Symantec Integrated DHCP Enforcer Error: "Enforcer Cannot Bind To The Agent Authentication Port"

Article:TECH103855  |  Created: 2008-01-06  |  Updated: 2010-08-13  |  Article URL
Article Type
Technical Solution



Symantec Integrated DHCP Enforcer Error: "Enforcer Cannot Bind To The Agent Authentication Port"

The Symantec Integrated DHCP Enforcer is unable to bind to the agent authentication UDP port 39999.



This error is seen when a different process or service has bound to the agent authentication port UDP 39999. This is likely caused by the SEP agent being installed on the Integrated DHCP Enforcer host machine.


If the problem is a conflict with the SEP agent there are two options:

  • Uninstall the SEP agent from the DHCP Enforcer machine.
  • Leave the SEP agent installed on the machine, but disable the "Symantec Network Access Control" service (SNAC.EXE) from the Windows Services MMC snap-in.
    (the SNAC service is used to enforce endpoints and block machines failing host integrity from accessing the network - it serves no purpose when running on the Enforcer/DHCP-server machine itself)

To verify if the problem is caused by a conflict with the SEP agent SNAC service check which process is keeping port 39999 open.

  • Using netstat:
    1. Click <start><run> and type 'cmd' and click "enter". This will bring up a black cmd window.
    2. At the prompt type "netstat -abn | findstr "39999" and hit "enter". This command will return something like this: UDP *:* 2708. 2708 is the Process ID (PID).
    3. Open task manager by right clicking the task bar and selecting 'task manager'. Then, click the 'processes' tab, then click 'view' and 'Select Columns'. Make sure the box next to PID is checked.
    4. Click 'ok'
    5. Look for the PID that was returned from your netstat command in step 2
    6. If the PID points to SNAC.exe, then the SEP agent service is binding to port 39999 before your Integrated Enforcer can.
  • Using TCPView
    TCPView is a free tool from Microsoft, part of the Sysinternals suite. It provides a GUI interface to the same information found by netstat above.
    The TCPView tool can be downloaded from:

If another, non-symantec, service or process is using UDP port 39999 then this process or service will need to be removed or reconfigured in order to allow the Integrated Enforcer to function properly.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices