Endpoint Protection


New clients can't connect to SEP server


  • 1.  New clients can't connect to SEP server

    Posted Nov 12, 2012 03:57 PM

    For some reason new clients are not able to connect to our central SEP server. Older clients are not seeming to have any trouble, however. When deploying a package to a new computer, the installation goes well, the computer restarts but when going to Help & Support > Troubleshooting the server appears as offline. 

    The support tool says that the secars communication test failed for 3 consoles (which all resolve to the same thing) with port 80 and HTTP code 401. Below is the output from sylinkmonitor:

    11/12 14:47:36 [2336] <SendRegistrationRequest:>SMS return=401
    
    11/12 14:47:36 [2336] <ParseHTTPStatusCode:>401=>Uninterpreted Status
    
    11/12 14:47:36 [2336] <SendRegistrationRequest:>Content Lenght => 1539
    
    11/12 14:47:36 [2336] HTTP returns status code=401
    
    11/12 14:47:36 [2336] <SendRegistrationRequest:>RECEIVE STAGE COMPLETED
    
    11/12 14:47:36 [2336] <SendRegistrationRequest:>COMPLETED, returned 5
    
    11/12 14:47:36 [2336] HEARTBEAT: Check Point 5.1
    
    11/12 14:47:36 [2336] <RegHeartbeatProc>switch to another server
    
    11/12 14:47:36 [2336] HEARTBEAT: Check Point 9
    
    11/12 14:47:36 [2336] HEARTBEAT: Check Point 8
    
    11/12 14:47:36 [2336] <PostEvent>going to post event=EVENT_SERVER_DISCONNECTED
    
    11/12 14:47:36 [2336] <PostEvent>done post event=EVENT_SERVER_DISCONNECTED, return=0
    
    11/12 14:47:36 [2336] HEARTBEAT: Check Point 1
    
    11/12 14:47:36 [2336] HEARTBEAT: Check Point 2
    
    11/12 14:47:36 [2336] <PostEvent>going to post event=EVENT_SERVER_CONNECTING
    
    11/12 14:47:36 [2336] <PostEvent>done post event=EVENT_SERVER_CONNECTING, return=0
    
    11/12 14:47:36 [2336] HEARTBEAT: Check Point 3
    
    11/12 14:47:36 [2336] <RegHeartbeatProc>Setting the session timeout on Profile Session (Registration) to 30000
    
    11/12 14:47:36 [2336] HEARTBEAT: Check Point 4
    
    11/12 14:47:36 [2336] <RegHeartbeatProc>===Registration STAGE===
    
    11/12 14:47:36 [2336] <MakeRegisterData:>logon id (domain/user)=BOBST.LIB/administrator
    
    11/12 14:47:36 [2336] <GeneratePreferredGroupAndModeInRegistration:>Loading current group:My Company\Systems\MySQL Servers
    
    11/12 14:47:36 [2336] <GeneratePreferredGroupAndModeInRegistration:>Loading preferred group:My Company\Systems\MySQL Servers
    
    11/12 14:47:36 [2336] <GeneratePreferredGroupAndModeInRegistration:>Loading preferred mode:1
    
    11/12 14:47:36 [2336] <GeneratePreferredGroupAndModeInRegistration:>It will remember nothing, PreferredGroup is My Company\Systems\MySQL Servers, PreferredMode is 1
    
    11/12 14:47:36 [2336] <MakeRegisterData:>XML data: <?xml version="1.0" encoding="UTF-8" ?><SSARegData NameSpace="rpc"><AgentInfo DomainID="845C39DE807A950A00443E37D6D6C4DC" AgentType="105" UserDomain="BOBST.LIB" LoginUser="administrator" ComputerDomain="bobst.lib" ComputerName="SEPTest" PreferredGroup="Myompany    
    
    read error, exit
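The Sylink monitor output above can be reduced to the lines that matter for this problem. The following is an added example, not part of the original post and not Symantec code: it pulls each registration attempt and its `SMS return` status out of a log in this format. The sample log is constructed from the lines quoted in the post, and treating any status other than 200 as a failure is an assumption.

```python
import re
from collections import Counter

# Constructed sample, in the format of the Sylink monitor output quoted in the post.
SAMPLE = """\
11/12 14:47:06 [2336] <RegHeartbeatProc>===Registration STAGE===
11/12 14:47:06 [2336] <SendRegistrationRequest:>SMS return=401
11/12 14:47:06 [2336] <PostEvent>going to post event=EVENT_SERVER_DISCONNECTED
11/12 14:47:36 [2336] <RegHeartbeatProc>===Registration STAGE===
11/12 14:47:36 [2336] <SendRegistrationRequest:>SMS return=401
11/12 14:47:36 [2336] <ParseHTTPStatusCode:>401=>Uninterpreted Status
11/12 14:47:36 [2336] <PostEvent>going to post event=EVENT_SERVER_DISCONNECTED
read error, exit
"""

# "MM/DD HH:MM:SS [thread] <Tag:>message"; the <Tag:> part is optional.
LINE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\d+)\] (?:<([^>]+)>)?(.*)$")
SMS_RETURN = re.compile(r"SMS return=(\d{3})")

def parse(text):
    """Yield (timestamp, thread, tag, message); lines in another format are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), (m.group(3) or "").rstrip(":"), m.group(4)

def registration_failures(text):
    """Return one record per registration attempt whose HTTP status is not 200."""
    failures, current = [], None
    for ts, _thread, tag, msg in parse(text):
        if tag == "RegHeartbeatProc" and "Registration STAGE" in msg:
            current = {"started": ts, "status": None, "disconnected": False}
        elif current is None:
            continue  # nothing to attribute this line to yet
        elif tag == "SendRegistrationRequest" and (m := SMS_RETURN.search(msg)):
            current["status"] = int(m.group(1))
            if current["status"] != 200:  # assumption: only 200 counts as success
                failures.append(current)
        elif tag == "PostEvent" and "EVENT_SERVER_DISCONNECTED" in msg:
            current["disconnected"] = True  # the client gave up on this server
    return failures

def summarize(text):
    """Count failed registration attempts per HTTP status."""
    return dict(Counter(f["status"] for f in registration_failures(text)))

if __name__ == "__main__":
    for failure in registration_failures(SAMPLE):
        print(failure)
    print(summarize(SAMPLE))
```

A run of identical 401 results at every heartbeat, each followed by a disconnect event, shows the server rejecting the request consistently rather than an intermittent network fault.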

     



  • 2.  RE: New clients can't connect to SEP server

    Posted Nov 12, 2012 04:04 PM

    Try replacing sylink.xml file on one machine having the issue.

    Did you reboot after install?



  • 3.  RE: New clients can't connect to SEP server

    Posted Nov 12, 2012 04:07 PM

    401 means authentication, do you have proxy set in your environment?

    Clients stop communicating with the Symantec Endpoint Protection Manager (SEPM) with a HTTP 401 error in Sylink log and a HTTP 401.1 error in IIS log

    http://www.symantec.com/business/support/index?page=content&id=TECH104479



  • 4.  RE: New clients can't connect to SEP server

    Posted Nov 12, 2012 04:07 PM

    @brian81 Yes, I've tried rebooting to no avail and even set up a VM to test the behavior and it appears to be happening on more than one computer.

    What should the sylink.xml file be replaced with?



  • 5.  RE: New clients can't connect to SEP server

    Posted Nov 12, 2012 04:08 PM

    @Rafeeq No, we don't have a proxy server. I saw that kb article, what would happen to our current working clients if we were to change that IUSR password though, would they lose connectivity?



  • 6.  RE: New clients can't connect to SEP server

    Posted Nov 12, 2012 04:11 PM

    You can use the sylinkdrop utility. What version of SEP is this for?



  • 7.  RE: New clients can't connect to SEP server

    Posted Nov 12, 2012 04:13 PM

    11.0.7000.975



  • 8.  RE: New clients can't connect to SEP server

    Posted Nov 12, 2012 04:16 PM

    Should be located on the install DVD under \Tools\NoSupport\SylinkDrop



  • 9.  RE: New clients can't connect to SEP server

    Posted Nov 12, 2012 04:18 PM

    If the IUSR password is wrong, your existing clients will also lose connectivity

    on only client which has a green dot

    go to start

    run

    type smc -stop

    wait for 2 mins

    type smc -start

    green dot stable?

    you can find the password without resetting it too, check this link

    http://lichao.net/eblog/troubleshooting-and-resolve-http-401-1-errors-in-iis-6-by-resetting-iusr-password-201111664.html



  • 10.  RE: New clients can't connect to SEP server

    Posted Nov 12, 2012 04:27 PM

    No luck with the smc -stop and -start. What's very odd is that this is happening on two different clients, so it leads me to believe that it has to be something related to the server. But the fact that the old clients are still connected, must mean that it's not an IUSR issue? (is that what you're saying)? 

    I actually found the password using a similar howto, but that wouldn't help unless we were actually to reset the password to the one found in the vbscript, correct? We're just wary to reset the password in the event that it would cause current clients to stop connectivity.



  • 11.  RE: New clients can't connect to SEP server

    Posted Nov 12, 2012 04:40 PM

    It would not stop the clients from communicating.

    similar issue resolved here by resetting IUSR

    https://www-secure.symantec.com/connect/forums/iusr-account-sep#comment-4466111

     



  • 12.  RE: New clients can't connect to SEP server

    Posted Nov 12, 2012 04:44 PM


  • 13.  RE: New clients can't connect to SEP server

    Posted Nov 12, 2012 04:50 PM

    Checked it =/ it's not enabled.



  • 14.  RE: New clients can't connect to SEP server

    Posted Nov 12, 2012 04:52 PM


  • 15.  RE: New clients can't connect to SEP server

    Posted Nov 12, 2012 05:04 PM

    I get a screen that prompts me for Windows credentials, if I enter domain admin credentials, the page throws a bad request error.

    I can imagine that you shouldn't have to be prompted for credentials, right?



  • 16.  RE: New clients can't connect to SEP server

    Posted Nov 12, 2012 05:20 PM

    right, it should give OK as output coz it's anonymous access, this is how clients communicate to the IIS

    so this is related to permissions, check the proxy settings first in IE.

    you can check the same command on other machines which are communicating with the manager. do u get the same prompt?

     

     



  • 17.  RE: New clients can't connect to SEP server

    Posted Nov 13, 2012 09:41 AM

    This is quite bizarre. There are no proxy settings configured in IE, only "Automatically detect settings" is checked.

    Trying this on a working client shows "OK". Could it be that they have a cached authentication with the server?



  • 18.  RE: New clients can't connect to SEP server

    Posted Nov 13, 2012 10:01 AM

    Is your Internet Explorer set to work offline?

    Check for the registry entries.

    1. HKCU\SOFTWARE\Microsoft\Windows\Currentversion\Internet settings: click on the Internet settings key and check for the keys called "ProxyEnable". If it is set to 1, then change it to 0. Also check if there is a registry value called "GlobalUserOffline"; if it is present, change the value of the DWORD to 0.
    2. Now expand the Internet settings key and take a backup of the "Connections" key. Delete the entire key.
    3. Check HKU\.Default\SOFTWARE\Microsoft\Windows\Currentversion\Internet settings: click on the Internet settings key and check for the keys called "ProxyEnable". If it is set to 1, then change it to 0. Also check if there is a registry value called "GlobalUserOffline"; if it is present, change the value of the DWORD to 0.
    4. Expand the "Internet settings" key in the above said location and take a backup of the "Connections" key. Delete the entire key.
    5. Reboot the machine.



  • 19.  RE: New clients can't connect to SEP server

    Posted Nov 13, 2012 10:12 AM

    ProxyEnable was equal to 0 in both places. I deleted both connections keys, rebooted, but am still getting the 401.1. This is happening on two completely independent clients.



  • 20.  RE: New clients can't connect to SEP server

    Posted Nov 13, 2012 10:36 AM

    delete all the keys below SMC inside symantec registry key.

    do smc -stop and start

    check if you see these clients inside SEPM. there might be cached info.

     

    or let's reset IUSR, that would be my last try :)



  • 21.  RE: New clients can't connect to SEP server

    Posted Nov 13, 2012 01:52 PM

    Unfortunately, the URL in the KB article is incorrect. Try the following:

    http://<SEPM_Server_IP_or_Machine_Name:Port>/secars/secars.dll?hello,secars



  • 22.  RE: New clients can't connect to SEP server

    Posted Nov 13, 2012 02:06 PM

    What version of windows and IE are your 2 clients using?

    From your client (one that is not working) can you telnet to the server?

    Telnet [server name] 80

    If using Windows Vista / 7 you might need to turn telnet client on in order to get a terminal

    1. Start
    2. Control Panel
    3. Programs And Features
    4. Turn Windows features on or off
    5. Check Telnet Client
    6. Hit OK

    Alternatively, you can just download and try the "putty.exe" client and establish a telnet session.

    * * * * * * * *

    Your 2 completely different clients, unable to connect, do they have the proper netMask and Gateway assigned?  Are they in the proper domain, branch, tree, forest?
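The port 80 test and the `secars.dll?hello,secars` request from the replies above can be run as one check. This is an added example, not part of the thread and not a Symantec tool: the diagnosis labels are this example's own, and the expected body "OK" is taken from the replies above. `http.client` connects directly and ignores IE and system proxy settings, so an "ok" result here alongside a credential prompt in the browser points at the client's proxy configuration rather than at IIS.

```python
import http.client
import socket

SECARS_PATH = "/secars/secars.dll?hello,secars"  # request path quoted in the thread

def classify(status, body):
    """Turn the hello response into a diagnosis (labels are this example's own)."""
    if status == 200 and body.strip().upper() == "OK":
        return "ok"             # anonymous access works, as a healthy client sees it
    if status == 401:
        return "auth-required"  # IIS is asking for credentials on the secars path
    return "unexpected"         # reachable, but not the SEPM hello response

def probe(host, port=80, timeout=5.0):
    """Return (diagnosis, detail) for one SEPM host."""
    # Step 1: plain TCP connect, the same thing "telnet <server> 80" tests.
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError as exc:
        return "unreachable", str(exc)
    # Step 2: unauthenticated GET of the hello URL, with no proxy involved.
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", SECARS_PATH)
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1", "replace")
        # WWW-Authenticate lists the schemes the server wants when it answers 401.
        detail = "HTTP %d %s; WWW-Authenticate=%s" % (
            resp.status, resp.reason, resp.getheader("WWW-Authenticate"))
        return classify(resp.status, body), detail
    except (OSError, http.client.HTTPException) as exc:
        return "http-error", str(exc)
    finally:
        conn.close()

if __name__ == "__main__":
    import sys
    # Usage: python secars_probe.py <SEPM host> [<SEPM host> ...]
    for sepm_host in sys.argv[1:]:
        print(sepm_host, *probe(sepm_host))
```

Running it from both a working and a failing client against the same server name shows whether the two receive different responses from IIS.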