cisco Rules. Much more efficient and fast.
Requires better management than the way "severity" but you will have better performances in check.

Create a check, create a Rule (put one or more checks within the Rule), put the Rule in Requeriment. Test this.

Report if you test this or another way.

Tiago Andrade

tonyp8581 · ‎06-01-2011

Hi Tiago,

I don't know if you're using v 4.7.2 like Attila, but you should consider upgrading to v4.8.0.

Your checking time will be reduced to around 30 seconds using your WSUS.

Tony