Endpoint Protection

Good Day,

I have encountered problem on my SEP clients. 3 subnet range from my remote site suddenly disconnected on my SEPM server. SEP client status now is OFFLINE and they are not reporting to my SEPM server. My SEP version is 12.1 RU2

Client to SEPM communication:

1. Ping is good from both end, client >< SEPM communication

2. RDP is good from SEPM to client

3. Tracert was successful

4. Client communication port was open

Isolation that i already did was the following:

1. Update communication settings

2. Change the Sylink file

3. Re-install SEP client

Is there other procedure i can consider on resolving this issue? Thanks

Best Regards,

Attachment(s)

Sylink.zip   8 KB 1 version

Enable sylink debugging on the affected client to see what is going on. Post the log here for review if needed. Also run the symhelp tool.

Are you able telnet port 8014 ?

does any changes in firewall site.

@Brian - I already attached the sylink log. Hope you can have a time to check

@James - we are using customize port for SEP communication and as per checking with network team the port is open both ways

Best Regards,

As per logs 'Connection Failed'

6/01 09:55:17.328 [5340] 9:55:17=>Send HTTP REQUEST
06/01 09:55:38.341 [5340] 9:55:38=>HTTP REQUEST sent
06/01 09:55:38.341 [5340] <GetIndexFileRequest:>Send Request failed.. Error Code = 12029
06/01 09:55:38.341 [5340] <ParseErrorCode:>12029=>The attempt to connect to the server failed.
06/01 09:55:38.341 [5340] <GetIndexFileRequest:>Send Request failed.. Error Code = 12029
06/01 09:55:38.341 [5340] <ParseErrorCode:>12029=>The attempt to connect to the server failed.
06/01 09:55:38.341 [5340] <GetIndexFileRequest:>COMPLETED
06/01 09:55:38.341 [5340] <IndexHeartbeatProc>GetIndexFile handling status: 6
06/01 09:55:38.341 [5340] <IndexHeartbeatProc>Switch Server flag=1
06/01 09:55:38.343 [5340] HEARTBEAT: Check Point 5.1
06/01 09:55:38.343 [5340] <ScheduleNextUpdate>new scheduled heartbeat=2048 seconds
06/01 09:55:38.343 [5340] HEARTBEAT: Check Point 8
06/01 09:55:38.343 [5340] NextProxySetting: Cycled through all proxy settings.
06/01 09:55:38.343 [5340] Get Next Server!
06/01 09:55:38.343 [5340] ResetProxySetting: Will now use proxy setting 1
06/01 09:55:38.343 [5340] <PostEvent>going to post event=EVENT_SERVER_DISCONNECTED
06/01 09:55:38.344 [5340] <PostEvent>done post event=EVENT_SERVER_DISCONNECTED, return=0
06/01 09:55:38.344 [5340] <IndexHeartbeatProc>====== IndexHeartbeat Procedure stops at 09:55:38 ======
06/01 09:55:38.344 [5340] <IndexHeartbeatProc>Set Heartbeat Result= 1
06/01 09:55:38.344 [5340] <IndexHeartbeatProc>Sylink Comm.Flags: 'Connection Failed' = 1, 'Using Backup Sylink' = 0, 'Using Location Config' = 0
06/01 09:55:38.344 [5340] <IndexHeartbeatProc>Connection Failed! No. of tries = 1
06/01 09:55:38.344 [5340] Use new configuration
06/01 09:55:38.344 [5340] HEARTBEAT: Check Point Complete
06/01 09:55:38.344 [5340] <IndexHeartbeatProc>Done, Heartbeat=2048seconds
06/01 09:55:38.361 [5340] </CSyLink::IndexHeartbeatProc()>

Troubleshoot client/server connectivity in Endpoint Protection

https://support.symantec.com/en_US/article.TECH105894.html

The clients are trying to communicate on port 50100, is this the right port you have set?

 <SendRegistrationRequest:>http://192.168.9.15:50100
 

Please confirm this first,

Hi James,

Part of the checking that i already did was below. Please let me know if there is any specific checking you want me to try. Thanks

Client to SEPM communication:

1. Ping is good from both end, client >< SEPM communication

2. RDP is good from SEPM to client

3. Tracert was successful

4. Client communication port was open

Best Regards,

Yes that is the right port

Ok , please try these two things and share the results, 

1) Secars test, to make sure IE is not blocking anything

https://support.symantec.com/en_US/article.TECH102682.html

2) Proxy Block issue

https://www-secure.symantec.com/connect/blogs/troubleshoot-method-offline-clients

Check it

https://www-secure.symantec.com/connect/forums/client-not-connect-sepm-server

Try to one client

Check in the registry (HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings) those keys
"ProxyEnable"=dword:00000001
"ProxyServer"="test:80"

2. Change ProxyEnable to 0
3. Delete ProxyServer key

These settings are also cached in Hex format in the following location: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
-DefaultConnectionSettings
-SavedLegacySettings

If DefaultConnectionSettings and SavedLegacySettings are present, they will re-populate the proxy settings. If they are NOT present, they will be generated with the current proxy settings. This can cause issues if the customer tries to alter just "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable" without also purging DefaultConnectionSettings/SavedLegacySettings before a reboot.

The result for Secars is "Page cannot be displayed". Also, we are not using Proxy here 

Most probabally this issue is occur becaure of port is not open or not connected either it show ok.

Telnet the port 8014 from client or from server.

If it not work then require to open from firewall

I suggest you can raised support ticket,

I hope soe thing changes in network side.

the problem is on the client side then... or with port,

can you do a 

telnet SEPMIP PortNumber, does that open?

You are not using proxy but from the log it says

NextProxySetting: Will now use proxy setting 2

can you verify those proxy registry settings I posted above, you may need to delete and restart

FYI:  I've got the same issue after installing the May Microsoft updates on a 2008 server and rebooting.

Update: I uninstalled KB3061518, rebooted the server, and the clients came back online.

I've tried running telnet from SEPM to client and the result was "Connect failed".

I also tried to run update communication from SEPM to some clients and result was below..

Clients are still not reporting back to SEPM server.

Best Regards,

Are your clients also affected by this issue when you install the update? Thanks

Best Regards,

Telnet from SEPM to client on port will fail because there is no service listening on that port.

Did you delete the Proxy settings as I mentioned above? Is IE configured to WorkOffline?

We had similar issues in the past, still don't now how we solved it. I'm not an expert here but what happens if you reboot the server or services? Do the clients stay offline or are the clients online and after a while they go offline? We saw this with us, clients came online but not for long.
 

Update:

As verified, there was no Proxy configured.As per checking and validated, the listening port is not open. With this we requested and open the listening port for SEP communication.

But currently clients are still not reporting to SEPM server with the following error on the client

Error: Application level WinInet error 12019

Hope you can help me with this one. Thanks

Best Regards,

Have you engaed support? May need to enable advanced debugging within Symhelp and start looking at packet traces...

I haven't engaged with support yet.

Another question, just to clarify my thoughts. In my situation, clients from remote site are not connecting on the SEPM server.

Question are:

1. Is it necessary to open communication port both ways? SEPM to remote site and vise versa? Or it is ok to just open port communication from remote site to SEPM?

2. Is the communication traffic both ways? or from client to SEPM only?

Please advise. Thanks

Best Regards,

connection is initiated by client. 

its one-way

Depends. Are  you in push or pull mode?

In push mode the SEPM will push down data and if in pull mode the client will initiate.

I'm in pull mode. Meaning to say i don't have any issue now in communication port since I can already telnet the SEPM on the remote site. Maybe i should now engaged with support.

Best Regards,