It sounds like two things may be happening here:
1- Clients are unable to report an accurate status back to the SEPM, or the SEPM is not processing new logs received by the clients (look for a lot of .err or .tmp files within the [SEPM]\data\inbox\* folders). You didn't mention whether or not there a "green ball" on the shield on the client side. If the clients do have a green dot, then it sounds like the SEPM is incorrectly telling the clients (via the heartbeat process) that they're already updated and don't need to download new definitions. Sylink debug logging would reveal what's happening 'behind the scenes' during the heartbeat process.
How to enable Sylink Debugging for Symantec Endpoint Protection in the registry
http://www.symantec.com/docs/TECH104758
- Update Content launches LiveUpdate on the client. The log.lue file ("log" if file extensions are hidden; location will vary depending on OS) would indicate why that communication is failing. If you have not implemented a LUA (internal LiveUpdate) server and your clients don't have direct internet access, then you'll know why it failed already.
Hope this helps,
sandra