Dell EMC Unity: Common CAVA Errors (User Correctable)

Common Errors, Causes and Actions

Error: AUTH_ERROR 5                       MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS
                      AV Engine: Symantec AV
                      Server Name: cava.example.com
                      Last time signature updated: Web Feb 29 13:20:23 2012 (GMT-00:00)

Cause: The account being used for checking does not have the virus checking privilege assigned to it.
Actions: Ensure that the CAVA service in services.msc is set to logon as a user and not a local system account.

_____________________________________________________________________________________________________________________________________________________________

Error: ERROR_AUTH 64                       MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS
                      AV Engine: Symantec AV
                      Server Name: cava.example.com
                      Last time signature updated: Web Feb 29 13:20:23 2012 (GMT-00:00)

Cause: Kerberos error caused by out of sync 'Time' between the Data Mover and Anti-Virus Server
Action: Implement NTP or sync 'Time' manually.
_____________________________________________________________________________________________________________________________________________________________

Error: AUTH_ERROR 86                       MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS
                      AV Engine: Symantec AV
                      Server Name: cava.example.com
                      Last time signature updated: Web Feb 29 13:20:23 2012 (GMT-00:00)

Cause: Password inconsistency between the CAVA service and user password in AD. / e.g. : Password expired and was changed, but was not updated on the CAVA service.
Action: Right-click the EMC CAVA service in services.msc  > Properties > Log On tab > update the user password to reflect that in AD.
_____________________________________________________________________________________________________________________________________________________________

Error: AUTH_ERROR 1265                       MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS
                      AV Engine: Symantec AV
                      Server Name: cava.example.com
                      Last time signature updated: Web Feb 29 13:20:23 2012 (GMT-00:00)

Cause: The user account that CAVA uses has expired in AD   won t be able to login to the server at all using the credentials.
Action: Unlock the account and set it to never expire and try again.
_____________________________________________________________________________________________________________________________________________________________

Error: ERROR_AUTH 1326                       MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS
                      AV Engine: Symantec AV
                      Server Name: cava.example.com
                      Last time signature updated: Web Feb 29 13:20:23 2012 (GMT-00:00)

Cause: Password for the account running CAVA has expired.
Action: Reset the password and set it to never expire. Make any changes to CAVA service as required.
_____________________________________________________________________________________________________________________________________________________________

Error: AUTH_ERROR 1331                       MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS
                      AV Engine: Symantec AV
                      Server Name: cava.example.com
                      Last time signature updated: Web Feb 29 13:20:23 2012 (GMT-00:00)

Cause: The user account for CAVA has been disabled in AD or is only allowed to logon during certain hours.
Action: Re-enable account and remove any logon restrictions in AD.
_____________________________________________________________________________________________________________________________________________________________

Error: AUTH_ERROR 1909                       MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS
                      AV Engine: Symantec AV
                      Server Name: cava.example.com
                      Last time signature updated: Web Feb 29 13:20:23 2012 (GMT-00:00)

Cause: User account locked due to too many invalid login attempts.
Action: Unlock account/reset password. Make any changes to CAVA service as required.
_____________________________________________________________________________________________________________________________________________________________

Error: AV_NOT_FOUND
Cause:
AV_NOT_FOUND indicates that the viruschecking service on the VDM cannot communicate with the CAVA client on the AV server.
You must assign local administrative rights to the AV user on each AV server in order to successfully start CAVA and the viruschecking service on the Data Mover.

The "OpenProcess" failing usually indicates that the "emc cava" service is running in a user context that has not been given "local admin" rights on the system or that some rights are missing on that group.  The "local admin" account on CAVA systems doesn't have the "SeDebug" right (debug programs) that is needed by CAVA facility to track state of AV engines.

Action:
Please follow:

1. Recommended Troubleshoot for AV_NOT_FOUND at the Resolution Section, in this article.
2. Document "Using the Common Event Enabler on Windows Platforms":

• Restricted Group GPO - page 13
• Assign rights - page 23

Background Explanation

• The Active Directory (AD) Domain Controller (DC) doesn't allow anonymous access with the CIFS server machine account as it should be performing with NTLM and machine accounts.
• Other DC's in the environment may allow for anonymous access to the CAVA user with the CIFS server machine account.
• The authentication method between the Virtual Data Mover (VDM) and DC is NTLM (Microsoft) however Kerberos could also be used.
• The DC in the environment should allow anonymous access as part of establishing a secure channel between the VDM and the DC.
• Other option is to configure the AV servers to use  Kerberos  authentication instead of NTLM.

Background Events

• The AV servers are not being authenticated by the AD DC.
• The VDM server logs an error whenever the authentication to the DC fails for the Viruschecker Domain user.
• With NTLM Authentication the VDM must forward the user's credentials on to a Domain Controller (pass-through authentication) using DCERPC NetrLogonSamLogon asking it to authenticate the user.
• The DM is using the computer account of the CIFS Server for DCERPC NetrLogonSamLogon function.
• The DC will treat access using the computer account as equivalent to anonymous access.
• This can be seen in the network trace when the DM is sending the pass-through authentication to on the DC's.

Recommended Troubleshoot for ERROR_AUTH:

• Confirm the domain CAVA user has sufficient rights, which means, it's correctly added to the local CAVA group on the Data Mover and assigned the EMC Virus-Checking privilege.
• For details on the correct configuration, visit our Support Page at https://www.dell.com/support and look for "Using the Common Event Enabler on Windows Platforms".
• For more information, investigate MicroSoft Developer Network at https://msdn.microsoft.com for a complete list of Microsoft error codes.
• In that list, look for the numerical code that follows the "ERROR_AUTH" message and check its definition.

_____________________________________________________________________________________________________________________________________________________________

Recommended Troubleshoot for AV_NOT_FOUND:

• Confirm viruschecker.conf settings.
• Confirm The CAVA service is running with the AV user account.
• Confirm the installed Anti-Virus (TrendMicro, McAfee, others) service is running with the local system account.
• Confirm the AV user is member of the local admin group on each AV server.
• Confirm that the Anti-virus and CEE have been un-installed and re-installed (using the correct order, CEE first, then Anti-virus).
• Rebooted the CAVA server multiple times.
• Confirm that the CAVA servers have one network interface only.

if your unable to resolve this AV_NOT_FOUND, next step is to Please contact Dell EMC Technical Support or your Authorized Service Representative, and quote this Knowledgebase article ID.

Dell Unity 300, Dell EMC Unity 300F, Dell EMC Unity 350F, Dell EMC Unity 400, Dell EMC Unity 400F, Dell EMC Unity 450F, Dell EMC Unity 500, Dell EMC Unity 500F, Dell EMC Unity 550F, Dell EMC Unity 600, Dell EMC Unity 600F, Dell EMC Unity 650F , Dell EMC Unity Family |Dell EMC Unity All Flash, Dell EMC Unity Family, Dell EMC Unity Hybrid ... View More View Less