Endpoint Protection Small Business Edition

I have upgraded our SEPM on the SBS 2011 server from 12.1 RU 2 to 12.1 RU 5 about a month ago. I had no problems and after a short break, all the clients (12.1.2) connected back to SEPM. I decided there was no need to upgrade clients to new version at this time. As of this Monday, all the clients (Win7 and Win XP) started crashing their SEP software repeatedly so I decided to start the client upgrade to see if this would resolve the issue. My first test case was Win XP SP3 machine on which I installed the newly created installation package - I did not remove the previous version of the client and just installed over it. After restart, the SEP could not connect to SEPM no matter what I tried. I have exported sylink.xml from SEPM and applied it two different ways - still no communication. I have uninstalled SEP 12.1.5 from this computer and did a clean install - still no communication. I have tried replacing the sylink.xml again - still no communication. It should be a simple upgrade that should not completely destroy to functionality of this software but turns out frustrating as hell. I am out of ideas as I am faced with old clients malfunctioning yet connecting to SEPM or new client nonfunctional and unable to connect to SEPM! 

Run the symhelp tool on it to see what's up.

Also enable sylink debugging and post the log here for review

We will try to fix the issue, do not worry, please post the sylink.log

I'm running symhelp to gather diagnostic information but it told me what I already know - no communication with SEPM. I will run SylinkMonitor after that's done.

Hi,

Thank you for posting in Symantec community.

Could you please check by any chance you have been affected by this known issue thought it's not mentioned for SEP 12.1 RU2.

ccSvcHst.exe intermittently crashes after updating Proactive Threat Protection content on January 19, 2015 content

http://www.symantec.com/docs/TECH227716

Kindly revert back with an update.

Was there any windows update..? It might have enabled windows firewall.. Firewall off on server and clients or port 8014 allowed? Please post the sylink

Is symhelp supposed to take over 30 minutes to run? It's gathering support data but I've been looking at this screen (see attached) for the last 10 minutes.

Typically does not take that long. Is anything on the screen moving?

Chetan, 

I do believe this is what prompted my problems that started on Monday:

Event Type:    Error
Event Source:    Application Error
Event Category:    (100)
Event ID:    1000
Date:        1/19/2015
Time:        2:36:37 PM
User:        N/A
Computer:    BRANDT11
Description:
Faulting application ccSvcHst.exe, version 10.1.2.14, faulting module SubmissionsEim.dll, version 12.1.671.4971, fault address 0x0002243f.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 63 63 53   ure  ccS
0018: 76 63 48 73 74 2e 65 78   vcHst.ex
0020: 65 20 31 30 2e 31 2e 32   e 10.1.2
0028: 2e 31 34 20 69 6e 20 53   .14 in S
0030: 75 62 6d 69 73 73 69 6f   ubmissio
0038: 6e 73 45 69 6d 2e 64 6c   nsEim.dl
0040: 6c 20 31 32 2e 31 2e 36   l 12.1.6
0048: 37 31 2e 34 39 37 31 20   71.4971 
0050: 61 74 20 6f 66 66 73 65   at offse
0058: 74 20 30 30 30 32 32 34   t 000224
0060: 33 66                     3f      

However, my solution of upgrading the client created the next problem that this post is referencing. Thank you for pointing me at the root of my problems.

 

Brian,

It is moving but there has been about 5 to 10 minutes between activity. It hasn't crashed. When I run it the first time, I thought it hanged so I end task'ed it but it's doing the same thing again so I'll just let it run. I would post the results of the initial scan but it won't let me copy them. I have to run the collect data for support case for it to generate a file.

After almost an hour - here is the diagnostic info from symhelp.

Was the communication port changed? Looks like clients are trying over 80, by default it is 8014. Something change?

I'm running SylinkMonitor but it just keeps running - do I need to stop it as some point or does it stop by iself?

Brian,

That is the problem - all my other clients are communicating over port 8014 but this one, after upgrade, is trying to use port 80, even after exporting sylink.xml from SEPM (even after trying sylink exported from one of the working clients).

You can stop after 1 or 2 heartbeats by the client

What if you export the sylink, edit in notepad and change it to 8014, then import into client

And here is the sylink.log

I could if I knew what to change - there is no Port 80 entry in my sylink.xml

stop SMC sevice, start -run - smc -stop

delete sylink.bak and SyLinkEx.bak and replace a new sylink file

http://www.symantec.com/business/support/index?page=content&id=TECH157585

Rafeeq,

I did this with sylink.xml exported from SEPM and even from a working older client, it will not connect. Which begs the question of how are all of my other clients connecting?

You did replace the Sylink, but did you open the sylink once replaced?

 

Open the current sylink on the client and check the Port and IP,

You can edit the Port number ( assuming IP and SEPM name is same) 

Save the Sylink, restart SEP service 

P.S : You need to stop SEP service before changing sylink file

Rafeeq,

I did open the sylink.xml - there are no port or IP settings in it. That is why I'm so confused. I do not know how they are communicating or where is this client getting Port 80 from.

Have you considered doing a reinstall since only one client is affected. Perhaps something is just hung up

Port 80 is default for any HTTP communication so your wont find it in the sylink.xml file, if there is no port then its port 80.

 I was thinking that all your clients are communicating on port 8014 and this one is on port 80.

I have few questions for you,

whats your client port, 80 or 8014?

the issue is pretty simple, we dont have the basic details.

use this secar test, change the port as necessary, see which port gives you the result as OK

http://www.symantec.com/business/support/index?page=content&id=TECH102682

 

Brian,

This is second installation on this client. Only this client is affected because this is the only one I've tried to upgrade so far and seeing how "well" that went, I will not touch any others. I don't know if I want to try another installation - it's beginning to look like deja vous.

Rafeeq,

You are right, all other clients are communicating on port 8014 and this one, after upgrade, is stuck to port 80. The secar test shows Port 8014 as OK on this client. I finally managed to find the spot to put the port 8014 in my sylink file; alas, still no communication.

I know there was a KB which said about this, I'm not able to find it as of now, Give me sometime I will get it for you, how are upgrading your clients? 

Have you used the Autoupgrade feature in SEPM, or pushed a new package? does it changes the port as well?

I have never used the autoupgrade feature of SEPM - I just export installation package as exe file and install it on every client. I know that after I upgraded the SEPM, it sent upgrades to clients - but I only recently discovered the clients refused the package - don't know why and I really don't want to dig into that one since I'm having so much "fun" with this issue. They were all still working with the upgraded SEPM so I just left it alone. 

Export an another package from SEPM, uncheck Single Exe,

Open the Sylink file,is there any port? If not 8014, then its problem at the SEPM.

I did and the sylink.xml does not have Port 8014 anywhere. Of course, neither do any of the other sylink files on older clients that do comminicate with the SEPM - I do not know how and where they get their settings from. All the sylink files coming from my new SEPM are missing information required to establish connection with new clients. I've even tried reinstalling my old client this morning and importing a sylink from a working older client - no connection. There is something about my setup that works in some weird non-standard way that I have no way to duplicate now. That means that I cannot connect new clients so maybe it's time for me to start looking at other security software. Symantec Endpoint Protection has been getting harder and harder to work with and I have been dreading any upgrades because I have never had a problem free upgrade - I've been working with this software for 9 years now and I think I've just about had it.

Chetan, 

I do believe this is what prompted my problems that started on Monday:

Event Type:    Error
Event Source:    Application Error
Event Category:    (100)
Event ID:    1000
Date:        1/19/2015
Time:        2:36:37 PM
User:        N/A
Computer:    BRANDT11
Description:
Faulting application ccSvcHst.exe, version 10.1.2.14, faulting module SubmissionsEim.dll, version 12.1.671.4971, fault address 0x0002243f.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 63 63 53   ure  ccS
0018: 76 63 48 73 74 2e 65 78   vcHst.ex
0020: 65 20 31 30 2e 31 2e 32   e 10.1.2
0028: 2e 31 34 20 69 6e 20 53   .14 in S
0030: 75 62 6d 69 73 73 69 6f   ubmissio
0038: 6e 73 45 69 6d 2e 64 6c   nsEim.dl
0040: 6c 20 31 32 2e 31 2e 36   l 12.1.6
0048: 37 31 2e 34 39 37 31 20   71.4971 
0050: 61 74 20 6f 66 66 73 65   at offse
0058: 74 20 30 30 30 32 32 34   t 000224
0060: 33 66                     3f      

However, my solution of upgrading the client created the next problem that this post is referencing. Thank you for pointing me at the root of my problems.

Some ideas:

Try sylinkDrop to change the sylink.xml. (In CD2 of SEP package.)

Delete the client with CleanWipe, and re-install it with a package where the option Remove all previous logs and policies, and reset the client-server communications settings is set (you can find it under Admin > Install Packages > Client Install Settings).

Is there another web server (e.g. IIS) running on your SEPM? If yes, on which ports is it listening?

Check your Apache settings (<SEPM folder>:\apache\conf\httpd.conf): Is it only listening on 8014?

Greg,

I have tried multiple ways of updating the sylink file the problem being not the procedure but rather the settings in the sylink file (or lack thereof). Thanks for the CleanWipe info - I could have used that before clean install as SEP leaves a lot of junk behind when uninstalled. It might come in handy next time.

I have actually solved my problem with help from Symantec tech support. The issue being, during SEPM upgrade from version 11 to 12, while moving from SBS 2003 to SBS 2011, as the clients were being upgraded to 12.1.2, there was a communication problem. It was solved by customizing their communication settings (or messing with them until they connected). This worked (sort of) until now - the next client version upgrade -when the "creatively" modified settings stopped working. After a few re-installations, countless versions of sylink files and quite a few SymHelp files, all I had to do is reset management server list to default in communication settings. We were using a custom one that had the wrong port (or no port set) and the clients were communicating due to some weird combination of backed up working settings from previous installation. Once the management server list was reset, the clients connected and updated policies, the working sylink was downloaded and everything is working as intended.

Thank you all for working with me on this.