
Clients not Connecting to Management Server

Created: 22 Feb 2013 | 10 comments

I have set up four management servers for my agency, one at HQ and three at remote offices. All management servers are set up to access a SQL database on a separate machine at HQ and all management servers can connect to this database correctly. I have created a management server list for each server and applied the appropriate list to the groups I want managed. The management list configures the closest management server (closest via physical link) to be that site's primary server and the management server at HQ to be the secondary management server. The clients at HQ and two of the remote offices connect to their respective management server without issue.

My issue is clients at the third remote office will not connect to their configured primary management server; they connect to the HQ management server. I have attempted to manually force a client to connect to the local management server by having the client update its policy and sometimes this will get the client to connect, but it only lasts a second or two. It immediately reconnects to HQ.

I can ping the server from the client and I can connect to the server via its remote web console and its Java console. The Windows firewall on the server is turned off and the Symantec firewall in the server client is configured to allow connections on port 8014. I thought maybe that the Symantec firewall was blocking communication, but when I disabled the firewall the client still would not connect.

On a possibly unrelated note, the management servers are not updating the virus definitions. According to the management console the definitions are now six days out of date.

All management servers use the same version: 12.1.2015.2015

Client versions vary: 11.0.6300.803 - 12.1.2012.2015

 

Any assistance is appreciated!

Thank you!


.Brian's picture

See this KB:

Troubleshooting Client Communication with SEPM

Article:TECH95789  |  Created: 2009-01-26  |  Updated: 2012-01-03  |  Article URL http://www.symantec.com/docs/TECH95789

 

Also, can you post the sylink log from an affected client? Sounds like an issue with not seeing the right MSL and not using the correct priority. What happens if you replace the sylink file with the server you want it to connect to?

Do you have enough free space on C: of the SEPM not updating? Are there any errors showing under Admin >> Servers tab?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ashish-Sharma's picture

Check this

Could you please upload the sylink.log from the SEP clients which are not updating so we can understand the root cause of the issue? Check this article on how to collect the "sylink.log" -

How to enable Sylink debugging for the Symantec Endpoint Protection 11.x and 12.1 client in the Windows Registry

http://www.symantec.com/docs/TECH104758

Here are the Troubleshooting Articles which may assist you -

1) Symantec Endpoint Protection Manager 11.x Communication Troubleshooting

http://www.symantec.com/docs/TECH102681

2) Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart

http://www.symantec.com/docs/TECH95790

3) Symantec Endpoint Protection: Troubleshooting Client/Server Connectivity

http://www.symantec.com/docs/TECH105894

Thanks In Advance

Ashish Sharma

 

 

Rafeeq's picture

Do this test for your third office client and let me know what result you get.

 

Testing Communication from an Endpoint Protection client to the Endpoint Protection Manager

 

http://www.symantec.com/business/support/index?pag...

DRE_PSO's picture

Thank you to everyone who responded. Something I should have mentioned in my original post regarding the virus definitions: when I try to perform a manual LiveUpdate from the SEP manager it responds with either "no updates found for ..." or "Symantec Endpoint Protection Manager could not update ...".

 

Brian81:

  • I have attached the Sylink.log (sylink.txt) file with this post.
  • When I attempt to replace the sylink file the connection goes to server: offline and then back to the server at HQ. I tried this while the sylink log was running, so you should see it in there.
  • There are no errors in Admin>>Servers.
  • Each management server has at least 50GB of free space.

 

Ashish-Sharma:

  • I have attached the Sylink.log (sylink.txt) file with this post.
  • I am still going through the LiveUpdate Troubleshooting Flowchart. I will respond again when I get to the end or the issue is fixed.

 

Rafeeq:

  • I connected to the server using both the IP address and the host name. In both instances the server responded with "OK".

Attachment: sylink.txt (180.26 KB)

SMLatCST's picture

Before I comment on the sylink file, I'd like to make it clear that having SEPMs on remote sites with no databases of their own goes against Symantec Best Practices.

http://www.symantec.com/docs/TECH92051

You'd be better off, network utilisation-wise, putting all the SEPMs in the HQ and configuring GUPs at your remote sites.  Whenever any client checks into a SEPM, it will immediately write the data back to the database.  Any policy changes made via a remote SEPM would also have to traverse the WAN back to the DB too.  A SEPM should only be required at a remote site if it has a truck-load of clients on it, and even then it should be a separate SEP Site and have a DB of its own.

Regarding the sylink file, it only shows successful connections to 10.1.0.200 and a server named EOPSEP01.  Assuming these are one and the same HQ Server, can you grab the logs from a client that exhibits the communications issue?

DRE_PSO's picture

SMLatCST,

Thank you for your response. The main reason for doing this is network utilization. The majority of our computers are not in the HQ building and most of the remote sites connect to HQ through very slow WAN links or connect through other buildings to get to HQ. Case in point, the remote site I am having issues with also has another building attached to it via a T1. I had not considered GUP's. Can they also be configured to allow clients to connect to them and download the latest version of SEP?

The sylink file is from a computer experiencing the communication issue. 10.1.0.200 - DETSEP12 is at HQ. 10.206.8.4 - EOPSEP01 is at the remote site. I have seen the client connect to EOPSEP01, but it only lasts a few seconds. The client immediately reconnects to DETSEP12.

 

Thank you!

SebastianZ's picture

 I had not considered GUP's. Can they also be configured to allow clients to connect to them and download the latest version of SEP?

 

A: Unfortunately no - GUP can only forward the content updates - so the definitions to clients. Product upgrade packages can be deployed only directly from SEPM.

 

SMLatCST's picture

I think the issue is that the logs seem to indicate successful comms, and don't show the machine switching back to 10.1.0.200.  The switch from 10.1.0.200 to EOPSEP01 appeared to be down to the heartbeat interval.  If correct, this would suggest they might be set as the same priority in the MSL assigned to this endpoint's group.  Can you verify, or can you provide a sylink log that shows it switching back to 10.1.0.200 very quickly?

As far as distribution of client upgrades go, the above post is correct that GUP cannot do this.  GUPs only provide definitions updates.  That said, it's easy enough to spin up a temporary website on a remote site to serve the client upgrades from:

http://www.symantec.com/docs/TECH97406

DRE_PSO's picture

The attached PNG shows how the management server list for this site is configured. I have verified that it is applied to the proper group in SEPM. The sylink.log file I previously uploaded was running when I attempted to force a communication update. For clarity purposes I do this by opening the client>pressing help>troubleshooting>management. Under policy profile I click update. At the top, the server changes to EOPSEP01 or 10.206.8.4 and then changes back to 10.1.0.200.

Regarding the log, I'm seeing this:

  • 02/22 11:01:16.433 [3028] <GetIndexFileRequest:>http://EOPSEP01:8014/secars/secars.dll?
  • 02/22 11:01:16.433 [3028] 11:1:16=>Send HTTP REQUEST
  • 02/22 11:01:16.464 [3028] 11:1:16=>HTTP REQUEST sent
  • 02/22 11:01:16.464 [3028] <GetIndexFileRequest:>SMS return=500
  • 02/22 11:01:16.464 [3028] <ParseHTTPStatusCode:>500=>500 INTERNAL SERVER ERROR
  • 02/22 11:01:16.464 [3028] HTTP returns status code=500
  • 02/22 11:01:16.994 [3028] <GetIndexFileRequest:>http://10.206.8.4:8014/secars/secars.dll?
  • 02/22 11:01:16.994 [3028] 11:1:16=>Send HTTP REQUEST
  • 02/22 11:01:17.026 [3028] 11:1:17=>HTTP REQUEST sent
  • 02/22 11:01:17.026 [3028] <GetIndexFileRequest:>SMS return=500
  • 02/22 11:01:17.026 [3028] <ParseHTTPStatusCode:>500=>500 INTERNAL SERVER ERROR
  • 02/22 11:01:17.026 [3028] HTTP returns status code=500 
  • 02/22 11:01:17.556 [3028] <GetIndexFileRequest:>http://10.1.0.200:8014/secars/secars.dll?
  • 02/22 11:01:17.556 [3028] 11:1:17=>Send HTTP REQUEST
  • 02/22 11:01:17.587 [3028] 11:1:17=>HTTP REQUEST sent
  • 02/22 11:01:17.587 [3028] <GetIndexFileRequest:>SMS return=200
  • 02/22 11:01:17.587 [3028] <ParseHTTPStatusCode:>200=>200 OK

 

Regarding SEPM not updating virus definitions, I'm seeing this in the SesmLu log:

  • 02/25 08:50:58 [0530:1370] ERROR       SesmLu Server failed to publish the LU inventory.at SesmLu.cpp[1322]
  • 02/25 08:50:58 [0530:1370] WARNING     SesmLu Request for server to publish the LuConfig.xml, LuDownloadedContentArray.xml and LuSesmContentCatalog.xml returned error. One or more of these files may be out of date, potentially resulting in partial or incorrect LiveUpdate downloads.
  • 02/25 08:50:58 [0530:1370] ERROR      spccatalogen SesmLu 0 Product: {7073FE74-CAB0-42cc-B839-9808FCB47909},SESM Content Catalog,11.0,SymAllLanguages,catalogen,PATCHMANAGEMENT,,,0X000000FF, Filtered:1, Suspended:0, RegComClassId:0, : Failed to set disable download.at SesmLu.cpp[1440]
  • 02/25 08:50:58 [0530:1370] ERROR      spccatalogen SesmLu 1 Product: {2A75E5CB-0AB4-F6D4-00BE-15396E8F5C44},SEPM Content Catalog,12.1,SymAllLanguages,spccatalogen,PATCHMANAGEMENT,,,0X0000FFFF, Filtered:1, Suspended:0, RegComClassId:1, : Failed to set disable download.at SesmLu.cpp[1440]
  • 02/25 08:50:58 [0530:1370] ERROR      spccatalogen SesmLu 4 Product: {2E96287D-0A02-8787-00F6-AC0B723729F0},SESM AntiVirus Client Win32,11.0.5002,English,sesmAvClient32en_MR5,PATCHMANAGEMENT,,,0X0000000F, Filtered:0, Suspended:0, RegComClassId:0, : Failed to set disable download.at SesmLu.cpp[1440]

Thank you!

 

SEP.png
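
Added example, not part of the original thread: a small parser that pairs each `GetIndexFileRequest` URL in a sylink.log with the `SMS return=` status logged after it, so a larger log can be summarised per management server. The sample input is the excerpt quoted in the post above; the function names are hypothetical, and treating the bracketed number as a thread ID is an assumption.

```python
import re

# Excerpt of the sylink.log lines quoted in the post above (not constructed).
SAMPLE_LOG = """\
02/22 11:01:16.433 [3028] <GetIndexFileRequest:>http://EOPSEP01:8014/secars/secars.dll?
02/22 11:01:16.464 [3028] 11:1:16=>HTTP REQUEST sent
02/22 11:01:16.464 [3028] <GetIndexFileRequest:>SMS return=500
02/22 11:01:16.994 [3028] <GetIndexFileRequest:>http://10.206.8.4:8014/secars/secars.dll?
02/22 11:01:17.026 [3028] 11:1:17=>HTTP REQUEST sent
02/22 11:01:17.026 [3028] <GetIndexFileRequest:>SMS return=500
02/22 11:01:17.556 [3028] <GetIndexFileRequest:>http://10.1.0.200:8014/secars/secars.dll?
02/22 11:01:17.587 [3028] 11:1:17=>HTTP REQUEST sent
02/22 11:01:17.587 [3028] <GetIndexFileRequest:>SMS return=200
"""

# The bracketed number is assumed to be a thread ID; it is used only to pair lines.
REQUEST_RE = re.compile(r"\[(\d+)\] <GetIndexFileRequest:>https?://([^:/\s]+)")
RETURN_RE = re.compile(r"\[(\d+)\] <GetIndexFileRequest:>SMS return=(\d+)")


def index_request_results(log_text):
    """Return [(server, status)] in log order; status is None if no reply was logged."""
    pending = {}   # bracketed ID -> server still waiting for "SMS return="
    results = []
    for line in log_text.splitlines():
        req = REQUEST_RE.search(line)
        if req:
            tid, server = req.groups()
            if tid in pending:                    # earlier request never got a status
                results.append((pending.pop(tid), None))
            pending[tid] = server
            continue
        ret = RETURN_RE.search(line)
        if ret and ret.group(1) in pending:
            results.append((pending.pop(ret.group(1)), int(ret.group(2))))
    results.extend((server, None) for server in pending.values())
    return results


def failing_servers(results):
    """Servers whose index request did not come back as HTTP 200."""
    return sorted({server for server, status in results if status != 200})


if __name__ == "__main__":
    for server, status in index_request_results(SAMPLE_LOG):
        print(f"{server:12} {status}")
    print("not answering with 200:", failing_servers(index_request_results(SAMPLE_LOG)))
```

On the quoted excerpt this lists status 500 for both EOPSEP01 and 10.206.8.4 and status 200 for 10.1.0.200 only.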