Celerra CAVA errors

The first error messages make me think there's a problem with the anti-virus product on each server.  The CAVA client on each server seems to be able to communicate with the the CAVA service on the NAS - hence the ntStatus: SUCCESS.  However, the AV product seems to be unavailble to the CAVA client, hence the OFFLINE message.  At the same time, the CAVA service suddenly starts responding, hence the Server is ONLINE message.  The Low/High watermark messages were caused by an outsanding number of scan requests that came while no CAVA servers were available.

Without more info, I'd guess that the AV client might have updated its virus definitions and restarted.  Or, there could have been network issues between the CAVA servers and the NAS.  Or it might be stray backgound radiation.   Are there any messages in the Event Logs on the servers?

Thanks!

Karl

This sounds similar to past experiences.  Under McAfee, the default maximum scan time is 45 seconds.  When the scan time exceeds this limit, the current scan is aborted.  Under McAfee 8.0i, the abort is actually the exit of the service - McAfee stops and restarts the service.  This causes CAVA to mark the AV server as offline - you'll probably have scans that were sent to this AV server and sitting in the wait queue, hence, the high water mark.

We upgraded to McAfee 8.5i patch 2 and seems like the problem has gone away.  If you can, upgrade one of your CAVA servers to 8.5i and see if things improve.  You'll probably want to open a ticket with EMC if upgrading McAfee has no effect.

Be sure to comment on your progress here.

Thanks!

Hi Karl,

Thanks for the prompt response!

I saw the event logs but did not find any errors related to this issue. But, I found below EMC primus solution could be the reason. Our NAS code is 5.6, CAVA version is 3.6.2 and McAfee is 8.0i. In the primus it is saying that we have to at 8.5i patch7. What are you comments?

Thanks,

Bannu.

EMC Knowledgebase

"CAVA has detected termination of the resident Network Associates."

Hi Karl,

What are the McAfee upgrade steps:

Can I stop the viruschecker service on all DMs

Upgrade the McAfee to 8.5i patch7 and start the VC service? Will it updates the Virusdefinition file. Means will it scans all the files again.

Could you please let me know.

Thanks,

Bannu.

Hi Bannu -

There's no need to stop the viruschecker service.  You can upgrade McAfee on each CAVA server, one at a time, until the upgrade is completed.  While McAfee is being reloaded, the CAVA agent on the server won't be able to find a valid virus scanning engine.As you reboot each CAVA server after installing McAfee 8.5i, the CAVA service will contact the DM to identify itself.  If you use the command 'server_viruschk server_2', you should see a list of all the configured CAVA servers and the version of McAfee on them.  Keep upgrading your CAVA servers and make sure that they restart CAVA correctly and are ready for scanning.  Just be sure that each CAVA server comes back up and ready to scan before shutting down the next one.  If you're too fast, you might have all your CAVA servers down at once, causing the CIFS service to stop.  Keep us posted with your progress!

Thanks!

Karl

Hi Karl,

We are in the process of upgrading. I am seeing the below entries in the VC log all the day(couple of times).

  2010-03-16 00:23:47: VC: 5: 18: The VC server xxx.x.xxxx.x updated the reference time, reference=Tue Mar 16 04:23:46 2010 (GMT-00:00).
2010-03-16 00:31:45: VC: 5: 18: The VC server xxx.x.xxxx.x updated the reference time, reference=Tue Mar 16 04:31:25 2010 (GMT-00:00).
2010-03-16 01:20:45: VC: 5: 18: The VC server xxx.x.xxxx.xupdated the reference time, reference=Tue Mar 16 05:19:51 2010 (GMT-00:00).
2010-03-16 01:26:46: VC: 5: 18: The VC server xxx.x.xxxx.x updated the reference time, reference=Tue Mar 16 05:26:46 2010 (GMT-00:00).

I checked the CAVA server time and DM time which are almost same(may be 3secs diffrence). Is something that goes away after McAfee upgrade?

Any comments on the above entries?

Thanks,

Bannu.

Hi Bannu -

The reference time updates indicate that the McAfee process updated its definition files.  This happens whenever the AutoUpdate or Startup Update task runs and updates the VirusScan definitions.  These messages are usually harmless, if they're coming from different CAVA servers at different times.  However, if all your servers are set to update their virus definitions at the same time, this can cause an outage, as all AV servers could be down at the same time.  You should consider setting the AutoUpdate task to run at a different time on each server (possibly several hours apart), so that no two servers should be updating at the same time.

Thanks!

Karl

Thanks Karl for your quick response!

We have 4 AV servers having the same Autoupdate time 12AM daily. So, can I keep them 12AM, 1AM, 2AM, 3AM for AV servers. Is this a good idea?

Thanks again.

Bannu.

Hi Bannu - it sounds like setting them to update at 12AM through 3AM would be great. Be sure to look at the settings for Randomization in the Scheduler:

Make sure that you reduce the randomization time to less than one hour.  Otherwise, there's a 'random' chance two servers might update at the same time.

Thanks!

Karl

Sure thing -

Start from the Powerlink home page > Support > Interoptability and Product Lifecycle Information > E-Lab Interoperability Manager

Select Software:Antivirus Software and check 'McAfee' under NAI; Add to cart

Select Server: Operating System and check 'DART' under EMC; Add to cart; Get Results

Under 'NAS', take a look at the resulting document 'Celerra Virus Scanning Solution'

Thanks!

Karl

Karl,

We have 8.5i patch8 with our admins. But according to emc primus206027 we need patch7. Is it OK to apply patch8.

Thanks,

Bannu.

Hey Karl,

Thanks for your help.

I came to know this 4 CAVA AV servers are VMs. Still the operation and eveything should be same as physical machine right?

Bannu.

Yes, Bannu - that's correct.  The operation of the VM CAVA servers is identical to the physical CAVA servers.  All of the servers have the same configuration - same amounts of RAM and processor, and behave basically the same.

Thanks!

Karl

In my environment, we are running McAfee 8.7i patch 1.  We were running McAfee 8.5i patch 3 when we upgraded.  According to the E-Lab Interoperability Navigator, it says "8.5.i patch 2 and higher is supported".  If you're not 100% sure, install it on just one CAVA servers and see how it behaves.

Thanks!

Karl