SEP 12.1 Clients Using GB's of Bandwidth

Created: 11 Jun 2013 • Updated: 11 Jun 2013 | 6 comments

I am new to a position and am faced with a network crippled by Symantec.  While investigating I came across connections running over port 8014 to VPN users specifically which were causing issues.  In a 24 hour period there were the following connections logged.

I have been trying to determine why Symantec has been using such huge amounts of bandwidth but having looked through hundreds of posts am still left somewhat baffled.  Any suggestions would be greatly appreciated, my main concern is the 4.29 GB hits as they are occurring fairly regularly, not always 4.29 exact but all days are 4.x in the past month.

10.15.3.31 10.1.34.29 TCP 8014 58353 4.29 GB  
192.168.30.33 10.1.34.29 TCP 8014 63572 4.29 GB  
10.15.3.31 10.1.34.30 TCP 8014 61692 4.29 GB  
10.15.3.31 10.1.34.75 TCP 8014 56846 4.29 GB  
192.168.30.33 10.1.34.29 TCP 8014 60263 4.29 GB  
192.168.30.33 10.1.34.31 TCP 8014 50605 4.29 GB  
10.15.10.63 100.60.100.13 UDP 53336 25495 694.61 MB  
10.15.3.31 192.168.15.61 TCP 58287 8014 493.94 MB  
10.15.3.31 192.168.35.77 TCP 49312 8014 430.77 MB  
10.15.3.31 192.168.35.119 TCP 57896 8014 415.91 MB  
10.15.3.31 10.1.34.76 TCP 59218 8014 280.66 MB  
10.15.20.2 10.6.166.62 UDP 27176 18496 71.76 MB  
10.15.20.143 10.6.166.62 UDP 31714 23296 60.84 MB  
192.168.30.33 10.1.34.31 TCP 63451 8014 53.53 MB

 


_Brian's picture

8014 is client/SEPM communication. It could be from content updates. My concern is why one client is pulling that much data. A full def file is typically around 150Mb. It could be that this client has corrupt file definitions and just keeps pulling over and over.

Do you have GUPs set up?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

pete_4u2002's picture

What is the client version? Can you upgrade one of the clients to the latest version and check if it still has the same problem?

 

James-x's picture

Hi mcfly,

As Brian81 noted, client-server communication is by default on port 8014 (this includes definition distribution.)

It's possible that definition distribution is your issue, but I'd want to see that in logs before I'd commit to it. Would you be up for enabling some Apache access logging? It will keep track of what content is being distributed by the SEPM to clients so we can narrow in on exactly what's going on.

To enable the Apache HTTP server Access log:

  1. In a text editor, open the file C:\Program Files\Symantec\Symantec Endpoint Protection Manager\apache\conf\httpd.conf.
  2. In the httpd.conf file, remove the hash mark (#) from the following text string and then save the file: #CustomLog "logs/access.log" combined
  3. Using services.msc, restart the Symantec Endpoint Protection Manager Webserver service (Apache)
  4. Click "Yes" to also restart the SEPM service

After the logging is enabled, wait an hour (if the network can take it), run collectLog.cmd (%SEPM_INSTALL_FOLDER%\Tools), and attach the ZIP file it creates to a reply.

If the ZIP is too large to attach, I'll provide an alternative way to send it to me.

James

The Symantec Endpoint Protection Knowledgebase

Please remember to mark the post which resolved your issue as the solution!
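
One way to read the access log described in the steps above once it is enabled, as an added example that is not part of the original thread or of Symantec's tooling: it totals bytes served per client and flags clients that fetch the same large object repeatedly. The sample lines, request paths, user-agent string and the 50 MB threshold are constructed assumptions; only the client IPs are taken from the original post.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines; paths and agent are placeholders, not real SEPM URLs.
SAMPLE_LOG = """\
10.1.34.29 - - [11/Jun/2013:09:00:01 -0500] "GET /content/EXAMPLE-MONIKER/full.zip HTTP/1.1" 200 157286400 "-" "example-agent"
10.1.34.29 - - [11/Jun/2013:09:20:14 -0500] "GET /content/EXAMPLE-MONIKER/full.zip HTTP/1.1" 200 157286400 "-" "example-agent"
10.1.34.30 - - [11/Jun/2013:09:21:40 -0500] "GET /content/EXAMPLE-MONIKER/delta.dax HTTP/1.1" 200 524288 "-" "example-agent"
10.1.34.29 - - [11/Jun/2013:09:40:02 -0500] "POST /heartbeat-placeholder HTTP/1.1" 200 - "-" "example-agent"
this line is malformed and must be skipped
"""

def summarize(lines):
    """Return ({client: total_bytes}, {(client, path): [hits, bytes]}, skipped)."""
    per_client = defaultdict(int)
    per_request = defaultdict(lambda: [0, 0])
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        sent = 0 if m["bytes"] == "-" else int(m["bytes"])  # "-" means no body sent
        per_client[m["host"]] += sent
        entry = per_request[(m["host"], m["path"])]
        entry[0] += 1
        entry[1] += sent
    return dict(per_client), dict(per_request), skipped

def repeat_downloads(per_request, min_hits=2, min_bytes=50 * 1024 * 1024):
    """Flag clients fetching the same large object repeatedly (assumed threshold)."""
    return sorted(
        (host, path, hits, total)
        for (host, path), (hits, total) in per_request.items()
        if hits >= min_hits and total / hits >= min_bytes
    )

if __name__ == "__main__":
    clients, requests, skipped = summarize(SAMPLE_LOG.splitlines())
    for host, total in sorted(clients.items(), key=lambda kv: -kv[1]):
        print(f"{host:15} {total / 1e6:10.1f} MB")
    for host, path, hits, total in repeat_downloads(requests):
        print(f"repeat: {host} fetched {path} {hits}x ({total / 1e6:.1f} MB)")
```

Comparing these per-client totals with what the flow collector reports for the same window shows whether the traffic was really served by the SEPM web server.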

James-x's picture

Hello mcfly,

Any update on this?

James


mcfly's picture

Sorry for taking so long to get back.  We have been conducting a thorough investigation into the problem and have concluded that Symantec is not the issue but merely an odd symptom of a deeper problem.

We have tested with other netflow collectors and seen the same results; however, manually watching the connections, you can see that they are using the correct bandwidth for full or partial updates.

We are trying to troubleshoot our netflow hardware now.

James-x's picture

Hi mcfly,

Glad to hear we aren't causing issues in your network.

Hope you can get everything sorted out quickly! Thanks for the update.

James
