Endpoint SWAT: Protect the Endpoint Community


Clients receiving full definitions continuously instead of deltas

  • 1.  Clients receiving full definitions continuously instead of deltas

    Posted Apr 07, 2014 04:24 AM

    Our network is flooded with updates from either the SEPM or GUPs, as all clients are receiving full.zip updates instead of deltas.

    SEPM x 4 (28000 clients): SEP 12ru4a

    SEP clients: SEP12 RU1 thru SEP 12 RU4.

    Any idea on what the cause could be?



  • 2.  RE: Clients receiving full definitions continuously instead of deltas

    Posted Apr 07, 2014 04:31 AM

    Typically, this only happens when the client is running a version of the defs that the SEPM does not have stored.  IIRC, you store 85 def revisions on your SEPM, is that correct?

    Can you post the sylink logs (plus def details) from a client that should be receiving deltas, but is not?



  • 3.  RE: Clients receiving full definitions continuously instead of deltas

    Posted Apr 07, 2014 04:31 AM

    How many content revisions do you have set?

    When will a client download a full definition set from a Symantec Endpoint Protection Manager or Group Update Provider?

    Article:TECH131528 | Created: 2010-01-06 | Updated: 2013-09-24 | Article URL http://www.symantec.com/docs/TECH131528

    With default LiveUpdate content revision settings configured within the Symantec Endpoint Protection Manager, clients are downloading full definition updates instead of delta updates

    Article:TECH94916 | Created: 2009-01-07 | Updated: 2011-12-13 | Article URL http://www.symantec.com/docs/TECH94916


  • 4.  RE: Clients receiving full definitions continuously instead of deltas

    Broadcom Employee
    Posted Apr 07, 2014 04:32 AM

    Check this link:

    When will a client download a full definition set from a Symantec Endpoint Protection Manager or Group Update Provider?

    Article:TECH131528  | Created: 2010-01-06  | Updated: 2013-09-24  | Article URL http://www.symantec.com/docs/TECH131528


  • 5.  RE: Clients receiving full definitions continuously instead of deltas

    Posted Apr 07, 2014 05:02 AM

    Incidentally, as you say this is affecting all clients, you may wish to review the below articles on how to investigate when a SEPM is unable to create a delta:

    http://www.symantec.com/docs/TECH155232
    http://www.symantec.com/docs/TECH96332

    Do you even see any xdelta<revision_number>.dax files in the definitions folders?



  • 6.  RE: Clients receiving full definitions continuously instead of deltas

    Posted Apr 07, 2014 06:02 AM

    Yes, there are xdelta .dax files in most of the definition folders.

    All sylink logs show that a full.zip file is downloaded either from the GUP or SEPM directly. The sylink logs don't show why the full.zip was downloaded (i.e. no logs to show that the deltas failed - there is NO showing of any entry with this).



  • 7.  RE: Clients receiving full definitions continuously instead of deltas

    Posted Apr 07, 2014 06:23 AM

    And for this normal client that is downloading the full defs instead of a delta, can you confirm that the SEPM has the defs that the client is moving from, stored locally?

    #EDIT#

    BTW, I'd also recommend identifying the clients that are using the delta files and reviewing to see if these clients are any different from those requesting the full defs.

    You can identify these clients from the SEPM's logs.



  • 8.  RE: Clients receiving full definitions continuously instead of deltas

    Posted Apr 07, 2014 06:27 AM

    It's a bit too much now, logged a call with Symantec. I don't have time to go through client logs - I have 28000 clients - where would I check for clients utilizing the deltas - not even the agents on the SEPMs are getting them. Thus, I have a problem.



  • 9.  RE: Clients receiving full definitions continuously instead of deltas

    Posted Apr 14, 2014 02:25 AM

    Hi ThavenshinP,

    Can I know how your case is currently? Any feedback from Symantec?



  • 10.  RE: Clients receiving full definitions continuously instead of deltas
    Best Answer

    Posted Apr 14, 2014 04:18 AM

    Hi,

    Sorry for the delay in reporting feedback. Logged a call with Symantec. Symantec initially found that the SEPM Java Heap was the issue as it couldn't process the queries to create the deltas. A fix was found to double the Java heap on the SEPMs. This did the trick; however, it came back again after too many clients connected to SEPM. Eventually I worked out that the services on the SEPMs had to be restarted every 4 hours for the deltas to be created.

    After upgrading the SEPMs to the latest version SEP12RU4MP1 this seemed to do the trick as well as upgrading a test machine to the latest version as well. For all my older clients (RU1-RU4a) a registry key is to be added to prevent the clients from continuously sending requests to the SEPMs. I believe this is a defect in all versions except for SEP12RU4MP1. Monitoring it now and all seems ok.

    Herewith the articles relating to the call:

    http://www.symantec.com/docs/TECH105179

    http://www.symantec.com/docs/TECH212323

    http://www.symantec.com/docs/TECH216176



  • 11.  RE: Clients receiving full definitions continuously instead of deltas

    Posted Apr 14, 2014 10:55 PM

    Hi,

    Can I know whether the registry key added was a custom registry key?



  • 12.  RE: Clients receiving full definitions continuously instead of deltas

    Posted Apr 15, 2014 04:59 AM
    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\UseLastServer