
Client data in SEPM not updating even though clients are up to date definition-wise

Created: 25 May 2012 | 24 comments

Hello,

We have a problem where a number of our clients are not updating their status in the SEPM. For example, the definition dates in the SEPM show as being out of date or in some cases as not having a definition at all. If we look at the client then it is fully up to date and is showing the Symantec shield with a green dot in it.

In some cases we can get up-to-date information from the client by telling it to update content in the SEPM client commands; however, this does not always work.

Can anyone tell me what is happening here and how to fix it? We are running SEP 11.0.6200

Thanks

 

24 Comments

Sumit G's picture

This problem occurs due to definition file corruption. Kindly find the link below. It will help to clear the corrupted definitions. Try it on one system; if it works, then try it on the others.

http://www.symantec.com/business/support/index?page=content&id=TECH103176&actp=search&viewlocale=en_US&searchid=1320508122368
 

Try the document below if the systems are not managed by the server.

https://www-secure.symantec.com/connect/downloads/solution-doc-manage-unmanaged-system-sep-1106005

Regards

Sumit G.

pete_4u2002's picture

Does the SEPM console show the latest contact with SEP, i.e. is the last heartbeat contact of the client the latest?

Is it happening with only a few machines?

 

Aeropars's picture

Hello,

Yes, it's only happening to a few clients. Around 50 in an 800-client estate.

The last check-in date and time are updating fine so it seems communication is there but not all data is being updated.

pete_4u2002's picture

Does deleting the client from the SEPM console make the client update its correct information?

Can you post the Sylink log from one such client (out of the 50)?

 

Aeropars's picture

I haven't tried deleting a client from the SEPM but I will give that a try now.

Where will I find the Sylink log file?

Aeropars's picture

Thanks. I've enabled logging but how long should I leave it before uploading the log to here?

NRaj's picture

Try deleting the HWID. It will be regenerated. This has helped us, though just a workaround, we have to show some improvement ;)

Aeropars's picture

OK, here's the log file. It looks like it hasn't done anything since I restarted the smc.

Attachment: debug.txt (4.97 KB)

John Q.'s picture

Please check if you have a lot of .DAT/.TMP/.ERR files in the SEPM\data\inbox subfolders (especially Agentinfo). If yes, it means clients are reporting their logs to the SEPM, but the manager is not able to process them.

See http://www.symantec.com/docs/TECH154391

Some improvements were made as well in the latest builds regarding DAT file processing (http://www.symantec.com/docs/TECH103087).

This can also appear if you have a lot of clients (a few thousand) and your communication mode is set to PUSH (Symantec recommends switching to PULL mode for big environments, with a 1 hour heartbeat interval - http://www.symantec.com/docs/TECH92051):
http://www.symantec.com/docs/TECH94711

 

Please remember to mark the proper comment as SOLUTION:
 - to identify threads that do not require further assistance
 - to let other visitors know how to fix such issue
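
The inbox check suggested in the post above, as an added example (not part of any post in this thread, and not Symantec code). The function name, the `$InboxPath` parameter and the `$StaleHours` threshold are assumptions; pass the full path of the `data\inbox` folder on your own manager.

```powershell
# Added example, not from the thread. Summarizes the .dat/.tmp/.err files that
# are still sitting in each subfolder of the SEPM inbox.
function Get-InboxBacklog {
    param(
        # Assumption: full path to <SEPM install dir>\data\inbox on the manager.
        [Parameter(Mandatory = $true)][string]$InboxPath,
        # Assumption: files older than this many hours are counted as stale.
        [int]$StaleHours = 2
    )

    if (-not (Test-Path -LiteralPath $InboxPath -PathType Container)) {
        throw "Inbox folder not found: $InboxPath"
    }

    $extensions = '.dat', '.tmp', '.err'
    $cutoff = (Get-Date).AddHours(-$StaleHours)

    Get-ChildItem -LiteralPath $InboxPath |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $folder = $_
            # Count files only; directories whose names end in .tmp are skipped.
            $files = @(Get-ChildItem -LiteralPath $folder.FullName -Recurse |
                Where-Object { -not $_.PSIsContainer -and $extensions -contains $_.Extension })
            if ($files.Count -eq 0) { return }   # nothing queued, move to the next subfolder

            $oldest = $files | Sort-Object LastWriteTime | Select-Object -First 1
            New-Object PSObject -Property @{
                Folder = $folder.Name
                Dat    = @($files | Where-Object { $_.Extension -eq '.dat' }).Count
                Tmp    = @($files | Where-Object { $_.Extension -eq '.tmp' }).Count
                Err    = @($files | Where-Object { $_.Extension -eq '.err' }).Count
                Stale  = @($files | Where-Object { $_.LastWriteTime -lt $cutoff }).Count
                Oldest = $oldest.LastWriteTime
            }
        } | Select-Object Folder, Dat, Tmp, Err, Stale, Oldest
}

# Usage (replace the placeholder with the real install directory):
# Get-InboxBacklog -InboxPath '<SEPM install dir>\data\inbox' |
#     Sort-Object Err -Descending | Format-Table -AutoSize
```

Running it twice some time apart shows whether the counts per subfolder are shrinking or growing, which is the difference between a manager that is catching up and one that is not processing what clients send.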

Aeropars's picture

Thanks for the reply. In the agentinfo folder I have 21 files. The content folder has 174 subfolders ending in .tmp and the rest seem OK.

We only have 900 clients and we are using pull mode with a 1hr heartbeat.

Aeropars's picture

I've just searched rather than browsing the subfolders and I have 157 err files in there in different subfolders. Does this look like there is a problem then?

I've also checked the debug log on the client which I took the original debug log from and this has not updated since I restarted the smc. Surely this should have updated by now?

John Q.'s picture

.ERR files are log files that clients sent to report their status and that SEPM was not able to process. Therefore, correct information about real client status (definition up-to-date, etc.) might be inside these files and explain why you have out-of-date information in the console.

You can open ERR files with notepad and try to identify which machine it is coming from. There might be some errors in SEPM logs as well that describe what's wrong with such files (you would need to open a ticket with the Support for such troubleshooting).

This can usually appear if you have an older version of SEP client managed by a newer SEPM release.

Try to update the client and see if it helps.

 


Aeropars's picture

When you refer to client versions, are you talking about full releases (i.e. version 10, 11, 12) or incremental releases (i.e. version 11 RU6)?

We have an 11.0.6200 server which manages clients running from version 11.0.4 to 11.0.7

Aeropars's picture

Also, what folder should I be looking at for the errors? Does each folder relate to anything specific? Most of my errors are in the AVMan folder; however, there's no computer information within the files. Just random numbers, it would seem.

Aeropars's picture

More information...

We've deleted a number of clients from the SEPM and when they are reporting back in they are showing the correct information.

This is obviously a big problem as it is invalidating any security reports we run. What would be causing this and how can we get the information to be updated consistently?

John Q.'s picture

Check if the impacted machines are running SEP 11.0 MR4/RU5. If that's the case, update them to a newer release, as it may fix your problem.

 


ScottM 2's picture

Is this a SQL database setup or embedded database? I've seen this before where a buildup of dat files caused poor reporting. One of the things to check in that case is the version of BCP.EXE, making sure the version matches up with the version of SQL you are using.

Aeropars's picture

Here is a debug log of one of the affected clients.

We are using the built in database and not SQL.

Attachment: debug.txt (57.19 KB)

Aeropars's picture

Also, I've just realised that we're running clients which are 11.0.7 yet our server is 11.0.6. Could this be the problem?

It's clearly not an issue for all our clients; however, it is for some.