SNAC Enforcer fails to download profile from SEPM - HTTP 400 Bad Request

Article:TECH195367  |  Created: 2012-08-22  |  Updated: 2012-08-22  |  Article URL http://www.symantec.com/docs/TECH195367
Article Type
Technical Solution


Issue



The Symantec Network Access Control (SNAC) Enforcer appliance is able to register with the Symantec Endpoint Protection Manager (SEPM), and the Enforcer Group is correctly created in the Servers tab of the SEPM console. However, downloading the profile following registration results in an HTTP 400 error.

 


Error



The Enforcer user.log file shows an HTTP 400 error when downloading the Enforcer Group profile:

Aug/13/2012 08:27:21  [SyVeLink.cpp][ 1184]: Try to download profile serial number on 192.168.10.10!
Aug/13/2012 08:27:21  [SyVeLink.cpp][ 1209]: Download profile index with URL http://192.168.10.10:8014/secars/secars.dll?action=200&hostid=23A6...&primaryenforcerid=23A6...&as=584551&mode=1&hbt=30
Aug/13/2012 08:27:21  [SyVeLink.cpp][ 2378]: plain URL: l=125&action=200&hostid=23A6...&primaryenforcerid=23A6...&as=584551&mode=1&hbt=30
Aug/13/2012 08:27:21  [SyVeLink.cpp][ 3480]: GetProfileIndexCallback returns code 400, 87 bytes.
Aug/13/2012 08:27:21  [SyVeLink.cpp][ 1258]: Get index file returns 400
Aug/13/2012 08:27:21  [SyVeLink.cpp][ 3848]: Try get profile/register returns 400, nRetryTimes=1, WaitTime=9000

(The initial /secreg/secreg.dll registration request, however, does receive a successful HTTP 200.)

 

A packet capture taken between the two machines also shows that an HTTP 400 message was sent from the SEPM in response to the profile download request:

GET /secars/secars.dll?h=2342...
HTTP/1.1 400 Bad Request <html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>

 

The SEPM web server log, however, shows that a successful HTTP 200 reply was logged.

From the IIS log (LogFiles\W3SVC2\ex12nnnn.log):

2012-08-13 08:27:21 W3SVC2 192.168.10.10 GET /secars/secars.dll h=2342.... 8014 - 192.168.10.10 SyVELink+Profile+Session 200 0 0
 

For details on how to enable the Enforcer or SEPM IIS debug logging, please see articles TECH102413, TECH132808 and TECH103211, linked below.

 


Solution



A possible cause is that the IIS URLScan plugin is installed. For particular requests, this plugin can rewrite a SEPM reply, changing the HTTP 200 logged by secars into the HTTP 400 error that is seen on the Enforcer side. Uninstalling or disabling this plugin resolves the issue.
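
The symptom described above (HTTP 400 in the Enforcer user.log while the SEPM IIS log records HTTP 200 for the same secars.dll request) can be checked by correlating the two logs. The Python below is an added example, not Symantec code: the log samples are constructed from the excerpts in this article, and the `#Fields` header, the function names and the 2-second matching window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed samples modelled on the excerpts in this article. The #Fields
# header is an assumption inferred from the column order of the IIS line.
ENFORCER_LOG = """\
Aug/13/2012 08:27:21  [SyVeLink.cpp][ 3480]: GetProfileIndexCallback returns code 400, 87 bytes.
Aug/13/2012 08:27:21  [SyVeLink.cpp][ 1258]: Get index file returns 400
"""
IIS_LOG = """\
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2012-08-13 08:27:21 W3SVC2 192.168.10.10 GET /secars/secars.dll h=2342.... 8014 - 192.168.10.10 SyVELink+Profile+Session 200 0 0
"""

CALLBACK = re.compile(r"^(\S+ \S+)\s+\[SyVeLink\.cpp\]\[\s*\d+\]: "
                      r"GetProfileIndexCallback returns code (\d{3})")

def enforcer_results(text):
    """Return (time, status) for each profile index reply the Enforcer logged."""
    found = []
    for line in text.splitlines():
        m = CALLBACK.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%b/%d/%Y %H:%M:%S")
            found.append((when, int(m.group(2))))
    return found

def iis_secars_replies(text):
    """Return (time, sc-status) for each secars.dll request in a W3C IIS log."""
    fields, found = [], []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if row.get("cs-uri-stem", "").lower() == "/secars/secars.dll":
                when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
                found.append((when, int(row["sc-status"])))
    return found

def altered_replies(enforcer_text, iis_text, window=timedelta(seconds=2)):
    """Enforcer-side errors for which IIS logged 200 within `window`."""
    # Assumes both logs use the same clock and time zone, as in the sample.
    served = iis_secars_replies(iis_text)
    return [(when, code) for when, code in enforcer_results(enforcer_text)
            if code >= 400 and any(s == 200 and abs(t - when) <= window for t, s in served)]

if __name__ == "__main__":
    print(altered_replies(ENFORCER_LOG, IIS_LOG))
```

IIS writes W3C logs in UTC by default, so convert the Enforcer timestamps first if the appliance logs local time.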

 

For more details regarding the URLScan plugin please see:
http://technet.microsoft.com/en-us/security/cc242650.aspx

 

If the HTTP 400 error is instead seen on the secreg.dll registration request (not the secars.dll profile download request), please see article TECH132455, linked below.

 




