Video Screencast Help
Give us your opinion and win with Symantec! Please help us by taking this survey to tell us about your experience with Symantec Connect, so that we can continue to grow and improve.  Take the survey.

Slow network after upgrading to Endpoint Protection 12.1.2 MP1from previous version

Created: 16 Apr 2013 | 147 comments

We have all options installed on our clients. with the previous version (prior to 12.1.2 MP1) our LAN network worked fine. we were able to run our ERP software which resides on our domain controller.

After upgrading SEPM to the latest version, it sent upgrades to all clients & servers on our network. after which, we have difficulties running our ERP software.

after several hours of checking, found that when i disable Network Threat Protection, the ping time to our domain controller is 1ms. when the NTP is activated, the ping time is 54ms.

after googling around & still could not find solution for what may have gone wrong, i have disabled NTP on all our XP workstations. the surprising fact is that this network slowness only affects XP PCs & not Win7 PCs or Servers.

My setup is as follows:

All servers have basic protection. ie. Antivirus & proactive Threat protection.

All clients have full protection. ie. all options.

what after upgrade is causing my ERP software to work very very slowly (after one click, we have to wait for 1min or so). whereas other network based software like browsing internet, email client IM etc works properly.

I have also added our ERP application to exception list but of no use.

Guys please help me as this is the first time in 4 years that i have such issues with SEP.

regards SRI.

Operating Systems:

Comments 147 CommentsJump to latest comment

dee mcclanahan's picture

Ok, silly question, how do I disable the NTP?  I go to Clients, select Clients tab, right click on a workstation and select Disable Network Threat Protection.  But after 5 minutes it is re-enabled on the system.

Information appreciated.

dee mcclanahan's picture

Doing it that way, the NTP is re-enabled within about 5 minutes.  Is it from under the policies tab of CLIENTS... then Location Settings, Server Control, Server Settings, then "Amount of time bfore re-enabling NTP"

Brɨan's picture

Yes, you need to adjust that time.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Schmoo's picture

I've found that doesn't always work and when it does, only works for a short period or until the client reboots.  Also disabling NTP at the policy level and refreshing the policy on the client doesn't work either.

The only thing working for me is uninstalling the client from the workstations and pushing out the previous version of the client.  You also need to configure the server to NOT automatically update the clients assuming you leave the server on the broken release which I am doing.

Justin Dybedahl's picture

Koosah, while SEP is a great product and all, just like every Symantec product lately, Symantec fails at QA testing.  There seems to be no QA testing done on this product as this is the SECOND time that I will probably have to roll back to 11.x on 1,500+ clients because of a NTP issue.  My first issue was with the dial-up freeze bug and XP.  That took 9 months for Symantec to get off it's lazy bum and provide a fix. This is NOT ACCEPTABLE.  I hear all these great things about SEP 12.x and how it's loads better than SEP 11.x but how in gods name can I upgrade when the product is riddled with bugs that prevent me from upgrading?  Pretty soon, I'm wanting to bet that my management brings the hammer down, says enough is enough, and we switch to something else.  If this is scheduled for RU3's June release, that is beyond rediculous.

Brɨan's picture

My two cents worth but when a new release, specfically an RU, comes out, I sit on it for 2-4 weeks tp see what issues/bugs appear. I've never upgraded to an MP and never will unless a specific issue I'm seeing is fixed. Hasn't happened to this point with either 11.x or 12.1.

I also have the luxury of having a test environment but I realise that many, if not most companies do not have this luxury. I found this bug within an hour of being notified a new release was out, downloading, and upgrading my test environment. I knew it was going to cause some huge headaches.

I guess my point is to test before deploying if you can. Even if you upgrade the production SEPM, you can deploy to a small mix of clients before uprading the rest of the environment. Perhaps full trust is being out into the product that it is defect free?

I certainly have no clue on other coporations procedures and policies but I know mine. If didn't test before deploying and an issue was found, I would be looking for another job. But as I said, I have the luxury of a test environment.

I'm just curious as to how others handles this? It seems that when a new release is out, some just upgrade immediately (no testing). At least I've seen a few on the forums with this mentality...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Hepco_EJP's picture

I'd love to have a test environment!  Unfortunatley no chance of that at present.

What I tend to do is to upgrade a small selection of machines, generally my department.  They all sit next to me and we can fix any issues that arise pretty quickly.  This time I also used some VMs to test on.  2 of the machines upgraded were XP and showed the symptons straight away, the other w7 machines, are of course fine.

I will be interested to see what fix Symantec come up with, as I believe its a problem with the Teefer2 driver. 

Tom.T's picture

Just wanted to chime in on this thread that we're having the same issue here at our location.

All of a sudden Access applications located on one of our file servers started running very, very slowly.

Didn't change anything in the database, the only thing that changed was we upgraded SEP.

Anyway, found this thread and disabled NTP on our file server and now everything is fine.

I hope Symantec addresses this issue as to not have NTP running on our most important server due to a performance hit kind of defeats the whole purpose of Endpoint.

Very annoying.

indecision

AndrewIT's picture

there is another problem with win 7 clients (i think win 8 also)

if you want the SEP icon near the clock (bottom dx on the application bar) and you do the right setting, after a reboot you lose this and you have to do it again

ddorton's picture

I am having the same issues with XP and Windows 7 clients logging into a 2003 32bit server.  Withdrawing the firewall policy helped.

What is the best method to revert to the previous version on the server and all client computers?

John Santana's picture

So when this issue going to be fixed ?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Brɨan's picture

Slated for RU3 last I heard.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

John Santana's picture

Thanks Brian !

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

hndygmc's picture

I am experiencing the same problems described throughout this thread.  Upgraded to 12.1.2100.2093 client and all applications appeared to work fine with the excption of our main application, which is an ACCESS and SQL combination.  This application slowed to an absolute crawl.

After uninstalling and reinstalling, researching on the net, I removed the firewall and on the first few machines it appeared to fix the problem, but it returned.  I finally disabled the Proactive Threat Protection on all the PC's (all xp sp3) and all is well.

It is hard to believe that Symantc was not aware of this issue b4 releasing this version and that it has not been fixed yet.  It isn't like this is a free piece of software.

Brɨan's picture

Haven't seen PTP come into play with this issue so it may be something new. May need to call support if you have time.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

The Issue is similar to the Symantec Known issue with SEP 12.1 RU2 MP1. The issue would be resolved in the upcoming new release SEP 12.1 RU3.

Network performance slows on Windows XP with Symantec Endpoint Protection 12.1 Release Update 2 Maintenance Pack 1 installed

http://www.symantec.com/docs/TECH205741

To work around this problem, use one of the following:

1) Disable / Uninstall the Network Threat Protection firewall on affected computers.

Here's the command to disable NTP via command line:

To disable NTP: smc -disable -ntp

and

To re-enable NTP: smc -enable -ntp

If the SEP client UI is password protected:

smc -disable -ntp -p <password>

To Uninstall the NTP feature:

Please Create a custom package (with NTP feature) and assign the Auto-Upgrade package to the groups. For the steps, check these Articles:

http://www.symantec.com/docs/TECH164754

http://www.symantec.com/docs/HOWTO80780

NOTE: A restart of the client is required to uninstall NTP completely.

2) Withdraw the Firewall policy in the Symantec Endpoint Protection Manager (SEPM) for groups containing affected computers.

  • Login to the Symantec Endpoint Protection Manager (SEPM).
  • Click Clients and select the Client group containing the clients you wish to disable the firewall on.
  • Click the Policies tab.
  • For each of the locations you wish to disable the firewall:
  • Click Tasks>Withdraw Policy Next to the Firewall policy.

3) Migrate affected computers to Windows Vista or higher.

4) Revert affected computers to the a previous version of the SEP client.

I would suggest you to create a Case with Symantec Technical Support and PM me the Case #.

How to create a new case in MySymantec (formerly MySupport)

http://www.symantec.com/docs/TECH58873

Regional Support Telephone Numbers:

  • United States: 800-342-0652 (407-357-7600 from outside the United States)
  • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
  • United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

RamaG's picture

We are upgrading to this MP1 version (12.1.2.1) specifically because it is a Maintenance Patch of the RU2 and supports Windows 8 and Win Server 2012, and we use the NTP extensively (please don't suggest to turn it off). The SEPMs upgraded without an incident. The clients not so much.

Test Results:

1. Definitely affects XP. Just tested on a variety of workstations, pings and file transfers were down to a crawl.

2. Someone mentioned Windows server2003 is also affected, although the KB article doesn't mention it. Can anyone confirm Server 2003 is also affected by this release? I'll do my own testing, and post results here soon.

3. No issues observed with Win 7.

4. Can't even install the client on vanilla Win 8 logged on as admin!!, it rolls back when it comes to "Installing content" stage (manual install, full protection). Anyone had this issue?

5. Havent tested on Server 2012 yet,will test and post result.

This is getting a bit annoying. Very average QA by Symantec on this one. Hope it is sorted out soon.

Brɨan's picture

The KB references xp/2003 clients. I take 2003 to mean server 2003.

For Windows 8, see this KBA for a possible reason.

Symantec Endpoint Protection client fails to install to recently updated Windows 8 computers

padding: 1px;padding-bottom: 3px ;font: 12px Arial; text-align: left;">Article:TECH203996 padding: 1px;font: 12px Arial; text-align: left;"> |  padding: 0px;font: 12px Arial; text-align: left;">Created: 2013-03-18 padding: 1px;font: 12px Arial; text-align: left;"> |  padding: 1px;font: 12px Arial; text-align: left;">Updated: 2013-05-15 padding: 1px;font: 12px Arial; text-align: left;"> |  padding: 1px;font: 12px Arial; text-align: left;">Article URL http://www.symantec.com/docs/TECH203996

Try disabling windows defender and remove KB2781197 and try installing SEP again

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

RamaG's picture

Thanks Brian,

One of the client installer screens recommends disabling Windows defender, and has a checkbox to disable it.

Will try manually.

John Santana's picture

AN please let us know how you go here RamaG

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

andrewparkes's picture

So it is yet another release of SEP that seemingly lacks any sort of quality testing. I had planned to upgrade today/tomorrow, glad I found this. Certainly will not be upgrading.

Its about time symantec actually tested these products properly instead of releasing them full of errors. Whilst they are at it, it might be an idea to improve their so called technical support a bit to, as thats equally as bad as their testing abilities!

RamaG's picture

Further to my previous post, following are the test results for SEP 12.1.2.1 (RU2MP1) client with full protection on vanilla OS.

Tests: Record ping times to gateway, record time to copy a large file (~250mb) to the client workstation. (Isolated test network with very low/controlled activity).

Process: Run tests before Installing client. Run tests after installing client. Repeat tests with client installed but disabled.

Observations:

Windows 7 64bit, Windows 8 workstation enterprise 64bit, Windows Server 2008 enterprise edition 64bit, Windows Server 2012 evaluation edition 64bit: No adverse network performance observed with SEP installed/enabled, No change to ping times, the copy times increase by a minute or so, throughput decreases by a few KB.

Windows XP SP3, and Windows Server 2003 R2 Ent edition 32/64 bit: As confirmed by Symantec, Adverse network performance was observed: Ping times increased from <1ms to 20+ms, File copy times almost doubled with SEP installed/enabled. The moment you disable the client, ping returns to <1ms and copy times return to expected values. Repeatedly performed enable/disable and the result is consistent.

These are the OSes we have/will have in our environment hence only tested these.

We will NOT be deploying the latest RU2MP1 client to XP and Win 2003 as RU1MP1 works quite well on them.

We are happy with RU2MP1 client performance on Win7, Win8, Server 2008, Server 2012.

Understandably we'll have a few versions of clients on the network, but hopefully one version across the network in future. Our GUPs are XP, will have to move the role to Win7 machines. Hope XP and server 2003 is gone from the network soon.

At least we now know where we stand with this version :-).

dee mcclanahan's picture

Would you please describe how one might tell the MP version?  I'm seeing alot of MP1 and MP2 and RU2... etc. in the comments above.

All I see on my SEPM is "12.1.2015.2015".

Brɨan's picture

12.1.2015.2015 is RU2

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

dee mcclanahan's picture

Thank you Brian for replying, but how does "12.1.2015.2015" translate to RU2?  Is it the first "2015", or the second?  I'm assuming that it isn't the "1" following the 12.

What does the "1" signify?  Is that the MP1 people are referencing?

Brɨan's picture

12.1.2015.2015, the 12.1 means SEP 12.1. The numbers after show the versions.

RU2 is also known as 12.1.2 or 12.1.2015.2015

RU2 MP1 = 12.1.2100.2193

There probably is some madness behind it that Symantec can explain better but I just look at the first 3 digits in the version number to get an idea of what it's at.

This KBA shows the ones previous to RU2:

What are the version numbers available for the Symantec Endpoint Protection Client and Manager 12.1?

padding: 1px;padding-bottom: 3px ;font: 12px Arial; text-align: left;">Article:TECH188174 padding: 1px;font: 12px Arial; text-align: left;"> |  padding: 0px;font: 12px Arial; text-align: left;">Created: 2012-05-07 padding: 1px;font: 12px Arial; text-align: left;"> |  padding: 1px;font: 12px Arial; text-align: left;">Updated: 2012-05-07 padding: 1px;font: 12px Arial; text-align: left;"> |  padding: 1px;font: 12px Arial; text-align: left;">Article URL http://www.symantec.com/docs/TECH188174

Not sure why it hasn't been updated to the latest....

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Brɨan's picture

Release notes are out for 12.1 RU3

Symantec™ Endpoint Protection, Symantec Endpoint Protection Small Business Edition, and Symantec Network Access Control 12.1.3 Release Notes

padding: 1px;padding-bottom: 3px ;font: 12px Arial; text-align: left;">Article:DOC6549 padding: 1px;font: 12px Arial; text-align: left;"> |  padding: 0px;font: 12px Arial; text-align: left;">Created: 2013-05-31 padding: 1px;font: 12px Arial; text-align: left;"> |  padding: 1px;font: 12px Arial; text-align: left;">Updated: 2013-05-31 padding: 1px;font: 12px Arial; text-align: left;"> |  padding: 1px;font: 12px Arial; text-align: left;">Article URL http://www.symantec.com/docs/DOC6549

I don't see this issue listed in the fix notes. Can someone verify that I'm not missing it?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

dee mcclanahan's picture

Heh.

Which means, it has not been fixed in this version.  Oh well, so much for caring about customers.  I'm actually hoping that this was due out for a while now and the fix for this current issue will be done as a hotfix. You know.. because the issue is SO URGENT!

Brɨan's picture

I'm hoping I just missed it in the release notes...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

RamaG's picture

Pay attention to release notes people!, It's one of the top three issues fixed including Windows 8 installation issue.

Page 7:

New fixes and enhancements in Symantec Endpoint Protection 12.1 Release Update 3 (12.1 RU3):

http://www.symantec.com/business/support/index?pag...

Extract from the link:

Network performance slows on Windows XP with Symantec Endpoint Protection 12.1.2 MP1 installed

Fix ID: 3180923

Symptom: Computers experience network performance problems when the Network Threat Protection (NTP) firewall component of the Symantec Endpoint Protection 12.1.2 MP1 client is installed and enabled. Symptoms include:

  • Copying files from a network location over Windows File Sharing takes significantly more time.

  • Programs that are started from a network share take significantly longer to load.

  • Ping responses take longer to return.

Solution: Modified the firewall to call the correct notification routine for Windows XP.

I can't see 12.1.3 on fileconnect yet, but when it becomes available, I'll test and report.

Brɨan's picture

Good to know. First time I've seen this particular link.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SMBgurus's picture

Where are people finding the RU3 release as I do not see it on fileconnect either and I am a partner and Endpoint certified and do not see it under either the client acccount or Partner account.

Brɨan's picture

Not out yet, should be within the coming days though.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Brɨan's picture

This has been fixed in 12.1 RU3. I've been testing and it looks good.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

dee mcclanahan's picture

Thank you Brian, that is good to hear.

Would you mind telling us how\where we might be able to get ahold of this new version?

Did you have to call to get it?

Justin Dybedahl's picture

You should be able to download it from the FileConnect portal.   I had to call in because it wasn't showing for me.  They gave me a temporary serial number so that I could download it.  So far I can confirm that this fixes the issue at hand.  This time I'm going to slowly roll this out and hope for the best.

Brɨan's picture

It came up on FileConnect for me.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Justin Dybedahl's picture

It would have for me too but it seems that since we have licensing for Protection Suite (which includes SEP), Symantec delays it for those customers a couple of days.  Well according to what I was told by Symantec that is.

M_P_'s picture

I've several SEP serials, but none, at present time, let me see (and download) the latest release!...

megamanVI's picture

Do you have access to a ver 11.x client install? I would try removing 12.x and put 11.x on. That seems to work a lot better in some cases like this.

Brɨan's picture

No need. It's fixed in 12.1 RU3.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ioannis Mallios's picture

I had to ask for a temp SN from support to be able to download 12.1.3 .

After initial test problem for slow xp machines with 12.1.2 seems to have been solved.after upgrading the client to 12.1.3

Unfortunately now i have a different problem in my upgraded server with Live Update not downloading new definitions.(error in revocation data)

I'm not sure if this is an issue with 12.1.3 or it has something to do with the fact that i'm using a trial licence

Anyway, i had to open another case with symantec for this new issue devil

dee mcclanahan's picture

Well, don't think it is related because my 12.1.2015 has stopped auto-updating as well.  Our "liveupdate" button used to be greyed out for the users.  Now it is not and it is not auto-updating for the last couple of days.

SameerU's picture

Hi Brain

At one of our customer we have facing the same issue and we upgraded as per your suggestion in the link.

Still the issue persist.

Regards

Brɨan's picture

The issue has been fixed in RU3

Call support if you still experience it.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

M_P_'s picture

Hi to all,

now I can see 12.1.3 available on FileConnect, BUT, Symantec folks, note

the field "Available date "(Jun 2011) is WRONG!!!

roberto021781's picture

you need to replace your windows xp to windows 7 if your computer reach the specipecation for that windows. I try all ready that in my client after i install the endpoint 25. One of the program very slow acess in the data base both SQL and access. then i format and replace the windows then its ok now very fast.

SameerU's picture

Hi

Have you got a chance to upgrade to SEP 12.1.3

Regards

HansZ's picture

+1 I agree, problem is still existing, very bad

Windows 7 > copy a 3GB ISO file to an ESXi datastore on the local network is taking 1 HOUR!

NTP off > same file takes ~3 minutes

Symantec, will you fix this?

jl80's picture

This issue exists in Windows Server 2008 R2 as well.  Same issue in 12.1.3 and 12.1.4 as well.  Very frustrating.

hforman's picture

In case anyone is still working on this:  12.1 RU2 MP1 introduced a problem with the firewall: teeferx.SYS.  If you install 12.1.3 (12.1 RU3). The problem will go away provided that you are installing the master server ANd the clients including the NTP/FIREWALL component.  If the teefer driver does not get updated when you upgrade, this will not help.  Updating the master alone will not do a thing.

HansZ's picture

hforman: this is interesting but I do not get your recommendation.

Master server? This is always the first place will get the update anyway. From there I initiate the client updates with the client packages included in the update of SEPM. Can you please explain this a bit more clearly, thank you.

I just realize now, why there are many SEP installations in the wild that have only the AV module installed...