Endpoint Protection

Since the 21st of June, I (and all the other admins set up on SEPM) have been getting emails advising me that the SEPM database has gone down and needs immediate attention. I've not had this before and no configuration changes have been made since importing SEP 11.0.6MR3 packages on May 25th. Having investigated, I've found that the emails are correct, the database is down at the times they were sent, and the times coincide with LiveUpdate running. LiveUpdate runs at other times throughout the day and it doesn't cause this problem every time, it only seems to be occassionally that it kills the database. The database does come up again after LiveUpdate finishes but is unavailable for use during that time. The instances of this happening are increasing, so clearly it's not going to resolve itself.

Does anyone know why this is happening? Is it something I need be concerned about?

I've seen other posts to do with this issue but they're so old they're irrelevent. SEPM version is 11.0.62.

Cheers!

Hi,

Have you found any error in event viewer ?

Are you using an embedded database?

If yes, check also the out.log or error.log in %ProgramFiles%\Symantec\Symantec Endpoint Protection Manager\db which may contain some clues why the database stopped.

There are no errors in the event logs, just information that shows that "the LiveUpdate service entered the running state" a couple of minutes before the database goes down.

I am using the embedded database. I've attached a spreadsheet that lists the time the database went down, when LiveUpdate was started and stopped, and when there were different entries in the out.log file. I've listed those entries below:

I. 06/23 01:44:56. Disconnecting Client - No activity for 240 minutes
I. 06/23 01:44:56. Disconnected TCPIP client's AppInfo: HOST=<host_name>
I. 06/23 01:45:00. Disconnecting Client - No activity for 240 minutes
I. 06/23 01:45:00. Disconnected TCPIP client's AppInfo: HOST=<host_name>
I. 06/23 01:45:00. Disconnecting Client - No activity for 240 minutes
I. 06/23 01:45:00. Disconnected TCPIP client's AppInfo: HOST=<host_name>

I. 06/23 05:00:15. Disconnecting Client - No activity for 240 minutes
I. 06/23 05:00:15. Disconnected TCPIP client's AppInfo: HOST=<host_name>

I. 06/23 05:48:10. Disconnecting Client - No activity for 240 minutes
I. 06/23 05:48:10. Disconnected TCPIP client's AppInfo: HOST=<host_name>

I. 06/23 09:34:06. Connection terminated abnormally
I. 06/23 09:34:06. Disconnected TCPIP client's AppInfo: HOST=<host_name>
I. 06/23 09:34:06. Connection terminated abnormally
I. 06/23 09:34:06. Disconnected TCPIP client's AppInfo: HOST=<host_name>

I. 06/23 14:39:24. Connection terminated abnormally
I. 06/23 14:39:24. Disconnected TCPIP client's AppInfo: HOST=<host_name>

I. 06/23 23:11:27. Disconnecting Client - No activity for 240 minutes
I. 06/23 23:11:27. Disconnected TCPIP client's AppInfo: HOST=<host_name>

I. 06/24 08:02:12. Disconnecting Client - No activity for 240 minutes
I. 06/24 08:02:12. Disconnected TCPIP client's AppInfo: HOST=<host_name>

(I changed the host name to <host_name>)

Otherwise the log is filled with the following entries every minute or so:

I. 06/24 08:01:43. Starting checkpoint of "sem5" (sem5.db) at Fri Jun 24 2011 08:01
I. 06/24 08:01:43. Finished checkpoint of "sem5" (sem5.db) at Fri Jun 24 2011 08:01 

The backup on the server ran from 03:30 - 04:08 last night.

As the spreadsheet shows, LiveUpdate is running at other times and not pulling the database down, but those times it's only running for a matter of seconds. I assume this means that LiveUpdate is actually updating something on the SEPM database when it's running for longer? Perhaps this is normal behaviour but I'm now getting notified for some reason? If that's the case, I'd appreciate someone telling me how to disable the notices becuase I didn't set it up!

Is anyone else getting this problem, or is it just me?

Any input would be hugely appreciated :D

Attachment(s)

downtime.xls   21 KB 1 version

Hi GillB,

I have exactly the same problem on our SEPM server. If you solved the problem, coluld you share your solution method?

Thank you very much..

Hi,

I would suggest open a case with Symantec, this is not known issue so further investigation is required.

Run DBvalidator to check if nothing is wrong in the database.

I am assuming that there is something going on when the SEPM is trying to write the content info in the database.Probably a broken link. but this can only be confirmed after we get the DBvalidator logs and the other logs..

Ok, what I've tried...

1) I delete all the notifications I had set up in case that was causing some sort of weird problem. I didn't think it would help as I had them set to notify only 2 admins, not the whole list as happens when the database goes down. It made no difference. Database went down this morning, everyone was notified and I got kicked out of the console.

Further digging, however, showed that the regular reboots of the server hadn't been running as the admin password had been changed (without my knowledge, grr). So:

2) I rebooted the server. Yes, yes, I should have tried this before but I was certain the reboots were working. Sue me. The first time I tried to get onto the console it hung (I checked and LiveUpdate WAS running) but the subsequent time I got in ok, despite LiveUpdate still apparently running. No emails complaining about the database being down have been received thus far.

So far so good. I'll update with any news tomorrow. 

Oh, yes I ran DBvalidator when this started. It said the database was fine.

Rebooting the server worked. I've not received any more emails complaining about the database.

Thanks to all who tried to help. Sorry I didn't think of the reboot sooner.