SEP clients unable to connect to SEPM after restoring database

Created: 07 May 2014 • Updated: 29 May 2014 | 11 comments
kplem's picture
This issue has been solved. See solution.

Greetings all,

I have a pretty serious problem here.

I am currently doing a migration of the SEPM 12.1 to a new server with new IP & hostname. However, after the restoration was completed, the clients are not able to connect back to the new SEPM at all. I have used the recovery file and the site management list has included the new server IP as well.

When I export a package and install the SEP onto the server together with the SEPM, even locally the client cannot communicate with the SEPM.

My old setup was upgraded from SEP 11 to 12.1 and hence the IIS was still on. The clients are using 443 to connect to the IIS, where the IIS will then forward the request to the SEPM Apache using the default port 8014.

My new setup will be using Apache port 443 directly to communicate with the clients.

Has anyone encountered this issue before? I am suspecting this is due to the previous setup using IIS and also something to do with the SSL cert.

.Brian's picture

If you replace the sylink on one affected client, does it connect?

You followed the steps in example 3 from here?

How to move Symantec Endpoint Protection Manager from one server to another server

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

kplem's picture

Hi,

No, even when I replace the sylink, it does not work at all. I exported a new package from the SEPM and installed it locally. Even that does not work. And yes, I followed the method to restore the database using the recovery file. The SEPM is up and running but no clients can connect to it.

.Brian's picture

Is there a firewall in between clients/SEPM?

Enable sylink debugging to see what's going on:

How to enable Sylink debugging for the Symantec Endpoint Protection 11.x and 12.1 client in the Windows Registry

kplem's picture

They are in the same VLAN. My server is hardened though. I will get my AD to un-harden it first. But the problem is that even the local SEP client on the SEPM server is not able to connect. I don't think that is related to the firewall though.

James007's picture

Did you select "Remove all previous logs and policies, and reset the client-server communications settings"?

How to point clients to a new SEPM after decommissioning or replacing the primary SEPM.

Article:TECH92556 | Created: 2009-01-24 | Updated: 2012-06-21 | Article URL http://www.symantec.com/docs/TECH92556
chin_aust's picture

Replace the sylink for communication

Restoring client-server communications with Communication Update Package Deployment

Article:HOWTO81109  |  Created: 2012-10-24  |  Updated: 2013-10-07  |  Article URL http://www.symantec.com/docs/HOWTO81109
SMLatCST's picture

Presumably, if your old SEPM was communicating over 443 with the clients, then the current MSL and any exported clients will do the same.

To that end, can you confirm that your new SEPM is actually configured to listen and communicate with clients on port 443?

Instructions on how to set this up can be found below (please ensure you use this method, and haven't just added port 443 into the normal httpd.conf file, which I've seen happen):
http://www.symantec.com/docs/TECH162326

Assuming you've been through all that, can you have a look through the "error-<timezone>.log" under "<Program Files>\Symantec\Symantec Endpoint Protection Manager\apache\logs" of your SEPM?

kplem's picture

Hi all,

Thanks for the resolutions provided so far. However, I have tried all methods such as replacing sylink just to test connectivity, but to no avail. My scenario is a bit unusual: I have over 50,000 clients to swing over seamlessly to the new SEPM. The old SEPM currently resides in an old network which is going to get torn down after the migration. I have tested in my lab before and there was no issue. But 1 thing that I missed in my test lab is that I did not take IIS into consideration, so I am not sure if it has anything to do with that. On the SEP logs, I saw an error that states unable to find SSL libraries. This error occurs in the SEP client where SEPM is installed, which means even locally the SEP client could not communicate with the SEPM. I am going to un-harden the server later on and hope that is the root cause.

kplem's picture

Hi all,

I have managed to get the root cause. My SEPM has been listening on http 443 instead of https 443. I further verified that by exporting a sylink with http 443, and the client communication is now successful.

I followed the tech guide http://www.symantec.com/docs/TECH162326. However, after modifying the httpd config file, the SEPM services are unable to start. I have already changed the communication port back to 8014 and have verified that port 443 is now free on the server. What other things can I do to check the configuration? Am I missing something?

SMLatCST's picture

I'm glad to hear my hunch was right on the money. Like I said, I've seen it happen before as I did the same myself when 12.1 first came out.

Reversing the changes should be all that's needed, but as it's not working for you I think the quickest resolution at this point is to just .old the httpd.conf file and run a repair of the SEPM.

SOLUTION
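
The root cause found in this thread (Apache answering plain HTTP on port 443 because the port was only added as a `Listen` line) can be spotted by reading the configuration. The following is an added example, not part of the original thread or of Symantec's tooling: it reports, for each `Listen` port in an Apache config, whether any `SSLEngine on` covers it. Both config samples are constructed for illustration, and `Include` files are not followed.

```python
import re

# Constructed sample: port 443 added to the main config, no TLS behind it.
WEAK_CONF = """\
Listen 8014
Listen 443
<VirtualHost *:8014>
    DocumentRoot "htdocs"
</VirtualHost>
"""

# Constructed sample: port 443 served by a virtual host with TLS enabled.
FIXED_CONF = """\
Listen 8014
Listen 0.0.0.0:443
<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
"""

def _port(addr):
    """'443', '*:443', '[::]:443' -> 443; a bare '*' or hostname -> None."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None

def audit_listeners(conf_text):
    """Map each Listen port to 'https' or 'http'. Include files are not followed."""
    listen, tls, tls_everywhere = [], set(), False
    vhost = None                      # ports of the enclosing <VirtualHost>, if any
    for raw in conf_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line or line.startswith("#"):
            continue
        if low.startswith("<virtualhost"):
            vhost = [_port(a) for a in line[12:].rstrip(">").split()]
        elif low.startswith("</virtualhost"):
            vhost = None
        elif re.match(r"listen\s+\S", low):
            listen.append(_port(line.split()[1]))
        elif re.match(r"sslengine\s+on\b", low):
            if vhost is None or None in vhost:
                tls_everywhere = True     # server-wide, or a vhost on every port
            else:
                tls.update(vhost)
    return {p: "https" if tls_everywhere or p in tls else "http"
            for p in listen if p is not None}

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_listeners(conf))
```

A port reported as `http` on 443 matches the symptom described above: clients built with an https sylink fail, while a sylink exported with http 443 connects.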