Computers contacting server directly instead of GUP
Created: 28 Aug 2012 | Updated: 28 Aug 2012 | 14 comments
Hi,
Some of the branches of our organisation complain that the bandwidth utilization is very high and that it is due to the updates pushed by the Symantec server. We have a GUP in all the branches, but it seems computers are contacting the server directly instead of the GUP. There are only 10-20 machines in every branch. Can you please let me know the possible reason why computers are contacting the server directly instead of the GUP, even though the GUP machine is online?
Regards,
Anish
Hi,
What is the SEPM version?
Edit..
Check this thread
https://www-secure.symantec.com/connect/forums/sep-11-not-updating-gup
Are the GUP clients updated as well?
Are the clients properly communicating with the SEPM server and the GUP client machines?
Are the GUP client machines updated with the latest definitions?
Troubleshooting Articles:
Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection (SEP)
http://www.symantec.com/docs/TECH104539
Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart
http://www.symantec.com/docs/TECH95790
Troubleshooting Content Delivery to the Symantec Endpoint Protection client
http://www.symantec.com/docs/TECH106034
Could you upload the sylink.log from one of the client machines which are not taking the updates? Check the article on how to pull the sylink logs:
http://www.symantec.com/docs/TECH104758
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Hi,
The SEPM version is 12.1.671.4971.
The GUP as well as the computers are up to date. The issue does not happen every day, and not in all branches.
Regards,
Anish
Are the clients/servers in the same or different group?
Are you able to telnet to port 2967 on the GUP computer?
Has the policy been applied?
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Hi
Please check whether you have checked the option for clients to try to connect to the SEPM after x hours.
Regards
Hi,
That option is checked.
Regards,
Anish
The high traffic may be caused by frequent full downloads by the GUPs. In this case you have to increase the number of content revisions saved on the SEPM. More content versions cover a longer time line for delta files production, which dramatically reduces bandwidth utilization.
So at first I would check if the high traffic really stems from clients bypassing their GUPs.
Here is a great article by John Q. explaining how you can use the SEPM logs for this purpose:
https://www-secure.symantec.com/connect/articles/how-can-we-check-which-content-sep-121-clients-are-downloading-gup
Alternatively, you can use the SEP Content Distribution Monitor:
https://www-secure.symantec.com/connect/downloads/sep-content-distribution-monitor
Hi,
That article was helpful for understanding the content revision process.
Even if the GUP downloads a full content update from the SEPM because of the low number of content revisions, which in turn increases the bandwidth utilization automatically, how does this make client computers contact the server instead of the GUP?
Regards,
Anish
Hello,
Check these Articles:
When will a client download a full definition set from a Symantec Endpoint Protection Manager or Group Update Provider?
http://www.symantec.com/docs/TECH131528
Symantec Endpoint Protection clients download full definitions from Group Update Provider or from Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH122612
With default LiveUpdate content revision settings configured within the Symantec Endpoint Protection Manager, clients are downloading full definition updates instead of delta updates
http://www.symantec.com/docs/TECH94916
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Is the GUP always on?
SEP Knowledge Base
Endpoint SWAT
Hi,
The GUP machine is always found on when we are having this issue.
Regards,
Anish
Hello,
I agree with Greg's suggestion above.
The more past revisions that you keep, the better the SEPM will be able to provide smaller "delta" definition updates to SEP clients that are farther out-of-date.
If you have ample bandwidth and can handle clients that are out of date by a week or more downloading full definitions (up to 200 MB), then reduce the number of past content revisions to 20, rather than 30.
Keeping only 3 revisions means that SEP clients more than a day out of date will need the full download. (There are, on average, 3 releases of certified SEP definitions every weekday.)
How to change the number of downloaded content revisions that are retained by the Symantec Endpoint Protection Manager versions 11.0 or 12.1
http://www.symantec.com/docs/TECH104845
Group Update Provider(GUP): Sizing and Scaling Guidelines
http://www.symantec.com/business/support/index?page=content&id=TECH95353&locale=en_US
SEP Content Distribution Monitor / GUP monitoring tool
http://www.symantec.com/business/support/index?page=content&id=TECH156558
GUP content monitoring tool video
https://www-secure.symantec.com/connect/videos/sep-content-distribution-monitor-introduction
and
Link to download the SEP Content Distribution Monitor Utility
https://www-secure.symantec.com/connect/downloads/sep-content-distribution-monitor
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Hello,
You can confirm the issue by enabling debug on the GUP SEP client and verifying whether it's downloading deltas.zip or full.zip.
Check the debug.log file.
Willing to try SQL?
You can run the following SQL query and it will tell you which clients try to download from GUP & which from SEPM.
SELECT [COMPUTER_ID], [HARDWARE_KEY], [HOST_NAME], [TIME_STAMP], [EVENT_ID], [EVENT_TIME],
       [SEVERITY], [AGENT_ID], [CATEGORY], [EVENT_SOURCE], [EVENT_DESC], [LOG_IDX]
FROM [Antivirus_SEM5].[dbo].[AGENT_SYSTEM_LOG_1]
WHERE [EVENT_SOURCE] = 'SYLINK'
UNION ALL
SELECT [COMPUTER_ID], [HARDWARE_KEY], [HOST_NAME], [TIME_STAMP], [EVENT_ID], [EVENT_TIME],
       [SEVERITY], [AGENT_ID], [CATEGORY], [EVENT_SOURCE], [EVENT_DESC], [LOG_IDX]
FROM [Antivirus_SEM5].[dbo].[AGENT_SYSTEM_LOG_2]
WHERE [EVENT_SOURCE] = 'SYLINK'
ORDER BY [HOST_NAME], [HARDWARE_KEY]
Original post here.
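An added example, not part of the original post or of Symantec's tooling: the same two log tables rolled up into a per-host summary, so the clients generating the most SYLINK events stand out before you read individual rows. Database, table and column names are the ones in the query above; `@desc_filter` is a hypothetical parameter, left at `%`, which you can narrow to whatever EVENT_DESC text your own rows contain.

```sql
-- Added example (T-SQL): per-host roll-up of SYLINK events.
-- [Antivirus_SEM5] is the database name used in the post; substitute your own.
-- @desc_filter is a placeholder: '%' matches every description. Replace it with
-- text copied from EVENT_DESC rows in your own database to narrow the summary.
DECLARE @desc_filter NVARCHAR(200) = N'%';

WITH sylink_events AS (
    SELECT [HOST_NAME], [HARDWARE_KEY], [EVENT_TIME], [EVENT_DESC]
    FROM [Antivirus_SEM5].[dbo].[AGENT_SYSTEM_LOG_1]
    WHERE [EVENT_SOURCE] = 'SYLINK'
    UNION ALL
    SELECT [HOST_NAME], [HARDWARE_KEY], [EVENT_TIME], [EVENT_DESC]
    FROM [Antivirus_SEM5].[dbo].[AGENT_SYSTEM_LOG_2]
    WHERE [EVENT_SOURCE] = 'SYLINK'
)
SELECT [HOST_NAME],
       [HARDWARE_KEY],
       COUNT(*)          AS event_count,      -- SYLINK events logged for this host
       MAX([EVENT_TIME]) AS last_event_time   -- most recent matching event
FROM sylink_events
WHERE [EVENT_DESC] LIKE @desc_filter
GROUP BY [HOST_NAME], [HARDWARE_KEY]
ORDER BY event_count DESC, [HOST_NAME];
```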
Hi,
Any update on this?
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents