
SEP Agents and Content Update

Created: 04 Nov 2012 • Updated: 11 Nov 2012 | 11 comments

Hi All,

I have been working on a client that is running SEP 11.0.6a and has 3 x GUP's for content updates (primarily A/V signatures). It has been observed that each Monday as the SEP Agents reconnect after the weekend that it takes the best part of a day to catch up. This has been improved with some closer attention and policy tweaking. However I strongly suspect there is a significant portion of the fleet that is waiting for the GUP retry timeout and defaulting to the SEPM for updates (currently set to 2 hours).

Whilst this practice is presently not impacting the network noticeably, as the fleet grows it will become less and less workable. Also, ideally I would like to turn this timeout off entirely!

What I need is a way to identify those endpoints that are retrieving their content direct from the SEPM. This really needs to be able to run from the SEPM and not require queries/observations run on specific endpoints as any "solution" of that manner is simply not feasible with the size of the client. Is there a way to do this?

Regards,

Dean

.Brian:

See this article:

https://www-secure.symantec.com/connect/articles/u...

You can also check deltas by applying this display filter in wireshark:

frame matches "\.[Dd][Aa][Xx]" && tcp.port==8014

In the SEPM logs, under Monitors set log type to System

Set Log content to Client-server activity

This should give you info as well on what was downloaded

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SMLatCST:

These articles might also help.

GUP Monitoring tool: http://www.symantec.com/docs/TECH156558

Download from GUP Logs on SEPM: http://www.symantec.com/docs/TECH187283

SOLUTION
Ian_C.:

Thumbs up to article #187283 as pointed out by SMLatCST.

That is one report run directly on the SEPM console. No SQL queries or client log monitoring required.

Please mark the post that best solves your problem as the answer to this thread.
EssKay:

Hello SMLatCST,

I am familiar with this tool and have it running. I am still astounded it is not a core part of the product. That said, unless I am missing something this tool does not identify which clients are using or bypassing the GUP's after the timeout has been reached.

Regards,

Dean

Ian_C.:

this tool does not identify which clients are using or bypassing the GUP's after the timeout has been reached

The tool might not identify these clients, but the logs do (as per article #187283). I see four different event types:

  1. Cannot reach server
  2. Definition file downloaded from GUP
  3. Failed to download from GUP
  4. Reconnected server

2 & 3 are obvious & I'd say exactly what you are looking for (clients either using the GUP or not).

1 & 4: It never seems to be clear if that server is the actual SEPM.

EssKay:

I only ever seem to see 1 & 4. Tried this over the past few days.

I can though see connections to each GUP throughout the day from other clients on port 2967.

Any ideas?

Regards,

Dean

Ian_C.:

Hmmm, interesting.

... see connections to each GUP throughout the day from other clients ...

Sounds to me like your GUPs don't know they are supposed to be GUPs

  • Do your GUPs accept connections on :2967 ?
  • Can you connect with a browser to http://gup-name:2967/ ?
  • Have you reviewed the SYLINK files from the client to see if they request http://gup-name:2967/*.dax ?
  • Have you reviewed the SYLINK files from the GUP to see that it is serving the files?
  • Can you see the SharedUpdates folder on the GUP?
EssKay:

Yes to all but number 3. I have read though that the "Client Activity" approach applies to 11.x RU7 and above. Given it's 11.0 RU6 it is probably not there. There are some plans to go to 12.1 RU2 when it is released, so will revisit then.

Until that upgrade is done I will scrape the IIS log for the data.

Thanks all for the help and assistance.

Regards,

Dean
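The IIS log on the SEPM is the one place every direct content download has to leave a trace, so scraping it is a reasonable stopgap. The script below is an added example, not code from the thread or from Symantec: it parses IIS W3C log lines using the #Fields directive, keeps only successful requests for *.dax deltas on the SEPM's client port (8014, the same port .Brian's Wireshark filter uses), and counts them per client address. The log lines, IP addresses and content moniker are constructed placeholders. One caveat built in: GUPs fetch their own deltas from the SEPM and would otherwise top the list, so the known GUP addresses are excluded.

```python
import re
from collections import Counter

# Constructed sample IIS W3C log (not real SEPM output). IPs and the
# "MONIKER" path segment are placeholders. 10.0.1.10 plays the role of a GUP.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-11-05 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-11-05 08:00:01 10.0.0.5 GET /content/MONIKER/121105001/full.zip - 8014 - 10.0.1.10 SEP 200 0 0 1200
2012-11-05 08:00:02 10.0.0.5 GET /content/MONIKER/121105001/121104001_121105001.dax - 8014 - 10.0.1.10 SEP 200 0 0 300
2012-11-05 08:00:03 10.0.0.5 POST /secars/secars.dll action=12 8014 - 10.0.2.31 SEP 200 0 0 15
2012-11-05 08:00:04 10.0.0.5 GET /content/MONIKER/121105001/121104001_121105001.DAX - 8014 - 10.0.2.31 SEP 200 0 0 280
2012-11-05 08:00:05 10.0.0.5 GET /content/MONIKER/121105001/121104001_121105001.dax - 8014 - 10.0.2.44 SEP 200 0 0 310
2012-11-05 08:00:06 10.0.0.5 GET /content/MONIKER/121105001/121104001_121105001.dax - 8014 - 10.0.2.31 SEP 200 0 0 290
2012-11-05 08:00:07 10.0.0.5 GET /content/MONIKER/121105001/121104001_121105001.dax - 8014 - 10.0.3.9 SEP 404 0 2 5
"""

# Delta content files end in .dax; IIS preserves the client's casing, so match case-insensitively.
DAX_RE = re.compile(r"\.dax$", re.IGNORECASE)


def parse_iis_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields directive.

    IIS replaces spaces inside field values (e.g. the User-Agent) with '+',
    so splitting on whitespace is safe for W3C-format logs.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def direct_sepm_dax_clients(text, sepm_port="8014", known_gups=frozenset(), success_only=True):
    """Count .dax downloads per client IP taken directly from the SEPM.

    Requests from known GUP addresses are excluded, because GUPs legitimately
    pull deltas from the SEPM and would otherwise dominate the result.
    With success_only=True only 2xx responses count as a real download.
    """
    counts = Counter()
    for rec in parse_iis_w3c(text):
        if rec.get("s-port") != sepm_port:
            continue
        if not DAX_RE.search(rec.get("cs-uri-stem", "")):
            continue
        if success_only and not rec.get("sc-status", "").startswith("2"):
            continue
        client = rec.get("c-ip")
        if client in known_gups:
            continue
        counts[client] += 1
    return counts


def report(counts):
    """Return (client, count) pairs, busiest first, for a quick console listing."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = direct_sepm_dax_clients(SAMPLE_IIS_LOG, known_gups={"10.0.1.10"})
    for client, n in report(hits):
        print(f"{client}\t{n} delta(s) downloaded directly from SEPM")
```

On a real SEPM, feed the script the day's W3SVC log for the site bound to port 8014 and pass the GUP addresses from the GUP policy as known_gups; any client that appears repeatedly is one that gave up on its GUP and fell back to the manager.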

SMLatCST:

Yup, that's what the second article is for.

Simpson Homer:

A new tool has been released by Product Management, SEP Content Distribution Monitor, that helps monitor GUP health and status as well as general content deployment. This is a lightweight, stand-alone tool designed to be run directly on the Symantec Endpoint Protection Manager (SEPM) server, and should return a graphical display of the content distribution status.

This monitor works with GUPs that are running 11.0.5 (SEP 11 RU5) or above. There is also a beta release of a tool which works with SEP 12.1 SEPMs and GUPs.

An introduction and tutorial webcast on the use of this tool can be viewed at the following location:

http://www.symantec.com/connect/videos/sep-content-distribution-monitor-introduction