
Green Dots keep disappearing in SEPM

Created: 14 Feb 2008 • Updated: 21 May 2010 | 43 comments
This issue has been solved. See solution.
Hi,
 
I imported an Active Directory OU in the SEPM, and after that I installed a SEP client on a few servers in that OU. Problem is, the servers do show up with the little green dot in SEPM, but after a while, some of the green dots are disappearing. And sometimes they will show up again. Commands can be issued on the clients. And the reporting site is accessible from the clients. It's only that nasty little green dot which is driving me crazy.


Cuthbert's picture
As annoying as this may be, if this is your only problem with SEPM I would count myself lucky!
 
:smileywink:
 
It may just need some time to settle down.
Richard D.'s picture
Well, it's quite annoying because I cannot see if a client is installed or not. These green dots tell me that. If I remove the complete OU from SEPM, and then re-import it again, the green dots seem to light up again.
Cuthbert's picture
Sorry, what I was trying to get at was that on my system (Two 2003 servers & 21 clients) it takes up to 20mins to show up in SEPM when a client is connected/disconnected.
 
Richard D.'s picture
If I don't see green dots, does this affect reporting in SEPM? Otherwise I really need a solution for this.
ADutch1's picture
The green dots tell you if the client is up and running and has checked in with the SEPM server. Since it depends on a random time between the maximum checkin time you set in the console, it might take a while for them to check in. If the client is turned off, then the green dot will disappear again but the client name should stay visible in the console.
Laura's picture
I have clients that I KNOW are online (it's still mostly a test environment) and have SEP enabled, but no green dot.
 
On the client side, I see my laptop, in fact, go "online" and "offline" frequently.  I guess I thought that once the connection was established, that the connection would remain active?
Matthew Brooks's picture
I'm new to SEPM, but here's something you can try. I know there's a push vs. pull mode for client communications. Push mode "keeps the connection between clients and management servers open" where pull "client connects to the management server at a regular interval". Maybe that's it??? I only have a few clients installed but all show in the console... I am using the push mode method.
 
It's under your group | policies | communications settings.
 
Just a thought.
 
-Matt
 
Laura's picture
Good idea on the "push" vs. "pull".... checked that, and it's already set at "push", though, so it should be keeping that connection active.  Or, so I thought, at least....!
Matthew Brooks's picture
Maybe it has to do with their firewall component. Did you actually install that part or just the antivirus / antispyware components? I had to uninstall that because it was blocking things it shouldn't have. I'm still "testing" , not production.
 
Also on a side note, Symantec Corp Edition had that same problem with clients showing up as "offline" until they came out with a fix. It's possible it could be a bug.
Laura's picture
We do have the firewall enabled, but the clients will switch between enabled and offline -- I would think that if it were the firewall policy that it would be "offline" all the time...
 
I'm using MR1 -- pretty sure MR2 hasn't been released yet? 
 
I dread doing so, but I think I might have to get on the phone with tech support.  I'll just try to carve 2 hours out of my schedule to wait on hold until someone wants to talk to me.
 
Thanks for the input so far!
TypeO's picture
We have Platinum support and I called in on this "feature".  We found the issue to be that the Green DOT will only show up once a system has been logged in once.  If I reboot a computer/server and never logon the Green DOT will never show up, but once I logon the Green will appear and stay on at that point even after a logoff.  But once a reboot again the dot will go away until a logon occurs.
 
This is a bug and they know about it.
 
Mike
 
TypeO's picture
this wasn't fixed in MR1 it appears either.



Message Edited by TypeO on 02-19-2008 11:58 AM

Laura's picture
I'm seeing slightly different behavior ... my own laptop, even once I'm logged in, bounces between connected and disconnected.
 
In the SEP Client Management System event log, there are messages saying either "Connected to Symantec Endpoint Protection Manager" or "Disconnected from Symantec Endpoint Protection Manager".  Disconnects every 5-20 minutes and will take 1-3 minutes to reconnect.
 
Sounds like it could be the same bug, though... or at least somewhat similar symptoms.
 
Thanks!
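
Added example (not written by any poster in this thread or by Symantec): one way to quantify the connect/disconnect flapping described in the post above, using the two event messages it quotes. The tab-separated timestamp layout and the sample lines are constructed assumptions; a real log export may be laid out differently.

```python
from datetime import datetime, timedelta

CONNECTED = "Connected to Symantec Endpoint Protection Manager"
DISCONNECTED = "Disconnected from Symantec Endpoint Protection Manager"

# Constructed sample. Only the two message strings come from the post;
# the "timestamp<TAB>message" layout is an assumed export format.
SAMPLE_LOG = """\
2008-02-19 09:00:05\tConnected to Symantec Endpoint Protection Manager
2008-02-19 09:12:40\tDisconnected from Symantec Endpoint Protection Manager
2008-02-19 09:14:10\tConnected to Symantec Endpoint Protection Manager
2008-02-19 09:31:10\tDisconnected from Symantec Endpoint Protection Manager
2008-02-19 09:33:40\tConnected to Symantec Endpoint Protection Manager
2008-02-19 09:40:00\tSome unrelated event
2008-02-19 09:52:00\tDisconnected from Symantec Endpoint Protection Manager
"""

def parse_events(text):
    """Return [(timestamp, is_connected)] sorted by time; skip other lines."""
    events = []
    for line in text.splitlines():
        stamp, sep, message = line.partition("\t")
        message = message.strip()
        if not sep or message not in (CONNECTED, DISCONNECTED):
            continue
        try:
            when = datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # malformed timestamp, ignore the line
        events.append((when, message == CONNECTED))
    events.sort(key=lambda e: e[0])
    return events

def transitions(events):
    """Collapse repeated identical states so only real state changes remain."""
    out = []
    for when, state in events:
        if not out or out[-1][1] != state:
            out.append((when, state))
    return out

def summarize(events, window=timedelta(hours=1)):
    """Measure session and outage lengths and the worst disconnect burst."""
    trans = transitions(events)
    sessions, outages = [], []
    for (t0, s0), (t1, _) in zip(trans, trans[1:]):
        (sessions if s0 else outages).append((t1 - t0).total_seconds())
    drops = [t for t, connected in trans if not connected]
    worst, start = 0, 0
    for end, t in enumerate(drops):  # sliding window over disconnect times
        while t - drops[start] > window:
            start += 1
        worst = max(worst, end - start + 1)
    return {
        "disconnects": len(drops),
        "sessions_s": sessions,      # how long each connection lasted
        "outages_s": outages,        # how long each reconnect took
        "max_disconnects_per_window": worst,
        "connected_now": trans[-1][1] if trans else None,
    }

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE_LOG)))
```

Sessions of several minutes separated by short outages, as in the constructed sample, match the pattern reported in the post; a client that is simply powered off would instead show one long open-ended outage.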
TypeO's picture
You are correct, this happens also to me.  We have stopped all testing on SEP and will give it 6 months to another year before we revisit it.  We have had issues even uninstalling and have had to use the CleanWipe tool and then I had to create a vbscript to fix the PPP/EAP/13 and 25 keys.  Did you know that if you uninstall SEP on a laptop for example it will not reset the PPP/EAP keys back to the MS defaults.  You can see this if you are trying to open the Properties of the PEAP in the MS wireless client.
 
Did this on almost every single system we have so I had to make the script to get it done quickly.
 
Just FYI.
 
 
Jakesty's picture

I upgraded to MR1, and on my 2 test machines I no longer show the green dots either.  My workstations though are not getting updated with the AV signatures though.  I assumed that this is what the dot meant, a connection to the workstation was made on its last heartbeat monitoring.

Laura's picture
Some new information....
 
Browsing through the forums, I noticed that some folks were having an issue with Checkpoint SecuRemote/SecureClient.  I'm running that on my laptop.
 
On a whim, I completely uninstalled Checkpoint.... and voila! I'm connected all the time now.
 
Mind you, I'm not actually working through a VPN -- I'm directly connected to my network via CAT5 -- the Checkpoint service was just sitting out there running, waiting for me to want to connect.
 
Anybody else also using Checkpoint?
DW1 IT Department's picture
Hello!
 
I have the same problem with one laptop which has checkpoint on it!
The endpoint sign is without the green dot, it does not get a connection to the SEP Manager!!
 
Is there a solution from Symantec??
 
I can't uninstall the checkpoint --> that's not the solution!
Laura's picture
I just spent 1.5 hours on the phone with tech support, and came away with very little information.  Or at least very little helpful information.
 
Basically, there are some known issues with SEP and Checkpoint and they need to research this further.
 
They had me download and run Sylink Monitor -- which for me didn't even work (I think it's a little ironic that not even their troubleshooting tool seems to work for me...)
 
So, ran a packet sniffer and also symbatchdiag and uploaded the files.  We'll see if this gets me anywhere.  I'll let you guys know if I get back anything useful from this.  Hopefully so -- we are also in a position where we can't uninstall Checkpoint for users.
Mike T's picture

I have the same issue on some of my test clients. (Also on Norton 360 on my home machine .. but that's a different story :smileysad:).  Like you said, it makes me wonder what is working and not working.  Green is good, no green means panic.  I am glad to hear it is a bug (well, not really glad) and that a fix is on the way.  I also have MR1 installed, btw.

shurton's picture
I've been putting up with this for months, and I just installed MR2 and it's still not fixed.  Has anyone been able to resolve this issue???
Paul Murgatroyd's picture

shurton, which specific issue? there are a number discussed in this thread!

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

shurton's picture
The green dot going in and out based on whether someone has logged into the machine or not.
John T. Croson's picture

Well I for one have seen some weird behavior with MR2. I'd not seen the green Dot issue in MR1, but now clearly see that while looking in my SEP "Troubleshooting" menu item shows that the server is Offline, SEPM logs say that the machine is correctly connected...

Now, I did an in-place upgrade and restored my old database from MR1, but geez, this is getting ridiculous...each time I try to upgrade this product, something else breaks.

RBW's picture
The green dots tell you if someone is logged on to that machine.  They stay on for awhile after the user logs off.  If the client is set for pull, the logon/logoff status will only update at Heartbeat intervals.
My advice is that you should not be concerned with whether the green lights are on or not.  There are better ways to tell if the client is installed and running.  For example, under:
Monitors:
Logs:
Log type: Computer Status
select View log and you can get a list of clients with detailed information about each.
On the Home tab there is a wide variety of exception and status reports.
On the reports tab there are a wide variety of possible reports so that you can create one that tells you what you need to know.
For performance purposes, SEP clients will run better if you change the communication status from push to pull.  The Heartbeat interval can be left at 15 minutes or lengthened to say one hour.  To change them, go to Clients, Global, Policies, Communication Settings.
If you are still in a test environment, stay there until you learn enough about how the product works.  It is a very complicated product and most of the problems people are experiencing are configuration errors rather than programming bugs.  It takes a while to learn the ins and outs of the configuration parameters and you do not want to start learning them while production users complain about not being able to logon, read their files, access the Internet, etc.  If you only have a few machines to protect, it may not be worth the time investment to learn.  This is not a one size fits all product.  It is an Enterprise product designed to adapt to and fit the diverse situations present in a large Enterprise.  Even the best documentation in the world takes a long time to absorb if you are trying to address hundreds or thousands of options.  If you continue to work in the lab, the knowledge will come.  If you give up and wait for Symantec to make it happen for you, it will not.
Good luck.
shurton's picture
Wrong!  The green dot is supposed to tell you if a machine is online and communicating with the manager, who cares if someone's logged on.  Support is aware of this problem and it's been dragging on for months.  I have 500 servers to support, and it's not my job to fix or find workarounds for SEP's shortcomings.  If you have time to waste on that then fine,  but I'm not here to be Symantec's beta tester.  I expected to have SEP rolled out to all the servers by the end of January, but with all the ongoing problems, here we are in mid April and I still can't put it in production.
What's your motivation for defending this product, because it sure isn't its bullet proof quality.
Matthew Brooks's picture
What I personally find comical about this thread, maybe you guys didn't notice it (but I did!)...and have seen it numerous times here before. The moderator pops in and makes (IMHO) a sarcastic comment "shurton, which specific issue? there are a number discussed in this thread!" then "poof" he's gone with nothing of value added to the support of this thread. If there actually were a number of issues discussed in this thread sir, why have you not taken the time to address... hrm... any of them? :o
 
Do you have symantec phone support by any chance? It might be the only way to resolve the issue if it's critical in nature for you. I unfortunately have not been able to fix this specific problem (but it's not critical for my company). If I figure anything out I'll be sure to post it here.
 
-Matt
shurton's picture
That's funny, you've got a good point.
Yes, I have phone support so I'll go there next.  The only problem with that is a phone call to support is an hour on hold, followed by a couple hours on the phone with potentially no resolution.  Since I haven't read a single post that this is resolved, and knowing Symantec is aware of the issue tells me there is no fix yet.
I'll give it some more time before I try that road again.
 
Paul Murgatroyd's picture
shurton already has a call logged... there isn't much I can personally do on this forum to make it work - we fixed a number of communications issues involving green dots with MR2, by the looks of it we didn't get them all.
 
currently, we take the user name (and hence logged on status) from explorer.exe, I suspect what is happening is that when explorer.exe isn't running, we can't get the client status.... but we need to investigate further - that's a job for engineering.
 
I'm not quite sure what you see as sarcastic in my asking for more information - there are several reasons as to why the green dot disappears and I was trying to ascertain which one was the particular issue here.  Just because I don't post a reply, doesn't mean that I haven't done anything about it...

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Paul Murgatroyd's picture
shurton, as you are online, I understood you had a call open - do you have the call reference?

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

shurton's picture
No, I don't have a call open for this issue.  I previously had a call open on some other issues and they were resolved.  I'll have to open another one for this....
Paul Murgatroyd's picture
ok, please post your call reference once you have opened it.
 
for ease, you can always use https://mysupport.symantec.com and someone will contact you.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

ImurPappy's picture
Not sure if this helps anyone but here is what I have just discovered.  I did a test on one of my problem computers (not connecting to sepm, ie no green dot).  The computer is a laptop that was using a wireless connection.  After installing the sep client it appeared to work fine for a couple of days.  Then the green dot would stop showing.  I could not get it to connect to the server to get updates, the troubleshooting page showed me that it thought the server was offline.  It isn't, so after spending many hours scouring through these forums and others looking for a solution, I simply disabled the wireless and connected with the same IP address using a CAT 5 cable.  After a reboot and upon logging in it connected to the server right away and received all the updates and cleared the warning status in the sepm. 
 
In the past I tried disabling the sep firewall and windows firewall with no success.  I tried uninstalling and reinstalling and nothing worked.  It seems to me that something is breaking the link to the server through the wireless network card.  To test this theory I disabled the wired network card and re-enabled the wireless card.  The green dot immediately went away upon doing this.  I issued the restart command to the laptop from the sepm and after an hour it still did not receive the command on the wireless card.  I decided to reboot the laptop and see if that worked.  It didn't and the green dot was still missing.  Finally I disabled the wireless card again and connected to the network with the cat5 cable and the same IP address again.  After a reboot the green dot appeared again and the previously issued reboot command initiated another reboot.
 
To me this shows that something is corrupting some settings with the network card on some installations of sep.  I'm not sure what those settings could be. I don't think it has anything to do with the fact that it is the wireless card itself because I have several laptops with the same card and they seem to be working just fine.  Anyway I hope this helps someone at Symantec to find a real solution because I would hate to have to try and put my puppets back on a string. 
Ted G.'s picture

I haven't seen this question asked yet so I'll ask it.

How many of you experiencing the random green dot disappearing issue installed the SEPM and created your installation packages via an RDP session?

ImurPappy's picture
I did use RDP to create and install the installation images.  I'm not sure if that is causing the problem because I did it for every computer on the network and only two are having the problem now and they are both using a wireless connection to connect to the network.  The other laptops using wireless are working fine.  I believe it is an issue with the SEP firewall preventing the detection of the SEP Server during login through a wireless network.
shurton's picture
I used a console RDP session to install sepm and create the packages.
Ted G.'s picture

shurton:

Are you absolutely sure you had a console level session? Using the /console switch does not always guarantee a console level session via RDP.

As a test, connect to the SEPM computer the same way you did before when installing the SEPM and creating the install packages, then open a DOS box on the remote computer and type "set" without the quotes. Scroll down until you see "SESSIONNAME =" and reply back with what it says in that line after the equals sign.



Ted G.'s picture

Imurpappy:

From what I read, your issue isn't quite the same as most of the folks in this thread. More than likely you are correct, the firewall is causing the issue. I would recommend looking at the client traffic logs for the firewall to see which protocol is being blocked and by which rule and adjust accordingly if you haven't already done so.

FYI, RDP is not a recommended method of installation of the product.

Also, the build of the product could be the culprit too if you are not up to MR2MP1. (v11.0 2010.25).






shurton's picture
There's no firewall component installed, just antivirus anti spyware.  The green dot is on, on all the clients, it just goes on and off in the manager depending on whether someone logs on to the client.  In my case all the clients are servers.
I've had the same behavior through every version, currently on MR2 MP1.  Several SEPM installs, as well as a complete server rebuild.
Anyway, I've got a case open on it and they haven't been able to figure it out either.



Message Edited by shurton on 06-12-2008 10:24 AM

Message Edited by shurton on 06-12-2008 10:25 AM

ImurPappy's picture
I'm still using MR1 v11.0.1000.1375.  I've been afraid to upgrade to any new MR because of the problems I've had with this software getting to the point I'm at now (where most of it seems to be working).  I was waiting for the fallout of MR2 before moving on.  This has been the absolute most buggy software I've had to work with. 
 
Not recommended to install via RDP?  Wow.  I can't live without using RDP.  I've never encountered problems installing software using RDP nor have I ever had to use the /console switch which doesn't appear to be a valid switch anyway according to mstsc /?.  I don't even use the command line to start a remote session I use the gui. 
 
I do thank you for responding to this thread and asking questions.  I will try to upgrade in the next week or two and see how that goes.
Ted G.'s picture

"SESSIONNAME=RDP-Tcp#5"

Unfortunately, RDP-TCP#5 is not a console session. More than likely this is the root cause of the issue.

Please see the following document for information on a very similar issue caused by RDP installations:

Title: 'Symantec Endpoint Protection clients do not appear in the Management console, but are being updated and the shield icon shows a green dot.'
Document ID: 2007111510031148
> Web URL: http://service1.symantec.com/SUPPORT/ent-security....

My suggestion would be to create a package while local to the machine, or by using the Remote Management Console. Uninstall the SEP client on a couple machines and re-install using the new package. Wait and see if the issue continues.


Here's how to use the remote Management Console:

Title: 'How to log on to the Symantec Endpoint Protection Manager Console remotely'
Document ID: 2008020815065948
> Web URL: http://service1.symantec.com/SUPPORT/ent-security....



It may be best to completely remove the entire product and install it while local to the machine, as other issues may arise.



This doc will show you how to set up a remote connection that should give you console level access:

Title: 'How to install Symantec Endpoint Protection and Symantec Endpoint Protection Manager through Remote Desktop'
Document ID: 2008030509272248
> Web URL: http://service1.symantec.com/SUPPORT/ent-security....





Message Edited by Ted G. on 06-12-2008 10:37 AM

SOLUTION
shurton's picture
I'll give it a try and see what happens.
My symptom is different in that when the client is installed it appears in the manager right away.
I am able to control the client from sepm as well.
 



Message Edited by shurton on 06-12-2008 10:38 AM

Dw212's picture

I installed Microsoft's FastCGI from the unsupported tools folder of the install media and this solved many if not all of my green dot woes. Currently running MR3