SEP Client Offline without green dot [Solved]

  • 1.  SEP Client Offline without green dot [Solved]

    Posted Jul 30, 2009 10:57 AM
    Hello

    I have a hundred computers working with SEP, but there is a problem on one:
    When I add Sylink.xml from the server group to the client (with SylinkDrop or direct import), on the client there is no green dot, and in the troubleshooting view the server is shown as Offline and I have no Policy serial number. At the same time on the server, this client appears with a green dot in the computer list, but after a few seconds the green dot disappears, though the client is still present.

    Client version is SEP 11.0.4.202.75 and this client is also the domain server with dhcp and dns server.
    Server version is 11.0.4202.75

    I use LiveUpdate to update all the definitions and product versions.

    There is no firewall on either side. I have tried:
    • ping both ways with hostname or IP --> Ok
    • telnet from the client to the server on the port 8014 --> Ok
    • http://192.168.0.1:8014/secars/secars?hello,secars --> OK
    • http://SEPSERVER:8014/secars/secars?hello,secars --> The page cannot be displayed with and without proxy

    I have launched SEP Support Tool v1.0.1090 and one error appears:

    Can Symantec Endpoint Protection communicate with its Symantec Endpoint Protection Manager?

    The Secars communication test failed for these consoles:
    Site Port Http Code Error
    192.168.0.1 8014 502

    None of the listed Management servers have a DNS error.

    The Secars communication test worked with these servers:
    Site Port Http Code Error
    192.168.0.1 8014 200
    SEPSERVER 8014 200


    I have also launched SylinkMonitor when I manually update the client, and I have:

    07/30 16:44:02 [5836] <ScheduleNextUpdate>Manually assigned heartbeat=1 seconds
    07/30 16:44:40 [5356] <CSyLink::mfn_DownloadNow()>
    07/30 16:44:40 [5356] </CSyLink::mfn_DownloadNow()>
    07/30 16:45:40 [5356] <CSyLink::mfn_DownloadNow()>
    07/30 16:45:40 [5356] </CSyLink::mfn_DownloadNow()>
    07/30 16:46:40 [5356] <CSyLink::mfn_DownloadNow()>
    07/30 16:46:40 [5356] </CSyLink::mfn_DownloadNow()>
    07/30 16:47:40 [5356] <CSyLink::mfn_DownloadNow()>
    07/30 16:47:40 [5356] </CSyLink::mfn_DownloadNow()>
    07/30 16:48:40 [5356] <CSyLink::mfn_DownloadNow()>
    07/30 16:48:40 [5356] </CSyLink::mfn_DownloadNow()>
    07/30 16:49:41 [5356] <CSyLink::mfn_DownloadNow()>
    07/30 16:49:41 [5356] </CSyLink::mfn_DownloadNow()>

    I have also checked in the database with dbisqlc.exe whether there are duplicate names in tables SEM_COMPUTER and SEM_CLIENT, but found nothing.

    Do you have any idea?

    Thank you

    Attachment(s)

    txt
    log.txt   220 KB 1 version


  • 2.  RE: SEP Client Offline without green dot [Solved]

    Posted Jul 30, 2009 11:10 AM
    Hi,

    I'd like to see a longer piece of the sylink.log. Enable it on the client, right click on the yellow shield of SEP and select "update policies", in this way the communication is triggered and logged. Log it for some minutes and attach it to the discussion.

    Are there other symptoms like a high CPU usage by SEP processes? In this client, is the SEP installation fresh or migrated by another release? Why did you need to replace the sylink.xml? Were there other issues/needs or you just tried to fix this one?

    Regards,


  • 3.  RE: SEP Client Offline without green dot [Solved]

    Posted Jul 30, 2009 12:58 PM
    Can you post the entire Sylink Monitor output? There should be evidence of why the client is not communicating with the Policy Manager inside the output. The fact that you can ping to the Policy Manager is evidence that there is connectivity between the two. You didn't say why you replaced the sylink file. Was it working before? I would also look inside the sylink.xml file to determine if the ip address for the Policy Manager is correct.


  • 4.  RE: SEP Client Offline without green dot [Solved]

    Posted Jul 30, 2009 01:09 PM
    Check for the registry entries.

    1. HKCU\SOFTWARE\Microsoft\Windows\Currentversion\Internet settings: click on the Internet settings key and check for the key called "ProxyEnable". If it is set to 1, change it to 0. Also check whether there is a registry value called "GlobalUserOffline"; if it is present, change the value of the DWORD to 0.

    2. Now expand the Internet settings key, take a backup of the "Connections" key, and delete the entire key.

    3. Check HKU\.Default\SOFTWARE\Microsoft\Windows\Currentversion\Internet settings: click on the Internet settings key and check for the key called "ProxyEnable". If it is set to 1, change it to 0. Also check whether there is a registry value called "GlobalUserOffline"; if it is present, change the value of the DWORD to 0.

    4. Expand the "Internet settings" key in the above location, take a backup of the "Connections" key, and delete the entire key.

    5. Reboot the machine.


  • 5.  RE: SEP Client Offline without green dot [Solved]

    Posted Jul 30, 2009 01:11 PM
    If the above does not work then post the entire sylinkmonitor logs.


  • 6.  RE: SEP Client Offline without green dot [Solved]

    Posted Jul 31, 2009 04:37 AM
    Thank you all for your answers.

    The client is a Windows 2003 Server Enterprise Edition SP2. There is no high CPU, everything is normal. It is a fresh install and it was working a week ago (the green dot was there).
    I replaced sylink.xml hoping that it would solve the issue. For this I switched the client to unmanaged, deleted the entry on the server and finally imported the sylink.xml from the server. In the sylink.xml the hostname and IP are correct.

    There is no other issue on this client.
    This client needs the proxy enabled in IE in order to manually use LiveUpdate.

    Kedarnath --> I have checked the registry key; there is no "GlobalUserOffline" key, and "ProxyEnable" depends on the proxy setting in IE. I cannot reboot now because it is a critical server, so I have to wait until tonight. I will delete "Connections" just before the reboot.

    Sylinkmonitor logs are always the same, even if I wait for hours:

    07/31 09:45:46 [5356] <CSyLink::mfn_DownloadNow()>
    07/31 09:45:46 [5356] </CSyLink::mfn_DownloadNow()>
    07/31 09:46:46 [5356] <CSyLink::mfn_DownloadNow()>
    07/31 09:46:46 [5356] </CSyLink::mfn_DownloadNow()>
    07/31 09:47:46 [5356] <CSyLink::mfn_DownloadNow()>
    07/31 09:47:46 [5356] </CSyLink::mfn_DownloadNow()>
    07/31 09:48:46 [5356] <CSyLink::mfn_DownloadNow()>
    07/31 09:48:46 [5356] </CSyLink::mfn_DownloadNow()>
    07/31 09:49:46 [5356] <CSyLink::mfn_DownloadNow()>
    07/31 09:49:46 [5356] </CSyLink::mfn_DownloadNow()>
    07/31 09:50:46 [5356] <CSyLink::mfn_DownloadNow()>
    07/31 09:50:46 [5356] </CSyLink::mfn_DownloadNow()>
    07/31 09:51:47 [5356] <CSyLink::mfn_DownloadNow()>
    07/31 09:51:47 [5356] </CSyLink::mfn_DownloadNow()>
    07/31 09:52:47 [5356] <CSyLink::mfn_DownloadNow()>
    07/31 09:52:47 [5356] </CSyLink::mfn_DownloadNow()>
    07/31 09:53:47 [5356] <CSyLink::mfn_DownloadNow()>
    07/31 09:53:47 [5356] </CSyLink::mfn_DownloadNow()>
    07/31 09:54:47 [5356] <CSyLink::mfn_DownloadNow()>
    07/31 09:54:47 [5356] </CSyLink::mfn_DownloadNow()>
    07/31 09:55:47 [5356] <CSyLink::mfn_DownloadNow()>
    07/31 09:55:47 [5356] </CSyLink::mfn_DownloadNow()>

    Sylink log when I launch a manual update:

    07/31 09:30:46 [4264:4468] Update ProfileNow Request has been sent
    07/31 09:34:08 [4264:2744] Saving SMC State
    07/31 09:34:08 [4264:2744] chmod on file C:\Program Files\Symantec\Symantec Endpoint Protection\SerState.dat to read/write.
    07/31 09:34:08 [4264:2744] C:\Program Files\Symantec\Symantec Endpoint Protection\StdDef.dat: Not found.
    07/31 09:34:08 [4264:2744] C:\Program Files\Symantec\Symantec Endpoint Protection\trojan.dat: Not found.
    07/31 09:38:24 [4264:2744] Saving SMC State
    07/31 09:38:24 [4264:2744] chmod on file C:\Program Files\Symantec\Symantec Endpoint Protection\SerState.dat to read/write.
    07/31 09:38:24 [4264:2744] C:\Program Files\Symantec\Symantec Endpoint Protection\StdDef.dat: Not found.
    07/31 09:38:24 [4264:2744] C:\Program Files\Symantec\Symantec Endpoint Protection\trojan.dat: Not found.
    07/31 09:42:40 [4264:2744] Saving SMC State
    07/31 09:42:40 [4264:2744] chmod on file C:\Program Files\Symantec\Symantec Endpoint Protection\SerState.dat to read/write.
    07/31 09:42:40 [4264:2744] C:\Program Files\Symantec\Symantec Endpoint Protection\StdDef.dat: Not found.
    07/31 09:42:40 [4264:2744] C:\Program Files\Symantec\Symantec Endpoint Protection\trojan.dat: Not found.
    07/31 09:46:56 [4264:2744] Saving SMC State
    07/31 09:46:56 [4264:2744] chmod on file C:\Program Files\Symantec\Symantec Endpoint Protection\SerState.dat to read/write.
    07/31 09:46:56 [4264:2744] C:\Program Files\Symantec\Symantec Endpoint Protection\StdDef.dat: Not found.
    07/31 09:46:56 [4264:2744] C:\Program Files\Symantec\Symantec Endpoint Protection\trojan.dat: Not found.
    07/31 09:51:12 [4264:2744] Saving SMC State
    07/31 09:51:12 [4264:2744] chmod on file C:\Program Files\Symantec\Symantec Endpoint Protection\SerState.dat to read/write.
    07/31 09:51:12 [4264:2744] C:\Program Files\Symantec\Symantec Endpoint Protection\StdDef.dat: Not found.
    07/31 09:51:12 [4264:2744] C:\Program Files\Symantec\Symantec Endpoint Protection\trojan.dat: Not found.
    07/31 09:55:28 [4264:2744] Saving SMC State
    07/31 09:55:28 [4264:2744] chmod on file C:\Program Files\Symantec\Symantec Endpoint Protection\SerState.dat to read/write.
    07/31 09:55:28 [4264:2744] C:\Program Files\Symantec\Symantec Endpoint Protection\StdDef.dat: Not found.
    07/31 09:55:28 [4264:2744] C:\Program Files\Symantec\Symantec Endpoint Protection\trojan.dat: Not found.

    Here is the full log:

    07/30 16:03:34 [4640:5616] <SyLink>[MakeRegisterData] registration Hardware Key=787201CD204FC0554F9C650ED1567CFF
    07/30 16:03:34 [4640:5616] AH: Setting the Browser Session end option & Resetting the URL session ..
    07/30 16:03:34 [4640:5616] <ParseHTTPStatusCode:>200=>200 OK
    07/30 16:03:34 [4640:5616] <SendRegistrationRequest:>Lock proxy setting 1
    07/30 16:03:34 [4640:5616] <SyLink>[SendRegsitrationRequest] Request Result= 0
    07/30 16:04:02 [4640:6080] DnsHelper: update DNS ServerList
    07/30 16:05:07 [4640:6080] DnsHelper: update DNS ServerList
    07/30 16:07:12 [4640:6080] DnsHelper: update DNS ServerList
    07/30 16:07:47 [4640:4940] Saving SMC State
    07/30 16:07:47 [4640:4940] chmod on file C:\Program Files\Symantec\Symantec Endpoint Protection\SerState.dat to read/write.
    07/30 16:07:47 [4640:4940] C:\Program Files\Symantec\Symantec Endpoint Protection\StdDef.dat: Not found.
    07/30 16:07:47 [4640:4940] C:\Program Files\Symantec\Symantec Endpoint Protection\trojan.dat: Not found.
    07/30 16:11:17 [4640:6080] DnsHelper: update DNS ServerList
    07/30 16:12:03 [4640:4940] Saving SMC State
    07/30 16:12:03 [4640:4940] chmod on file C:\Program Files\Symantec\Symantec Endpoint Protection\SerState.dat to read/write.
    07/30 16:12:03 [4640:4940] C:\Program Files\Symantec\Symantec Endpoint Protection\StdDef.dat: Not found.
    07/30 16:12:03 [4640:4940] C:\Program Files\Symantec\Symantec Endpoint Protection\trojan.dat: Not found.
    07/30 16:13:30 [4640:5052] LUMan: Scheduled LU sleep timeout, checking schedule...

    07/30 16:13:30 [4640:5052] LUMan: ScheduledLuThread() current time 16:13:30

    07/30 16:13:30 [4640:5052] LUMan: ScheduleUpdateWatcherProc() delay: 179 mins; interval: 1440 mins

    07/30 16:16:19 [4640:4940] Saving SMC State
    07/30 16:16:19 [4640:4940] chmod on file C:\Program Files\Symantec\Symantec Endpoint Protection\SerState.dat to read/write.
    07/30 16:16:19 [4640:4940] C:\Program Files\Symantec\Symantec Endpoint Protection\StdDef.dat: Not found.
    07/30 16:16:19 [4640:4940] C:\Program Files\Symantec\Symantec Endpoint Protection\trojan.dat: Not found.
    07/30 16:16:42 [4640:936] Service : Start Stopping Service
    07/30 16:16:42 [4640:936] Waiting for the service to stop
    07/30 16:16:42 [4640:3744] Service is shutting down
    07/30 16:16:42 [4640:3744] AVMan: Entering ReceiveMessage with msg id 458754
    07/30 16:16:42 [4640:3744] AVMan: Disabled event forwarding.
    07/30 16:16:42 [4640:3744] AVMan: Leaving ReceiveMessage
    07/30 16:16:42 [4640:3744] LUMan: Entering ReceiveMessage with message id 458754

    07/30 16:16:42 [4640:3744] LUMan: CMC notified LuMan that it is stopping

    07/30 16:16:42 [4640:3744] WMIStatus: failed to initialize COM-2147217394
    07/30 16:16:42 [4640:3744]
    ****** WMI sets disabled flag failed ******


  • 7.  RE: SEP Client Offline without green dot [Solved]

    Posted Jul 31, 2009 04:42 AM
    I have attached the full log to the first post.


  • 8.  RE: SEP Client Offline without green dot [Solved]

    Posted Jul 31, 2009 05:00 AM
    The log you have attached does not look like a sylink log; it does not have any of the "Check Point" entries of a heartbeat.
    Please open the sylinkmonitor. Don't wait for hours; as I suggested, you can trigger the communication with "update policies", and the heartbeat will run with its expected Check Points. Post it.

    Regards,


  • 9.  RE: SEP Client Offline without green dot [Solved]

    Posted Jul 31, 2009 05:04 AM
    How to use Sylinkmonitor:

    http://service1.symantec.com/support/ent-security.nsf/docid/2007456519454798

    read the note for MR3 and greater releases.

    Regards,




  • 10.  RE: SEP Client Offline without green dot [Solved]

    Posted Jul 31, 2009 05:31 AM
    I have followed the procedure and at the end I launched a manual update.

    07/31 11:20:13 [4208] SyLinkDeleteConfig => Deleting instance: 01021050
    07/31 11:20:13 [4208] <PostEvent>going to post event=EVENT_SYLINK_CONFIG_SETTING_CHANGED
    07/31 11:20:13 [4208] <PostEvent>done post event=EVENT_SYLINK_CONFIG_SETTING_CHANGED, return=0
    07/31 11:20:13 [4208] <Stop>Stopping SyLink module...
    07/31 11:20:13 [5356] <IsToStop:>stopping
    07/31 11:20:13 [5356] <IsToStop:>stopping
    07/31 11:20:13 [5356] <MainThreadProc:>***** Main Thread Exit ****
    07/31 11:20:13 [4208] HEARTBEAT RUN TIME=68316sec
    07/31 11:20:43 [4208] <StopHbThread>ERR to stop Heartbeat Thread
    07/31 11:20:43 [4208] <StopHbThread>Heartbeat thread stopped, Heartbeat=1
    07/31 11:20:43 [4208] <CDownloadManager::mfn_StopDownload()>
    07/31 11:20:44 [4208] </CDownloadManager::mfn_StopDownload()>
    07/31 11:20:44 [4208] <Stop>Switch the new setting.
    07/31 11:20:44 [4208] Importing ConfigObject: 010C9E90 into: 010C79A8
    07/31 11:20:44 [4208] SyLinkDeleteConfig => Deleting instance: 010C9E90
    07/31 11:20:44 [4208] Write to registry UserGUID=0
    07/31 11:20:44 [4208] <Stop>Stopped!
    07/31 11:20:44 [4208] SyLinkDeleteInstance => Deleting instance: 010AB058
    07/31 11:20:44 [4208] <PostEvent>stopping...ignore event ID=EVENT_SYLINK_CONFIG_SETTING_CHANGED
    07/31 11:20:44 [4208] <Stop>Not started yet!.
    07/31 11:20:44 [4208] SyLinkDeleteConfig => Deleting instance: 010C79A8
    07/31 11:20:44 [4208] SyLink object is deleted !
    07/31 11:20:44 [4208] <CDownloadManager::mfn_StopDownload()>
    07/31 11:20:44 [4208] </CDownloadManager::mfn_StopDownload()>

    read error, exit
    07/31 11:21:07 [4564] ~~~Sylink log started. (SEP Product Version in registry: 11.0.4202.75, Sylink File Version: 11.0.4202.51)
    07/31 11:21:07 [4564] Stored HostGUID=19C3F7B80A7B013C00964130F720B0C1; outlen=16
    07/31 11:21:07 [4564] <RestoreSettings>Stored UserGuid=0; outlen=2
    07/31 11:21:07 [4564] <mfn_DecodeSSN>Sygate-SSN=12
    07/31 11:21:07 [4564] <mfn_DecodeSSN>Read CSN=13
    07/31 11:21:07 [4564] <mfn_DecodeSSN>Sygate-SSN=30
    07/31 11:21:07 [4564] <mfn_DecodeSSN>Read CSN=31
    07/31 11:21:07 [4564] Product Type=2,Major Ver=5,Minor Ver=2,Platform ID=34,OSType=33882658
    07/31 11:21:07 [4564] OS=Windows Server 2003 family Enterprise Edition; number=5.2.3790
    07/31 11:21:07 [4564] SyLinkCreateInstance => Instance created: 010ADB90 Registry path: SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK
    07/31 11:21:07 [4564] <GetOnlineNicInfo>:Netport Count=1
    07/31 11:21:07 [4564] <GetOnlineNicInfo>:NicInfo<SSANICs><SSANIC Ip="192.168.0.2" Mac="00-13-72-60-8f-59" Gateway="10.123.1.1" SubnetMask="0.0.0.0"/></SSANICs>
    07/31 11:21:07 [4564] SyLinkCreateConfig => Created instance: 010CB9C0
    07/31 11:21:07 [4564] UseNewConfig => Created m_hNewConfig: 010CB9C0
    07/31 11:21:07 [4564] Importing ConfigObject: 010AC8E8 into: 010CB9C0
    07/31 11:21:07 [4564] Importing ConfigObject: 010AC8E8 into: 010C94D8
    07/31 11:21:07 [4564] <PostEvent>stopping...ignore event ID=EVENT_SYLINK_CONFIG_SETTING_CHANGED
    07/31 11:21:07 [4564] SSA packageType is set as 105
    07/31 11:21:07 [4564] SyLinkDeleteConfig => Deleting instance: 010AC8E8
    07/31 11:21:07 [4564] <SetHiStatus>HI status is changed to=3; reason=0; rule=Host Integrity check is disabled.
    Host Integrity policy has been disabled by the administrator.
    07/31 11:21:08 [4564] SyLinkCreateConfig => Created instance: 036211D0
    07/31 11:21:08 [4564] SetCurLocationName: Name is set to - Default
    07/31 11:21:08 [4564] SetCurLocationID: ID is set to -
    07/31 11:21:08 [4564] SyLinkCreateConfig => Created instance: 036158C8
    07/31 11:21:08 [4564] Importing ConfigObject: 036158C8 into: 010CB9C0
    07/31 11:21:08 [4564] Importing ConfigObject: 036158C8 into: 010C94D8
    07/31 11:21:08 [4564] <PostEvent>stopping...ignore event ID=EVENT_SYLINK_CONFIG_SETTING_CHANGED
    07/31 11:21:08 [4564] SyLinkDeleteConfig => Deleting instance: 036158C8
    07/31 11:21:08 [4564] SyLinkDeleteConfig => Deleting instance: 036211D0
    07/31 11:21:08 [5072] <ScheduleNextUpdate>Manually assigned heartbeat=1 seconds
    07/31 11:21:08 [5640] <ScheduleNextUpdate>Manually assigned heartbeat=1 seconds
    07/31 11:21:08 [4564] <CSyLink::Start()>
    07/31 11:21:08 [4564] <CSyLink::ImportConfigFile()>
    07/31 11:21:08 [4564] </CSyLink::ImportConfigFile()>
    07/31 11:21:08 [4564] <GetDomainHostName>msz_DomainName is taken from szDomainName
    07/31 11:21:08 [4564] <GetDomainHostName>DomainName (Final)=fr.net
    07/31 11:21:08 [4564] *********Netport Count=1
    07/31 11:21:08 [4564] Physical: eth1::00-13-72-60-8f-59::intel(r) pro/1000 mt network connection
    07/31 11:21:08 [4564] MAC=00-13-72-60-8f-59# Wireless=
    07/31 11:21:08 [4564] Hardwire String=00-13-72-60-8f-59#
    07/31 11:21:08 [5476] <ScheduleNextUpdate>Manually assigned heartbeat=3045936128 seconds
    07/31 11:21:08 [6108] <HeartbeatThreadProc:>Thread is about to begin..
    07/31 11:21:08 [5476] Successfully created the heartbeat thread
    07/31 11:21:08 [4564] <Start>Started, contact SMS every 300 seconds
    07/31 11:21:08 [4564] <PostEvent>going to post event=EVENT_SYLINK_CONFIG_SETTING_CHANGED
    07/31 11:21:08 [4564] <PostEvent>done post event=EVENT_SYLINK_CONFIG_SETTING_CHANGED, return=0
    07/31 11:21:08 [1304] <CExpBackoff::CExpBackoff()>
    07/31 11:21:08 [4564] </CSyLink::Start()>
    07/31 11:21:08 [1304] </CExpBackoff::CExpBackoff()>
    07/31 11:21:08 [4564] <SetClientAuth>Received new User/Domain from SMC.. User: suproot User Domain: FR
    07/31 11:21:08 [4564] <SetClientAuth>Getting RDNS Domain Name (user domain in AD setup)..
    07/31 11:21:09 [4564] <GetLoginRdnsDomain>DNS domain=fr.net
    07/31 11:21:09 [4564] <SetClientAuth>Setting the User Domain to RDNS Domain ..
    07/31 11:21:09 [4564] <SetClientAuth>Logged in user info set to: fr.net/suproot
    07/31 11:21:09 [4564] <SetClientAuth>Marking User Change Notify to redo registration..
    07/31 11:21:09 [6108] <CheckHeartbeatTimer>====== Heartbeat loop starts at 11:21:09 ======
    07/31 11:21:09 [6108] <GetOnlineNicInfo>:Netport Count=1
    07/31 11:21:09 [6108] <GetOnlineNicInfo>:NicInfo<SSANICs><SSANIC Ip="192.168.0.2" Mac="00-13-72-60-8f-59" Gateway="10.123.1.1" SubnetMask="0.0.0.0"/></SSANICs>
    07/31 11:21:10 [6108] <CalcAgentHashKey>:CH=CEEBC0240A7B013C00DBE4E594CDFB671ADSERVfr.net787201CD204FC0554F9C650ED1567CFF
    07/31 11:21:10 [6108] <CalcAgentHashKey>:CHKey=9DD36AD7C2C112739AE284E06A78EC2E
    07/31 11:21:10 [6108] <CalcAgentHashKey>:C=CEEBC0240A7B013C00DBE4E594CDFB671ADSERVfr.net
    07/31 11:21:10 [6108] <CalcAgentHashKey>:CKey=CC5BF9EF056306F5CA67B58455F0AE3D
    07/31 11:21:10 [6108] <CalcAgentHashKey>:UCH=CEEBC0240A7B013C00DBE4E594CDFB670suprootfr.netADSERVfr.net787201CD204FC0554F9C650ED1567CFF
    07/31 11:21:10 [6108] <CalcAgentHashKey>:UCHKey=A6333D026522837310679A9929E0D0C4
    07/31 11:21:10 [6108] <CalcAgentHashKey>:UC=CEEBC0240A7B013C00DBE4E594CDFB670suprootfr.netADSERVfr.net
    07/31 11:21:10 [6108] <CalcAgentHashKey>:UCKey=1B31438F05DF923CA69D203E1B60C52A
    07/31 11:21:10 [6108] <DoHeartbeat>HardwareID=787201CD204FC0554F9C650ED1567CFF
    07/31 11:21:10 [6108] <DoHeartbeat>CHKey=9DD36AD7C2C112739AE284E06A78EC2E
    07/31 11:21:10 [6108] <DoHeartbeat>CKey=CC5BF9EF056306F5CA67B58455F0AE3D
    07/31 11:21:10 [6108] <DoHeartbeat>UCHKey=A6333D026522837310679A9929E0D0C4
    07/31 11:21:10 [6108] <DoHeartbeat>UCKey=1B31438F05DF923CA69D203E1B60C52A
    07/31 11:21:10 [6108] <DoHeartbeat> Set heartbeat event
    07/31 11:21:10 [6108] Use new configuration
    07/31 11:21:10 [6108] <RegHeartbeatProc>====== Reg Heartbeat loop starts at 11:21:10 ======
    07/31 11:21:10 [6108] HEARTBEAT: Check Point 1
    07/31 11:21:10 [6108] <GetFirstSEMServer> Selecting a random server
    07/31 11:21:10 [6108] <GetFirstServer> Using server '192.168.0.1'
    07/31 11:21:10 [6108] HEARTBEAT: Check Point 2
    07/31 11:21:10 [6108] <PostEvent>going to post event=EVENT_SERVER_CONNECTING
    07/31 11:21:10 [6108] <PostEvent>done post event=EVENT_SERVER_CONNECTING, return=0
    07/31 11:21:10 [6108] HEARTBEAT: Check Point 3
    07/31 11:21:10 [6108] <RegHeartbeatProc>Setting the session timeout on Profile Session (Registration) to 30000
    07/31 11:21:10 [6108] HEARTBEAT: Check Point 4
    07/31 11:21:10 [6108] <RegHeartbeatProc>===Registration STAGE===
    07/31 11:21:10 [6108] <MakeRegisterData:>logon id (domain/user)=fr.net/suproot

    read error, exit
    07/31 11:21:10 [5072] SyLinkCreateConfig => Created instance: 0367FA50
    07/31 11:21:10 [5072] Importing ConfigObject: 010C94D8 into: 0367FA50
    07/31 11:21:10 [5072] SyLinkDeleteConfig => Deleting instance: 0367FA50
    07/31 11:21:10 [6108] <SendRegistrationRequest:>SMS return=200
    07/31 11:21:10 [6108] <ParseHTTPStatusCode:>200=>200 OK
    07/31 11:21:10 [6108] <SendRegistrationRequest:>Content Lenght => 350
    07/31 11:21:10 [6108] HTTP returns status code=200
    07/31 11:21:10 [6108] <SendRegistrationRequest:>RECEIVE STAGE COMPLETED
    07/31 11:21:10 [6108] <SendRegistrationRequest:>COMPLETED, returned 0
    07/31 11:22:08 [5476] <CSyLink::mfn_DownloadNow()>
    07/31 11:22:08 [5476] </CSyLink::mfn_DownloadNow()>
    07/31 11:22:33 [4580] <ScheduleNextUpdate>Manually assigned heartbeat=1 seconds
    07/31 11:23:09 [5476] <CSyLink::mfn_DownloadNow()>
    07/31 11:23:09 [5476] </CSyLink::mfn_DownloadNow()>



  • 11.  RE: SEP Client Offline without green dot [Solved]

    Posted Jul 31, 2009 09:23 AM
    Are there other symptoms like a high CPU usage by SEP processes? In this client, is the SEP 11.0.4202 installation fresh or migrated by another release? Why did you need to replace the sylink.xml? Were there other issues/needs or you just tried to fix this one? What is the IP address of this PC?


  • 12.  RE: SEP Client Offline without green dot [Solved]

    Posted Jul 31, 2009 09:40 AM
    same issue here. Case Detail: 320-212-974


  • 13.  RE: SEP Client Offline without green dot [Solved]

    Posted Jul 31, 2009 09:57 AM
    Do you have these symptoms?

    After Migrating to MR4 MP2 smc.exe raises to 100% (or 50% on dual core) and keeps it all the time.
    SEP is not able to connect to the SEPM.
    CleanWipe and reinstall the SEP client (same version) does not help.
    Going back to previous version resolves the issue.
    May occur only when connected over VPN.

    BR,




  • 14.  RE: SEP Client Offline without green dot [Solved]

    Posted Jul 31, 2009 10:24 AM
    SMC.exe continually uses 25% of the CPU and 22 Mb of memory. It is a quad-core. So your idea is good.
    Is there a patch to solve this? I am on an MR4 version. Which older version is good?



  • 15.  RE: SEP Client Offline without green dot [Solved]

    Posted Jul 31, 2009 11:52 AM
    May I ask if you have a firewall enabled in the network environment where your client is located?


  • 16.  RE: SEP Client Offline without green dot [Solved]
    Best Answer

    Posted Jul 31, 2009 12:19 PM
    Your sylink log says you are on SEP 11.0.4202 (MR4 MP2) (07/31 11:21:07 [4564] ~~~Sylink log started. (SEP Product Version in registry: 11.0.4202.75, Sylink File Version: 11.0.4202.51)).
    Your issue seems related only to this release.
    Try to downgrade to 11.0.4000 (MR4).

    Here are some other short term workarounds:
    install an unmanaged client
    change the default gateway on the affected client to an address that exists on the client's subnet.
    if using a VPN connection, enable the VPN to use a VPN supplied default gateway instead of using the local physical adapter's gateway.

    Symantec is still investigating to fix this issue.

    Regards,
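
The checks discussed in this thread (product build, heartbeat Check Points, registration status, and whether the default gateway sits on the client's own subnet) can be pulled out of a sylink log automatically. This is an added example, not part of the original posts or Symantec tooling; the function names are hypothetical, and the /24 prefix is an assumption because the log reports SubnetMask="0.0.0.0".

```python
import ipaddress
import re

# Constructed sample: a few lines copied from the sylink log quoted in this thread.
SAMPLE_LOG = """\
07/31 11:21:07 [4564] ~~~Sylink log started. (SEP Product Version in registry: 11.0.4202.75, Sylink File Version: 11.0.4202.51)
07/31 11:21:09 [6108] <GetOnlineNicInfo>:NicInfo<SSANICs><SSANIC Ip="192.168.0.2" Mac="00-13-72-60-8f-59" Gateway="10.123.1.1" SubnetMask="0.0.0.0"/></SSANICs>
07/31 11:21:10 [6108] HEARTBEAT: Check Point 1
07/31 11:21:10 [6108] <GetFirstServer> Using server '192.168.0.1'
07/31 11:21:10 [6108] HEARTBEAT: Check Point 2
07/31 11:21:10 [6108] HEARTBEAT: Check Point 3
07/31 11:21:10 [6108] HEARTBEAT: Check Point 4
07/31 11:21:10 [6108] <SendRegistrationRequest:>SMS return=200
07/31 11:22:08 [5476] <CSyLink::mfn_DownloadNow()>
"""

VERSION_RE = re.compile(r"SEP Product Version in registry: (\d+\.\d+\.\d+)")
NIC_RE = re.compile(
    r'<SSANIC Ip="([^"]+)" Mac="[^"]*" Gateway="([^"]*)" SubnetMask="([^"]*)"'
)
CHECKPOINT_RE = re.compile(r"HEARTBEAT: Check Point (\d+)")
SMS_RE = re.compile(r"SMS return=(\d+)")

# Build that the best answer in this thread ties the problem to (MR4 MP2).
AFFECTED_BUILD = "11.0.4202"


def gateway_on_subnet(ip, gateway, mask, assumed_prefix=24):
    """Return True if the default gateway lies inside the client's own subnet."""
    # The log reports SubnetMask="0.0.0.0", which is unusable, so the prefix
    # length falls back to assumed_prefix (an assumption, not a logged value).
    suffix = mask if mask and mask != "0.0.0.0" else str(assumed_prefix)
    network = ipaddress.ip_network(f"{ip}/{suffix}", strict=False)
    return ipaddress.ip_address(gateway) in network


def triage(log_text, assumed_prefix=24):
    """Summarise the sylink log fields this thread uses for diagnosis."""
    report = {"version": None, "affected_build": False, "nics": [],
              "last_checkpoint": 0, "registration_status": None}
    seen = set()  # NicInfo lines repeat on every heartbeat; report each NIC once
    for line in log_text.splitlines():
        if (m := VERSION_RE.search(line)):
            report["version"] = m.group(1)
            report["affected_build"] = m.group(1) == AFFECTED_BUILD
        for ip, gw, mask in NIC_RE.findall(line):
            if not gw or (ip, gw) in seen:
                continue
            seen.add((ip, gw))
            report["nics"].append({
                "ip": ip,
                "gateway": gw,
                "gateway_on_subnet": gateway_on_subnet(ip, gw, mask, assumed_prefix),
            })
        if (m := CHECKPOINT_RE.search(line)):
            report["last_checkpoint"] = max(report["last_checkpoint"], int(m.group(1)))
        if (m := SMS_RE.search(line)):
            report["registration_status"] = int(m.group(1))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A client on the 11.0.4202 build whose reported gateway is off its own subnet matches the condition the gateway workaround above addresses.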






  • 17.  RE: SEP Client Offline without green dot [Solved]

    Posted Aug 03, 2009 08:50 AM

    Giuseppe -->I will try to downgrade to MR4.
    Thank you for the workarounds but for now I can't do it because it is a critical server.

    Peterpan --> The only firewall is the network threat protection of SEP.


  • 18.  RE: SEP Client Offline without green dot [Solved]

    Posted Aug 03, 2009 09:06 AM

    You mentioned that your client is reported in the manager
    Delete that client from the group
    go to clients tab
    click on policies tab on the right-hand side
    click on general settings
    click on security settings
    uncheck the require secure communication option for your server group

    go to E:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent

    take a sylink file

    and replace this file to your client after deleting sylink.bak from the same folder

    do smc -start this should have a green dot stable..

    Rafeeq

     



  • 19.  RE: SEP Client Offline without green dot [Solved]

    Posted Aug 25, 2009 08:26 AM
    Rafeeq --> It doesn't work

    Giuseppe --> I have downgraded to 11.0.4000 (MR4) and it works!!!

    Thank you all for your help. It finally works.