Video Screencast Help

SEP 12.1.1 issues on Lenovo Laptop - re-installing itself then dropping network connection

Created: 23 Oct 2012 | 15 comments

Issues with SEP 12.1.1 with randomly dropping network connection on certain Lenovo laptops.

I have a Lenovo ThinkPad T530 running Windows 7 Pro SP1 64-bit.  I installed SEP 12.1.1 on it.  It is randomly dropping its network connection.

Re-loaded this machine at least 4 times and it does the same thing.

I tried installing SEP 11.0.5 and SEP 11.0.7.  After 2 reboots, it SOMEHOW installs SEP 12.1.1 again automatically, then starts dropping the network connection randomly again.

I don't know what to do, has anyone ever seen this behaviour before???

Comments 15 CommentsJump to latest comment

.Brian's picture

Remove the NTP component and try again.

Do you have an auto upgrade package in place? This would be one of the few ways it could upgrade by itself.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

rmorda's picture

I don't think I do, but can you provide instructions on how I can check to see if auto upgrade is in place?

However, we do have machines that are running 11.0.5 and 11.0.7 and none of them have auto upgraded other than this one.

I will cleanwipe and try installing without NTP.

Thanks for the quick response!

.Brian's picture

On the Clients page in SEPM, select the group this PC belongs to and click the Install Packages tab. This will show if a package has been assigned for auto-upgrade.

And you may want to try just installing only AV to start than add the PTP component and NTP component. At least this way we can narrow it down to which component may be causing the issue.

Do you use a VPN? I've seen this inadvertantly enabled during install causing the connection to drop.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

rmorda's picture

We do use VPN but I don't have it installed on this machine.  I tried installing SEP first to eliminate any conflicts with other software apps.

It looks like there was 2 install packages in there already - 11.0.5 and 12.1.1.  I have removed both of them and try to install 11.0.7.  I am not installing 12.1.1 on any more machines until they come out with some kind of update to fix the multiple issues we have been having with it.

.Brian's picture

So the auto upgrade was the reason than it looked like.

I've seen this happen in the past.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Jason1222's picture

If your system was doing a straight pipe update from 11.0.5 to 12.1.1, you are likely experiencing the problems you are having because of a simple looping problem.

See this thread and enclosed links. 

https://www-secure.symantec.com/connect/forums/upgrading-symantec-endpoint-protection-manager-1105002333-1211-mp1

You cannot upgrade directly from 11.0.5 to 12.1.1.

Because you had the package deploying 12.1.1 automatically to this client, as I said above, you are ending up in the loop.

11.0.5 with NTP includes a Teefer driver (virtual network card) which hooks into the physical NIC for analyzing traffic and applying rules, for example.

The system wants to update to 12.1.1 so it begins the installation process.

Begins uninstalling 11.0.5 and the Teefer driver...  Network is dropped for a few moments.

Loses it's connection to the server trying to feed it the 12.1.1 upgrade (different drivers) and it can no no longer connect, roll back initiates and the teefer driver from 11.0.5 re-installs...  Network is dropped again.

Reconnects to the SEPM server who in turn tells the system again to update to 12.1.1 as indicated by the system and the "auto-update".  Begin loop.

System initiates uninstall, removes the Teefer driver... network is dropped.  Rollback occurs and network is dropped again...  System connects to SEPM...  And begin loop again.

I don't think your problem is directly related to the SEP version.  Your problem is: you are inadvertantly skipping steps (or at least the server is) in order to properly upgrade from SEP 11.0.5 to 12.1.1

* * * * * *

Now, Brian told you to setup auto-upgrade of your clients, or at least where to find the settings in order to push the version you would like.

You have 2 options here:

- You can set your clients to auto-upgrade to SEP 11.0.7

- When you are satisfied with that, you can than set your clients to auto-upgrade to 12.1

- Once that requirement has been met, you can than auto-upgrade your clients to build 12.1.1

Here is a document that may help you out for the upgrading process.

http://www.symantec.com/business/support/index?page=content&id=TECH163602

 

Hope this helps and have a great day!!

 

rmorda's picture

That makes sense now, here we thought we were losing our minds with this machine!
 

It's just odd that there are a few machines in this group that had the auto install packages but did not auto install, not sure why, but I'm hoping the removal of these install packages does the trick.

I didn't realize you couldn't go from 11.0.5 to 12.1.1 without updating to 11.0.7 first.

There are a few clients that I installed 12.1.1 on via exported install package because we are having issues with remote push.  Their network connections have dropped a few times but haven't dropped for a while.  Maybe it was trying to roll itself back to 11.0.5 and couldn't since both install packages were in that group.  All 3 of these machines were in the same group so I'm starting to think that is how they are all related to each other with similar issues.

 

.Brian's picture

You can always upgrade from one major release to another (eg. 11.0.5 to 12.1 RU1) but not from a major release to a maintenance patch(MP) (eg. can't go from 11.0.5 to 12.1 RU1 MP1) Need to go to RU1 first than to MP1

The release notes will have the supported migration paths

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

rmorda's picture

One thing though, after about 2 reboots, it does install SEP 12.1.1 successfuly but only after its installed that it starts dropping the network connection.  Perhaps the Teefer driver has gotten messed up because of the straight update to 12.1.1 from 11.0.5, but even after installing 11.0.7 it still messed up as well as a straight 12.1.1 install from the exported package, so that part of it may have something to do with the NTP protection. 

I installed 11.0.7 and *fingers crossed* it doesn't update itself to SEP 12.1.1 again.  11.0.7 has been stable for us so I'm not going to update to SEP 12.1.1 right now.

rmorda's picture

Ok, stupid question.....

How can I tell if I have RU1 or RU1 MP1?  Did MP1 just get released or has it been out for a while?

I have SEP 12.1.1101.401 right now.

 

.Brian's picture

That is MP1, released a few months back

Official migration path supported for Symantec Endpoint Protection 12.1

https://www.symantec.com/business/support/index?pa...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Jason1222's picture

The Teefer2 driver was used in SEP 11.x and that changed to the Teefer3 driver in 12.1

Now, this document talks about an isue in which the Teefer3 driver fails to bind correctly to a NIC and causes issues, such as the ones you are describing as having with this particular laptop.

The cause is not identfied 100%, but could indeed be related to a certain chip on the NIC.

http://www.symantec.com/business/support/index?page=content&id=TECH188021

They do indicate that the RU1 MP1 (released last week) resolves this issue.

It might be a good idea, even though you have rolled back to 11.0.7 to test, for future reference, if this issue still exists in 12.1.1 for your particular case.

Other question...  Are your machines using DHCP or Static addresses? 

rmorda's picture

All workstation computers and laptops use DHCP.  We also have IP phones.  When the connection gets dropped, it doesn't just drop the laptop it drops the entire connection so the phone that it's connected to dies as well.  The IP phone just has a gigabit passthrough from the jack on the wall to the laptop.  So, basically it kills the entire connection from the laptop to the main switch.  When I disconnect the laptop from the network, then the phone comes back.  It's totally random too.

Do you have a link to the new SEP 12.1.1 RU1 MP1?

.Brian's picture

The version you're on (12.1.1101.401) is RU1 MP1

https://www.symantec.com/business/support/index?pa...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Jason1222's picture

The only other thing I can think of, because I am using a similar (not exactly the same, but similar) model laptop and am not experiencing any of these troubles, is somehow, your IP stack on that machine is getting corrupted.

I had a machine which was not behaving properly and the issue was a misconfigured driver from the manufacturer.  Although, you probably have the latest Lenovo driver, it may be worth a check, to go directly to Intel's website and run the hardware detection wizard.

You can try by getting rid of the additional overhead installed by Lenovo and see if the generic driver helps you out.

http://downloadcenter.intel.com/default.aspx?lang=eng

You can just scan directly.  If you know how to setup traps using SNMP or you can try a wireshark to see where the problem occurs...