Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2754
Views
0
Helpful
7
Replies

AMP for endpoint failing to start after RHEL patching.

hrithiktej
Level 1
Level 1

‎05-30-2018 02:24 AM - edited ‎03-10-2019 01:02 AM

AMP for endpoint failing to start after RHEL patching.

 

systemctl status cisco-amp
● cisco-amp.service - Cisco AMP for Endpoints daemon
Loaded: loaded (/usr/lib/systemd/system/cisco-amp.service; enabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Wed 2018-05-30 03:12:56 EDT; 1h 59min ago
Process: 8796 ExecStartPre=/opt/cisco/amp/bin/cisco-amp-helper start (code=exited, status=1/FAILURE)

 

/var/log/messages show

init: cisco-amp pre-start: failed to load ampnetworkflow

init: cisco-amp pre-start: failed to load ampnetworkflow.ko version 3.10.0-693.el7.x86_64

 init: cisco-amp pre-start: failed to load modules from latest version

 systemd: Unit cisco-amp.service entered failed state.

init: cisco-amp pre-start: failed to find compatible kernel version; trying latest version 3.10.0-693.el7.x86_64

1 person had this problem
Labels:
0 Helpful
7 Replies 7

Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-30-2018 05:41 AM

That looks like a bug / compatibility issue.

 

If you're already running the latest Linux connector release (currently 1.7.0), I suggest opening a TAC case.

0 Helpful

hrithiktej
Level 1
Level 1
In response to Marvin Rhoads

‎05-30-2018 05:45 AM

Yes we are already on latest 1.7.0.545 connector version.

0 Helpful

hrithiktej
Level 1
Level 1
In response to Marvin Rhoads

‎05-31-2018 03:32 AM

This is TACs reply to this issue

 

"

Since you are using Linux kernel 3.10.0-862.3.2.el7.x86_64 that corresponds to 7.5. Unfortunately, since 7.5 is not yet supported (since there are performance issues), I would suggest downgrading the kernel back before applying the patch.

We also reproduced this in our lab and indeed 862 corresponds with the April release of 7.5. And also in our lab, AMP failed to start.

Please include attach@cisco.com or REPLY ALL when responding to this email.

Carol Park Floyd
Cisco TAC
Email: cafloyd@cisco.com

 

So now we are left in a situation where we have to choose between security patches or Cisco AMP.

0 Helpful

vaibhav581
Level 1
Level 1
In response to hrithiktej

‎08-22-2018 01:10 AM

Hi Guys,

 

Are you seeing similar issues with AMP 1.8 . It says it is supported but i am still seeing it getting failed to start.

0 Helpful

hrithiktej
Level 1
Level 1
In response to vaibhav581

‎08-22-2018 02:14 AM

Even with 1.8 i had issues on some 7.1 versions and then one of the guys on support community showed me release notes of 1.8 on page 27 where it states red-hat 7.2 on wards is supported

 

https://docs.amp.cisco.com/Release%20Notes.pdf

0 Helpful

imanassypov
Level 1
Level 1
In response to hrithiktej

‎12-13-2018 04:14 AM

Hi,

 

running into same kernel module loading issues with 1.9 and centos 7.6. 

Has TAC provided any workarounds? Alternatively, is there a supported way of downgrading to 7.5 or earlier to get it going?

 

Thanks,

0 Helpful

vaibhav581
Level 1
Level 1
In response to imanassypov

‎12-13-2018 04:25 AM

Hi,

 

Apparently there was another issue which was causing AMP to fail.

 

Unfortunately, we had to roll out AMP . I did heard they rolled out 1.9 to avoid the segmentation issues but the TAC is the best way forward for your scenario.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents