
Some remote site GUP clients do not update virus definitions

Created: 11 Apr 2013 • Updated: 19 Apr 2013 | 17 comments
This issue has been solved. See solution.

Hello everyone,

I have had a serious problem since the first week of April.

We did some maintenance on the SEP 11 Management server last week and everything seemed to be fine after that.

But today I noticed that most of our GUP clients running on Windows 2003 Servers had not updated the virus definitions.

I tried to run the "luall -control" command on the GUP and it says download definition success.

I have tested all communication between the GUP and the Management server and all is OK.

Please help me.

with regards,

Tommy

W007's picture

Hello,

Look at this:

Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection (SEP)

Article:TECH104539  |  Created: 2008-01-01  |  Updated: 2011-09-15  |  Article URL http://www.symantec.com/docs/TECH104539

Look at this discussion:

https://www-secure.symantec.com/connect/forums/gup...

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Ambesh_444's picture

Hi,

Check this Article:

How to confirm if SEP Clients are receiving LiveUpdate content from Group Update Providers (GUPs)

http://www.symantec.com/docs/TECH97190

I would also suggest you check the articles below, which may interest you:

Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection (SEP)

http://www.symantec.com/docs/TECH104539

Group Update Provider(GUP): Sizing and Scaling Guidelines

http://www.symantec.com/business/support/index?page=content&id=TECH95353&locale=en_US

SEP Content Distribution Monitor / GUP monitoring tool

http://www.symantec.com/business/support/index?page=content&id=TECH156558

 

Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find the above information helpful or it has resolved your issue, please don't forget to mark the thread as solved."

SebastianZ's picture

Luall execution applies only to the SEP Client downloads - GUP itself does not use it.

- Is the "sharedupdates" folder on the GUP being populated?

- What did the "some maintenance" on the server involve? Any changes to the LU policies?

- Can you confirm the clients are still configured properly to ask GUPs for definitions?

- Collect sylink.log on one of the clients that's supposed to take updates from the GUP and does not do that:

http://www.symantec.com/docs/TECH104758

SameerU's picture

Hi

Please check whether you are able to telnet to port 2967.

Regards

Chetan Savade's picture

Hi,

Try the following steps

1) Compare the policy serial number on SEPM and at GUP machine.

A screenshot is attached for reference. The screenshot is taken from a SEP 11.x machine.

2) On the GUP machine check the Sharedupdates folder. Especially check the definitions dates.

3) In some cases it might require a reboot of the SEPM and GUP machine.

4) Try to repair the GUP SEP client through Add/Remove Programs.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

SameerU's picture

Hi

Can you please post the Sylink logs?

Regards

AjinBabu's picture

 

Hi,

Please follow the steps below:

1. Confirm the communication between the GUP and the client (default port is 2967).

2. Check whether the GUP is updating with the latest definitions.

3. Keep the Sylink logs from a client which is not getting updated.

4. Check the disk space of the GUP.

And keep us posted.

Regards

Ajin

 

Ambesh_444's picture

Hi Tommy,

Please let me know if your issue is resolved.

Thanks & Regards,

Ambesh

SameerU's picture

Hi

Can you please check whether port 2967 is opened bi-directionally?

Regards

ajhay.siingh's picture

Hi Tommy,

You can do one thing to cross-check whether your GUP system is receiving updates from SEPM. Inside the sharedupdates folder (which has the updates for clients), delete all the contents, or you can also delete the sharedupdates folder, if you have good bandwidth between SEPM and GUP; reconfigure the GUP IP on SEPM, and all packages will be recopied into the sharedupdates folder. If it is receiving updates from SEPM, it will then distribute updates to local clients as well. First check connectivity between GUP and SEPM, and the sylink of systems under the group on which the GUP is configured.

Regards,

Ajay Kumar singh

Regards,

Ajay Kumar Singh (Consultant- Information Security)

 

 

Tommy Myo Min Aung's picture

Hello Everybody,

Thank you very much for all of your responses. Today when I checked the Sylink logs, I noticed that DNS could not be resolved. Our management server is in Head office, let's say "EVAULT.abc.local", and the GUP Server is in a remote site, "GUP.rig.local", so they are in two different domains with no domain trust relationship.

The two sites are connected through MPLS VPN.

These are the detailed information and test results:

Management Server (named EVAULT): 172.20.0.17/24

GUP Server IP: 172.19.12.2/26

I tried to telnet from GUP to EVAULT 

telnet 172.20.0.17 8014 (OK)

telnet EVAULT 8014 (NOT SUCCESSFUL)

 

Then I manually added the EVAULT IP to one of the clients' hosts file and after that it got connected with the Management server and started downloading the virus definitions.

So I believe that it was a DNS issue, but the question is why did they stop working when they used to work with the same settings and configuration for the last two years.

I found that some of the clients that detected the management server by IP address had up-to-date definitions, and most of the clients which detected the Management server by server name have not been able to update to the latest definitions since March 26, 2013.

I have uploaded both sylink monitor logs and am waiting for your great support.

Thank you very much everybody.

with regards,

Tommy 

 

Attachment: GUP_Cannot_update.7z (22.55 KB)

Chetan Savade's picture

Hi,

Could you please update us on which maintenance tasks were performed on the SEPM server machine?

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Tommy Myo Min Aung's picture

Hello Guys,

One more question:

Is it possible that, when the client sends the <SendRegistrationRequest:>http://EVAULT:8014 [encrypted data] command, it always looks for the IP address, let's say "http://172.20.0.17:8014", instead of using the server name "http://EVAULT:8014"?

I want all SEP clients to look for the Management server in the following priority:

1) http://172.20.0.17:8014 (for Local/VPN Client)

2) http://203.81.71.222:8014 (for external clients, for example)

I don't want to go through my DNS or server name since we have so many remote sites with different AD and domains.

 

with regards,

Tommy
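
The manual telnet comparison described in this thread (IP reachable on 8014, server name not) can be scripted. The following is an added example, not part of the original thread or any Symantec tool: it pulls the server URLs out of Sylink log lines of the `<SendRegistrationRequest:>` form quoted above and reports, per endpoint, whether the failure is name resolution or TCP reachability. The function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Request form as quoted in the thread; real log lines may carry a prefix,
# which re.search tolerates.
URL_RE = re.compile(r"<SendRegistrationRequest:>\s*(https?://\S+)")

# Constructed sample input, modelled on the line quoted in the thread.
SAMPLE_LOG = [
    "<SendRegistrationRequest:>http://EVAULT:8014 [encrypted data]",
    "<SendRegistrationRequest:>http://172.20.0.17:8014 [encrypted data]",
    "<SendRegistrationRequest:>http://EVAULT:8014 [encrypted data]",
]

def endpoints_from_sylink(lines):
    """Return unique (host, port) pairs the client tried, in first-seen order."""
    seen = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))          # .hostname is lower-cased
        ep = (url.hostname, url.port or 80)
        if url.hostname and ep not in seen:
            seen.append(ep)
    return seen

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check(host, port, resolve=socket.gethostbyname,
          connect=socket.create_connection, timeout=3):
    """Classify one endpoint as 'ok', 'dns-failure' or 'tcp-failure'."""
    addr = host
    if not is_ip_literal(host):             # names must resolve before connecting
        try:
            addr = resolve(host)
        except OSError:                     # socket.gaierror is an OSError
            return "dns-failure"
    try:
        connect((addr, port), timeout).close()
    except OSError:
        return "tcp-failure"
    return "ok"

def diagnose(lines, **kw):
    """Map 'host:port' to its classification for every endpoint in the log."""
    return {f"{h}:{p}": check(h, p, **kw) for h, p in endpoints_from_sylink(lines)}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run on a client in the affected site, a `dns-failure` for the server name next to `ok` for the IP address matches the situation reported here.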

 

 

SebastianZ's picture

This can be configured by the Management Server lists:

Creating and assigning a management server list for a Symantec Endpoint Protection Manager

Article:TECH103175  |  Created: 2007-01-31  |  Updated: 2009-01-16  |  Article URL http://www.symantec.com/docs/TECH103175

Configuring a management server list

Article:HOWTO55402  |  Created: 2011-06-29  |  Updated: 2011-12-17  |  Article URL http://www.symantec.com/docs/HOWTO55402

...as per your recommendations create a management server list that specifies 172.20.0.17:8014 as the first priority SEPM server and under priority 2: 203.81.71.222:8014. This will mean that if the client cannot reach the first SEPM it will try to connect to the second one.

SameerU's picture

Hi

Please let me know if your issue is resolved

Regards

 

Tommy Myo Min Aung's picture

Hello Everyone,

Finally I have resolved this issue by the following:

1) Created a custom management server list that specifies 172.20.0.17:8014 as the first priority SEPM server and under priority 2: 203.81.71.222:8014, and assigned it to the relevant Group in SEPM.

2) As I explained before, when a client tried to connect to the Management Server, it could not resolve the server name "EVAULT", so I added the HOST A record in each site domain; then all the clients started to connect with the Management server and started updating from the GUP.

Honestly, I couldn't understand how it worked for more than two years with the previous Default Management Server setting, but anyway the problem has been resolved just by manually adding the HOST record in each individual remote DNS server.

Thanks everybody.

I will put this as a solution for this thread.

with regards,

Tommy

SOLUTION