Endpoint Protection


Clients reporting offline after SEPM upgrade to 12.1 RU5

  • 1.  Clients reporting offline after SEPM upgrade to 12.1 RU5

    Posted Apr 09, 2015 08:24 AM

    Our environment is large, with mixed-mode connections such as VSAT and leased line.

    After upgrading successfully to SEP 12.1 RU5 from SEP 12.1.RU4MP1a, clients are reporting offline.

    But the best thing is that clients are getting definition updates. We are facing an administrative issue.

    Seems to be a product defect, and it has the fix IDs 3680595, 3682969, 3721675 in SEP 12.1 RU6Beta2.

    Kindly provide us the workaround ASAP.



  • 2.  RE: Clients reporting offline after SEPM upgrade to 12.1 RU5

    Posted Apr 09, 2015 08:38 AM

    It's only on the console that they show as offline, but clients are talking to SEPM and getting policies and updates?



  • 3.  RE: Clients reporting offline after SEPM upgrade to 12.1 RU5

    Posted Apr 09, 2015 08:43 AM

    Could you check whether the ports in conf.properties and httpd.conf are mismatched? (The port may be configured incorrectly.)

    You can find them here:

    conf.properties - C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tomcat\etc\conf.properties

    httpd.conf - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf

    conf.properties:

    scm.webserver.http.port=8014
    scm.iis.http.defaultsite=0

    httpd.conf:

    Listen 80

    If yes, could you try following the steps below:

    1. Go to C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tomcat\etc\conf.properties

    2. Edit conf.properties

    3. Replace "scm.webserver.http.port=8014" by "scm.webserver.http.port=80"

    4. Delete "scm.iis.http.defaultsite=0"

    5. Save changes

    6. Restart Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver services
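
The port comparison suggested in post 3, as an added PowerShell example that is not part of the original thread or of Symantec's tooling. The function names are hypothetical, and the sample input is constructed from the mismatching values quoted in that post (`scm.webserver.http.port=8014` against `Listen 80`).

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Get-PropertiesValue {
    param([string[]]$Lines, [string]$Key)
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # Skip blanks and Java .properties comments ('#' or '!')
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith('!')) { continue }
        # Key and value may be separated by '=' or ':'
        if ($t -match '^(?<k>[^=:\s]+)\s*[=:]\s*(?<v>.*)$' -and $Matches['k'] -ceq $Key) {
            return $Matches['v'].Trim()
        }
    }
    return $null
}

function Get-ApacheListenPorts {
    param([string[]]$Lines)
    $ports = @()
    foreach ($line in $Lines) {
        # Listen [address:]port [protocol]; the address may be a bracketed IPv6 literal.
        # Commented-out directives do not match because of the leading anchor.
        if ($line -match '^\s*Listen\s+(?:\[[^\]]+\]:|[^\s:]+:)?(?<p>\d+)(?:\s+\S+)?\s*$') {
            $ports += [int]$Matches['p']
        }
    }
    return ,$ports
}

function Test-SepmPortConsistency {
    param([string[]]$ConfProperties, [string[]]$HttpdConf)
    $port   = Get-PropertiesValue -Lines $ConfProperties -Key 'scm.webserver.http.port'
    $listen = Get-ApacheListenPorts -Lines $HttpdConf
    [pscustomobject]@{
        ConfPropertiesPort = $port
        ApacheListenPorts  = $listen -join ','
        # True only when the conf.properties port is numeric and Apache listens on it
        Consistent         = ($port -match '^\d+$') -and ($listen -contains [int]$port)
    }
}

# Constructed sample input using the mismatching values quoted in the post.
# On a SEPM server, pass (Get-Content <file>) for each of the two files instead.
$confSample  = "scm.webserver.http.port=8014", "scm.iis.http.defaultsite=0"
$httpdSample = "# constructed httpd.conf fragment", "Listen 80"

Test-SepmPortConsistency -ConfProperties $confSample -HttpdConf $httpdSample
```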



  • 4.  RE: Clients reporting offline after SEPM upgrade to 12.1 RU5

    Posted Apr 09, 2015 08:48 AM

    Have you verified they don't have a duplicate HWID?

     



  • 5.  RE: Clients reporting offline after SEPM upgrade to 12.1 RU5

    Posted Apr 09, 2015 08:54 AM

    Thanks Rafeeq and Brain,

    There is no mismatch between the conf.properties and httpd.conf files, and no duplicate HWID, as we do not use the ghosting method.



  • 6.  RE: Clients reporting offline after SEPM upgrade to 12.1 RU5

    Posted Apr 09, 2015 08:57 AM

    Can you try restarting the SEPM service once? They might come back with a green dot.



  • 7.  RE: Clients reporting offline after SEPM upgrade to 12.1 RU5

    Posted Apr 09, 2015 09:03 AM

    Green dot comes and goes. Even Symantec support got shocked after seeing this.

    We have been working on this case for the last 3 weeks.



  • 8.  RE: Clients reporting offline after SEPM upgrade to 12.1 RU5

    Posted Apr 09, 2015 09:06 AM

    If it's a bug, they should be able to provide a workaround. Unless of course it requires a code change.



  • 9.  RE: Clients reporting offline after SEPM upgrade to 12.1 RU5

    Posted Apr 09, 2015 09:08 AM

    Create a new group, move one client to the group

    Uncheck inheritance

    Click on Clients - click on Policies

    General Settings (under Settings)

    Select Security Settings

    Uncheck "Enable secure communication between manager and client", see if the green dot stays constant.

    (Was this tried already?)



  • 10.  RE: Clients reporting offline after SEPM upgrade to 12.1 RU5

    Trusted Advisor
    Posted Apr 09, 2015 09:09 AM

    Hello,

    Could you check with Wireshark logs which connections are getting blocked and where?

    This surely seems to be a defect as what I know is that you are carrying too many connections at the same time on the server with the fixed bandwidth.

    What happens if you divide these SEP client connections across different SEPMs?

    For example: in case you have 1000 clients and 5 SEPM sites, let each carry 200 connections and check if they lose the connections.

    I believe it's worth a try.



  • 11.  RE: Clients reporting offline after SEPM upgrade to 12.1 RU5

    Posted Apr 09, 2015 09:17 AM

    Rafeeq,

    Let me try your workaround and let you know.

    Note: we are compromising PCI DSS norms. :)

    Mithun,

    There are 2 SEPMs in load balance/failover and total clients are 15k.

    Can't have more SEPMs.



  • 12.  RE: Clients reporting offline after SEPM upgrade to 12.1 RU5

    Trusted Advisor
    Posted Apr 09, 2015 09:24 AM

    Hello,

    This shouldn't happen if the total clients are 15k.

    Does this issue occur only on a few client machines or all of them?

    Could you try pulling sylink logs from any random machine with issue?

    A couple of things to check:

    1. Is the Windows Firewall active on the SEPM server?  If so, is it blocking port 8014?

    2. How many clients do you have and what is the communication mode? (push or pull)

    3. When the client goes offline in the SEPM, does it go offline on the client too (still has the green dot or not?)

    4. Any recent error messages in scm-server*.log in \Symantec Endpoint Protection Manager\tomcat\logs ?



  • 13.  RE: Clients reporting offline after SEPM upgrade to 12.1 RU5

    Posted Apr 10, 2015 03:52 AM

     

    Mithun,

    Does this issue occur only on a few client machines or all of them?

    Ans: All the clients.

    Could you try pulling sylink logs from any random machine with issue?

    Ans: Pulled one day of sylink logs from a few PCs and submitted them to Symantec support, but no error was found.

    A couple of things to check:

    1. Is the Windows Firewall active on the SEPM server?  If so, is it blocking port 8014?

    Ans: No Windows FW. We are using port 80 and it is not blocked.

    2. How many clients do you have and what is the communication mode? (push or pull)

    Ans: 15k clients in pull mode, with mixed network VSAT & LL. Heartbeat is 4 hrs.

    3. When the client goes offline in the SEPM, does it go offline on the client too (still has the green dot or not?)

    Ans: On SEPM it is offline; on clients it is online (green dot is seen).

    4. Any recent error messages in scm-server*.log in \Symantec Endpoint Protection Manager\tomcat\logs ?

    Ans: Unexpected server error



  • 14.  RE: Clients reporting offline after SEPM upgrade to 12.1 RU5

    Posted Apr 30, 2015 05:23 AM

    Please find below the steps as suggested by Symantec Support.

    1) Stop SEPM services
     
    2) Go to %SEPM%\Apache\bin
     
    3) Backup following files: libaprutil-1.dll, libapr-1.dll, libhttpd.dll
     
    4) Extract and copy the following files attached to this email to %SEPM%\Apache\bin
     
    libapr-1.dll
    libaprutil-1.dll
    libhttpd.dll
     
    5) Fix the log rotation issue by editing %SEPM%\Apache\conf\httpd.conf file
    Find the following line:
    ErrorLog "|| bin/......
    Replace with:
    ErrorLog "|| bin/rotatelogs.exe -n 2 logs/error.log 100M"
     
    6) Start SEPM service

    Attachment(s): httpd binaries_0.zip (320 KB)