Hi,i need some guidence for troubleshooting.

Enviroment:Used SEPM 11.06 MR3 on Windows XP sp3 with 100 + clients runing SEP 11.06 MR3.The sever was fairly old so another server (new site) with replication was added in order to upgrade the enviroment to SEP 12.The replication went without problems,the groups,policies replciated.A new management server list was added and applied on all the groups puting the new server as the primary and the old server as secondary,all of the clients reported to the new server.On both the servers the repliaction partner was deleted and the new server was upgraded to SEPM 12.1.4,the upgrade went fine.

-After upgrading to SEPM 12.1.4 the clients disconect from the SEPM.This also hapend with two brand new instalations of SEP 12.1.4 with a brand new package exported from the SEPM.Aftter stoping and starting the SMC the server is online (GUI on the SEP client) for about 30-45 seconds,after that the server becomes offline and on the conection status on the SEP client GUI an HTTP error 503 is displayed.On the SEPM console the clients are reported as being online.

I noticed that when loging to the SEPM Java console a warning appeared that the certificate is not trusted,the certificate was instaled in the local computer store after which the warning disapeared.On the couple of cients the sylink.xml was replaced but the problem remained.The last thing i tried is turning off the security setting on the group level "enable secure comunication between the server and the clients by using digital certificates for authentication".After this setting was changed the clients that were tested did not conected to the SEPM not even for a second (after stoping and starting SMC).I had to leave the customer at thattime so i didnt had time to investigte further more.

Thanks in advnace

If you go to the client and look at Help >> Troubleshooting, what SEPM does it point to?

I would enable sylink logging to see the communication and what's going on

See here

http://www.symantec.com/docs/TECH104758

you can try two things, 1 ) re - run the management server configuraion wizard 

2) Admin - Servers - Local site, Rebuild the indexes, if the above two fails , please post the sylink llog

Hi,

1) Repair the SEPM through add/remove programs.

2) Run the secar test to test the connectivity.

3) Collect the sylink logs where sylink file is replaced, grab the data for min 15-20 minutes.

4)  Was IIS configured on any other custom port in RU6?

5) Stop the service on old server to see if it makes any difference.

Hi

Run the Management Wizard and observe

Regards

Hi JS

Regarding the sugestions:

2) The secar test returned ok (forgot to mention)

4) On the old server there was IIS 5 since is started as WIndows xp SP1 (not sure).If the issue is with custom ports will repairing the new SEP 12 server do the trick?

5) The services on the old server are stopped thats why the clients are offline after 30 seconds,befoe stopping the services the clinet were falling back to the old server (they were online with old server)

You can use Restoring client-server communications

Restoring client-server communications by using a client installation package

http://www.symantec.com/docs/HOWTO80762

SEP 12.1 RU2 and Reset Client Communication

https://www-secure.symantec.com/connect/articles/sep-121-ru2-and-reset-client-communication

Hi

Have you got a chance to run Managment Wizard console tool

Regards

Hi,

Start the services on old server, run the management server configuration wizard.

You will be able to see ports used by old SEPM

Compare it with the new SEPM.

If not helped, collect the slink logs from one of the affected systems & upload it here.

Hi

Thanks to all for the replies.I got the sylink debuging file using sylink monitor. (3 minutes in lenght).During those 3 minutes SMC was stoped and started after a while which resulted in conecting to the SEP and disconecting after a short period of time.I am ataching the log and i found these events quite intereting.

-This is from a SEP 12.1.4 that got upgraded from SEP 11 during the weekend (was placed in the upgrade group the previous friday and from time to time the client got conected to the SEPM)

please advice

Attachment(s)

sylink_log.txt   56 KB 1 version

Have you tried just replacing the sylink file with a new one from the SEPM?

Hi Brian

I am testing the problem on 3 SEP clients,on one of them the sylink was replaced via sylink drop (the problem remained)

-The second SEP cleint that i`am using did not had any SEP cleint previously,it is a fresh setup with SEP 12.1.4 exported from the server after the upgrade (same problem)

any proxy in place?

is IIS disabled?

and is there change in port ? what was the port used earlier (with SEP 11)?

IIS service on the new SEP (12) is runing but the deaulft web site is sopped.

IIS servcie on the old SEP is runing,default web site sopped,symantec web site (used by sep) is listening on port 8014 and runing 

Hi Biran

No proxy in place (never had one),the tested clients are in the same LAN/Subnet as the SEPM,the proxy information in the log is confusing for me too 

Hi,

With reference to an error: ParseHTTPStatusCode:>503=>503 SERVICE NOT AVAILABLE

Refer this article to verify the configuration.

http://www.symantec.com/docs/TECH174761

Thanks for the link,but the IIS on the old sep does not contain ant sep directories only

It seems that repairing the sepm is the only solution

Need to check if repair can help.

Just repaired the SEPM (using the recovery file) the repair was succesfull but the problem remains

Bad news, Total how many clients are there in the network?

Hi Chrisian 100 + clients are on the network,installing a brand new SEPM is an option but replacing the sylink will be dificult since a large number of pc`s have firewall,and i don want to disable it via GPO.

Hi,

It means SEP client is installed only with AV/AS and PTP features? NTP is not installed on those machines?

Did you try rebuilding the indexes as I mentioned earlier? The problem is with SEPM not getting the clients registered.

It happends with and wihout NTP installed.

One pc has all the features except outlook and lotus notess scanner

The other pc has only AV/AS and download protection installed

Hi,

Provide Operating System details where SEPM 12.1 RU4 is installed?

Is there any firewall/router between old SEPM and new SEPM?

Also try these steps:

Check for the registry entries.

1. HKCU\SOFTWARE\Microsoft\Windows\Currentversion\Internet settings Click on the internet setting key check for the keys called "ProxyEnable" if it is set to 1 then change it to 0 also check if there is a registry value called "GlobalUserOffline" if it is present change the value of the DWORD to 0
2. Now expand Internet settings key and take a backup of the "Connections" key, Delete the entire key

3. Check HKU\.Default\SOFTWARE\Microsoft\Windows\Currentversion\Internet settings Click on the internet setting key check for the keys called "ProxyEnable" if it is set to 1 then change it to 0 also check if there is a registry value called "GlobalUserOffline" if it is present change the value of the DWORD to 0

4. expand "Internet settings" key in the above said location and take a backup of the "Connections" key, Delete the entire key

5. Reboot the machine.

From the logs I see that its sending request to 

http://sep-pc:8014/  

this seems to be your old sepm.. so its obvious you will get 503.

Ideally Your Sylink file should not have this information...

it should only have new server..

when you export communication setting from your SEPM what information do you see..

on any affected machine open cmd prompt and type

proxycnf

does it show direct access or does it list any proxy info?

Windows XP SP 3 on Esxi 5.1  3 GB ram

No router/firewall between the old and the new SEPM ,nore between the clients that im testing

rebulding did no helped either

The old sep is still in the mgmt server list but under priority and since the clients disconetct from the new SEPM they try to contact the old one,whose symantec services are disabled

I thought so, Windows XP has a 10 concurrent connection limitation that has been built in by Microsoft.

Clients are receiving updates though they are showing offline in the console?

Check this article:

Best practices guide for installing the Symantec Endpoint Protection Manager (SEPM) on a Windows XP operating system.

http://www.symantec.com/docs/TECH91694

Hmm, create a new group in SEPM.

It should have only 1 MSL. Your New SEPM list Only

Export sylink from this group. Import on the client... post the Sylink log and also check the proxycfg cmd 

Hi

Thanks again for all the help so far.Most likely the problem is related due to a network problem,after analysing the traffic with wireshark i discovered dropped packets from the SEPM.Disabling the option for TCP Offloading on the NIC of the SEPM so far has best results.I am waiting for a confirmation from the customer.If that does not solve the problem Symantec Support will be contacted.I will let you know for the final result since this thread has many replies.

Hi

Just to confirm that the problem is solved and had nothing to do with SEPM.Disabling the options for offloading on the SEPM NIC solved the problem.The SEPM was running on Windows XP SP 3 on ESXi 5.1 and was connected to a Gigabit switch,hope this will help in any future troubleshooting since it took a lot of time for me to find the problem. 

Thanks for all the suggestions.

Thanks for the update, detaile information provided by you will be definitely helpful to others.

You can close this thread now.

Hi Chetan

Is there a way of closing a thread without using "mark as solution" ? I dont think that marking my own comment as a solution is professional :)

There is not any way to close a thread without using "mark as solution". However after certain period of time it will get lock automatically.

Hello. I have an open case with Symantec support on a simular issue. I upgrade SEP from 12.1.3. to 12.1.4 and added a 3rd SEPM server and now we have no clients showing in the console. our case is 05566870. We have been struggling with support. We have been told this is a bug with SEP 12.1.4. Can you confirm for me if it is in fact a known bug and if a fix is coming some?

It's perfectly acceptable to mark your own. It will help others find a solution should they encounter the same problem.