Symantec Endpoint Protection (SEP) clients fail to communicate after a new Symantec Endpoint Protection Manager (SEPM) replication partner is configured
Article: TECH185333 | Created: 2012-03-30 | Updated: 2013-07-02 | Article URL: http://www.symantec.com/docs/TECH185333
SEP clients no longer communicate with their SEPM server, and new clients cannot register with it.
The SEPM shows different "kcs" values (the hash of the encryption password set during the installation) in its conf.properties and in the sylink.xml files published for its groups.
The following errors can be seen in the sylink.log of a client with Sylink logging enabled:
05/29 13:43:03.595  <EncodeHelper::DecryptUrl> Exception caught: Could not parse length parameter.
05/29 13:43:03.595  <CSyLink::Start> Decryption for the last server entry failed.
05/29 13:43:06.264  <SendRegistrationRequest:>http://<SEPM address>:<sepm port>
05/29 13:43:06.264  13:43:6=>Send HTTP REQUEST
05/29 13:43:06.304  13:43:6=>HTTP REQUEST sent
05/29 13:43:06.304  13:43:6=>QUERY return code
05/29 13:43:06.304  13:43:6=>QUERY return code completed
05/29 13:43:06.304  <SendRegistrationRequest:>SMS return=400
05/29 13:43:06.304  <ParseHTTPStatusCode:>400=>400 Bad Request
05/29 13:43:06.304  <SendRegistrationRequest:>ERR to query content length
05/29 13:43:06.304  <SendRegistrationRequest:>Content Lenght =>
05/29 13:43:06.304  HTTP returns status code=400
Two independent SEPMs are installed, A and B.
B is reconfigured as the replication partner of A via the Management Server Configuration Wizard but, while doing so, the option to use the recovery file is selected (this is the default option).
Once replication has completed as described above and the SEPMs are restarted, SEPM A is left in an inconsistent state, showing two different "kcs" values: one in its conf.properties and another in the sylink.xml published for its groups. Replacing the sylink.xml on the already registered clients resolves their communication issue; however, newly installed clients are unable to register and connect to SEPM A.
Reconfiguring an independent SEPM to become a replication partner does not comply with Symantec's Best Practice, which is to configure a replication partner during its installation.
The SEPM encryption password is configured when the SEPM is first installed as part of the Management Server Configuration Wizard. The client's encryption password is stored in its sylink.xml configuration file as the XML value "kcs". If the value of "kcs" is not identical to the SEPM's encryption password, the SEP client will not be able to encrypt/decrypt communications to/from the SEPM.
Remove the SEPM which has been reconfigured to be a replication partner (B in the example).
Apply the disaster recovery process following Symantec's Best Practices on the affected SEPM (A in the example) in order to restore it to its last working status:
Symantec Endpoint Protection 12.1: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager
Reinstall SEPM B as a new replication partner of A.
Alternative: Disable the SEPM service and replace the scm.agent.kcs value in conf.properties on the SEPM with the value that is being pushed out in sylink.xml. Then restart the SEPM and push out another communication package.
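One way to check for the mismatch described in this article, or to confirm that the values agree after the alternative fix, is to compare scm.agent.kcs in conf.properties with the kcs value in an exported sylink.xml. The script below is an added example, not Symantec code; it assumes kcs appears as an XML attribute (matched case-insensitively on any element), and the sample values and element names in it are constructed.

```python
import sys
import xml.etree.ElementTree as ET

def kcs_from_conf(text):
    """Return the scm.agent.kcs value from conf.properties text, or None."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "scm.agent.kcs":
            return value.strip()
    return None

def kcs_from_sylink(xml_text):
    """Return every attribute named kcs (any case, any element) in sylink.xml."""
    root = ET.fromstring(xml_text)
    return [value.strip()
            for elem in root.iter()
            for name, value in elem.attrib.items()
            if name.lower() == "kcs"]

def check_kcs(conf_text, sylink_text):
    """Compare the values without echoing them (kcs is derived from a password)."""
    conf = kcs_from_conf(conf_text)
    sylink = kcs_from_sylink(sylink_text)
    if conf is None:
        return "missing-in-conf"
    if not sylink:
        return "missing-in-sylink"
    return "match" if all(v == conf for v in sylink) else "mismatch"

# Constructed sample data: kcs strings and XML element names are made up.
SAMPLE_CONF = "# constructed sample\nscm.agent.kcs=1111AAAA2222BBBB\n"
SAMPLE_SYLINK_OK = '<Settings><Comm Kcs="1111AAAA2222BBBB"/></Settings>'
SAMPLE_SYLINK_STALE = '<Settings><Comm Kcs="9999FFFF0000EEEE"/></Settings>'

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py conf.properties sylink.xml
        with open(sys.argv[1], encoding="utf-8") as c, open(sys.argv[2], "rb") as s:
            print(check_kcs(c.read(), s.read()))
    else:
        print(check_kcs(SAMPLE_CONF, SAMPLE_SYLINK_STALE))
```

The script reports only a status string, so the kcs values themselves do not end up in console history or tickets.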