Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Slow network after upgrading to Endpoint Protection 12.1.2 MP1from previous version

Created: 16 Apr 2013 | 147 comments

We have all options installed on our clients. with the previous version (prior to 12.1.2 MP1) our LAN network worked fine. we were able to run our ERP software which resides on our domain controller.

After upgrading SEPM to the latest version, it sent upgrades to all clients & servers on our network. after which, we have difficulties running our ERP software.

after several hours of checking, found that when i disable Network Threat Protection, the ping time to our domain controller is 1ms. when the NTP is activated, the ping time is 54ms.

after googling around & still could not find solution for what may have gone wrong, i have disabled NTP on all our XP workstations. the surprising fact is that this network slowness only affects XP PCs & not Win7 PCs or Servers.

My setup is as follows:

All servers have basic protection. ie. Antivirus & proactive Threat protection.

All clients have full protection. ie. all options.

what after upgrade is causing my ERP software to work very very slowly (after one click, we have to wait for 1min or so). whereas other network based software like browsing internet, email client IM etc works properly.

I have also added our ERP application to exception list but of no use.

Guys please help me as this is the first time in 4 years that i have such issues with SEP.

regards SRI.

Operating Systems:

Comments 147 CommentsJump to latest comment

SebastianZ's picture

What was the previous version you were using? Was it as well 12.1 or some 11.x?

pete_4u2002's picture

are you seeing the issue with all clients or specific machines?

did you reboot the machines after upgrade?

SebastianZ's picture

SEP 12.1 RU2 MP1 does includes several changes to the NTP/Firewall Teefer driver as per notes:

http://www.symantec.com/docs/TECH204685

- possibly one of the changes is causing the issue observed by you. Would recommend to open the case with Symantec Support to investigate the problem.

newafricahotel's picture

hi pete_4u2002 the problem is with all XP workstations. yes all workstations have been restarted.

Hi SebastianZ Thank you for the assistance. i have created  a support case for this the case no. is #04142243. Right now i have disabled NTP for all XP clients, which is not an healthy situation. i only hope the issue is sorted out otherwise i have no other options but to go  back to earlier version i had. 

.Brian's picture

This is irrelevant

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

.Brian's picture

I've noticed this when I upgraded my test lab. I've narrowed it down to the firewall. If you disable just the firewall, the issue goes away. Withdrawing the policy does not work.

I have not yet opened a case but that will be what is needed here.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SebastianZ's picture

If the cause is in the firewall driver, withdrawing the policy won't change anything as the driver is still loaded on the machine. Let us know how the troubleshooting goes in the case you opened. Thanks

newafricahotel's picture

Hi Brian81, i have tried disabling firewall & then application device control & then intrusion protection. with either one disabled or all these disabled together did not solve my problem. however, by disabling NTP from clients windows sorted out the issue until NTP is enabled again. 

i have opened a case & awaiting reply. 

.Brian's picture

I upgraded from 12.1 RU2 and noticed it immediately. In my case, I found it was the firewall. I use both ADC and IPS as well but it made no difference when either were disabled. It always came down to the firewall for me.

Hopefully, they get you sorted out quickly.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

newafricahotel's picture

Hi Brian,

in my case even if i withdraw all firewall rules to all groups, the network is still slow until i disble NTP completely. 

until i get response from Symantec support team, i have created an deployment package without NTP & slowly deploying to all xp clients. 

AndreasHe's picture

Hi all.

we've the same problem and no solution.

Only disable the firewall on Windows XP helps.

If someone have a solution, please send me.

regards

.Brian's picture

You need to call support so they can troubleshoot this. This appears to be new to 12.1 RU2 MP1.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

JnascECSI's picture

We are also having the same issue now with ping times along with all XP machines now taking for ever to print to network printers also. Seems from what we can see now any XP machine that tries to print to a network printer goes in to this very slow spooling process then let's say you try to print 8 pages it will die after printing 2-3 pages.

Watching the actual print job via the windows print job window just shows it spooling the data very slowly now. I put EP on the printer server hoping that might help but it did not. we are running EP 12.1.2100.2093 with full protection and the client policies are the defualt's with just a couple minor changes.

.Brian's picture

Disable the SEP firewall and see if the issue goes away. It should. Currently working with Symantec on this as new changes to the teefer driver in RU2 MP1 may be the cause.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

pjbotes's picture

Hi Brian81, any news on this?  I'm having the same issue.  Disabling the firewall and Intrusion prevention via policy is my current work around on the problem.

.Brian's picture

I've sent all logs that Symantec support has requested to them. They said they would get back to me in a day (has been two so far).

The only workarounds are to either remove the firewall component (You can leave IPS installed) or disable the firewall.

The tech I spoke to did mention this was a known issue for XP SP3 but does not know about Windows 7/8.

I've only seen this on our XP SP3 test machines. We have since stopped testing since we won't roll this version out.

My guess is this will be a code change so a new release will fix it unless they do a point patch (PP) to address this specific issue.

That's all I got, will post back when I get more from Symantec.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

M_P_'s picture

Hi Brian81,

I'm having the same issue, for now I've resolved following your suggestion, thanks.

Can you kindly keep us informed about youùr interaction with Symantec?

Thanks again...

.Brian's picture

I've sent all logs that Symantec support has requested to them. They said they would get back to me in a day (has been two so far).

The only workarounds are to either remove the firewall component (You can leave IPS installed) or disable the firewall.

The tech I spoke to did mention this was a known issue for XP SP3 but does not know about Windows 7/8.

I've only seen this on our XP SP3 test machines. We have since stopped testing since we won't roll this version out.

My guess is this will be a code change so a new release will fix it unless they do a point patch (PP) to address this specific issue.

That's all I got, will post back when I get more from Symantec.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

newafricahotel's picture

Hi all,

I am also waiting for Symantec Support to provide me with the log tool to extract log from windows xp client do that i can send it to them so that they can come up with an solution. 

.Brian's picture

Download SymHelp and check the "Full data collection for support" option. This is what they will need.

Symantec Help (SymHelp) Download

Article:TECH170752  |  Created: 2011-09-29  |  Updated: 2013-04-19  |  Article URL http://www.symantec.com/docs/TECH170752

untitled_9.JPG

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ambesh_444's picture

Thumbs up Brian81...!!!!!

My vote for you.

Thank& Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

Koosah's picture

Here is what should be collected if you suspect you have this issue and want to contact support.

1.Create an allow all rule and move to the top and check to see if issue goes away.(It should not)
2.Wireshark, WPP and Symhelp all collected from the same time. Start wireshark and wpp logging, replicate issue note time, replicate issue again and note time.
3.Disable firewall and replicate the issue not happening and note time, replicate issue and note time.
4.Collect wireshark, wpp and support tool all from the same time.
5.Contact support.

Symantec Technical Specialist

Please don't forget to mark which thread solved your issue!

.Brian's picture

Creating rules does not fix it (at least in my case). Whatever change that was made to the teefer driver seems to have negatively impacted performance. Monitoring read/write performance of svchost.exe during file copies over the network with firewall enabled and disabled is pretty dramtatic.

As an example copying a 250Mb file over the network (3 hops) with the firewall enabled took 4 minutes and with the firewall disabled it took 10 seconds.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Koosah's picture

The rule is not expected to fix anything. Its what backline is requesting. If you do all the items in my post you will speed the process of backline determining the cause.

Symantec Technical Specialist

Please don't forget to mark which thread solved your issue!

.Brian's picture

Than I hope to get a call some time soon to finish the steps you outlined as they only collected logs and had me reproduce the issue.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

.Brian's picture

This only looks to affect XP machines in my case. Just tested on Windows 7 and it works as expected.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

newafricahotel's picture

Hi All,

Yesterday i had sent the log report files from XP Machine & SEP12 server PC & am waiting for an fix. 

Let's hope this issue is identified & fixed asap. 

Keym00's picture

Same here .. I've also opened a case with Symantec and have referenced this thread

.Brian's picture

Thanks, keep us updated.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Keym00's picture

Symantec is wanting to gather WPP logs and supplied this link

http://www.symantec.com/business/support/index?pag...

I would have thought Symantec could easily replicate the issue in their lab environment as this is just simple file sharing between client/server .. maybe more, but that's the bulk of it for us anyway

I would like to have a copy of the previous version though as we were a couple revisions behind before deciding to roll out this upgrade.  I have to say .. never before have we deployed a release that had this much of a negative empact...just surprising this wasn't caught in pre-release testing phases

Hywel Mallett's picture

Another +1 here. XP clients affected, ping times go from <1ms to ~40ms, network performance falls through the floor, running at about 1% of normal speed. Removing the NTP component solves the issue. Looking forward to an update to resolve this, then if one's released I'll wait a few days then check in here to see what others have found before I try it!

.Brian's picture

I'm working with support so I will post back with updates.

You don't need to remove the entire NTP component, only the firewall. Or if the firewall is already installed, it needs to be disabled.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ioannis Mallios's picture

Exactly the same problem here. Fresh instaled xp clients with 12.1.2 MP1 and firewall enabled have aprox. 40 ms pings to local gateway and are very slow on network access operations.

Vista and Windows 7 clients work fine.

I already have opened a case with Synantec since 22 Apr but still waiting for a solution.

.Brian's picture

Only XP is affected. Current workaround is to either disable the firewall via policy or remove the firewall component.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

DCourtel's picture

What is the Symantec Official recommandation for this Release, regarding this bug ?

Can we push SEP 12.1 RU2 MP1 to clients, except on Windows XP ? Or do we drop this MP1 and wait the next release ?

Thanks.

DCourtel.

End User Support Technician

Publish Third Party Applications in Wsus : http://wsuspackagepublisher.codeplex.com/

.Brian's picture

Only affects XP. You need to either disable the firewall or remove only that component. Works fine on any OS higher than XP.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

DCourtel's picture

Yes, I know that. But does it worth to deploy this release if a new release is out in few weeks to correct this bug ?

DCourtel.

End User Support Technician

Publish Third Party Applications in Wsus : http://wsuspackagepublisher.codeplex.com/

.Brian's picture

A new release is probably more like a couple months away so it's up to you to decide.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

DCourtel's picture

whaaw, pretty much impressive. I can't beleive that a World leading security company can afford to wait as much as 2 months to fix such a bug that impact all Windows XP SP3 with firewall.

DCourtel.

End User Support Technician

Publish Third Party Applications in Wsus : http://wsuspackagepublisher.codeplex.com/

.Brian's picture

Last I saw RU3 (if called that) was scheduled for June.

Again, if they determine, they could do a release before or maybe even a Point Patch  to address this.

I have no knowledge of it though, just speculating.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

pandher's picture

i think i will delay my plans of this maintenence patch then since we have a lot of XP machines and we had already had our troubles with NTP. We disabled it 2 years ago...

I think Symantec needs to relook at it s NTP thingi...

DCourtel's picture

On our environnement, 40% of Win XP and 60% of Win 7 !

I think we will deploy 12.1 RU2 MP1 only on Win 7 and wait for the next release for Win XP.

DCourtel.

End User Support Technician

Publish Third Party Applications in Wsus : http://wsuspackagepublisher.codeplex.com/

Ioannis Mallios's picture

I dont know the status of similar cases opened with Symantec for the same  issue, but in my case i have just received an email (a week after oppening the case) , to <<Collect the symhelp and TSE debugging logs>> and forward them to support

It seems that at least in my case, even if the problem looks the same like others in this thread , Support needs more information.. I'll post any progress here.

GD Sec's picture

Just opened a case with Symantec Support about the same issue.  This is being reported by others as well.  Supports advice at this time is to roll back to a previous version.  This is impacting 2003 and XP clients.  

.Brian's picture

Thanks for posting the link to this.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Schmoo's picture

FWIW,

I'm having the problem with all the clients I upgraded.  Turning off NTP fixes the problem but at least in my case, the firewall had nothing to do with it as it wasn't ever installed on the clients.

Also, this is not happening on all XP workstations - maybe 30%.

.Brian's picture

So only IPS component is installed and functioning?

This would seem to be a separate issue from the one described in this thread. I wuold suggest a support call.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Schmoo's picture

Might be a different issue but the symtoms and the fix are the same.  Disable NTP and life is good.

.Brian's picture

The only other piece of NTP would be the IPS so this could be something new.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

DLS91316's picture

This is ridiculous. Big company like Symantec is not fixing the problem quickly as we have not heard anything except "Symantec is aware of this problem and will update this document when a solution becomes available"

We are having similar problem as our XP machines connected to small business server 2008 running extremely slow after upgrading to SEP12.1.2. As many above suggested we are disabling NTP that is only solution for now. Symantec need to solve this problem now otherwise our trust on Symantec will go away and many of us (like me) will have to find alternate software.

Koosah's picture

The only reason you would have needed to go to mp1 would be if you had any of the issues that were fixed by the release. If you dont then just uninstall the affected machines and install ru2 and be done with it, then wait for the release. This is not affecting all XP machines so not everyone is even having the issue.

Symantec Technical Specialist

Please don't forget to mark which thread solved your issue!

Nimroid's picture

Any news? We're also facing the same problem on XP machines, so NTP is disabled. But it's not an elegant solution...

.Brian's picture

I would highly suggest opening a case and referring to this thread and this KB article:

http://www.symantec.com/business/support/index?pag...

It is being worked on.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

.Brian's picture

SameerU,

This is a known issue between the XP OS and SEP firewall. Take the time to read through the thread to know this before posting irrelevant questions.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SameerU's picture

Hi

Whether the slowness is specific to the Operating System

Regards

.Brian's picture

Yes, to XP only. Read the KB article about it:

Windows File Sharing slows on Windows XP with Symantec Endpoint Protection 12.1 Release Update 2 Maintenance Pack 1 installed

Article:TECH205741  |  Created: 2013-04-30  |  Updated: 2013-04-30  |  Article URL http://www.symantec.com/docs/TECH205741

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ioannis Mallios's picture

After sending the debug and symhelp logs to symantec i had the below answer from support by email:

<< Symantec is aware of this issue and an etrack has been created.Will escalate the case to the backline team.Refer the below document. http://www.symantec.com/docs/TECH205741 >>

.Brian's picture

This issue requires a product update in order to resolve. It is being tracked for next release. No further details.

It only affects SEP RU2 MP1 on Windows XP and Windows 2003 machines. Workaround is to either rollback to SEP 12.1 RU2 or remove or disable the firewall component.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

uplrichie's picture

This link is not working any more, http://www.symantec.com/business/support/index?page=content&id=TECH205741 Getting page cannot be displayed.

This is very annoying. Everytime we upgrade something major issue occurs. When we upgraded to Endpoint 11.0 all our file servers running windows 2008R2 went crazy.  Only last week we upgraded to 12.1.2 and now all our XP machines are very slow. Symantec needs to clean up their act or loyal customer like me will move on to other products

uplrichie's picture

Yes its working now, i hope they fix this over the weekend, i dont want to be grilled in the monday morning staff meeting

.Brian's picture

This will be fixed in a product release. No date has been announced.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Koosah's picture

This will not be fixed over the weekend. The build the fix is in is still in prebeta testing. If you need a solution now just uninstall the client and install the ru2 build or disable the firewall if you cannot uninstall them.

Symantec Technical Specialist

Please don't forget to mark which thread solved your issue!

Koosah's picture

Endpoint Protection is a great software and on the top of the game for protection. I hope all of you understand Symantec is doing what it can to resolve the issue and there are work arounds that you can do in order to stay protected and not be affected by this issue.

If you only have a few machines just uninstall the software and install the 12.1.2 client. The only reason you would need mp2 would be if it resolved a defect you were dealing with its not needed otherwise.

 If you have too many machines to perform this process you can choose to disable the firewall. You will want to make sure you have your perimeter firewall configured!

Symantec Technical Specialist

Please don't forget to mark which thread solved your issue!

Keym00's picture

Out of curiosity .. where could we obtain the release just before MP1 if we didn't have it already?  Our serial number only shows access to 12.1.2 MP1

Koosah's picture

I believe if you login to file connect and select 12.1.2 mp1 it will also contain the base 12.1.2 build. If you cannot find it you can pm me your serial and I can see if I can locate it and send you the directions.

Symantec Technical Specialist

Please don't forget to mark which thread solved your issue!

Keym00's picture

Yep .. sorry I just overlooked it

Out of curiosity .. if I remove the MP1 package from the group and apply the RU2 package, will the package auto deploy and group members automatically downgrade?  Or is it suggested that you manually remove MP1 from each client machine before installing/deploying the original RU2?  I'm guessing removing MP1 before deploying RU2 is the answer, but I thought I'd still ask since the manual removal involves touching each machine

Koosah's picture

It would look at the package and see that its older than what was installed and not install it. Removing the version before installing the old R2 would be the process you would need to do. If you want to automate it you could use sepprep to remove it before installing the new build and that could be deployed from the manager.

SepPrep

http://www.symantec.com/business/support/index?page=content&id=TECH148513

Symantec Technical Specialist

Please don't forget to mark which thread solved your issue!

Keym00's picture

Thank you for this .. this tool looks to be very useful and not just for the issue at hand.  Removing Norton and MSE are common practice before deploying SEP .. the automation of that process will come in handy

Koosah's picture

Yes, its a very good tool. The newer version of SEP has a thirdparty removal tool built in that can be deployed but i still like this tool better because of the versatility.

Symantec Technical Specialist

Please don't forget to mark which thread solved your issue!

AndrewIT's picture

i have this problem on every XP clients. my SEPM is on a server with win 2003 R2 SP2 -> it is affected by the problem
can we know when the problem will be resolved ?

.Brian's picture

It's being tracked for the next release. No date has been given yet.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Koosah's picture

Andrew,

If this is greatly affecting you I would recommend you use the below sep prep install tool to remove the existig client and install the previous 12.1.2 client. This should take about the same amount of time as an upgrade and will resolve your issue right now.

SepPrep

http://www.symantec.com/business/support/index?page=content&id=TECH148513

If you have any issues with the setup of this you can always ask for assistance or contact support.

Regards!

Symantec Technical Specialist

Please don't forget to mark which thread solved your issue!

Schmoo's picture

Anyone had any luck using the SepPrep tool?  I followed the instructions and when I run it on a client I get messages like "a later package is installed" or whatever and it closes.  I do have RemoveSymantec=Y set in the .ini file.

Well, nevermind.  I have a 3rd party remote uninstall program I'll use.

Keym00's picture

I was going to test this out on Wednesday, so I haven't given it a shot yet.  Did you make sure to rename setup.exe in your installation package to sepsetup.exe (or however you wish to reference it)?  Then you would want to rename SEPprep.exe (or SEPprep64.exe) to setup.exe.  Otherwise I would think it would run as an upgrade and thus give you the message you received.

Schmoo's picture

Yes, I followed the directions to the letter.  I'm using a different method now so will not be pursueing that avenue anymore.

Schmoo's picture

I very well could have screwed something up with the renaming.  I deleted everything so I can't go back and look.

Bobinazee's picture

I have to say that I am also seeing this on my Windows XP machines. But, Windows Vista and Window 7 are also showing higher ping rates than normal. It also affected my Windows Servers. After receiving complaints of slow response time from one of our file servers, we removed SEP and immediately saw significantly improved performance. 

I am now reverting to an earlier version of SEP.