Endpoint Protection

I've had this issue a few times over the past couple of weeks and on multiple devices.  I am running 11.0.6300 on all my devices.  The GUPs are Windows 2003 servers and they are also set to be unmanaged detectors.

I get calls from users saying that they can't get connected to the server and when I run netstat, I see hundreds of established connections between the GUP and the SEPM server.  Running the netstat with the "-b" switch shows that the executable is SMC.exe.  Below is a small sample of the results of netstat.  During this particular netstat collection, there were almost 1,600 connections to the SEPM server, going up to TCP port number 4998.  When this happens, the connections stop at port 5000.

It appears that the server is overwhelmed with these connections and will not respond to any network requests - mail, shared folders, pings, etc.  After 5 - 10 minutes the server will respond again, however the connections to the SEPM are still established and within 30 minutes, the server will appear offline again.  Shutting down Symantec will get the server to respond normally again, however once Symantec is turned back on, within a few minutes it is again unresponsive.  The only way to completely resolve the issue is to reboot the server, after which everything is fine for days until it happens again.  I should mention that during these times, CPU and memory use are normal - it is only the number of TCP ports in use that is abnormal.

There doesn't seem to be any warning as to when it will happen, either.  After it happened the first time, I manually checked the server for a couple of days after and would see only 3 - 5 connections to the SEPM.  Then one day, users called and it was back up in the 1,000+ connections range. 

As I mentioned, this has happened on multiple servers, however for most of them, a reboot about a week ago fixed the issue and is has not reappeared.  On one particular server, this is happening every couple of days.  When this happened to that same server again today (948 connections), I checked one of the servers that I previously had this same issue with and had been rebooted 7 days ago - that server showed 6 connections to the SEPM server

Anyone know what's going on here and how to resolve?

Thanks!

for the communication settings ?

Push.

What happens if you disable the unmanaged detector feature?

Funny you should mention that - I was just about to update this thread that I was turning that off to see if it makes any difference.  Of course, with the inconsistency as to exactly when the problem occurs, I'm probably just going to need to wait a few days or more to see if it comes up again.

Hello Jamie,

What is the handle count for SMC.exe when this problem is occurring (or starting to occur)?  Is it more than around ~700?

It sounds to me you're seeing this issue here.

• The handle count for SMC.exe continually increases for an Endpoint Protection 11.0 RU6 MP3 Group Update Provider.
• http://www.symantec.com/docs/TECH157788

I've dealt with multiple customer who have run into this issue. I've never noticed the excessive connections from SMC.exe to the SEPM, but then again I've never looked for that.

If I hear from a customer "My computer which is a GUP and running SEP version 11.0.6200, 11.0.6300, or 11.0.7000 becomes unresponsive until I restart it or stop and start SMC.exe or restart the computer" then I automatically assume you're experiencing this issue and ask them to test RU7 MP1.

I suggest testing the RU7 MP1 on a couple of the affected machines. I suspect it will fix the problem.

Regards,

James

Hi James,

Thanks for the response.  I hadn't checked the handle count when I was seeing the problem.  I've been monitoring it for the past hour or so and it's been hovering around 900.

It does sound like a similar issue, although my GUPs are not servicing anywhere near the "several thousand" clients as mentioned in the KB article - it's roughly 100 clients at my largest facility.

Upgrading to RU7 MP1 is worth a shot though, so I am downloading it now.  Again, since we haven't noticed any precursor to the problem popping up, I'll probably just have to play the waiting game to see if it happens again in the next week or so.

-- Jamie

Hi Jamie,

Sounds good.

Let us know how the upgrade goes and then your results after monitoring for several days.

Regards,

James

One of my other machines that had previously had the issue pop up again today (not the same server that was rebooted yesterday).  I was able to confirm that the handle count was elevated (around 1500).  This coincided with the number of TCP connections being elevated as well, so I definitely think the upgrade to 11.0.7 MR1 will solve the problem.

I will update again in a week, unless I see the problem again before then.

Hi Jamie,

Yep. I agree. You're experiencing the problem.

Let us know once you've tested RU7 MP1 and monitored to ensure it corrects the issue.

Regards,

James

Well, it's been about a week since I've update the servers to RU7 MP1 and I have not had this issue come up again, so I think it's safe to assume that this is resolved.

Thanks again for your help.

Glad to hear it's fixed!

Regards,

James