How to troubleshoot the Symantec OnDemand Client Static Route Spoof Tool

Article:TECH169933  |  Created: 2011-09-20  |  Updated: 2011-09-27  |  Article URL http://www.symantec.com/docs/TECH169933
Article Type
Technical Solution


Issue



When using Symantec Network Access Control (SNAC) with Macintosh machines in a DHCP Enforcer environment, how can I troubleshoot the Symantec On-Demand Client (ODC) Static Route Spoof Tool?

 


Solution



The following two articles discuss using Symantec Network Access Control (SNAC) with Macintosh machines in general, and why the Symantec On-Demand Client (ODC) Static Route Spoof Tool is required in a DHCP Enforcer environment:

TECH106301 Using the Symantec DHCP Enforcer with Macintosh clients

TECH134969 Using the Symantec On-Demand Client Static Route Spoof Tool

 

This article will discuss how to troubleshoot the Symantec ODC Static Route Spoof Tool and Symantec On-Demand Client on OS X.

 

How to verify if the ODC Static Route tool is running?

  • Use the OS X Activity Monitor to verify if the process "odcsniffer" is running.
    or:
  • In a terminal window, use the command: top -l 1 | grep odcsniffer

 

How to verify if the On-Demand client is running?

  • Use the same methods as the above steps, but look for the process "smcDaemon" and "Symantec Network Access Control On-Demand Client"

  • Use this command to verify that the smcDaemon process is listening on UDP port 39999: sudo lsof | grep 39999

 

How to collect the log file written by the ODC Static Route tool?

  • The log file is written to the path /private/tmp/odcsniffer.log

 

How to collect the log file written by the On-Demand Client?

  • The System Log from the On-Demand Client can be exported from the yellow icon in the OS X top-bar, from the Symantec NAC sub-menu.

 

How can I view the static routes added to the system by the ODC Static Route tool?

  • The command "netstat -rn" will show the static route configuration on OS X

 

Troubleshooting

  • If the intended routes are not getting added to the machine, verify using the odcsniffer.log if the tool is attempting to add them.
  • If not, verify that the tool is running in the background, and reinstall from the SNAC installation CD if required.
    The tool is available in the Tools\MacStaticRoute folder on the CD.
  • If the tool is running, but not attempting to add the routes - then verify (using network packet capture software) that the DHCP server is indeed sending the routes to the client machine.
    Article TECH102475 has general steps for how to configure the routes and scope options on a Microsoft DHCP server.

 

Caveats

Two caveats when configuring static routes for Macintosh clients on the DHCP server are;

  • Only option 33 Static Route is supported by the ODC Static Route tool on OS X - option 249 Classless Static Routes will be ignored.
  • Repeated ip-address routes to machines within the same network segment will not work with OS X - use ip-address/router pairs instead to allow the routes to work on both Windows and OS X.
    (use the syntax 10.10.10.34/10.10.10.1 instead of 10.10.10.34/10.10.10.34, and see the note in article TECH134969 for further details)
  • Regarding the blank default route (not the static routes) for the quarantine scope; with Windows clients this can be entered as 127.0.0.1 or blank/0.0.0.0 - with OS X clients the 127.0.0.1 alternative does not work.

 




Article URL http://www.symantec.com/docs/TECH169933


Terms of use for this information are found in Legal Notices