Endpoint Protection


*Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)


  • 1.  *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 27, 2013 10:46 AM

    I'm having a rather odd issue.

    We have an installation with 170 endpoints, 15 of which show as "outdated", but have actually the most up-to-date virus definitions. These endpoints show as connected on the console.

    If I delete them, they register automatically afterwards, and now show as "updated", even though the server console still shows old virus definitions.

    If I send a remote command from the console, for example a scan, the client executes it, but the server never hears about it completing.

    Finally when I look at the syslog.log in the client, it doesn't have any entries saying that it connected to the server. It's almost as if it were not even trying...

    The SEPM is running 12.1.1000, as are the clients.

    I honestly don't know what can be happening. Does anybody have any clue?

    Thanks,

    Jaime



  • 2.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Broadcom Employee
    Posted Aug 27, 2013 10:48 AM

    look for the communication part in the sylink log



  • 3.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 27, 2013 10:49 AM

    Two things can help

    1) upgrade to 12.1.3 as it seems to be a common issue

    http://www.symantec.com/business/support/index?page=content&id=TECH206828

    Clients do not update definitions downloaded from Symantec Endpoint Protection Manager

    Fix ID: 2715989

    Symptom: After the clients come out of standby, the definitions do not update until after Symantec Endpoint Protection Manager restarts.

    Solution: Fixed so that LiveUpdate restarts after the client computer recovers from standby.

    2) 1. Browse to \Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agentinfo

    2. Look for any .err files or tmp files & Dat files

    3. If you find anything which is not processed by sepm then it might be the reason for the client data loss

    4. Stop SEPM services from services.msc 

    5. Delete all the files inside the location \Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\agentinfo

    6. Restart the SEPM services.

    Check the SEPM now; if the issue still persists, go to step 7.

    7. Run the Management server configuration wizard.



  • 4.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 27, 2013 10:50 AM

    Seems odd and I doubt each have corrupted defs.

    I would turn on sylink logging and let it run thru a few heartbeats and post the log here if you want it reviewed.



  • 5.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 27, 2013 10:54 AM

    1) Thanks Rafeeq, but that does not seem to describe my issue, unless I'm not understanding it correctly.

    2) I did all that, repeatedly, except step 7, as I'm afraid of breaking something by running the wizard. As I said, the behaviour is only on a few clients.



  • 6.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 27, 2013 10:58 AM

    under SEPM - admin - servers tab

    you can rebuild the indexes. can you run that to see if it completes successfully?

    similar issue with SEPM home tab

    Symantec Endpoint Protection Manager displays clients as offline even though the client is showing online



  • 7.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 27, 2013 11:17 AM

    The index rebuild completes, but the issue persists.

    I'm collecting the Sylink log on two machines, one that updates successfully in the console and another one that doesn't.

    Once I've compared and sanitized both (and removed protected company info) I will post the results.



  • 8.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 27, 2013 11:49 AM

    This is weird...

    In the machine that successfully updates, I find this sequence of events:

    08/27 17:08:40.838 [6636] <IndexHeartbeatProc>===UPLOAD STAGE===
    08/27 17:08:40.838 [6636] <PostEvent>going to post event=EVENT_SERVER_READY_TO_UPLOAD_EVENT_LOG
    08/27 17:08:40.838 [6636] <PostEvent>done post event=EVENT_SERVER_READY_TO_UPLOAD_EVENT_LOG, return=0
    08/27 17:08:40.854 [6636] <IndexHeartbeatProc>===PREPARE EVENT LOG STAGE===
    [stuff happens]
    08/27 17:08:40.869 [6636] <IndexHeartbeatProc>===COMPRESS EVENT LOG STAGE===
    08/27 17:08:40.869 [6636] <IndexHeartbeatProc>===SEND EVENT LOG STAGE===
    [more stuff happens]
    08/27 17:08:41.025 [6636] <mfn_PostApplication>===SEND EVENT_SERVER_REQUIRES_CLIENT_APPLEARNING ===
    [more stuff happens]
    08/27 17:14:02.305 [6636] HEARTBEAT: Check Point 8
    08/27 17:14:02.305 [6636] <PostEvent>going to post event=EVENT_SERVER_DISCONNECTED
    08/27 17:14:02.305 [6636] <PostEvent>done post event=EVENT_SERVER_DISCONNECTED, return=0

    While in the "wrong" machine I find this:

    08/27 17:12:31.508 [8448] <IndexHeartbeatProc>===UPLOAD STAGE===
    08/27 17:12:31.508 [8448] <PostEvent>going to post event=EVENT_SERVER_READY_TO_UPLOAD_EVENT_LOG
    08/27 17:12:31.508 [8448] <PostEvent>done post event=EVENT_SERVER_READY_TO_UPLOAD_EVENT_LOG, return=0
    08/27 17:12:31.524 [8448] <PostEvent>going to post event=EVENT_SERVER_DISCONNECTED
    08/27 17:12:31.524 [8448] <PostEvent>done post event=EVENT_SERVER_DISCONNECTED, return=0

    It goes from "ready to upload" directly to "server disconnect", without doing anything O_O

     


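The stage sequence quoted above can be checked mechanically across a whole log rather than by eye. The following Python script is an added example for this thread, not Symantec's code or the poster's: it parses lines in the Sylink layout shown in the excerpts and flags any upload phase that reaches EVENT_SERVER_DISCONNECTED without passing through the event-log stages; the two sample logs are constructed in that layout, not real client logs.

```python
"""Flag Sylink upload phases that jump from UPLOAD STAGE straight to EVENT_SERVER_DISCONNECTED."""
import re

# "MM/DD HH:MM:SS.mmm [thread] message", the layout of the lines quoted in the thread
LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}) \[(\d+)\] (.*)$")
# Stages the working client went through between UPLOAD STAGE and the disconnect
EXPECTED_STAGES = ("PREPARE EVENT LOG STAGE", "COMPRESS EVENT LOG STAGE", "SEND EVENT LOG STAGE")


def audit_upload_phases(log_text):
    """One dict per upload phase (UPLOAD STAGE ... EVENT_SERVER_DISCONNECTED), tracked per thread id."""
    records, open_phases = [], {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and anything that is not a Sylink log line
        ts, tid, msg = m.groups()
        if "===UPLOAD STAGE===" in msg:
            open_phases[tid] = {"thread": tid, "start": ts, "stages": []}
            continue
        rec = open_phases.get(tid)
        if rec is None:
            continue  # no upload phase in progress on this thread
        rec["stages"].extend(s for s in EXPECTED_STAGES if f"==={s}===" in msg)
        if "done post event=EVENT_SERVER_DISCONNECTED" in msg:
            rec["end"] = ts
            # The symptom in the post: the session closes with no event-log stage in between
            rec["skipped_upload"] = not rec["stages"]
            records.append(open_phases.pop(tid))
    return records


def threads_skipping_upload(log_text):
    """Thread ids whose upload phase disconnected without preparing or sending the event log."""
    return [r["thread"] for r in audit_upload_phases(log_text) if r["skipped_upload"]]


# Constructed samples in the shape of the two excerpts above (not real client logs)
HEALTHY_LOG = """\
08/27 17:08:40.838 [6636] <IndexHeartbeatProc>===UPLOAD STAGE===
08/27 17:08:40.854 [6636] <IndexHeartbeatProc>===PREPARE EVENT LOG STAGE===
08/27 17:08:40.869 [6636] <IndexHeartbeatProc>===SEND EVENT LOG STAGE===
08/27 17:14:02.305 [6636] <PostEvent>done post event=EVENT_SERVER_DISCONNECTED, return=0
"""
BROKEN_LOG = """\
08/27 17:12:31.508 [8448] <IndexHeartbeatProc>===UPLOAD STAGE===
08/27 17:12:31.508 [8448] <PostEvent>done post event=EVENT_SERVER_READY_TO_UPLOAD_EVENT_LOG, return=0
08/27 17:12:31.524 [8448] <PostEvent>done post event=EVENT_SERVER_DISCONNECTED, return=0
"""
```

Run `threads_skipping_upload` over the text of a full SylinkLog.txt to list the heartbeat threads showing the symptom; on the samples, the healthy log yields an empty list and the broken one yields ['8448'].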

  • 9.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 27, 2013 12:24 PM

    open sep interface

    help and support troubleshooting

    do you see your sepm server name or server offline?



  • 10.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 27, 2013 12:53 PM

    These seem to be client-side issues--it doesn't look like it's trying and failing... but rather, it's not trying at all to upload logs to the SEPM. Yet the client downloads content (and presumably policy changes, too) from the SEPM.

    Any differences between the SEP clients that upload logs as they should to the SEPM, and those that do not?

    • Different communication policies?
    • Different product versions?
    • Different operating systems?
    • Different SEP configurations (all components vs. AV and PTP only)?

    Just trying to figure out if there is anything that stands out, configuration-wise.

    sandra



  • 11.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 28, 2013 02:40 AM

    Both clients are Windows Server 2008 R2 SP1, SEP version 12.1.1000.157 RU1

    Both are in the same group in the manager and their Sylink.xml is exactly the same.

    When I export troubleshooting information the contents of the file are word-for-word equal (except the machine-dependent information of course). Same if I export the policy.

    The only difference between configurations seems to be that in the LiveUpdate configuration the one that works is configured to use Internet default settings but the one that doesn't has it configured explicitly (correctly it seems). Configuration is locked in both cases and provided by the installation (hmm, maybe they were installed with different installation packages?)

    If there's any difference it must be very hidden somewhere...



  • 12.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 28, 2013 02:50 AM

    Any proxy configured?

    the log is not complete, if you could post one complete heartbeat then it would be easy to look for session disconnect events.

    Did you check Help and Support - to see if that's showing server name or server Offline.



  • 13.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 28, 2013 02:52 AM

    Yes - it is showing.

    Where does the heartbeat begin and end? (So I can post one entire heartbeat).



  • 14.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 28, 2013 02:53 AM

    The proxy is configured, and this setup comes from the manager.



  • 15.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 28, 2013 03:07 AM

    Back up registry
    1. Click Start, and then click Run.
    2. In the Open box, type regedt32, and then click OK.
    3. Locate HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\.
    4. Right Click on Connections from the menu, click Export.
    5. In the Save inbox, select a location in which to save the .reg file, type a file name in the File name box, and then click Save

    Remove DefaultConnectionSettings & SavedLegacySettings
    1. Delete the following registry keys:
    HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
    HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
    2. Reboot the system.

    Heartbeat starts with Stage 1 (you can see that in the log)

    http://www.symantec.com/business/support/index?page=content&id=TECH104926



  • 16.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Broadcom Employee
    Posted Aug 28, 2013 03:13 AM

    post the entire log.



  • 17.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 28, 2013 03:55 AM

    OK, I'll note this down to try later (clients are servers - cannot reboot them now).



  • 18.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 28, 2013 04:07 AM

    Here are both logs. SylinkLog1 is the machine that works and SylinkLog2 is the machine that doesn't.



  • 19.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 28, 2013 05:17 AM

    Hi

    Request you to upgrade to SEP 12.1.3

    Regards



  • 20.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 28, 2013 06:25 AM

    I'd prefer not to, unless it's the only solution available.



  • 21.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 28, 2013 10:57 AM

    So does anybody see anything strange in the logs?



  • 22.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 28, 2013 11:39 AM

    Log looks fine apart from failing to upload the events. Did you reboot after deleting the registry?

    IE versions same on working and non working machine?



  • 23.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 28, 2013 11:43 AM

    I'm pretty sure they are, although, I'll check.

    I haven't been allowed to reboot them yet - will check when I can.



  • 24.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Aug 28, 2013 12:28 PM

    It is possible there may be duplicate HWIDs in the environment, I have seen this throw off reporting in the SEPM before. Below is documentation on how to identify any possible duplicate IDs in your environment.

    http://www.symantec.com/docs/TECH163349



  • 25.  RE: *Some* clients are not updating their information on the SEPM but appear as connected (and update themselves correctly)

    Posted Nov 27, 2013 05:04 AM

    Bump... The problem still exists, but in some cases it was resolved by rebooting the server. But we cannot reboot servers indiscriminately, and just rebooting the SEP service is no use. Is there any service that is known to help if restarted?