Hi all. where i work we have over 16000 clients and bit more of 80 gups, one of the central gups in HQ is online as a gup, but the updates are being redirected  to sepm server which sepm server is on same building, but in diferent subnet since for a while the client was corrupted on the gup it was allowed to go to the sepm console, now that gup is back online the need is go to gup for update. the gup policy that that server is on, was built same way than others that works fine. i made that gup 3 times, and reinstaled the client. client is a win 2k8 and its rol is a NAS server. the other nas server in company are gups and working ok. what can i check?  or could be some firewall rule that bloking content download?

Thanks

You can enable sylink logging on the GUP to see what's going on.

How to enable Sylink debugging for the Symantec Endpoint Protection 11.x and 12.1 client in the Windows Registry

Also, make sure port 2967 is not blocked at the firewall. This is the port used for communication for the GUPs.

What setting do you have done in GUP setting please post screen shot ?

have you enable below setting ?

I will check that James thanks. Also Brain. the thing is that since is a production server and is a NAS can not change the reg for the syslink. and thy got rules in a GPO mode that puts port 2967 allowed.

No on the Office now, i think time for try is on 30 min t. its a GOV company and most of pc are only turned on only 9 hours at day. that gup provides updates for 500 clients.

Thanks both, ill check both and let you know.

Hi all.  James. the gup download time is set to 30 minutes. the gup port is open,  used netmon and some tool to test it, also telnet to port 2967 worked. as per firewall team.

Here are the logs from gup

Attachment(s)

ansesdebug.txt   50 KB 1 version

Troubleshooting_3.txt   9 KB 1 version

you can choose never option ,Because 30 min after sep client direct update for SEPM manager not GUP.

Thank. ill do that and let you know.

Clients should still get updates from the GUP, you can check their System log to verify.

Use the "SYLINK" keywork filter to verify, see thi article:

https://www-secure.symantec.com/connect/articles/sepm-121-advanced-settings-filter-options-client-activity-logs

where can i download... and a dummi manual for the sylink tool? , i checked the links in the site and most of them are point to sylink drop, or replacer.

thanks.

It's incorporated in SEP, see my first link for enabling it

Ill check that tomorrow. what seems odd to me is that gup is= true, but clients are still redirected to sepm console for updates. and the gup scope points to the client subnets

How do you have it set in your policy? Did you apply policy to the group the GUP is in?

The policy is applied to the site, the server is showned in 2 SEP OU, it appears on the site ou and on the exceptions ou with the rest of the nas servers from other sites that are working fine.the policy is using explicit gup and multiple gup, but in both with only one gup that is the nas server, also i tried to change it as a sinegle gup but it was same behaivor.

here is attached the sylink from the gup server.

regards

Attachment(s)

sylink_30.txt   154 KB 1 version

I went through the logs here is what I found

<CSyLink::mfn_DownloadNow()>
05/28 15:14:24.745 [30392] </CSyLink::mfn_DownloadNow()>
05/28 15:14:28.754 [15276] <CExpBackoff::CExpBackoff()>
05/28 15:14:28.754 [15276] </CExpBackoff::CExpBackoff()>
05/28 15:15:12.575 [21072] <ScheduleNextUpdate>Manually assigned heartbeat=1 seconds
05/28 15:15:12.606 [24824] AH: (InetWaiting) urgent exit event on InetCtrlBlock: 000000000548D7A0
05/28 15:15:12.606 [24824] Throw Internet Exception, Error Code=2;AH: failed to send request...
05/28 15:15:12.622 [24824] <MaintainPushConnection:>Push connection is shutdown by the urgent exit flag.

Whats the version of SEPM and SEP?

whats the version of IE ? Seems to be IE / connectivity issue as its not able to send the request to SEPM and its throwing this error, check this document

Communication issues between SEP client and SEPM after installing Internet Explorer v.7 in environment using a proxy server.

http://www.symantec.com/business/support/index?page=content&id=TECH106341

Sooo, having had a quick flick through, I can certainly see that this machine believes itself to be a GUP, that it has 3 nics and is connected to the SEPM on a push connection, but what I fail to see is any clients actually connecting into it.

This could just be because the logs you've provided only cover a 4 minute time span, so if you've got an updated log file I'd recommend reviewing that against the below article:

Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection (SEP)

As the article states, it's also useful to enable debug logging and check those as well (the article tells you how to enable the logging and what to look for in both the debug and sylink logs).

I'd recommend reviewing the logs for the GUP itself, as well as another SEP client that you believe should be using the GUP.

Hi Rafeeq.
the Sepm and Sep Clients are 12.1.4
The IE Versions on servers, gups and Clients  is 9 and 10.
Windows XP and Windows 7 Clients.
Sep Server is Windows 2012, gups are Windows 7, Windows 2003, and Windows 2008.
As far as i Know, the proxy is global and is LB. and no issues with ohter GUPS.

Hi Smlatcst.
i Coulndt get time to get more sylink today.  the polocy is being applied due if i change it, the gup gets new policy id. the thing is that clients arent being redirected or pointed to the gup.

The thing odd in this, is the following:

Lets said that gup in question is in Site called C, in a 10.1.10.0 subnet
Clients are in same Site C, on subnets 10.86.36.0 37.0 and 38.0

On SEPm are 4 diferents Sites c, due they have Diferents USB and exceptions for dierent clients.
So part of clients point to Site C, USB acces child ou, other NO USB child ou, or Security child OU. and some are showed in multiple Child OU.

But in all that ous or Child ous are showed that GUP policy is SITE C.

Mi fear is that that kind of configuration is getting issues for clients.

Ill see if tomorrow can get the Sylinks.

Due to your subnet differences in Site C, can you confirm your LU Policy defines the GUP as a Single GUP?

If it's listed as a Multiple GUP only, then it won't work as Multiple GUPs are only accessible to SEP clients on the same subnet.

The Gup in that Site, is configured as multiple and also explicit for each subnet in site C. and Now i just modified to as single gup to the hole Site

i just add the Sylink from Gup and 1 client.

Attachment(s)

sylinkansesnas.txt   6.21 MB 1 version

sylinkClient.txt   204 KB 1 version

Hi it was configured, in multiple gup and also as Explicit gup pointing to each subnet. Now it was changed as a Single grup for all site.

I attach the client sylink

Attachment(s)

sylinkClient_0.txt   204 KB 1 version

here is the sylink from Gup

Attachment(s)

sylinkansesnas.rar   192 KB 1 version

Hmm, the client and the GUP are receiving different policy serial numbers, and their GroupIDs don't match.

Can you confirm the group containing the GUP and the group containing the client are both using the same LU Policy please?

Ok, thanks. how can check that ? sorry for dummi question. Due the Gup is in OU A, and clients are in a Mix of OU depending te exceptions and USB or not policy tipes.

I'd personally start with a test machine if I were you.  Pick a client, put it in its own OU/group, assign the LU policy to it and make sure it works.

Once confirmed working, you can then look into how to get those settings out to the rest of the machines in Site C.

If the OUs/Groups you use actually hold clients from a number of different Sites, then you may well revert back to using the Multiple/Explicit GUPs, but lets make we can get it working first 

#EDIT#

BTW, to check if the groups are using the same LU Policy (or any policy for that matter), all you have to do is open up the Policy and click on the "Used By" tab under the "General" section.  This should show you all the Groups and Locations that this policy is assigned to.

Ok, i ll se if can get one

Here is what is showed in used by. and the client from which i took the silynk is in Ou that points to the policy

Attachment(s)

policygup.txt   1 KB 1 version

Just to recap then, the client is in:

My Company\Exclusiones de politicas\Computadoras\Areas Centrales\Piedras 353\Con USB - Con DVD

and the GUP is in:

My Company\Servidores\File Servers\Piedras 353

Is this correct?

Both appear to be in the list you posted (assuming the client is in the Internet or Default location), but the GUP and Client are reporting different policy serial numbers.  While the client appears to have updated its policy today, the GUP hasn't changed any of its policy settings since 20th May.

Please verify the GUP is receiving the latest policy, and continue with the individual client testing.

Hi. i just made inside the piedras exlusion OU a test ou, i put mi laptop as a gup, and showed as true, bu yet no clients where pointing to it, i move 3 clients to that ou where policy applies, aslo mi laptop is on same subnet than clients so far was tested for like 1 hour, ill upload the sylink from gup and client on monday.

Hi all, here is the Sylink from the test gup and test client.

is not pointing clients to the gup, but one thing strange, is on the client that is took the syink log, i saw on the reg, a key on the live update called masterclienthost, that was showing the IP of the gup test.

Sylink in both pc ran for bit over 4 min.

Thanks.

Attachment(s)

Sylinkclient.txt   199 KB 1 version

sylinkguptest.txt   151 KB 1 version

As menioned earlier, the debug logs would be useful too.

Also, I don't see any evidence of the client attempting to update at all.  Did the SEPM itself post new defs while the sylink logging was enabled?  Was there anything for the client to download during the logging session?

Remember that the GUP only proxies the definition download, the SEP Client must still talk to the SEPM directly for all other purposes (policy downloads, log uploads, heartbeats, etc).

In the sylink log, you need to look for "luthreadproc" type events (which I don't see).

Hi, during the sylink the gup and the client where executed to update policy and reconect.  ill be ataching in few minutes the debug log from gup and client.

What does the luthreadprodc?

As far as I can tell, while they may have connected to the SEPM and updated their policies, they did not update their defs.

The luthreadproc tag is present in the def update events as indicated by the first article I posted.

I'd highly recommend you review that article, as it provides details on what to look for within the debug and sylink logs to troubleshoot the updating of a SEP Client via a GUP.

Hi all here the debuglogs

Attachment(s)

debugclient.txt   80 KB 1 version

debugup.txt   236 KB 1 version

Have you got those logs mixed up by any chance?

The GUP in today's logs references an entirely different IP address, and the logs  also state it is not a GUP:

2014/06/02 10:05:18.328 [6096:7836] GUProxy - Is this computer a GUP Server? [0]

Hi SM, no that log is from the test gup, that i build on friday. that is my laptop.

As an aside, I'd suggest you review my post in the below thread (might help you understand GUPs better):

https://www-secure.symantec.com/connect/forums/gups-roaming-workstations#comment-10075921

Your laptop doesn't think it's a GUP...

but from the properties of it, the Gup was =True.

I just made another test, from mi laptop and another pc as client in a test OU, and from client logs, i can see that download update content, from mi IP, but from the help-> troubleshooting and general information i can see that as server shows the console not gup.

If on the client downloaded content from The gup ( mi pc), the server shouldnt be the gup? or its ok that shows the server?

I'd recommend you refer to the first aarticle I posted and verify the registry settings are correct, then post some sylink and debug logs that cover a timeframe that includes the client and GUP performing updates.

the logs and sylink posted 3 hs are from today tests. anow here is the atach of how the reg is showed on the "gup".

On the Test Client, i see the regstry MasterClientHost= Mi ip.

The logs say the machine on 10.86.38.62 is not a GUP, and that neither the GUP nor the client saw any updates during the timeframe covered by the logs.  From what I recall, the host name in your screenshot for MasterClientHost had a 10.1.10.117 IP address and was a Win2k8R2 server, right?

Given the amount of time spent on this already, I'd highly recommend you contact Symantec directly for support.