NAC Agent WSUS Checking time too long

Unanswered Question
Jun 24th, 2010
User Badges:

Hi,

Trying to implement the  NAC Appliance 4.7.2 with  NAC Agent (same version of course - 4.7.2.10).

One  of our Reqirements is based local WSUS check, with Severity validation  /Custom(All) settings.

Is it normal that all of our Windows XP  client have to wait about 2 minutes for a successful WSUS Checking?

(Only  checking, not for remediation).


The Windowsupdate.log shows the following:


2010-06-22  09:58:52:507 1112 888 Agent *************
2010-06-22 09:58:52:507  1112 888 Agent ** START **  Agent: Finding updates [CallerId = ]
2010-06-22  09:58:52:507 1112 888 Agent *********
2010-06-22 09:58:52:507 1112  888 Agent   * Online = Yes; Ignore download priority = No
2010-06-22  09:58:52:507 1112 888 Agent   * Criteria = "(IsInstalled=0 and  Type='Software')"
2010-06-22 09:58:52:507 1112 888 Agent   *  ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2010-06-22  09:58:52:507 1112 888 Agent   * Search Scope = {Machine}
2010-06-22  09:58:54:679 1112 888 PT +++++++++++  PT: Synchronizing server updates   +++++++++++
2010-06-22 09:58:54:679 1112 888 PT   + ServiceId =  {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://xxxxxxx:8540/ClientWebService/client.asmx
2010-06-22  09:59:53:417 1112 888 PT +++++++++++  PT: Synchronizing extended update  info  +++++++++++
2010-06-22 09:59:53:417 1112 888 PT   + ServiceId =  {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://xxxxx:8540/ClientWebService/client.asmx
2010-06-22  09:59:57:324 1112 888 Agent   * Found 0 updates and 52 categories in  search; evaluated appl. rules of 571 out of 1088 deployed entities
2010-06-22  09:59:57:339 1112 888 Agent *********
2010-06-22 09:59:57:339 1112  888 Agent **  END  **  Agent: Finding updates [CallerId = ]
2010-06-22  09:59:57:339 1112 888 Agent *************
2010-06-22 10:00:02:340  1112 888 Report REPORT EVENT: {EAFC536E-8216-45D5-8511-823FA7F90445}  2010-06-22 09:59:57:339+0200 1 147 101  {00000000-0000-0000-0000-000000000000} 0 0  Success Software  Synchronization Windows Update Client successfully detected 0 updates.
2010-06-22  10:00:02:340 1112 888 Report REPORT EVENT:  {9F87ACB2-8A4A-42E1-A056-41F8A8848341} 2010-06-22 09:59:57:339+0200 1  156 101 {00000000-0000-0000-0000-000000000000} 0 0  Success  Pre-Deployment Check Reporting client status.


We are  trying to rebuild the %WinDIR%/SoftwareDitribution/DataStore database  (delete, wuaucult/detectnow) according some reference founded in web,

but  no success.


Any  tip, or working example with lower checking time is wellcome.


Thanks in  advance


Attila

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Tiago Andrade d... Thu, 05/12/2011 - 11:29
User Badges:

Hi Attila

,


How are you doing?



So, my experience about WSUS requeriments are the same.

I recommend you to the WSUS requeriment with cisco rules, cuz the Severy the Agent do not have any policies to go to check Until the WSUS, check files, and download the KBXXXXX.


* Severity - Until today I do not know how to check differential criticism.
I know the way using Cisco Agent Severity lacks clearly what to check or not. Cisco Agent then sends the Windows Update Agent to go to the WSUS server and compare what you have on your machine. If something has to be installed, is downloaded and installed automatically.

But you imagine if the customer has a WSUS server with 2000 + files (KBs). The Agent will have to read the whole basis of the WSUS server, compare with the machine and see if some file is missing or not.

It takes too long. A LOT. About 2 minutes even.

I advise you use the mode "Cisco Rules. Much more efficient and fast.
Requires better management than the way "severity" but you will have better performances in check.

Create a check, create a Rule (put one or more checks within the Rule), put the Rule in Requeriment. Test this.

Report if you test this or another way.

Tiago Andrade

tonyp8581 Wed, 06/01/2011 - 12:42
User Badges:
Hi Tiago,
I don't know if you're using v 4.7.2 like Attila, but you should consider upgrading to v4.8.0.
Your checking time will be reduced to around 30 seconds using your WSUS.
Tony

Actions

This Discussion