Reverting VM snapshot with SEPM on board turns into disaster

Created: 11 Aug 2011
Maciej_Jedrzejczyk

Problem

Reverting to a VM snapshot taken 15 days earlier, on a VM running Symantec Endpoint Protection Manager (SEPM) that hosts ca. 2500+ clients, turned into a disaster. After the revert, the following symptoms appeared:

- The SEPM service was stopped when the OS was restarted (however, it was restartable)
- The DB started growing considerably and at some point took 11 GB
- DBValidator was showing broken links for several physical file ids
- Clients stopped receiving definitions and lost connection due to a timeout (in the sylink monitor log)

 

Error

1) in the sylink monitor log, clients receive timeouts when attempting to connect to the SEPM

2) in dbvalidator log (excerpt):

2011-06-15 14:44:12.235 INFO: Link is broken for [21] physical file ids :
 

Environment

Symantec Endpoint Protection Manager 11 RU6 MP3
OS Microsoft Windows Server 2003, Standard Edition Service Pack 2 (build 3790) 
Running on VMWare as 32bit application  

Physical Memory: Total 3.99 GB 
 

Cause

Possibly, but not definitely:

1) The number of hosted definitions: once SEPM was notified of the difference between the definitions on board (15 days older than the definitions already distributed among SEP clients), it had to download a considerable amount of full zips from LiveUpdate, which eventually slowed down SEPM database performance.

2) Difference between policies from 15 days earlier and policies already applied to clients

3) Heartbeat rate set to "continuous"

 

Solution

1) returning again to the VM snapshot from 15 days earlier, without allowing SEP clients to immediately seek connection with the SEPM and without allowing SEPM to connect to LU to download new definitions
2) modifying the heartbeat rate from "continuous" to "every 1 hour"
3) decreasing the number of definitions hosted by the SEPM from 42 to 10
4) downloading and applying a JDB file to update the definition database within SEPM
5) using the DB fix tool provided by the Backline to fix the 21 broken links in the DB (please contact Symantec Technical Support to obtain it):

- stopping SEPM service via services.msc
- copying and running the LuDbFixTool.bat batch file from %ProgramFiles%\Symantec Endpoint Protection Manager\Tools\
- restarting SEPM service

6) reconnecting VM containing SEPM to the internet and intranet
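
To confirm after step 5 that DBValidator no longer reports broken links, its log can be scanned for the line shown in the Error section. The following is an added example, not part of the original article or of Symantec's tooling; it assumes every report follows the format of that one excerpt, and the function names, script name and filler log lines are constructed for illustration.

```python
import re
import sys
from datetime import datetime

# Line format taken from the dbvalidator excerpt in the Error section:
# "2011-06-15 14:44:12.235 INFO: Link is broken for [21] physical file ids :"
BROKEN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \w+: "
    r"Link is broken for \[(?P<n>\d+)\] physical file ids"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def broken_link_reports(lines):
    """Return [(timestamp, count)] for each broken-link report, in file order."""
    reports = []
    for line in lines:
        m = BROKEN.match(line.strip())
        if m:
            reports.append((datetime.strptime(m.group("ts"), TS_FORMAT), int(m.group("n"))))
    return reports


def reports_since(lines, fix_time):
    """Reports with a non-zero count logged at or after fix_time."""
    return [(ts, n) for ts, n in broken_link_reports(lines) if ts >= fix_time and n > 0]


# Constructed sample: line 1 is the page's excerpt, the rest are made-up filler.
SAMPLE = [
    "2011-06-15 14:44:12.235 INFO: Link is broken for [21] physical file ids :",
    "2011-06-15 14:44:12.240 INFO: constructed filler line",
    "2011-06-16 09:02:31.004 INFO: constructed filler line written after the fix",
]

if __name__ == "__main__":
    # Usage (hypothetical script name): check_dbvalidator.py <log> "<fix time>"
    if len(sys.argv) == 3:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
        fix_time = datetime.strptime(sys.argv[2], TS_FORMAT)
    else:
        lines, fix_time = SAMPLE, datetime(2011, 6, 16)
    remaining = reports_since(lines, fix_time)
    for ts, n in remaining:
        print(f"{ts} still reports {n} broken physical file ids")
    sys.exit(1 if remaining else 0)
```

The fix time is given in the same timestamp format as the log, and a non-zero exit status means a broken-link report was logged at or after it.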