
SEP 11 not updating from GUP

Created: 20 Jun 2012 | 25 comments

Hey all,

Strange situation here.

We recently started to migrate all our SEPM machines to GUP machines, apart from 2 management servers (we had about 15 management servers globally).

Now we have one country where the servers are receiving their updates properly, but the clients don't.

Firewall isn't being a problem, we are able to manually telnet to the device, the client just doesn't try to get the updates from the GUP. Any ideas?

Cheers,

-S


Mithun Sanghavi's picture

Hello,

What version of SEPM are you running globally? From what version to which version did the migration take place?

Are the GUP clients updated as well?

Are the Clients properly communicating to the SEPM Server and the GUP client machines?

Are the GUP client machines updated with the Latest definitions?

Troubleshooting Articles:

Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection (SEP)

http://www.symantec.com/docs/TECH104539

Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart

http://www.symantec.com/docs/TECH95790

Troubleshooting Content Delivery to the Symantec Endpoint Protection client

http://www.symantec.com/docs/TECH106034

Could you upload the sylink.log from one of the client machines which are not taking the updates? Check the article on how to pull the sylink logs:

http://www.symantec.com/docs/TECH104758

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

_Brian's picture

Are the clients/servers in the same or different group?

Are you using a location awareness policy to denote which policy the machines will get and what location they should be in?

Has the policy been applied?

Chetan Savade's picture

Hi,

After the SEPMs were demoted, did you change the SEP clients' sylink.xml? Did you point the SEP clients to the proper SEPM?

If yes, check whether the promoted GUPs are actually acting as GUPs or not.

How to search for the clients that act as Group Update Providers?

http://www.symantec.com/docs/TECH96094

 

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Dorbian's picture

To clarify, the machines are no longer allowed to download from a SEPM machine, the managers still exist, they are however forced to connect to the one in the centralized area.

The GUPs are in a different group than the clients, however for all the other 16000+ machines in different countries this isn't a problem.

When checking the SylinkMonitor, I actually don't see it trying to download anything, there is no connection attempt, nothing.

The specific GUP is updated to the latest updates and the servers that communicate to it have no problem getting updates themselves.

Cheers for the replies so far.

-S

pete_4u2002's picture

The sylink log should give some more information about the connectivity between client & SEPM/GUP.

Dorbian's picture

The client is properly connected to the SEPM and receiving all information it should, it just never tries to download anything, and the definitions are 2 months old, it should be triggered by now.

I refuse to do it manually as we allow downloads from Liveupdate@Symantec so it will be able to get the latest manually, I just prefer it to update automagically.

The version being used is 11.0.5002.333 for SEPM GUP and Clients.

-S

 

EDIT:

Attached the running Sylink logfile. Changed some names to standard names, but that shouldn't make the data useless.

-S

EDIT 2:

The IP of the GUP is 172.22.25.65
The IP of the Client is 172.22.21.39

Attachment: log.txt (413.73 KB)

pete_4u2002's picture

The client has requested the updates from SEPM.

Is the client supposed to get the updates only from the GUP, i.e. have you set "do not bypass GUP"? If yes, then the client is unable to reach the GUP machine. Please check if the GUP machine is available for content distribution.

 

Dorbian's picture

The machine actually doesn't get updates from SEPM as it isn't allowed to, only from the GUP machines.

I edited the previous post with some more information.

Thanks Pete for the effort so far.

pete_4u2002's picture

Yeah, since the client always checks with SEPM to know if new content is available. SEPM has the latest definitions, however the client is not able to find the GUP, hence it is not updated. You may test by allowing the client to connect to SEPM, else you have to make the GUP available for the client.

Dorbian's picture

There are other machines using the GUP to update, they have no problems.

There is actually no machine that is allowed to get updates from SEPM, and yet almost all machines are reasonably up to date.

According to the log it should get a full update but the GUP isn't being contacted.

pete_4u2002's picture

 

Check this link:

Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection (SEP)
http://www.symantec.com/business/support/index?page=content&id=TECH104539
 

Dorbian's picture

Hi Pete,

Already went through that link, didn't help me with resolving the problem to be honest. As said, there are machines using that specific GUP to update, the local client is able to telnet to the GUP on the ports used, no problem there.

-S

pete_4u2002's picture

Does this client have a registry entry showing the GUP IP?

Something like this?

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate

"MasterClientHost"="192.168.2.4"
"MasterClientPort"="2967"
 

Dorbian's picture

It does have the port, just not the IP. I did read somewhere that that will be empty in a multiserver area with multiple GUPs being responsible for the area.

pete_4u2002's picture

Yep, if it is multiple GUPs then it will be blank.

Umm, do you have the debug logs? I suggest opening a support case.
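
The registry check discussed in the posts above, as an added example that is not part of the original thread or of Symantec's tooling: it reads the two LiveUpdate values quoted above and tests TCP reachability of the GUP without telnet. The Wow6432Node path, the `-GupAddress` parameter and the function names are assumptions made for this example; 2967 is the port from the sample registry entry above.

```powershell
# Added example, not from the thread. Run on an affected SEP client.
param([string]$GupAddress)   # hypothetical parameter: GUP IP to test when the registry host is blank

$keyPaths = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate',
    # Assumption: 32-bit registry view on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\LiveUpdate'
)

function Get-GupSetting {
    # Return the first LiveUpdate key found, with the two values from the thread.
    foreach ($path in $keyPaths) {
        if (Test-Path $path) {
            $props = Get-ItemProperty -Path $path
            return New-Object PSObject -Property @{
                Key     = $path
                GupHost = [string]$props.MasterClientHost
                GupPort = [string]$props.MasterClientPort
            }
        }
    }
    return $null
}

function Test-TcpPort([string]$Address, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout; works on hosts without Test-NetConnection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$gup = Get-GupSetting
if ($null -eq $gup) {
    Write-Output 'LiveUpdate key not found in either registry view.'
} else {
    $port = 2967                                  # port from the thread's sample entry
    if ($gup.GupPort) { $port = [int]$gup.GupPort }
    $target = $gup.GupHost
    if (-not $target) {
        # Per the thread, a blank host is expected when multiple GUPs serve the group.
        Write-Output "MasterClientHost is blank under $($gup.Key); port is $port."
        $target = $GupAddress
    }
    if ($target) {
        Write-Output ("{0}:{1} reachable: {2}" -f $target, $port, (Test-TcpPort $target $port))
    }
}
```

A successful connect only confirms what telnet already showed; the useful part is seeing which GUP host and port the client itself has recorded.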

Dorbian's picture

Hey pete.

Already opened a case, I was however hoping that the community would be faster with the resolution. Thanks for the support so far.

When i have the solution i will post it here.

Chetan Savade's picture

Hi,

A machine acting as a GUP will have a "shared updates" folder inside the SEP install folder.

Delete all the content inside the shared updates folder.

Repair the SEP client & reboot the system.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Dorbian's picture

Dear Chetan,

Already tried this, also the GUP is updating some machines, just not most, so I doubt the GUP itself should be the problem in this case?

Maybe a config setting that is wrong somewhere?

Chetan Savade's picture

Hi,

Try to run RX4Defs utility on 2-3 affected machines.

How to determine if virus definitions of Symantec Endpoint Protection client (SEP) 11 or 12 Small Business Edition, are corrupted

http://www.symantec.com/docs/TECH97677 

How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually

http://www.symantec.com/docs/HOWTO59193 

OR

Try running utility "Rx4DefsSEP" on 2-3 affected machines & check.

http://www.symantec.com/business/support/index?page=content&id=TECH93036&locale=en_US

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Dorbian's picture

Hi Chetan,

Thank you for the information, can you please let me know if the Rx4Defs utility tries to connect to the symantec.com server when it isn't able to perform the repair from our local servers?

I'm trying to avoid using the symantec.com servers as a solution as that doesn't tell me if the problem is resolved or not.

Also it is one specific country that isn't updating, performing a manual update towards Symantec.com updates the client once, so I doubt that the definitions themselves are corrupted.

According to the log file there isn't a connection created towards the GUP, which makes me think it doesn't know it exists.

Chetan Savade's picture

Hi,

Thank you for the information, can you please let me know if the Rx4DefsSEP utility tries to connect to the symantec.com server when it isn't able to perform the repair from our local servers ?

-> Answer is No

The Rx4DefsSEP utility will remove only definitions, it won't touch policies.

There won't be any harm in running this tool on 2-3 machines.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Dorbian's picture

Hi Chetan,

Thanks for the swift reply.
The tool can only be received by contacting support. I already have a support call open and I'm still waiting to be called, do you happen to know a way to get the tool?

Cheers,

-S

Chetan Savade's picture

Hi,

Could you please share the case number with me?

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Dorbian's picture

Hi Chetan,

 

No luck, still no updates received, the program itself is actually hanging (I think) on DETAILSAV.

The SyLink monitor still hasn't shown a connection attempt to the GUP.

As the GUP is in a different subnet, I added the GUP as a failsafe in the list but this is also not working.