FSAE collectoragent.exe DCOM errors Event ID 10028

Frosty
2019/04/02 17:36:08 (permalink)
0

We've been running FSAE/FSSO collector agents on our DCs for some time and everything seems to be working just fine in terms of user authentication in the firewall.
But I have noticed DCOM errors in the Event Log on the main DC, such as the following:
 
Event ID = 10028
Source = DistributedCOM
Message = DCOM was unable to communicate with the computer 10.20.30.40 using any of the configured protocols; requested by PID 999 (C:\Program Files (x86)\Fortinet\FSAE\collectoragent.exe).
 
Investigations of the IP Addresses reported show that these errors occur in 2 specific scenarios:
(1)  when one of our Fuji Xerox printers is used by a staff member to Scan a document which is saved to an SMB File Share on a server (there is a domain user account used by the printer to authenticate access to the share); or
(2)  when our Barracuda Message Archiver checks user mailboxes in Exchange to synchronise the list of mailbox folders (this runs under a specific domain user account each evening)
 
I have tried excluding the 2 x domain user accounts used by those processes, so that the collector 'ignores' them.  This has NOT fixed the Event Log errors.
 
Q.  Is there any way to tell the Collector to ignore specific IP Addresses on the network?  (There is no point in it trying a DCOM connection to the BMA or to a Printer.)
post edited by Frosty - 2019/04/04 14:09:55
#1


    Alivo_ FTNT
    • Location: Fortinet TAC Prague
    Re: FSAE collectoragent.exe DCOM errors Event ID 14554 2019/04/04 01:58:50 (permalink)
    5 (1)
    Hello Frosty,
     
    What should work is editing the Windows AD registry with a specific IP (not a range):
     
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent > dc_agent_ignore_ip_list > modify > Value Data: 10.20.30.40;
    Multiple values are separated by semicolons.
     
    P.S. wanted to add picture but it fails
    Alivo
    #2
    Alivo_ FTNT
    Re: FSAE collectoragent.exe DCOM errors Event ID 14554 2019/04/04 02:03:18 (permalink)
    5 (1)
    screenshot

    #3
    Frosty
    Re: FSAE collectoragent.exe DCOM errors Event ID 14554 2019/04/04 14:02:56 (permalink)
    0
    Hey!  Thanks so much Alivo!
    I tried this registry setting on the main DC a few minutes ago, then kicked off one of the synchronisation jobs on the Barracuda Message Archiver.  So far, so good, no new DCOM errors reported.
    I'll know for sure tonight when the main sync tasks run.
    Cheers,
    Frosty
     
    EDIT: there is an error in my original post; Event ID = 10028 (not 14554)
    post edited by Frosty - 2019/04/04 14:09:30
    #4
    Frosty
    Re: FSAE collectoragent.exe DCOM errors Event ID 14554 2019/04/07 22:52:17 (permalink)
    5 (1)
    Can now confirm, this indeed fixed my DCOM error issues; none reported since applying the registry setting 'fix'.
    #5
    Frosty
    Re: FSAE collectoragent.exe DCOM errors Event ID 14554 2020/09/09 16:06:39 (permalink)
    0
    So I need to re-open this discussion, as the error logs have returned with a vengeance!
    Since implementing Always On VPN a few months ago, I am now getting Event ID 10028 again for every VPN client.
    I would like to block a Range of IP Addresses (e.g. everything starting with 1.2.3.whatever) as it just isn't possible to put in 254 individual IP addresses from a range.
    #6
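
The following is an added example, not code from the thread or from Fortinet. It shows one way to work out which addresses belong in the `dc_agent_ignore_ip_list` value from reply #2, by parsing Event ID 10028 messages in the format quoted in the first post. The function names and the sample messages are constructed for illustration.

```powershell
# Added example, not code from the thread. The messages below are constructed
# in the format of the Event ID 10028 text quoted in the first post.
$sample = @(
    'DCOM was unable to communicate with the computer 10.20.30.40 using any of the configured protocols; requested by PID 999 (C:\Program Files (x86)\Fortinet\FSAE\collectoragent.exe).'
    'DCOM was unable to communicate with the computer 10.20.30.41 using any of the configured protocols; requested by PID 999 (C:\Program Files (x86)\Fortinet\FSAE\collectoragent.exe).'
    'DCOM was unable to communicate with the computer 10.20.30.40 using any of the configured protocols; requested by PID 999 (C:\Program Files (x86)\Fortinet\FSAE\collectoragent.exe).'
    'DCOM was unable to communicate with the computer 10.20.30.99 using any of the configured protocols; requested by PID 1234 (C:\Windows\System32\mmc.exe).'
    'DCOM was unable to communicate with the computer PRINTER01 using any of the configured protocols; requested by PID 999 (C:\Program Files (x86)\Fortinet\FSAE\collectoragent.exe).'
)

function Get-CollectorDcomTarget {
    param([string[]]$Message)
    # Only events whose requesting process is collectoragent.exe are relevant.
    $pattern = 'communicate with the computer (?<target>\S+) using .*\\collectoragent\.exe\)'
    foreach ($text in $Message) {
        if ($text -match $pattern) { $Matches['target'] }
    }
}

function ConvertTo-IgnoreIpValue {
    param([string[]]$Target)
    # The reply says the value takes specific IPs, so hostnames are left out.
    $ips = @(foreach ($t in $Target) {
        $addr = $null
        if ($t -match '^\d{1,3}(\.\d{1,3}){3}$' -and [System.Net.IPAddress]::TryParse($t, [ref]$addr)) { $t }
    })
    if ($ips.Count -eq 0) { return '' }
    # Trailing semicolon mirrors the "10.20.30.40;" value shown in reply #2.
    (@($ips | Sort-Object -Unique) -join ';') + ';'
}

# On a DC, replace $sample with live data (run elevated):
#   $sample = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10028 } |
#             ForEach-Object Message
$targets = Get-CollectorDcomTarget -Message $sample
$targets | Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
ConvertTo-IgnoreIpValue -Target $targets
```

The grouped table shows how often each target fails, which helps separate fixed devices such as a printer or archiver from a large, changing set of addresses such as VPN clients.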