SEPM 11 RU7 MP1 (11.0.7101.1056) Clients Do Not Update Antivirus Definitions
I am having a problem with Symantec Endpoint Protection (SEP) managed clients receiving updates from the Symantec Endpoint Protection Manager (SEPM).
The SEPM and clients are on an isolated network that doesn't have internet access. The SEPM server has recent updates (2012-02-02) from the downloaded JDB file (http://www.symantec.com/business/support/index?page=content&id=TECH102607).
I initially encountered this problem with SEPM 11 RU6a (11.0.6005.562). After hours of research and troubleshooting, it appeared that an upgrade to the newest version of SEPM would resolve the problem. I uninstalled SEPM 11 RU6a (and deleted the SEM5 database), uninstalled SEP from the clients, and restarted. After installing SEPM 11 RU7 MP1 (11.0.7101.1056), updating the definitions, configuring the groups, users, policies and deploying to clients, the clients still fail to download updates.
The clients are communicating with the SEPM. They receive policy, but don't update content.
I enabled the Sylink monitor debugging (http://www.symantec.com/business/support/index?page=content&id=TECH103369&locale=en_US) and here is an excerpt of the log:
02/14 20:20:03 [3304] <LUThreadProc>@@@@@@@@@ LU DEBUG ONLY- Download file failed due to wrong file size.
FileName:C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{1CD85198-26C6-4bac-8C72-5D34B025DE35}1202020021.TMP Expected file size: 164989324
02/14 20:20:03 [3304] SyLinkDeleteConfig => Deleting instance: 00000000036319F0
02/14 20:20:03 [3304] </CSyLink::LUThreadProc()>
This link (which is commonly suggested as a resolution to this type of error) doesn't apply or resolve the problem (http://www.symantec.com/business/support/index?page=content&id=TECH105695&locale=en_US).
It's nice that a product, out of the box, doesn't function. Good work.
Comments
is the client on SEP 11 RU 7 MP1?
is the client to get the updates from SEPM or GUP?
Is it possible to upgrade the GUP to the latest version as well, if that has not been done?
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Yes, the client is SEP 11 RU7 MP1.
The client is configured to get updates from the SEPM (not a GUP).
proxy?
Hi,
the article mentioned by you is usually appropriate for this error.
The size of the file is wrong because something between the client and the manager altered it, for example a proxy able to unzip, scan and zip again the files.
You really need to focus on the route taken by content updates, Wireshark will help you.
Regards,
Giuseppe
Usually is fine, but in this case, it doesn't resolve the problem.
The SEPM is also a client. It can't update its own definitions.
There are no proxies between the server and workstation. I doubt that Wireshark would help. There are no other network problems that indicate packet drops.
LiveUpdate Configuration
Hi,
- Please go to: Control Panel --> Symantec LiveUpdate --> Update Cache tab
- Send the values for Maximum Cache Size and Current Cache Size
- Do this on the SEPM and a few clients
I changed the Update Cache Maximum Cache Size from 2,000 MB to 3,999 MB.
The Current Cache Size is 0.00 MB
From the client, I initiated a Content Update. It failed with the same error message.
comments
The SEP client installed on the SEPM does not work differently than other clients. If there is something in the middle, it is usually true for that client as well.
You don't need packet drops to get that issue; it is enough that, for example, a proxy is unzipping the LiveUpdate files, scanning them and zipping them again. A Wireshark capture is still worthwhile: if there is no proxy, you will see whether the communication is altered by something else.
Regards,
Giuseppe
Are there SEPMs in load balance?
can you pass on full sylink log?
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
There is only one SEPM.
Here is the Sylink log:
proxy? (again)
Hi,
The error message you're getting is very popular in the presence of proxies. Maybe there is one? The ISA Firewall Client may be installed? Anyway, if you could provide the full LU log file of the SEPM it would be a great help.
Also, I always blame the LU component for 90% of problems with SEP, so please follow the steps in the KB article below and see how it goes:
http://www.symantec.com/docs/TECH138384
If this fixes it and correctly updates definitions for the SEP client installed on SEPM, then the problem will be most probably that LU was not completely removed when you uninstalled SEP from your client machines to do the upgrade.
HTH
I highly doubt that there was a problem uninstalling the LU. As the post indicates, this problem occurred with the previous version of SEP (11 RU6a). Since this error occurred before and after the upgrade, it leads me to believe it is something else.
Not to mention, the LiveUpdate control panel opens without error.
Venik,
The error message in your original post was saying the file size was incorrect and that the system was expecting a larger or smaller file.
The original post was also from Feb. 02. Later on, logs from Feb. 14.
Today, Feb 20, are you still having the same problem with the original file from Feb 02? Or are you updating the definitions every day and have downloaded today's definitions and are experiencing the same problem?
* * * * * *
Errors in your logs
* * * * * *
1- 02/14 20:04:57 [7352] <Start>Unable to create Session with 'User Proxy' settings - Proxy Server: Error Code: 87
2- 02/14 20:08:45 [6312] <IndexHeartbeatProc>Sylink Comm.Flags: 'Connection Failed' = 1, 'Using Backup Sylink' = 1, 'Using Location Config' = 0
02/14 20:08:45 [6312] <IndexHeartbeatProc>Connection Failed! No. of tries = 1
* * * * * * * *
There are also some logs about the system going to the backup of Sylink.xml file.
02/14 20:06:36 [6312] <SwitchSylinkConfig:> Switching from sylink.xml..
02/14 20:06:36 [6312] <SwitchSylinkConfig:> Failed to switch to use SyLinkEx.bak
02/14 20:06:36 [6312] <SwitchSylinkConfig:> Switching from SyLinkEx.bak
* * * * * * * *
This all points to a communications issue.
Can you successfully telnet to the server (SEPM) on port 8014?
As the post describes, the only noticeable problem is content update. The client receives policy from the SEPM. The client processes commands from the SEPM. The client can request and receive policy from the SEPM.
The sylink log file has this line:
The last JDB file used to update the SEPM contains updates released on Feb 02. I haven't updated the JDB file since; it's a waste of time since none of the clients are updating. Prior to that, I used two other JDB files.
I cannot telnet to the SEPM server on port 8014.
8014 needs to be accessible on the server
02/14 20:05:06 [6312] <GetIndexFileRequest:>http://DomainL70:8014/secars/secars.dll?h
I take it, the server name is DomainL70 (the server on which the SEPM is running)?
I also have to assume (sorry) from the logs that the server is running Server 2008 standard edition with Service Pack 1.
Which brings me to the next questions.
- When you setup the server (SEPM) did you use the standard SEPM setup and default port of 8014?
- Windows Firewall is enabled or disabled?
- The server is running SEP client; with or without the Firewall component?
* * * * *
**Note**
You do NOT need to enable the "telnet server" feature on the server in order to be able to establish a connection.
** End note **
This page indicates that the comm port between the server and the client is port 8014.
http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/edda0cd89141a6788025734e004b6a02?OpenDocument
Without you being able to telnet to said port, this is the underlying problem.
Server: Windows 2008 R2 SP1
Server Name: DomainL70
The SEPM was set up with the default port 8014.
The Windows Firewall service is enabled, but before the SEPM (and SEP) install, the Windows Firewall was configured to not protect on any of the three profiles.
The SEPM server and clients have the firewall component. The results are the same when it is disabled.
Although telnet isn't connecting, the server is responding on port 8014. I know this from performing the 'hello secars' test described in this document: Testing Communication from an Endpoint Protection client to the Endpoint Protection Manager (http://www.symantec.com/business/support/index?page=content&id=TECH102682). The test was successful.
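An added example, not code from the thread or from Symantec: it triages a Sylink debug log for the signatures quoted in this thread (wrong file size, proxy session failure, connection failed, fallback to SyLinkEx.bak) and wraps the two connectivity checks discussed above (TCP connect on 8014, then the hello,secars request). The sample log is constructed from the posted lines; the host name and the assumption that a healthy SEPM answers hello,secars with the body "OK" are assumptions.

```python
import re
import socket
import urllib.request
# Signatures quoted in the thread and what each usually points to.
SIGNATURES = {
    "Download file failed due to wrong file size": "content altered in transit or truncated",
    "Unable to create Session with 'User Proxy'": "client proxy settings in play",
    "Connection Failed!": "client could not reach the SEPM",
    "Failed to switch to use SyLinkEx.bak": "fell back to the backup Sylink config",
}
LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\d+)\] <([^>]*)>(.*)$")
# Constructed excerpt assembled from the lines posted in the thread.
SAMPLE_LOG = "\n".join([
    "02/14 20:04:57 [7352] <Start>Unable to create Session with 'User Proxy' settings - Proxy Server: Error Code: 87",
    "02/14 20:06:36 [6312] <SwitchSylinkConfig:> Failed to switch to use SyLinkEx.bak",
    "02/14 20:08:45 [6312] <IndexHeartbeatProc>Connection Failed! No. of tries = 1",
    "02/14 20:20:03 [3304] <LUThreadProc>@@@@@@@@@ LU DEBUG ONLY- Download file failed due to wrong file size.",
    r"FileName:C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{1CD85198-26C6-4bac-8C72-5D34B025DE35}1202020021.TMP Expected file size: 164989324",
])
def parse_sylink_log(text):
    """One finding per line matching a known signature; a wrong-file-size finding
    also carries the expected byte count from the FileName line that follows it."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, tid, tag, msg = m.groups()
        for sig, meaning in SIGNATURES.items():
            if sig not in msg:
                continue
            f = {"time": ts, "thread": int(tid), "tag": tag, "signature": sig, "meaning": meaning}
            if sig.startswith("Download") and i + 1 < len(lines):
                size = re.search(r"Expected file size: (\d+)", lines[i + 1])
                f["expected_size"] = int(size.group(1)) if size else None
            findings.append(f)
    return findings

def check_sepm(host, port=8014, timeout=3.0):
    """Returns (tcp_ok, http_ok): the telnet-style connect, then hello,secars (body 'OK' assumed)."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError:
        return (False, False)  # nothing listening, or blocked on the way
    try:  # URLError and HTTPError are OSError subclasses
        with urllib.request.urlopen(f"http://{host}:{port}/secars/secars.dll?hello,secars", timeout=timeout) as resp:
            return (True, resp.read().decode("ascii", "replace").strip() == "OK")
    except OSError:
        return (True, False)
```

Run parse_sylink_log over the full Sylink log to list every known signature with its thread id, and check_sepm("DomainL70") from a client to separate a closed port from a port that answers but serves no content.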
This also might help
*** Taken from SATYAM PUJARI ***
Open 8014 in the Firewall.
The Symantec Endpoint Protection Manager (SEPM) uses two web servers: Internet Information Services (IIS) and Tomcat. IIS uses port 8014; Tomcat uses ports 9090 and 8443. The communication between IIS and Tomcat uses the HTTP protocol. IIS uses port 9090 to talk to Tomcat; Tomcat uses port 80 to talk to IIS.
Client-Server Communication:
For IIS, SEP uses HTTP between the clients and the server. For the client-server communication it uses port 8014.
Remote Console:
9090 is used by the remote console to download .jar files and display the help pages.
8443 is used by the remote console to communicate with SEPM and the Replication Partners to replicate data.
Considering your scenario...
Just open 8014 in the firewall. Clients will connect to this port for communication.
SEPM is listening on port 8014 and waiting for connection.
You don't need to open ports (1024-65535) on the SEPM system. The concept is simple: when a client connects to a web server at some port (i.e. 80 or 8014), it needs to open a random port on the local system to establish the communication. That's how TCP/IP sockets work.
Simple example...
When you connect to google.com at port 80, you need to open a random port (i.e. 3355) on your machine as well so that the web server can also communicate with you, right? That happens in the background, but that's why random ports are used.
To see it, just open some websites, go to the command prompt and type netstat -nao
Go through this chart. It clearly states that for client-server (SEPM) communication you need to open 8014.
source: http://service1.symantec.com/SUPPORT/ent-security....
* * * * * *
Link to the original Thread here:
https://www-secure.symantec.com/connect/forums/sep-port-clarification