
SEP showing server offline


  • 1.  SEP showing server offline

    Posted Aug 09, 2012 09:14 AM

    Hello,

    Recently I had to do a reinstall of SEPM 11.0.6005.562 (on Windows SBS 2008). After this, obviously none of the SEP clients (all on Windows 7) would connect, so I created a new domain, added the old domain ID and recreated the old groups. After a refresh all the old clients showed up. However, on the client machine it says that the server is offline, and in SEPM it has the computer-off logo beside the clients. I can't replace the sylink file as no clients are currently connected. Also, when I tried to reinstall SEP from the SEPM it doesn't work either. The only thing I can guess it would be is that it is the folder permissions of D:\Program Files\Symantec\Symantec Endpoint Protection Manager. I don't think it is the firewall, as none of those settings have been touched since Symantec last worked.

    Here is an error log from one of the clients as well


    08/09 13:59:58 [1112:2020] <SyLink>[MakeRegisterData] registration Hardware Key=E1788A548FE70E182699A2808C9245F5
    08/09 13:59:58 [1112:2020] AH: Setting the Browser Session end option & Resetting the URL session ..
    08/09 13:59:58 [1112:2020] <ParseHTTPStatusCode:>500=>500 INTERNAL SERVER ERROR
    08/09 13:59:58 [1112:2020] <SyLink>ERR to query content length
    08/09 13:59:58 [1112:2020] <SyLink>[SendRegsitrationRequest] Request Result= 5
    08/09 13:59:58 [1112:2020] ###### Set ACSConnec offline
    08/09 13:59:58 [1112:2020] AVMan: Entering ReceiveMessage with msg id 262146
    08/09 13:59:58 [1112:2020] AVMan: Leaving ReceiveMessage
    08/09 13:59:58 [1112:2020] LUMan: Entering ReceiveMessage with message id 262146

    Help would really be appreciated as I am stuck at a loose end!



  • 2.  RE: SEP showing server offline

    Posted Aug 09, 2012 09:22 AM

    For any client/server communication issues always start with:

    Symantec Endpoint Protection: Troubleshooting Client/Server Connectivity

    http://www.symantec.com/business/support/index?page=content&id=TECH105894



  • 3.  RE: SEP showing server offline

    Trusted Advisor
    Posted Aug 09, 2012 09:26 AM

    Hello,

    Upon checking your Logs, we see this Error as below:

    08/09 13:59:58 [1112:2020] AH: Setting the Browser Session end option & Resetting the URL session ..
    08/09 13:59:58 [1112:2020] <ParseHTTPStatusCode:>500=>500 INTERNAL SERVER ERROR

    Check this Article and work on the steps provided in it.

    After migration to 11.0 RU7 clients are not updating or connecting - Sylink.log 500 internal server error

    http://www.symantec.com/docs/TECH168828

    OR / AND

    Possible Causes: Legacy proxy settings in the registry still persist after environmental changes on client machine.

    Solution

    The legacy proxy settings can be removed by performing the following steps:

    1.   Open the registry (Start->Run->type "regedit").

    2.  Go to HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

    3.  Delete the registry keys "DefaultConnectionSettings" and "SavedLegacySettings".

    4.  Reboot the machine.

    Note:  These registry keys will automatically regenerate after reboot of machine.

    This could also be caused by incorrect proxy server information in the following registry location: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings

    Removing the incorrect proxy info from this key and then rebooting allowed the client to communicate normally.

    One important thing to keep in mind is that any incorrect proxy information must also be removed from the following two locations as well:

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

    If the settings are not removed from these two keys, they will repopulate the Internet Settings key after every reboot.

    Remove the incorrect proxy information from all 3 registry locations noted above, then reboot.

    Just to add, in many of my cases, there was an issue with the System Account at User Proxy Level. They had to bypass the proxy on the server.

    Hope that helps!!



  • 4.  RE: SEP showing server offline

    Posted Aug 09, 2012 10:44 AM

    Client/server communications are all OK. I am not disabling the firewall as exceptions have been set up and it's worked fine for over a year.

    On the second solution, it doesn't work and I can't follow the IIS suggestion as I am running IIS 7 on Windows SBS 2008. I tried to delete the registry keys but this didn't help either.



  • 5.  RE: SEP showing server offline

    Trusted Advisor
    Posted Aug 09, 2012 11:53 AM

    Hello,

    This could possibly occur when the Symantec Web Server has its execution permission set to Script and Executable.

    Could you make sure the Symantec Web Server has its execution permission set to None or Read?

    By changing the permission to None, the client would be able to register with the SEPM and communicate as well.

    To change the permissions -

    1. Open the IIS Manager
    2. Go on sites and Click on the Symantec Web Server
    3. On the below  right hand side, double click on Handler Mappings.
    4. Go on the top right hand side and look for the Edit Feature Permission
    5. Set the permission to Read or None.

    Hope that helps!!

     



  • 6.  RE: SEP showing server offline

    Posted Aug 09, 2012 12:01 PM

    The permission already seems to be set up OK. However, when I tried to access the web-based console on one of the clients, after I clicked logon I got a window that appeared saying:

    server communication error

    (xhr.status:12019, xhr.statusText:Unknown, statusText:error)

    Would you like to refresh?

    with a yes or no option below

     



  • 7.  RE: SEP showing server offline

    Trusted Advisor
    Posted Aug 09, 2012 12:51 PM

    Hello,

    Please follow below steps :-

    1.)Open IIS Manager.

    2.)Right click on your application pool and select "Advanced Settings...".

    3.)Change "Enable 32-bit Application" to True.

    4.)Click "OK" to finish.

    5.)Restart IIS, which can be done by going to Start > Run, type IISRESET and click OK.

    Hope that helps!!



  • 8.  RE: SEP showing server offline

    Posted Aug 10, 2012 04:32 AM

    That doesn't work either. I just get a lot of errors in the event log and the SEPM service keeps stopping with error code 4096. Also, the server and clients are all 64-bit machines.



  • 9.  RE: SEP showing server offline

    Posted Aug 10, 2012 04:45 AM

    Hi,

    The manager is not supported on a Windows 7 system.

     

    Management Server

    Processor

    • Note: Itanium is not supported
    • Intel Pentium processor or compatible architecture (32-bit and 64-bit)
    Windows Operating Systems
    32-bit systems:
    • Windows 2000 Server, Advanced Server, Datacenter Server, Small Business Server with Service Pack 3 or later
    • Windows XP Professional with Service Pack 1 or later
    • Windows Server 2003 Standard Edition, Enterprise Edition, Datacenter Edition, Storage Edition, Web Edition, Small Business Server
    • Windows Server 2008 Standard, Windows Server 2008 Enterprise, Windows Server 2008 Datacenter, Windows Web Server 2008 (R2 and all Service Packs supported)
    64-bit systems:
    • Windows XP Professional with Service Pack 1 or later
    • Windows Server 2003 Standard Edition, Enterprise Edition, Datacenter Edition, Storage Edition, Web Edition, Small Business Server
    • Windows Server 2008 Standard, Windows Server 2008 Enterprise, Windows Server 2008 Datacenter, Windows Web Server 2008 (R2 and all Service Packs supported)
    • Windows Essential Business Server 2008 Standard Edition and Premium Edition (all Service Packs supported)
    • Windows Small Business Server 2008 Standard Edition and Premium Edition (all Service Packs supported)

    http://www.symantec.com/business/products/sysreq.j...

    https://www-secure.symantec.com/connect/forums/installing-sepm-windows-7

     



  • 10.  RE: SEP showing server offline

    Posted Aug 10, 2012 05:17 AM

    All clients are 64-bit and I am running SEPM on a 64-bit Windows SBS 2008 server, which I previously stated. Also, like I said before, I have had Symantec running for over a year and the current set-up is exactly the same; the SEP clients and SEPM server only stopped communicating when I reinstalled SEPM.

    I also ran the troubleshooter and got this message:

     

    Issue: The client cannot communicate with some or all of its Symantec Endpoint Protection Managers
    Overview: This reports the results of a secars test to the FQDN and IP address of the servers listed in sylink.xml. The tests have a timeout of 20 seconds for connection, send and receive functions.
    Product: Symantec Endpoint Protection
    Category: Status
    Subcategory: Communications
    Click for more -> Troubleshooting Client/Server Connectivity
    Status: Error

    Tests

    Error: The Secars communication test failed for these consoles:

    Site           Port   Http Code   Error
    LHRUK01        8014   0

    Information: Sylink.xml lists the following Symantec Endpoint Protection Manager:

    Priority   Address        DnsIP
    1          192.168.16.3   192.168.16.3
    1          LHRUK01        192.168.16.3

    Information: The registry value 'GlobalUserOffline' in the registry key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings was not found.

    Ok: None of the listed Management servers have a DNS error.

    Ok: The Secars communication test worked with these servers:

    Site           Port   Http Code   Error
    192.168.16.3   8014   200
    192.168.16.3   8014   200


    Also on the event log I can see this error:

    Source: Secars; Event ID: 4097

    Failed to start Radius Server.The radius port may be used by another process.



  • 11.  RE: SEP showing server offline

    Posted Aug 10, 2012 05:27 AM

     

    Can you perform a netstat -a to see if anything is listening on 1812?

    Check this forum.

    Check this article.

    http://www.symantec.com/business/support/index?page=content&id=TECH103105



  • 12.  RE: SEP showing server offline

    Posted Aug 10, 2012 05:50 AM

    I ran a netstat and nothing is listening on 1812.



  • 13.  RE: SEP showing server offline

    Posted Aug 10, 2012 08:13 AM

    Hi,

     

    Follow the below steps: 
     
    --Checked the client status: offline 
    --Took the backup of the registry 
    --Delete the following registry keys: 
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings 
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings 
    --Set the proxy enable in the registry to 0 under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings 
    --Uncheck the proxy setting option in the internet options settings. 
    --Reboot the system. 
    --Check the client status : online/reporting to the server 


  • 14.  RE: SEP showing server offline

    Posted Aug 10, 2012 08:33 AM

    Can't reboot (still office hours) so will only find out later if it works. I assume it's OK to do all that and do a reboot when everyone is away. Also, I'm guessing I change the registry settings on the server?



  • 15.  RE: SEP showing server offline

    Posted Aug 13, 2012 04:50 AM

    That didn't work either.



  • 16.  RE: SEP showing server offline

    Posted Aug 14, 2012 10:16 AM

    Thanks for the suggestions so far, but none of them have seemed to work. This has been a problem for a week and computers won't be getting up-to-date definitions now.

    Are there any more fixes? This is a problem that needs to be resolved.

    Attached is a screen print of the SEPM console and the SEP troubleshooting window. The policy numbers are correct and the clients are checking in regularly.



  • 17.  RE: SEP showing server offline

    Posted Aug 15, 2012 09:57 AM

    Please check in Sylink which port it's communicating on.

    Run the Management Server Wizard Console to change the port

    Regards

     



  • 18.  RE: SEP showing server offline

    Posted Aug 16, 2012 04:28 AM

    I looked at the sylink file and the port is as follows

    <Server HttpPort="8014" Address="192.168.16.3"/>
    
    <Server HttpPort="8014" Address="LHRUK01"/>

    And the other ports are -

    • Server Port - 8443
    • Web console port - 9090
    • Database server port - 2638

    So should the port number in sylink match one of the above three, if so which one?

    I also downloaded sylink monitor so please find attached the log from that (sylinkmonitor.txt) and also the client management debug log (debuglog.txt)

    This problem is starting to get very frustrating and I have been working on it for over a week now.

    Help is greatly appreciated!

    Attachment(s): debuglog_3.txt (42 KB), sylinkmonitor_2.txt (14 KB)


  • 19.  RE: SEP showing server offline

    Posted Aug 19, 2012 03:29 PM

    Hello Mr. Steven.

    Your logs show there is an HTTP 500 during registration. This means the client contacted SEPM (or, at least a web server) and SEPM said "Error!".
    Since this is a registration error, we know it is not a Certificate/Signature issue because the client checks that after it downloads the Index file -- but we haven't gotten to that stage yet.

    This type of issue sometimes happens when the client sends up some bad piece of information in the registration, or if something in the data didn't agree with the SEPM database. I would troubleshoot these types of issues by starting with the server.

    1) Check the scm-server-0.log file. You should be able to search for 500 or SEVERE. See if you can find any errors here. There should be an error about your client registration. It could be there is a Client ID mismatch, or encryption key mismatch.

    2) If you haven't found a useful error there, go to the Secars.log and Secreg.log. These should be located under inbox\logs. These should contain information about the registration error.

    Once you have this information, you should be armed with, or at least able to post, information about the actual registration issue. Again, it is usually some ID mismatch, or data indigestion.

    I hope that puts you on the right track. Please post the errors you find in the log files if you're not sure what the errors mean.



  • 20.  RE: SEP showing server offline

    Posted Aug 19, 2012 09:55 PM

    You can try creating a group, exporting Sylink.xml and replacing it on at least 1 or 2 systems, then check whether the systems update or not.

    You can raise a support ticket.

    http://www.symantec.com/support/assistance_care.jsp



  • 21.  RE: SEP showing server offline

    Posted Aug 20, 2012 07:01 AM

    Hello Ghent,

    The scm-server-0.log looks ok. I can't seem to find the secars.log or the secreg.log files. However I did find the log file exsecars.log. It looks slightly promising but I am unsure what the errors mean.

    08/20 11:13:46 [9448:7164] Secars ISAPI Starting

    08/20 11:13:46 [9448:7164] Failed to call bind! ErrorCode=10013, Port=1812
    08/20 11:13:46 [9448:7164] Secars ISAPI Started

    08/20 11:13:46 [9448:7164] StopServer Succeed.

    08/20 11:13:46 [9448:7164] StopServer Succeed.

    08/20 11:13:46 [9448:7164] Kcs=1C5F5124AD441F150CD7FCBEBBE1E472

    08/20 11:13:46 [9448:7164] StartServer Succeed.

    08/20 11:13:46 [9448:4424] Get CPU counter failed. Error code: 0xc0000bc6

    08/20 11:13:46 [9448:4424] Get memory counter failed. Error code: 0xc0000bc6

     

    Thanks for your help so far.



  • 22.  RE: SEP showing server offline

    Posted Aug 21, 2012 04:36 AM

    Please do the following and revert back

    1. Stop SMC using the "smc -stop" command. (Start > Run > "smc -stop" > Select OK)

    2. Empty the HardwareID registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink to blank.

    3. Delete or rename the file:  C:\Program Files\Common Files\Symantec Shared\HWID\sephwid.xml

    4. Start SMC using the "smc -start" command. (Start > Run > "smc -start" > Select OK)

     

    Regards

     

     

     

     

     


     

     



  • 23.  RE: SEP showing server offline

    Posted Aug 21, 2012 05:27 AM

    Thanks for the suggestion, but unfortunately that didn't work. The hardwareID changed in regedit and in the sephwid.xml file; however, the client is still saying the SEPM server is offline and vice versa.

    Regards

    James



  • 24.  RE: SEP showing server offline

    Posted Aug 21, 2012 07:46 AM

    When you said you recreated the servers and used the old domain ID, you only have one check fulfilled. Can you confirm that you also imported the old SEPM keystores again to have the same key based on the same encryption key?

     

    Furthermore, you have written something about RADIUS? Can you confirm that you don't use IPsec and therefore don't have a problem with the Windows Firewall, as this would be required by Microsoft to have a functional IPsec?

     

    Hope one of these 2 clues can help solving it

    cheers toby



  • 25.  RE: SEP showing server offline

    Posted Aug 21, 2012 09:05 AM

    I recently used the Symantec clean wipe tool and re-installed everything (still having the same problem though). So the top part doesn't really apply.

    IPsec isn't used and I have tried to test the connection between the SEPM server and SEP client with the firewall switched off. So I believe that my current set-up should support Symantec flawlessly, but it looks like I am missing something!

    Attached is an up-to-date debug log from the SEP Help and Support -> Troubleshooting -> Debug Logs -> Client Management -> View Log

    Thanks

    Attachment(s): Debuglog_0.txt (44 KB)


  • 26.  RE: SEP showing server offline

    Posted Aug 22, 2012 02:35 PM

    Hi,

    So there isn't much here to see (I believe the CPU and memory counter errors are not important). But I did notice the bind failure for the Radius port. I'm not sure if this is causing the issue or not.

    In any case, we still need to find the source of the HTTP 500 error. Here is the next set of steps I would recommend.

    1) Look in the IIS Access logs (or Apache Access logs, for anyone reading who has 12.1+). The access logs WILL have the HTTP 500 -- although the access logs aren't likely to have a whole lot of information about "why", we should get every datapoint possible -- it might help.

    2) Let's try solving the RADIUS port issue. Here is a command that will disable the Radius port in 12.1, I forget if this works in 11.6 or not. I don't think it does, but try it (It can't hurt):
    a) Open your sepm\tomcat\etc\conf.properties file.
    b) add the line: scm.radius.enabled=0
    c) Save the file
    d) Restart SEPM.
    e) See if the error in the SecReg-0.log goes away.

    On Windows 2008 SBS, I believe the RADIUS port is used by some "Remote Desktop Gateway" service. It's a service that allows you to RDP into the box remotely, I forget the exact name. This conflicts with the RADIUS port that SEPM sets up in case you have SNAC. If you don't use SNAC, you don't need this port. In 12.1 I personally worked with making sure this port is disabled by default unless you actually have SNAC so you don't get this conflict issue.

    3) If 2 didn't work, try disabling the Remote Desktop Gateway service just to test things out (that is, if you're not using it to connect remotely). Just to see if getting rid of the port conflict fixes the issue. If it does, and you need the Remote Desktop Gateway service, we'll troubleshoot that later.

    4) If nothing has worked so far, let's turn up the log level in Secars to help us track down the error. One of two things is going to happen:
    a) You will see the error in Secars.log, and it is likely to be helpful.
    b) You will not see the error in Secars.log.

    If you do NOT see the error in Secars.log after you turn on the debug messages, it means the request is NOT getting to Secars.dll. This means that the request is getting stopped by IIS itself.

    The flow is: Client > IIS > Secars > Tomcat > (Tomcat talks to database) > Send reply back to Secars > Send reply back to IIS > Send reply back to Client.

    So first we'll start at Secars. Normally this is where you can find the error if it's anything to do with SEPM. If there is no error, then it's an issue with IIS and you've got to hunt down the IIS access logs -- you may have to enable the.

    So, to enable Secars debugging logs do the following:
    Open the registry and browse to:
    HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SEPM\
    (Note, since you're on 64 bit, you have to browse to the Wow6432Node key)
    Find the key "DebugLevel"
    Set it to 4 (Decimal).

    Open the SEPM\tomcat\etc\conf.properties.
    Find the line scm.log.loglevel=
    (If it's not there, create it.)
    Set it to scm.log.loglevel=FINE

    Save the file, restart the server.

    Now, have your client attempt to log in. It should get the Error 500.
    Note: Secars.Log does not write "live". It writes in batches, so after you get the error you have to wait a few minutes for the logs to be written to the disk. Or you can just stop IIS to flush the logs immediately.

    Check the logs for the error. Again, if it's not there, you've got to troubleshoot IIS. If it is there, then we should have something to work with.
    Debug logging takes a lot of space, and can hinder performance. So you'll want to remove it when you're done troubleshooting.
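
The Sylink and exsecars log excerpts posted in this thread share one line layout, so the triage described in posts 19 and 26 (find the HTTP error, tie it to the client going offline, spot the RADIUS bind failure) can be scripted. This is an added example, not part of the original thread or of Symantec's tooling; the function names, the finding labels and the hardware-key placeholder are assumptions made for illustration.

```python
import re

# Layout of the log excerpts in this thread: MM/DD HH:MM:SS [pid:tid] message
LINE_RE = re.compile(r"^\s*(\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\d+):(\d+)\] (.*)$")
HTTP_RE = re.compile(r"<ParseHTTPStatusCode:>(\d{3})=>")
BIND_RE = re.compile(r"Failed to call bind! ErrorCode=(\d+), Port=(\d+)")
OFFLINE_MARK = "Set ACSConnec offline"

# Winsock codes a failed bind() commonly returns.
WINSOCK = {10013: "WSAEACCES", 10048: "WSAEADDRINUSE"}

# Lines copied from the excerpts posted in the thread; the hardware key is
# replaced with a placeholder.
SAMPLE_LOG = """\
08/09 13:59:58 [1112:2020] <SyLink>[MakeRegisterData] registration Hardware Key=<HWID-PLACEHOLDER>
08/09 13:59:58 [1112:2020] <ParseHTTPStatusCode:>500=>500 INTERNAL SERVER ERROR
08/09 13:59:58 [1112:2020] <SyLink>ERR to query content length
08/09 13:59:58 [1112:2020] ###### Set ACSConnec offline

08/20 11:13:46 [9448:7164] Secars ISAPI Starting
08/20 11:13:46 [9448:7164] Failed to call bind! ErrorCode=10013, Port=1812
08/20 11:13:46 [9448:7164] Secars ISAPI Started
"""


def parse_line(line):
    """Split one log line into timestamp, pid, tid and message; None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts, pid, tid, msg = m.groups()
    return {"ts": ts, "pid": int(pid), "tid": int(tid), "msg": msg}


def triage(text):
    """Return the findings worth a second look, in log order."""
    findings = []
    last_http_error = {}  # (pid, tid) -> last HTTP status >= 400 seen on that thread
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # blank or wrapped lines
        key = (rec["pid"], rec["tid"])
        http = HTTP_RE.search(rec["msg"])
        bind = BIND_RE.search(rec["msg"])
        if http:
            code = int(http.group(1))
            if code >= 400:
                last_http_error[key] = code
                findings.append({"ts": rec["ts"], "kind": "http_error", "code": code})
            else:
                last_http_error.pop(key, None)  # a later success clears the suspicion
        elif bind:
            err, port = int(bind.group(1)), int(bind.group(2))
            findings.append({"ts": rec["ts"], "kind": "bind_failure", "port": port,
                             "error": WINSOCK.get(err, str(err))})
        elif OFFLINE_MARK in rec["msg"]:
            # Tie the offline transition to the HTTP error seen on the same thread, if any.
            findings.append({"ts": rec["ts"], "kind": "client_offline",
                             "after_http": last_http_error.get(key)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `bind_failure` with WSAEACCES typically means another process already holds the port with exclusive access. RADIUS authentication uses UDP 1812, so the owner shows up among the UDP endpoints (`netstat -ano -p udp`).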

     

     



  • 27.  RE: SEP showing server offline
    Best Answer

    Posted Aug 28, 2012 04:19 AM

    Hello,

    I managed to resolve my issue. I realised I had two entries in the firewall exception rules for opening port 1812, so I removed the Symantec one I created. Then I disabled the network policy server services as this wasn't being used.

    I then followed this document - http://www.symantec.com/business/support/index?page=content&id=TECH102909&locale=en_US

    ....and did a repair install of SEPM.