Hello Brian,

We finally have the LOG because you have a MAX Password length and it did truncate all our password each time that keypass generated...

----------

tieserver.log modified names:

JsonEpoPolicySection[TIE,[JsonEpoPolicySettingValue[EnabledFileTypes,2097152,8,1,143360,2,524288,301989888,167772160,512,16384,16,134250496,134217728,1048576,12288,16777232,0,8388608,8192,144,128,34,272,18,33587200]]], JsonEpoPolicySection[Telemetry,[JsonEpoPolicySettingValue[SendGTITelemetryData,0]]]]]]], JsonEpoPolicyObject[TieServers,My Default,TieServers,TIEMGMT_META,[JsonEpoPolicySetting[My Default,0,,[JsonEpoPolicySection[TieServers,[JsonEpoPolicySettingValue[{a2b1c136-53c6-11ed-017f-0050568a0d4c},{a2b1c136-53c6-11ed-017f-0050568a0d4c};TREtie01.TRE.ch;192.168.5.152;MASTER;TREtie01.TRE.ch;true;A7172480-5CC7-4BEA-9B92-0FEDB65A66A5], JsonEpoPolicySettingValue[{eaf67460-bd1f-11ed-16ac-0050568cf9c1},{eaf67460-bd1f-11ed-16ac-0050568cf9c1};tieserver;192.168.5.16;SLAVE;TREtie01.TRE.ch;true;A7172480-5CC7-4BEA-9B92-0FEDB65A66A5]]]]]]]]]
INFO {2023-03-07 20:01:45,483} [Thread-3] (PolicyListenerService.java:178) - Operating mode from ePO: -1
INFO {2023-03-07 20:01:45,483} [Thread-3] (PolicyListenerService.java:179) - TIE operating mode: UNASSIGNED
INFO {2023-03-07 20:01:45,483} [Thread-3] (PolicyListenerService.java:183) - Need to change the operation mode
INFO {2023-03-07 20:01:45,483} [Thread-3] (ReconfigCommandCreator.java:63) - Creating the reconfig tie command
INFO {2023-03-07 20:01:45,483} [Thread-3] (ReconfigCommandCreator.java:92) - Building command with: TREtie01.TRE.ch|192.168.5.152|0|true,tieserver|192.168.5.16|2|true
INFO {2023-03-07 20:01:45,483} [Thread-3] (ReconfigCommandCreator.java:103) - Done with building the command as [sudo, reconfig-tie-unattended, -t, TREtie01.TRE.ch|192.168.5.152|0|true,tieserver|192.168.5.16|2|true]
INFO {2023-03-07 20:01:45,483} [Thread-3] (PolicyListenerService.java:186) - Got reconfig command as : [sudo, reconfig-tie-unattended, -t, TREtie01.TRE.ch|192.168.5.152|0|true,tieserver|192.168.5.16|2|true]
INFO {2023-03-07 20:01:45,519} [Thread-3] (PolicyListenerService.java:190) - Command response is : false
INFO {2023-03-07 20:01:45,519} [Thread-3] (PolicyListenerService.java:202) - Command not successfull. Trying again with retry : 1
INFO {2023-03-07 20:01:45,554} [Thread-3] (PolicyListenerService.java:190) - Command response is : false
INFO {2023-03-07 20:01:45,554} [Thread-3] (PolicyListenerService.java:202) - Command not successfull. Trying again with retry : 2
INFO {2023-03-07 20:01:45,591} [Thread-3] (PolicyListenerService.java:190) - Command response is : false
INFO {2023-03-07 20:01:45,591} [Thread-3] (PolicyListenerService.java:202) - Command not successfull. Trying again with retry : 3
INFO {2023-03-07 20:01:45,625} [Thread-3] (PolicyListenerService.java:190) - Command response is : false
INFO {2023-03-07 20:01:45,626} [Thread-3] (PolicyListenerService.java:202) - Command not successfull. Trying again with retry : 4
INFO {2023-03-07 20:01:45,659} [Thread-3] (PolicyListenerService.java:190) - Command response is : false
INFO {2023-03-07 20:01:45,659} [Thread-3] (PolicyListenerService.java:202) - Command not successfull. Trying again with retry : 5

Hello SWISS, 

Unfortunately the previous log request was for the previously described issue of 
"DXL not connected" and "Not connected to any broker" errors you shared in your screenshots. 

The current log status would have me believe you are no longer encountering that error but rather an error getting the role change to complete successfully. More detailed messages on the role change itself can often be found in the /tmp/reconfig-tie.log

Were you able to successfully replicate to a new 4.x secondary?

Was that server then promoted to a 4.x primary and the previous primary stopped?

Is the secondary you are currently attempting to add correctly targeting the 4.x primary as its source::
The logs would indicate the current policy has TREtie01 set as primary. However I also see it trying to reconfigure to a primary simply named "tieserver" however that does not exist in the policy. 

It almost seems like the current policy on the device is not representative of the current configuration you have outlined in the UI. 

Thanks

Brian

When 3.x is there and you install the 4.x the new one comes at some point in EPO. All TAGS are applied how they should auto by the setup of the 4.x. I then have to move the account of the new TIE 4.X to upper OU where the OTHER TIE is so he gets the policy.

* EPO 5.10 LATEST U Trellix

* in EPO i see the old 3.x TIE and UNDER in as child the new one 4.X

* I see all DXL connected we have

Sorry here we go:

Truncated part. to remove sens. info:

--------------------------------

[2023-03-07 19:41:45.766] Creating rep user to enable secondaries to replicate primary database...
CREATE ROLE
[2023-03-07 19:41:45.774] Revoke unneeded privileges to rep ...
REVOKE
REVOKE
[2023-03-07 19:41:45.791] Stopping PostgreSQL service after installation is complete...
[2023-03-07 19:41:45.828] Adding Security libraries to jre/lib/ext
'/opt/Trellix/tieserver/securityLibs/bc-fips-1.0.2.3.jar' -> '/opt/Trellix/tieserver/zulu8.65.0.14/lib/ext/bc-fips-1.0.2.3.jar'
'/opt/Trellix/tieserver/securityLibs/bcpkix-fips-1.0.5.jar' -> '/opt/Trellix/tieserver/zulu8.65.0.14/lib/ext/bcpkix-fips-1.0.5.jar'
'/opt/Trellix/tieserver/securityLibs/bctls-fips-1.0.12.3.jar' -> '/opt/Trellix/tieserver/zulu8.65.0.14/lib/ext/bctls-fips-1.0.12.3.jar'
'/opt/Trellix/tieserver/securityLibs/certj.jar' -> '/opt/Trellix/tieserver/zulu8.65.0.14/lib/ext/certj.jar'
'/opt/Trellix/tieserver/securityLibs/cryptojce-6.2.5.jar' -> '/opt/Trellix/tieserver/zulu8.65.0.14/lib/ext/cryptojce-6.2.5.jar'
'/opt/Trellix/tieserver/securityLibs/cryptojcommon-6.2.5.jar' -> '/opt/Trellix/tieserver/zulu8.65.0.14/lib/ext/cryptojcommon-6.2.5.jar'
'/opt/Trellix/tieserver/securityLibs/jcmFIPS-6.2.5.jar' -> '/opt/Trellix/tieserver/zulu8.65.0.14/lib/ext/jcmFIPS-6.2.5.jar'
'/opt/Trellix/tieserver/securityLibs/sslj.jar' -> '/opt/Trellix/tieserver/zulu8.65.0.14/lib/ext/sslj.jar'
[2023-03-07 19:41:45.832] Adding Bouncy Castle Security Provider configuration in Java.security file
[2023-03-07 19:41:45.838] Setting urandom as source of seed data
[2023-03-07 19:41:45.842] Creating keystore password
[2023-03-07 19:41:45.844] Updating tie.properties with keystore password
[2023-03-07 19:41:52.072] Enabling port binding rules
[2023-03-07 19:42:02.156] TIE Server Successfully Installed
[2023-03-07 19:42:02.168] Cleaning /opt/Trellix/tieserver/conf/tie.properties
[2023-03-07 19:42:02.172] Removing tie_master_info.conf and pg_readonly.conf
[2023-03-07 19:42:02.175] Removing symlink to old reconfig-tie script
[2023-03-07 19:42:13.014] Finalizing Trellix Agent startup
[2023-03-07 19:42:44.851] Trellix Agent is up and running
[2023-03-07 19:42:44.853] Starting the service dxlbroker
[2023-03-07 19:42:44.858] Waiting for the file /var/McAfee/dxlbroker/marker/BROKER_NOT_FOUND
[2023-03-07 19:43:14.862] The file /var/McAfee/dxlbroker/marker/BROKER_NOT_FOUND has been found
[2023-03-07 19:43:14.864] Collecting properties with Trellix Agent
[2023-03-07 19:44:20.052] Waiting for the file /var/McAfee/dxlbroker/marker/BROKER_FOUND
[2023-03-07 19:44:20.056] Collecting properties with Trellix Agent
[2023-03-07 19:44:25.210] Collecting properties with Trellix Agent
[2023-03-07 19:44:45.470] Collecting properties with Trellix Agent
[2023-03-07 19:44:50.625] The file /var/McAfee/dxlbroker/marker/BROKER_FOUND has been found
[2023-03-07 19:45:05.724] Waiting for TIE Server handshake and for the policies from ePO
[2023-03-07 19:45:05.726] Waiting for the file /var/Trellix/tieserver/keystore/tie_server.crt
[2023-03-07 19:45:55.741] Forcing Policy Listener service restart
[2023-03-07 19:46:45.786] Forcing Policy Listener service restart
[2023-03-07 19:47:35.821] Forcing Policy Listener service restart
[2023-03-07 19:47:45.897] Waiting for the file /var/Trellix/tieserver/keystore/tie_server.crt
[2023-03-07 19:47:58.541] #################################################################################
[2023-03-07 19:47:58.543] Running the reconfig script at Tue Mar 7 19:47:58 UTC 2023...
[2023-03-07 19:47:58.544] Inside main() fn
[2023-03-07 19:47:58.545] Checking for firstboot completion...
[2023-03-07 19:47:58.546] Firstboot has not been completed yet.
[2023-03-07 19:47:58.547] Firstboot process not completed yet. TIE Server can be reconfigured once firstboot completes.
[2023-03-07 19:47:58.575] #################################################################################
[2023-03-07 19:47:58.577] Running the reconfig script at Tue Mar 7 19:47:58 UTC 2023...
[2023-03-07 19:47:58.578] Inside main() fn
[2023-03-07 19:47:58.579] Checking for firstboot completion...
[2023-03-07 19:47:58.580] Firstboot has not been completed yet.
[2023-03-07 19:47:58.581] Firstboot process not completed yet. TIE Server can be reconfigured once firstboot completes.
[2023-03-07 19:47:58.609] #################################################################################

Hello SWISS, 

Those messages would indicate the firstboot process never completed? Did you have to recover from a failed firstboot on this server in the past? For instance for an exit of the wizard through some manual intervention?

I am afraid I have not seen this reported yet and will try to reproduce. 

Thanks

Brian

1) OV Template Imported all configured

2) Machine > Snapshot VMWARE made

3) All further test also now AFTER the 1st try weeks ago where done with GOIN back to the snapshot so start-up was if the machine was never connected. Also before these TRIES today the FULL enviroment was set back to snapshots last fail (EPO, ALL DXL, TIE etc. > Machines OFF/DOWN/Halt)

NOW. Except there is something going on with SAME "MAC-adddress" and "IP-address" in the CERT process which is special that could have an affect? 

I still have the same error as when we first tried first time setup all new the TIE 4.x machine..

* Start machine VM from OV first time

* Manual, IP, NTP, Enter EPO info and ports, Enter DXL Port,

* Accept the key from EPO

* Move the machine in EPO to the other TIE server

* And we never got PAST this error any time:

@bbarnes 

Hello Brian,

Thank you very much Brian for the help you spent today and the longer session in helping us solve this problem and taking it serious.

It's one of the times, where we as long term Mcafee/Trellix Partner, had someone who could really help us at a technical level we needed.

You helped us also understand the unique DXL network and how it works together better. Also the statement the the DXL Brokers work together, no matter which Version level the Broker runs, is an important information.

Merci for all the work and time.

Regards

A happy Trellix Partner

Just wanted to check... Did you need to upgrade TIE or DXL appliances first?

I need to go through this process to upgrade our TIE & DXL appliances (4 of each, all deployed via OVA) and kinda hesistant haha...

From what i understand... I should do TIE first? And follow this process:

1.  check in new extension
2. remove 1 of our secondary TIE servers
3. build new from OVA with same IP
4. join as secondary to replace removed one
5. wait for sync & promote to primary
6. repeat 2-4 for remaining TIE servers

Cheers!

Hello Jason, 

So long as you are on a current version of DXL, preferably 6.x, you can handle the TIE upgrade prior to the DXL upgrade. Your process is correct. The goal is to get to a 4.x primary as quickly as possible. Then look to add additional 4.x secondary servers as replicas of that newly built primary. 

Thanks

Brian