Endpoint Protection


After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

Migration User, Nov 13, 2013 10:28 AM

  • 1.  After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 13, 2013 08:09 AM

    2013-11-8, I upgraded first our servers from SEPM 12.1.671.4971 to 12.1.4.

    I followed the recommended upgrade process:

    http://www.symantec.com/business/support/index?page=content&id=TECH211821

    Next day, 2013-11-9, I upgraded the clients to 12.1.4 using the Autoupgrade process:

    http://www.symantec.com/business/support/index?page=content&id=HOWTO80780

    Server OS: Windows Server 2008 SP2 64-bit

    Client OS: Windows 7 Enterprise - 64-bit, Windows Server 2008 (64 & 32 bit), Windows 8.1 Enterprise

    Current Issue:

    • Clients are randomly experiencing the said event logs: 8003, 5719, 1129, 3210, 8033. Not all clients, but a few of them are randomly experiencing it.
    • Seems like the Windows 7 desktops can't authenticate to the domain. As if they're authenticating to a different master browser, or PDC.
    • Affected clients are getting "There are currently no logon servers available to service this request." when they try to log on.

     

     

     

     



  • 2.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 13, 2013 08:50 AM

    What components are installed on the SEP client?



  • 3.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Trusted Advisor
    Posted Nov 13, 2013 09:00 AM

    Are the machines that are experiencing the issue in their own group within the SEPM?

    Also are you using location awareness and specific policies?



  • 4.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 13, 2013 09:29 AM

    For the Windows 7:

    Virus & Spyware Protection

    Proactive Threat Protection - both Sonar & Apps & Device

    Network Threat Protection - both Firewall & Intrusion Protection

    For the Windows Server 2008:
    Virus & Spyware Protection Only


  • 5.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 13, 2013 09:34 AM

    All the Windows 7 & Win 8.1 are in the same group while Win2k8 is different.

    Laptops are also in a different group.

    And yes, I have specific policies, but these are only for the laptops.

     



  • 6.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Trusted Advisor
    Posted Nov 13, 2013 09:45 AM

    By any chance do you use a proxy?

    If you expand Location-specific Settings and click on External Communications Settings have your proxy details been entered into here?



  • 7.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 13, 2013 09:50 AM

    Can you try a temporary disable of the firewall to see what the result is?



  • 8.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 13, 2013 09:51 AM

    I'm not sure if this is related to the proxy. Just to answer your question, we do have a proxy for the internet, and my setting is the default one.



  • 9.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Trusted Advisor
    Posted Nov 13, 2013 09:54 AM

    No worries, I saw something that looked similar a few versions ago and thought it might be the same issue.



  • 10.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 13, 2013 10:03 AM

    As suggested by Brian, does the problem persist if the SEP Firewall is temporarily turned off? If the issue disappears, then follow these steps to identify why the traffic is blocked:

       - Enable logging for every single rule in your Firewall policy

       - Reproduce the issue

       - Check the Traffic log on the client side

    I would also recommend checking the Security (IPS) logs, to see whether Active Response could be engaged and blocking the connection to the DC.

     



  • 11.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 13, 2013 10:06 AM

    Before doing that, just a quick question.

    As I mentioned, the firewall is enabled in the Client Install Feature Set.

    However, in my Location-specific Policies, the firewall is disabled.

    I was under the impression that the policy will override.

     



  • 12.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 13, 2013 10:09 AM

    Yes, it will be disabled then.

    I'm not sure what you have for a test environment (if anything), but I would start with installing only AV and add components if all looks fine.



  • 13.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 13, 2013 10:28 AM

    Got it, thanks.



  • 14.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 13, 2013 10:29 AM

    Yes, SEP Firewall is now disabled.

    Let me leave it for a few hours; I'll keep you posted later.



  • 15.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 13, 2013 10:38 AM

    Copy.

    Actually, I did that way back in SEP 11.xx. I did test it properly per component in UAT before rolling out. It was working properly, at least in the previous version. But now, after the upgrade, FW is enabled.

    It's good that you reminded me about the SEP FW. I haven't made any changes to my policies, and the last time I checked before the upgrade, FW was disabled.



  • 16.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 16, 2013 09:43 AM

    Just to update you guys, disabling the firewall in the policy is indeed working. I can see that on all of the clients it is grayed out with no checkmark on it.

    However, we are still getting event 8003 & 5719 from some of our workstations.

    Usually when this happens, one of the desktops is trying to broadcast that it's the master browser, causing the other desktops to believe it. By the time a user logs in, they will get "The system cannot log you on now because the domain <DomainName> is not available".

     

    This came out after the upgrade.
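
    One way to track the five event IDs from this thread per client and per day, so the counts can be compared before and after each SEP policy change. This is an added example, not part of the original posts; the host names are hypothetical placeholders, and it assumes the events are written to the System log and that remote event log access to the clients is allowed.

```powershell
# Added example: summarize the event IDs named in the thread across a set of clients.
$Clients  = 'WS-EXAMPLE-01', 'WS-EXAMPLE-02'   # hypothetical host names, replace with your own
$EventIds = 8003, 5719, 1129, 3210, 8033       # event IDs reported in the thread
$Since    = [datetime]'2013-11-08'             # SEPM upgrade date given in the first post

$results = foreach ($client in $Clients) {
    try {
        # Assumption: all five IDs land in the System log on the affected clients
        Get-WinEvent -ComputerName $client -ErrorAction Stop -FilterHashtable @{
            LogName   = 'System'
            Id        = $EventIds
            StartTime = $Since
        } | Select-Object @{ n = 'Computer'; e = { $client } }, Id, ProviderName, TimeCreated
    }
    catch {
        # "No matching events" is raised as an error; only warn about real failures
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$client : $($_.Exception.Message)"
        }
    }
}

# One row per client, event ID and calendar day, with the number of occurrences
$results |
    Group-Object Computer, Id, { $_.TimeCreated.Date } |
    ForEach-Object {
        $first = $_.Group | Sort-Object TimeCreated | Select-Object -First 1
        [pscustomobject]@{
            Computer = $first.Computer
            Id       = $first.Id
            Provider = $first.ProviderName
            Day      = $first.TimeCreated.ToString('yyyy-MM-dd')
            Count    = $_.Count
        }
    } |
    Sort-Object Computer, Day, Id |
    Format-Table -AutoSize
```

    A client whose daily counts for 8003 and 5719 drop to zero after a given policy change (firewall or Intrusion Prevention disabled) points at that component; clients that keep logging them need a separate look.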

     

     



  • 17.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 16, 2013 10:17 AM

    Okay, this time I'm disabling the Intrusion Prevention policy...



  • 18.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 19, 2013 07:51 AM

    So far, everything is working well. I wonder if others are experiencing this issue from 12.1.4?

    Bug from IPS?

     



  • 19.  RE: After upgrading SEP to version 12.1.4 both SEPM and our clients - I'm getting event logs from our clients: 8003, 5719, 1129, 3210, 8033

    Posted Nov 19, 2013 08:57 AM

    I would suggest getting a case opened.

    How to create a new case in MySymantec

    http://www.symantec.com/docs/TECH58873

    Phone numbers to contact Tech Support:

    Regional Support Telephone Numbers:

        United States: https://support.broadcom.com (407-357-7600 from outside the United States)
        Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
        United Kingdom: +44 (0) 870 606 6000

    Additional contact numbers: http://www.symantec.com/support/contact_techsupp_static.jsp