SEPM Console Policy section PAINFULLY slow after MR2 upgrade.

Updated: 21 May 2010 | 21 comments

0 0 Votes

After a successful upgrade to MR2 on the mgmt server, the console seems to work better than before - except for the policy section. What used to take a minute or so to open, takes about 4 min 45 seconds to open. Then selecting a policy to edit takes another minute or two...

Has anyone else seen this or have suggestions to fix it? This holds true for the console on the mgmt server as well as the remote consoles installed (now reinstalled after the upgrade) on our workstations.

I have already modified the Java Heap properties to 1 GB as suggested in the installation guide for large environments.

...MK_SEP_Admin

discussion Filed Under:

Security, Endpoint Protection (AntiVirus) - 11.x

Comments RSS Feed

Comments

Apr

2008

0 Votes 0

Paul Murgatroyd

Symantec Employee

Accredited

Certified

how many groups do you have?

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Apr

2008

0 Votes 0

mk_sep_admin

Total? Around 40. Each group, however, has about 150 locations.

It has always been a little slow because of that, I suppose, but the time to pull it up after MR2 is more than 4x as long as it was.

Apr

2008

0 Votes 0

Paul Murgatroyd

Symantec Employee

Accredited

Certified

woah!

we'd generally advise no more than 64 locations per group, because as you've seen it can get a bit slow.

We have one or two large customers with 1000+ groups (however 40 groups 150 locations could have same effect) and they are seeing the same issue... if you can live without a count of how many locations the policy is applied in for now, try this:

open %temp%\sesm.xml, set the locationCounting="false" to disable displaying the count and locations associated with a policy.

Default sesm.xml is this and is auto-generated by the console
<?xml version="1.0" encoding="UTF-8"?>
<sesm>
<login locationCounting="true" option="less" vistaWarn="false"/>
</sesm>

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Apr

2008

0 Votes 0

mk_sep_admin

My sesm.xml looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<sesm>
<login option="less" vistaWarn="false"/>
</sesm>

I'll add the bit about the counting and see if that helps.

Thanks -

May

2008

0 Votes 0

mk_sep_admin

I tried this change on my workstation, but it did not seem to help. I am still having 4+ min open time to open policiy panel and over 2 min to actually edit a policy.

On the mgmt server, results were somewhat better. It only took about one minute to open the policy panel which is "normal" for us. Opening an actual policy still took a couple of minutes... much more of a delay than pre MR2.

Worth noting.... I don't know if the change for counting is working... I still get Location Use Counts for my policies.

It was a little slow before, but completely within reason for our configuration. This is far worse. Can you explain what has changed? Is there somewhere I can look for potential errors or issues in log files or database access times?

Thanks,
MK_SEP_Admin

May

2008

0 Votes 0

Corey Wilson

My question to this problem, since we are also seeing slower console performance now that we have added more groups...is why did symantec even go with a java based console to begin with? The mmc snap-in worked just fine. Not only that, but the java console wont even run on a linux based machine with default java's loaded.

May

2008

0 Votes 0

Corey Wilson

Lets put it this way. The last time I used symantec I transitioned our company to Trend Micro Officescan. Im with a new company now and the investment was already made through software assurance so Im limited in options. I do agree with you though.

May

2008

0 Votes 0

mk_sep_admin

While the Java console is not my favorite - it is very similar to the way the Sygate product line was written and I think they built off of that model for SEP.

Bottom line - since the MR2 upgrade, there are some bug fixes in the console, but the policy pane is what is incredibly slow at this point. Part of that is because of the number of groups & locations we have defined - BUT it was not this bad in MR1.

.......

In the scm-ui.log in my %temp% folder, I see the log data from my console session. The file grows to approx 710 KB once I click on the policy section. It is less than 10 KB before I take that action. I routinely see this entry, which indicates I'm likely hitting some kind of capped value:

DataobjectManager cache reached high water mark.

Is there something else I can tweak since the suggestion above did not seem to help on my workstation consoles?

Thanks,
MK_SEP_Admin

May

2008

0 Votes 0

Paul Murgatroyd

Symantec Employee

Accredited

Certified

you are correct, the decision to use Java was taken at Sygate in 2002, long before we bought them. There are multiple reasons behind using Java, and MMC was considered but decided against at that time.

The SEPM is the evolution of the Sygate Policy Manager, which in its previous version was completely web based via Java (SEPM itself is still all web technology underneath, everything uses HTTP).

I've previously tested on both Linux and Mac OS and the SEPM does work on both (the sygate version was even written for all three OS's) as far as the management tiles go... the reporting doesn't because we spawn an IE session in the console window - neither Linux nor Mac OS have IE :) Reporting however works great via Firefox or Safari.

On the slowness front, yes we do have a problem with the policies tab since we moved to MR2 and are working to resolve this for MR2 MP1. The fix I posted will work, its just that you need the MP1 patched version of scm-ui.jar, if you can PM me your email address I will attempt to get you something to try so we can get some more feedback on it.

hope that clears things up, I have passed on your comments about "DataobjectManager cache reached high water mark" to our engineers who are working on the SEPM.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

May

2008

0 Votes 0

JasonDS

Paul: Is there an ETA on MR2 MP1? I am having a similar issue sine moving to MR2, the console is sloooooow.....

May

2008

0 Votes 0

Paul Murgatroyd

Symantec Employee

Accredited

Certified

I believe we are aiming for code complete on MP1 by end of the week... not sure what that does for timescales though.. will try and find out...

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

May

2008

0 Votes 0

Paul Murgatroyd

Symantec Employee

Accredited

Certified

there were a number of problems with SSC/MMC, in small environments it was fine, in larger environments it was unusable because it works in realtime - factor in WAN's and slow networks and it slows to a crawl - just try and change the settings on a client group that has clients and parent servers in multiple countries and you will see what I mean.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

May

2008

0 Votes 0

Paul Murgatroyd

Symantec Employee

Accredited

Certified

SEPM console running on a Macbook Pro, out of the box installation, no special Java, nothing... runs from the website and even puts the icon on my desktop for me.

I don't have a linux VM handy... but I'll get a copy of Ubuntu or similar

Message Edited by Paul Murgatroyd on 05-02-2008 12:43 AM

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

May

2008

0 Votes 0

Paul Murgatroyd

Symantec Employee

Accredited

Certified

SEPM running on Ubuntu, all I had to do was install Java from Sun - easily accomplised through add/remove programs in Ubuntu as there is no version installed by default.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

May

2008

0 Votes 0

Tom Mucha

Accredited

Sorry to bring a dead post back to life - but I wanted to share my pain too!

I have a client with a policy that is having the same issue since we upgraded to MR2 a couple weeks ago. Changing the xml changed nothing.

We have a seperate MS SQL server that is hosting our DB, one quick thing I noticed is that if I look in task manager (windows 2003) on the SEPM server, and on the SQL server I see the network utilization go from about 1% to 30% plus - once the utilization goes down, the management console comes back to life. I think it's pretty safe to assume that this is SEPM going to SQL for something.

Everything seems clean in the logs i've checked. I was wondering if anyone else if having this same issue.

Tom

May

2008

0 Votes 0

Paul Murgatroyd

Symantec Employee

Accredited

Certified

Open the following file

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\sesm.bat

Change it from this:

Original:

@start "SESM" "E:\Program Files\Symantec\Symantec Endpoint Protection Manager\jdk\bin\javaw.exe" -Xms64m -Xmx256m -XX:MinHeapFreeRatio=30 -XX:MaxHeapFreeRatio=40 -Dscm.console.conf="E:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties" -jar scm-ui.jar

To this:

Suggested:

@start "SESM" "E:\Program Files\Symantec\Symantec Endpoint Protection Manager\jdk\bin\javaw.exe" -Xms1024m -Xmx1024m -XX:MinHeapFreeRatio=40 -XX:MaxHeapFreeRatio=70 -Dscm.console.conf="E:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties" -jar scm-ui.jar

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Jun

2008

0 Votes 0

Tom Mucha

Accredited

Paul - changing that bat file seems to make a difference in the console speed when looking at policies. Thanks!

Aug

2008

0 Votes 0

ch1221 2

Paul,

Thank you so much. I was having the exact issue and changing the bat file worked for me as well.

Aug

2008

0 Votes 0

Paul Murgatroyd

Symantec Employee

Accredited

Certified

No problem, we are going to be setting this based on your installer choices in MR3. Also with MR3 if you have changed it previously and upgraded, we aren't going to reset it (which wasn't a very good idea!)

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Mar

2009

0 Votes 0

DougAuto

Still slow...

Hi... beating this dead horse...

Running SEP 11 MR3, and the console is very slow. Particularly opening the Clients and Policy views.

Over a WAN this is nearly unusable... it took one of my admins 9 minutes to open the client view.

Are there any steps we can take to improve this for MR3 (aside from upgrading... we probably will skip MR4 and its various incarnations, and go with MR5 as we are in the middle of an MR3 deployment to 28,000 machines and won't change in mid-deployment).

Doug

Mar

2009

0 Votes 0

David Vaughan

Still slow in MR4 MP1a

I must say that even in the latest release of MR4 MP1a the console is still very slow to respond. I dont even try and to use the console locally, I RDP to the SEP server and i get better preformance. Tho is it still far from ideal.

SEPM Console Policy section PAINFULLY slow after MR2 upgrade.

Comments

Still slow...

Still slow in MR4 MP1a

Would you like to reply?

Links

Technical Support

Symantec.com

Store

Community Stats