Endpoint Protection

  • 1.  Trouble with GUP clients

    Posted Jun 09, 2009 10:19 PM
    Hi Guys,
    I'm having trouble with my GUP clients at a state office not getting updates.

    Current setup:
    I am running SEP MR4
    The local file server is the GUP and the server at head office is the SEPM (Connected via VPN)
    The GUP machine never has trouble getting the latest defs; however, GUP clients are having trouble getting definitions.
    The SEPM Group contains all state office clients and the GUP is in the same group.
    The LU policy specifies to use a GUP - bypassing after 8 hours (don't really ever want to bypass)
    I have confirmed the client, GUP and SEPM are all set to the same policy revision (no issue with obtaining policies from the server).

    Please note: the GUP is 10.0.43.1 - no firewall
    The clients can telnet to the GUP on port 2967 and port 80
    The clients can connect to http://<SEPM>/secars/secars.dll?hello,secars  - OK


    I have enabled sylink debugging on a state office client (not the GUP) and restarted the SEP service (smc -stop/start) and have noted some interesting issues in the sylink output:

    06/10 10:55:22 [2196] <LUThreadProc>Starting LU download.
    06/10 10:55:22 [2196] <LUThreadProc>Got a valid context from GetCurrentServerEx
    06/10 10:55:22 [2196] <LUThreadProc>Setting the session timeout on LUSession to 2 min.
    06/10 10:55:22 [2196] <mfn_MakeGetLUFileIISUrl:>Requested Content Path is: /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/90609022/Full.zip
    06/10 10:55:22 [2196] <GetLUFileRequest:>IIS URL: /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/90609022/Full.zip
    06/10 10:55:22 [2196] <GetLUFileRequest:>http://10.0.43.1:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/90609022/Full.zip
    06/10 10:55:22 [2196] <GetLUFileRequest:>NEW download: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF6.tmp
    06/10 10:55:22 [2196] <UpdateLUFileList:>Updating existing Download File List with : {C60DC234-65F9-4674-94AE-62158EFCA433}90609022
    06/10 10:55:22 [2196] <UpdateLUFileList:>Updating existing Download File List Temp file name from: to C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF6.tmp
    06/10 10:55:38 [3260] <CSyLink::mfn_DownloadNow()>
    06/10 10:55:38 [3260] </CSyLink::mfn_DownloadNow()>
    06/10 10:55:41 [2196] <GetLUFileRequest:>Send Request failed.. Error Code = 12029
    06/10 10:55:41 [2196] <ParseErrorCode:>12029=>The attempt to connect to the server failed.
    06/10 10:55:41 [2196] <GetLUFileRequest:>IIS return=0
    06/10 10:55:41 [2196] <ParseErrorCode:>12029=>The attempt to connect to the server failed.
    06/10 10:55:41 [2196] <GetLUFileRequest:>COMPLETED
    06/10 10:55:41 [2196] <LUThreadProc> - GETLUFILE_CONNECTION_ERROR getting content moniker: {C60DC234-65F9-4674-94AE-62158EFCA433}; revision: 90609022 from server: 10.0.43.1
    06/10 10:55:41 [2196] LU file download failed due to HTTP error:0
    06/10 10:55:41 [2196] <CExpBackoff::Increment()>
    06/10 10:55:41 [2196] Backoff index incremented
    06/10 10:55:41 [2196] Backoff wait index: 1
    06/10 10:55:41 [2196] </CExpBackoff::Increment()>
    06/10 10:55:41 [2196] <CExpBackoff::Wait()>
    06/10 10:55:41 [2196] CExpBackoff wait time in seconds: 32
    06/10 10:56:11 [2196] </CExpBackoff::Wait()>


    It appears to try this 3 times, each time doubling the backoff wait time to 64 and 128, with the same errors each time. Then this happens:


    06/10 10:57:51 [2196] CExpBackoff wait time in seconds: 128
    06/10 10:58:34 [3260] <CSyLink::mfn_DownloadNow()>
    06/10 10:58:34 [3260] </CSyLink::mfn_DownloadNow()>
    06/10 10:59:33 [3260] <CSyLink::mfn_DownloadNow()>
    06/10 10:59:33 [3260] </CSyLink::mfn_DownloadNow()>
    06/10 10:59:53 [2196] </CExpBackoff::Wait()>
    06/10 10:59:53 [2196] SyLinkDeleteConfig => Deleting instance: 019F5600
    06/10 10:59:53 [2196] <IsLUTempFileValid:> File: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF6.tmp is currently used
    06/10 10:59:53 [2196] <IsLUTempFileValid:> File: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF7.tmp is currently used
    06/10 10:59:53 [2196] <IsLUTempFileValid:> File: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF8.tmp is currently used
    06/10 11:00:32 [3260] <CSyLink::mfn_DownloadNow()>
    06/10 11:00:32 [3260] </CSyLink::mfn_DownloadNow()>
    06/10 11:00:52 [2196] SyLinkCreateConfig => Created instance: 019F5600
    06/10 11:00:52 [2196] Importing ConfigObject: 01A8FE78 into: 019F5600
    06/10 11:00:52 [2196] <LUThreadProc> Got ConfigObject to proceed the operation.. pSylinkConfig: 019F5600
    06/10 11:00:52 [2196] <LUThreadProc>Starting LU download.
    06/10 11:00:52 [2196] <LUThreadProc>Got a valid context from GetCurrentServerEx
    06/10 11:00:52 [2196] <LUThreadProc>Setting the session timeout on LUSession to 2 min.
    06/10 11:00:52 [2196] <mfn_MakeGetLUFileIISUrl:>Requested Content Path is: /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/90609022/Full.zip
    06/10 11:00:52 [2196] <GetLUFileRequest:>IIS URL: /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/90609022/Full.zip
    06/10 11:00:52 [2196] <GetLUFileRequest:>http://10.0.43.1:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/90609022/Full.zip
    06/10 11:00:52 [2196] <GetLUFileRequest:>RESUME download: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF6.tmp
    06/10 11:00:52 [2196] <GetLUFileRequest:>@@@@@@@@@ LU DEBUG ONLY- Download file failed due to wrong file size.
    FileName:C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF6.tmp Expected file size: 50642232 Actual file size: 0
    06/10 11:00:52 [2196] <GetLUFileRequest:>COMPLETED
    06/10 11:00:52 [2196] <LUThreadProc> - GETLUFILE_WRONG_FILE_SIZE_ERROR getting content moniker: {C60DC234-65F9-4674-94AE-62158EFCA433}; revision: 90609022 from server: 10.0.43.1
    06/10 11:00:52 [2196] LU file download failed due to HTTP error:0
    06/10 11:00:52 [2196] <CExpBackoff::Increment()>
    06/10 11:00:52 [2196] Backoff index incremented
    06/10 11:00:52 [2196] Backoff wait index: 4
    06/10 11:00:52 [2196] </CExpBackoff::Increment()>
    06/10 11:00:52 [2196] <CExpBackoff::Wait()>
    06/10 11:00:52 [2196] CExpBackoff wait time in seconds: 256


    This happens 3 times for LUF6 - LUF7 and LUF8
    The C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate folder on the client (not the GUP) trying to update has a single LUF6.tmp file of 0 bytes in it.

    I am not sure what the problem is here. On the Group Update Provider, 10.0.43.1, the Shared Updates directory is populated with a number of files including one labelled:
    "#content#{C60DC234-65F9-4674-94AE-62158EFCA433}#90609022#xdelta90608051!dax" - 301KB - which was published today.  Numerous references are made to this file in the Sylink log above.

    Can anyone who has expertise in these debug logs please let me know if there is anything I can check to get this working.
    This is happening on numerous PCs.

    Thank you very much.


    Edit:
    I have discovered this:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008040113243148

    Which has a section clearly showing my error logs under the heading:
    "Below is what you will see in the Sylink if the GUP is off line:"

    I am not sure how it believes the GUP is offline...
    Investigating...still hoping for some tips guys.
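
An added example, not part of the original post or any Symantec tool: a small Python triage script that summarises LU download failures in Sylink debug output, run here over an excerpt of the lines quoted above. The function name `triage` and the summary keys are assumptions made for illustration.

```python
import re
from collections import Counter

# Excerpt of the Sylink debug lines quoted in the post above.
SAMPLE = r"""06/10 10:55:22 [2196] <GetLUFileRequest:>http://10.0.43.1:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/90609022/Full.zip
06/10 10:55:41 [2196] <GetLUFileRequest:>Send Request failed.. Error Code = 12029
06/10 10:55:41 [2196] <LUThreadProc> - GETLUFILE_CONNECTION_ERROR getting content moniker: {C60DC234-65F9-4674-94AE-62158EFCA433}; revision: 90609022 from server: 10.0.43.1
06/10 10:55:41 [2196] CExpBackoff wait time in seconds: 32
06/10 11:00:52 [2196] <GetLUFileRequest:>@@@@@@@@@ LU DEBUG ONLY- Download file failed due to wrong file size.
FileName:C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF6.tmp Expected file size: 50642232 Actual file size: 0
06/10 11:00:52 [2196] <LUThreadProc> - GETLUFILE_WRONG_FILE_SIZE_ERROR getting content moniker: {C60DC234-65F9-4674-94AE-62158EFCA433}; revision: 90609022 from server: 10.0.43.1
06/10 11:00:52 [2196] CExpBackoff wait time in seconds: 256
"""

URL_RE = re.compile(r"<GetLUFileRequest:>http://([^/:\s]+):(\d+)/")
CODE_RE = re.compile(r"Send Request failed\.\. Error Code = (\d+)")
FAIL_RE = re.compile(r"(GETLUFILE_\w+) getting content moniker: (\{[0-9A-Fa-f-]+\}); "
                     r"revision: (\d+) from server: (\S+)")
SIZE_RE = re.compile(r"Expected file size: (\d+) Actual file size: (\d+)")
WAIT_RE = re.compile(r"CExpBackoff wait time in seconds: (\d+)")

def triage(log_text):
    """Summarise LU download failures found in Sylink debug output."""
    out = {"endpoints": set(), "send_errors": Counter(), "failures": Counter(),
           "size_mismatches": [], "max_backoff_s": 0}
    for line in log_text.splitlines():
        if m := URL_RE.search(line):        # host and port the client tried
            out["endpoints"].add((m.group(1), int(m.group(2))))
        if m := CODE_RE.search(line):       # numeric code logged with "Send Request failed"
            out["send_errors"][int(m.group(1))] += 1
        if m := FAIL_RE.search(line):       # keyed by (server, error, revision)
            out["failures"][(m.group(4), m.group(1), m.group(3))] += 1
        if m := SIZE_RE.search(line):       # (expected, actual) in bytes
            out["size_mismatches"].append((int(m.group(1)), int(m.group(2))))
        if m := WAIT_RE.search(line):
            out["max_backoff_s"] = max(out["max_backoff_s"], int(m.group(1)))
    # Empty temp file with a non-zero expected size: nothing was written to it
    out["empty_temp_file"] = any(a == 0 < e for e, a in out["size_mismatches"])
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Grouping failures by server and revision shows whether every failed request targets the same GUP endpoint and content revision, which narrows the check to that host and port.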




  • 2.  RE: Trouble with GUP clients

    Posted Jun 10, 2009 01:56 AM
    SEP MR3 clients and MR3 GUPs need to be in the same Group, or share the same Liveupdate Policy.

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/d0fc5181a42f684c882574f100760656?OpenDocument



  • 3.  RE: Trouble with GUP clients

    Posted Jun 10, 2009 04:32 AM
    Good comment, Vikram. It has to have the same group.


  • 4.  RE: Trouble with GUP clients

    Posted Jun 10, 2009 06:20 PM
    Sorry,
    Maybe you missed my first note specifying that I am running MR4 (clients and management server).

    Also,
    the GUP and clients are all in the same group +
    I have confirmed the clients and GUP are all using the current policy (applied to their group) verified as the latest on the SEPM.


  • 5.  RE: Trouble with GUP clients

    Posted Jun 16, 2009 06:36 AM
    Hi All,
    Anyone have any ideas? This issue is still present and currently updating from the SEPM.



  • 6.  RE: Trouble with GUP clients

    Posted Jun 16, 2009 06:40 AM
    Is there a Firewall in your network?
    If yes, then make sure that port 2967 is open, and try to telnet from your client to the GUP server using port 2967.


  • 7.  RE: Trouble with GUP clients

    Posted Jun 16, 2009 06:46 AM
    After going through the logs that you have attached, I strongly feel that there is a firewall or internal proxy in your network.


  • 8.  RE: Trouble with GUP clients

    Posted Jun 16, 2009 06:59 AM
    I have checked more things on this.
    I feel either you have a firewall or your GUP server does not share the same LiveUpdate policy with the clients, or in other words it is not in the same group that the clients belong to.


  • 9.  RE: Trouble with GUP clients

    Posted Jun 16, 2009 07:11 AM
    But if there is no firewall or proxy problem, then this could be an issue because of temp files in (C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF6.tmp). The headers of the content update files are getting compressed or corrupted. These headers contain information about the size of the file that is being downloaded. Since this information is stripped, the client does not know the file's size ahead of time and therefore "expects" the file size to be 0. When the file transfer ends, the reported file size does not match the "expected" size of 0, and the client believes the update failed. At the next check-in, the client re-requests the same file update from the GUP and the same temp file is used to store the data, so that file continues to get larger.

    Then the solution should be to clear the defs and re-run LiveUpdate.


    Hope this will help....