
Policy Manager Connected: NO on LAN Enforcer

Created: 19 Oct 2012 • Updated: 19 Oct 2012 | 3 comments

As stated in the title, we have a LAN Enforcer showing the following:

Enforcer# show status
Enforcer Status:                ONLINE
Policy Manager Connected:       NO
Policy Manager:                 10.151.127.22 HTTP 8014
Packets Received:               77719
Packets Transmitted:            68600
Packet Receive Failed:          0
Packet Transfer Failed:         0
Enforcer Health:                EXCELLENT
Enforcer Uptime:                0 days 17:30:00
Policy ID:                      18/10/2012  16:26:47

Enforcer# show configure
Please wait for a moment...

Network Interface Setting:
eth0      Link encap:Ethernet  HWaddr 00:E0:ED:1E:5C:38
          inet addr:10.151.127.24  Bcast:10.151.127.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:78667 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69249 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14898989 (14.2 MiB)  TX bytes:10874583 (10.3 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:726 (726.0 b)  TX bytes:726 (726.0 b)

Route Table:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.151.127.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.151.127.254   0.0.0.0         UG    0      0        0 eth0

DNS Setting:
nameserver 10.150.1.2
nameserver 10.150.2.2

Policy Manager Settings:
IP/Name:                  10.151.127.22
Port:                     8014
Protocol:                 HTTP
Hash of Preshared Secret: B5066AAB000A2B5370E88C9D05B37990
Preferred Group:          NAC-BLAH-B

NTP: disabled
Enforcer#

On the SEPM, inside the scm-server-0.log, we see many NullPointerExceptions like this:

2012-10-18 22:46:44.793 THREAD 25 SEVERE: Unknown Exception in: com.sygate.scm.server.task.EnforcerCompilerTask
java.lang.NullPointerException
    at com.sygate.scm.server.task.EnforcerCompilerTask.compileCommonProfile(EnforcerCompilerTask.java:953)
    at com.sygate.scm.server.task.EnforcerCompilerTask.compileProfile(EnforcerCompilerTask.java:310)
    at com.sygate.scm.server.task.EnforcerCompilerTask.run(EnforcerCompilerTask.java:251)
    at java.util.TimerThread.mainLoop(Timer.java:512)
    at java.util.TimerThread.run(Timer.java:462)

What's wrong between them?


Chuck Edson:

Has the Enforcer ever been able to connect to the SEPM?

I would pull a packet capture and see what the HTTP return code is.

On the Enforcer CLI enter "capture start". The filter level is set by default to only capture Enforcer<>SEPM communications.

Let it run for a few minutes, to be sure that it captures a check-in attempt. Take note of the filename.

Then start a TFTP server on the network that the Enforcer can communicate with, and enter the following command: "capture upload tftp xxx.xxx.xxx.xxx filename [filename]". On some older versions of the Enforcer, you need to put a / in front of the [filename]. Don't enter the full path, just the filename.

Open up the capture file in Wireshark, and filter by the SEPM's IP address.

200 = OK communication

400 = Bad shared secret

If you don't see any response from the SEPM, you most likely have a networking issue (firewall, etc.). Try pinging the SEPM from the Enforcer.

That Java error may be a red herring.

Also, did you install the Network Access Control add-on from the SNAC CD? The Enforcer will not be able to check in until you do the SNAC install.

If a post helps you, please mark it as the solution to your issue.

gianlucadandrea:

The Enforcer isn't able to connect to the SEPM anymore after changing the IP address on the Enforcer itself and on the SEPM.

At the moment I don't have a TFTP server on the network, so I'm not able to download a packet capture. However, with the debug level set to ENGINEER, the live user debug is showing:

Oct/22/2012 09:36:45.126  [SyVeLink.cpp][ 1383]: Try to download profile serial number on 10.151.127.22!
Oct/22/2012 09:36:45.126  [SyVeLink.cpp][ 1408]: Download profile index with URL http://10.151.127.22:8014/secars/secars.dll?action...
Oct/22/2012 09:36:45.126  [SyVeLink.cpp][ 2847]: plain URL: l=125&action=200&hostid=C400BB9B0A337F16016FBFAB9EF99DA5&primaryenforcerid=C400BB9B0A337F16016FBFAB9EF99DA5&as=113973&mode=1&hbt=30

Oct/22/2012 09:36:30.119  [    Http.cpp][  171]: curl_easy_getinfo HTTP content-length : 538
Oct/22/2012 09:36:30.119  [SyVeLink.cpp][ 4029]: GetProfileIndexCallback returns code 500, 538 bytes.
Oct/22/2012 09:36:30.120  [SyVeLink.cpp][ 4034]: HttpHeader: HTTP/1.1 500 INTERNAL SERVER ERROR

Oct/22/2012 09:36:30.120  [SyVeLink.cpp][ 4034]: HttpHeader: Date: Mon, 22 Oct 2012 08:38:22 GMT

Oct/22/2012 09:36:30.120  [SyVeLink.cpp][ 4034]: HttpHeader: Server: Apache

Oct/22/2012 09:36:30.120  [SyVeLink.cpp][ 4034]: HttpHeader: Content-Length: 538

Oct/22/2012 09:36:30.121  [SyVeLink.cpp][ 4034]: HttpHeader: Connection: close

Oct/22/2012 09:36:30.121  [SyVeLink.cpp][ 4034]: HttpHeader: Content-Type: text/html; charset=iso-8859-1

Oct/22/2012 09:36:30.121  [SyVeLink.cpp][ 4034]: HttpHeader:

Oct/22/2012 09:36:30.122  [SyVeLink.cpp][ 1460]: Get index file returns 500
Oct/22/2012 09:36:30.122  [SyVeLink.cpp][ 4852]: Try get profile/register returns 500, nRetryTimes=0, WaitTime=15000
Oct/22/2012 09:36:34.960  [SyVeLink.cpp][ 4682]: SEPM Server Status:

Enforcer and SEPM are on the same IP subnet and VLAN, and there aren't network firewalls between them.

The NAC add-on is already installed onto the SEPM.
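As an added example (not code from the thread or from Symantec), here is how one can automate the check Chuck describes against the ENGINEER-level debug output gianlucadandrea pasted, instead of reading it by hand: pull the HTTP status the Enforcer got back from secars.dll and map it to a diagnosis. The 200 and 400 meanings are the ones given in the thread; the 500 row and the "no response" row are my reading of the thread's own evidence (an HTTP 500 alongside the EnforcerCompilerTask NullPointerException, and silence pointing at the network path). The sample log lines are constructed, modelled on the pasted ones.

```python
import re
from typing import Optional, Tuple

# Constructed sample, modelled on the Enforcer "SyVeLink.cpp" debug lines in the thread.
SAMPLE_ENFORCER_LOG = """\
Oct/22/2012 09:36:30.119  [SyVeLink.cpp][ 4029]: GetProfileIndexCallback returns code 500, 538 bytes.
Oct/22/2012 09:36:30.120  [SyVeLink.cpp][ 4034]: HttpHeader: HTTP/1.1 500 INTERNAL SERVER ERROR
Oct/22/2012 09:36:30.120  [SyVeLink.cpp][ 4034]: HttpHeader: Server: Apache
Oct/22/2012 09:36:30.122  [SyVeLink.cpp][ 1460]: Get index file returns 500
"""

# Preferred source: the echoed HTTP status line. Fallback: the "returns [code] NNN" summaries.
STATUS_LINE = re.compile(r"HttpHeader: HTTP/1\.[01] (\d{3})\b")
RETURNS_LINE = re.compile(r"returns (?:code )?(\d{3})\b")

# 200/400 from the thread; 500 and None from the thread's evidence (assumption, see lead-in).
DIAGNOSIS = {
    200: "OK: the SEPM accepted the check-in",
    400: "Bad shared secret: re-enter the preshared secret on the Enforcer",
    500: "SEPM-side failure: check scm-server-0.log for EnforcerCompilerTask exceptions",
}
NO_RESPONSE = "No HTTP response from the SEPM: suspect the network path; ping the SEPM from the Enforcer"


def extract_status(log_text: str) -> Optional[int]:
    """Return the HTTP status the Enforcer received, or None if no response was logged."""
    lines = log_text.splitlines()
    for pattern in (STATUS_LINE, RETURNS_LINE):
        for line in lines:
            match = pattern.search(line)
            if match:
                return int(match.group(1))
    return None


def diagnose(log_text: str) -> Tuple[Optional[int], str]:
    """Map the observed status code (or its absence) to the next troubleshooting step."""
    code = extract_status(log_text)
    if code is None:
        return None, NO_RESPONSE
    return code, DIAGNOSIS.get(code, f"Unexpected HTTP {code}: inspect the response body in the capture")


if __name__ == "__main__":
    status, advice = diagnose(SAMPLE_ENFORCER_LOG)
    print(f"HTTP {status}: {advice}")
```

Feed it the output of the live debug session or the text column of a Wireshark export; the same mapping applies to status lines read straight out of the capture.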

cemilebaşak:

Hi;

Restart the Enforcer, and after that you can see it connected.

If not, you must look at the logs on the Enforcer as well.

Regards;

Cemile Denerel BAŞAK

Note: Please mark as solution if it helps you.