03-29-2005 10:19 AM - edited 03-10-2019 01:21 AM
We have just started to notice with a new set of laptops that when we installed CSA ver. 4.0.3.720 or 4.0.3.728 it takes up to 30 seconds to get the log in screen. These systems are XP fully patched with SP2. I've also started to hear a few other people in our company complaining that it's taking a long time to boot up also and they have XP with all the patches except for SP2. I'm thinking it's one of the patches that MS put out there. But I can't seem to narrow it down. Can anyone help me with this? Or is it normal for it to take 30 secs sitting at the loading Windows screen after you load CSA? Thanks
03-29-2005 11:12 AM
It could be related to CSA and XP SP2 (or some other patch). We patch fully and have had this issue on some machines (were mostly laptops). Did you disable the ICF and WSC after SP2?
Check the Windows application event log for any messages like "CSA failed to load the rules within 30 seconds". Also look for timeout errors from these machines on the MC.
I had this happen on several laptops that have two NICs, XP SP2, McAfee VSE 8.0i and CSA 4.0.3-720 and have a couple of ideas.
Let me know...
03-29-2005 12:25 PM
Okay not to crazy but what is WSC? ICF is the firewall right? Yes the firewall is disabled. I did find that the browser service was stopping for no reason and found a MS KB article id 889320 but I will have to contact MS to get the fix. I will have to see if this is happening on anyone else's machine. We just loaded XP, drivers and SP 2 and tried it and we are not having any problems so we are now adding all the extra little patches to see if that may cause a problem.
03-29-2005 02:39 PM
Sorry, WSC is Windows Security Center. Did you see any events in the event log or the MC?
We disable the Browser service because it's not necessary. Please post if you find a patch that is causing the problem. I tested 4.0.3-728 and the "CSA fails to load rule sets..." message went away.
Tom
03-30-2005 07:33 AM
I've had this issue for a while now. I moved up to build 736 in hopes that it would correct the problem. No luck. I have an open case with TAC right now. Check in the client logs for something like this:
---
[Csamanager]: Event: The intelligent agent denied this request due to a timeout. If this message happens frequently, then it should be reported to technical support. This is most likely to happen on very heavily loaded systems, or systems which are under attack.
03-30-2005 08:36 AM
I am seeing an event ID 273 "Service CSAgent started although rules failed to load within 30 seconds"
Also, if I cancel the VPN client before log in and log in quickly I get two errors in the system event log. One is ID 40961, source: lsasrv, Category: spnego (negotiator) and the second is ID 40960 with everything else the same.
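Added example, not part of any post in this thread: a small triage script that counts, per host, the event signatures quoted above (event ID 273, the Csamanager timeout message, and lsasrv 40960/40961) in an exported log. The CSV column layout, host names, timestamps and the source name on the 273 rows are assumptions made for the example.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. Only the event IDs and the quoted message
# fragments come from the thread; everything else is made up for the example.
SAMPLE_EXPORT = """\
Host,Time,Log,Source,EventID,Message
LAPTOP-01,2005-03-29 07:58:10,Application,CSA-SOURCE-PLACEHOLDER,273,Service CSAgent started although rules failed to load within 30 seconds
LAPTOP-01,2005-03-30 07:30:44,Application,CSA-SOURCE-PLACEHOLDER,273,Service CSAgent started although rules failed to load within 30 seconds
LAPTOP-01,2005-03-30 07:31:05,csalog,Csamanager,,The intelligent agent denied this request due to a timeout.
LAPTOP-01,2005-03-30 07:31:20,System,lsasrv,40961,Constructed message text
LAPTOP-01,2005-03-30 07:31:21,System,LsaSrv,40960,Constructed message text
LAPTOP-02,2005-03-30 08:02:13,Application,CSA-SOURCE-PLACEHOLDER,273,Service CSAgent started although rules failed to load within 30 seconds
DESKTOP-07,2005-03-30 07:40:00,Application,OtherApp,273,Constructed unrelated message
"""

def classify(row):
    """Return the name of the signature a record matches, or None."""
    event_id = row["EventID"].strip()
    message = row["Message"]
    # ID 273 alone is not enough: other sources can reuse the number.
    if event_id == "273" and "rules failed to load within 30 seconds" in message:
        return "rules_load_timeout"
    if "denied this request due to a timeout" in message:
        return "agent_request_timeout"
    if row["Source"].strip().lower() == "lsasrv" and event_id in {"40960", "40961"}:
        return "lsasrv_spnego"
    return None

def triage(export_text):
    """Count matching records per host: {host: Counter({signature: n})}."""
    summary = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(export_text)):
        name = classify(row)
        if name:
            summary[row["Host"].strip()][name] += 1
    return dict(summary)

def repeat_offenders(summary, signature="rules_load_timeout", minimum=2):
    """Hosts where the signature recurs, not just a one-off slow boot."""
    return sorted(h for h, c in summary.items() if c[signature] >= minimum)

if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for host in sorted(result):
        print(host, dict(result[host]))
    print("recurring rule-load timeouts:", repeat_offenders(result))
```
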
03-30-2005 05:33 PM
Apparently the agent times out because it:
- doesn't have network connectivity
or
- can't resolve to the CSA MC yet
I had a TAC case open on this one too for a while (600804068).
We had a few machines (laptops mostly) that took too long to boot because of all the stuff we have loading and would time out to the MC.
My thoughts were that machines with multiple NICs and network shims were trying to accomplish the same things.
I was able to find a workable solution:
I disabled two of the three network shims (McAfee VSE 8 and XP SP2) on my laptop and updated to 728. The event ID 273 and MC timeout problems went away and my boot time decreased dramatically. My system is fully patched from MS.
It would also be nice to either let the agent load the last known good set of rules without resolving to the MC or be able to increase the timeout for machines that take longer to find it.
Tom
03-31-2005 09:21 AM
How do you disable network shims?
03-31-2005 10:28 AM
For CSA, create a kit without the shim.
For XP SP2, you disable the ICF service.
For McAfee VSE 8.0i, keep the TDI driver from loading.
I have specific registry settings for the last two if you are interested.
Tom
03-31-2005 12:26 PM
Doesn't CSA need that shim? I already have ICF disabled along with a million other services and we are running TrendMicro AV. I'll try to load CSA without the shim to see if that helps.
03-31-2005 01:26 PM
Yes, CSA needs the shim to enable the Network Shield but it may conflict with certain Firewall or VPN software. You could disable it for testing purposes and then make a decision.
Here is the help text from "Agent Kits" on the CSAMC:
CAUTION: In some circumstances, you may not want users to enable the network shim on their systems as part of the agent installation. For example, if users have VPN software or a personal firewall installed on their systems, the network shim's Portscan detection, SYN flood protection, and malformed packet detection capabilities are in conflict with VPNs and personal firewalls. To allow users to enable it, you would create kits as non-quiet installations. (Do not select the Quiet install checkbox.) This way, users are prompted to enable the network shim during the agent installation.
NOTE: Not enabling the network shim does not mean that Network Access Control rules won't work. It only means that the system hardening features (configured in the Network Shield rule page) mentioned in the previous paragraph are not enabled.
03-31-2005 02:57 PM
A TAC engineer told me that this problem was fixed in version 4.5, which was just released today.
I'll be doing an upgrade this evening so I can get you a definitive answer maybe by tomorrow.
04-01-2005 01:38 AM
Hi,
one general note: on XP SP2 machines ICF Service is needed if you want to use Browser functionality!
I had a similar problem with Browser Service timing out and stopping.
I recommend not to disable ICF Service or set to manual. AFAIK during CSA installing the installer leaves ICF Service on automatic start and disables ICF protection on the particular interfaces for binding CSA on them. Maybe this information is applicable, too?
Up to now I did not have to disable WSC for troubleshooting reasons but maybe this day will come :)
Regards,
Arne
04-04-2005 09:17 AM
We turned the Computer Browser off because every machine does not need to keep a list of NetBIOS names. That's what AD, DNS, etc. is for. Unless you are doing peer-to-peer, it's a liability (and even then you need only one master browser).
We disabled WSC to hide it from users and ICF because of McAfee, not CSA. ICF and CSA seem to co-exist fine.
I turn off many services and disable them to increase performance and security. 2000 and XP came with a lot of unnecessary stuff on and enabled.
I may have to go back and turn them on some day but for now I think we have a more efficient setup.
Just my two cents...
Tom
04-04-2005 07:53 AM
Following up on this...
I did get 4.5 installed and it is a marked improvement over 4.0x. Currently, I'm in the process of migrating clients over to the new version and I'm impressed thus far. Boot times are much faster with 4.5.