Video Screencast Help

Unmanaged clients and secars.dll SEPM problem

Created: 20 Feb 2008 • Updated: 21 May 2010 | 15 comments
JT2's picture
I've been dealing with this for two weeks, looking out for every possible solution in this forum, but no luck.
Correct Installation. W2K server and IIS 5.
Another Tomcat installation disabled and the PHP being used is the one with the SEPM.
User permissiones everywhere are OK.
SEPM MR1 works correctly, service initialized, login correct, no errors, just that clients are "not updated".
Installation pushed to clients and installed correctly.
Commands on clients appear to "work", but after that you can see that they never were runnned. No policy updates, nothing.
No management green dot in any client.
Tried SylinkDrop with the temporary group sylink.xml. It drops it, but client never updates policies.
IIS logs:
The server is always doing this.. - W3SVC1 XX 80 GET /secars/secars.dll action=238 200 0 168 176 0 HTTP/1.1 localhost Java/1.5.0_14 - - - W3SVC1 XX 80 POST /secars/secars.dll action=235&reset=1 200 0 262 238 0 HTTP/1.1 localhost Java/1.5.0_14 - - - W3SVC1 XX 80 GET /secars/secars.dll action=38&usn=2 200 0 171 181 0 HTTP/1.1 localhost Java/1.5.0_14 - - - W3SVC1 XX 80 GET /secars/secars.dll action=36 200 0 824 185 31 HTTP/1.1 localhost Java/1.5.0_14 - -
seems fine.. http code 200
For all the clients, the log goes like this... - W3SVC1 XX 80 GET /secars/secars.dll h=BIG STRING 200 0 213 843 0 HTTP/1.0 Smc - -
so this also seems OK. http code 200
The secars.dll test gives OK in all its variants...
from the server and the clients, it works ok with this in "server"
ip address
and from the server, this also works ok.
Also changed debugging in Tomcat to level 4.
SEVERE errors, but just information about the server in:
Catalina log gies like this when starting SEPM
2008-02-20 11:48:18 EngineConfig: EngineConfig: Processing START
2008-02-20 11:48:18 CoyoteConnector Coyote can't register jmx for protocol
2008-02-20 11:48:18 CoyoteConnector Coyote can't register jmx for protocol
20-feb-2008 11:47:59 org.apache.coyote.http11.Http11Protocol init
INFO: Inicializando Coyote HTTP/1.1 en puerto http-9090
20-feb-2008 11:48:02 org.apache.coyote.http11.Http11Protocol init
INFO: Inicializando Coyote HTTP/1.1 en puerto http-8443
Starting service SCM
Apache Tomcat/4.1.31
Has valid SAV license
Info>> No SNAC license file in E:\Symantec EPM\tomcat\etc\license
And then just SEVERE with the server information..
The worst part is in
2008-02-20 11:48:18.133 GRAVE: Schedule is started!
2008-02-20 11:48:19.086 GRAVE: StateCheckpointTask connect to secars failed: SERVICE NOT AVAILABLE
2008-02-20 11:48:19.258 GRAVE: IISCacheTask connect to secars failed: SERVICE NOT AVAILABLE
Secars is in IIS as low process... and then
Using SylinkWatcher Monitor... got the following error in every client:
02/20 12:40:38 <mfn_MakeGetIndexUrl:>Request is: action=12&hostid= BIG STRING
02/20 12:40:38 <GetIndexFileRequest:> HUGE STRING
02/20 12:40:38 <GetIndexFileRequest:>SMS return=400
02/20 12:40:38 <ParseHTTPStatusCode:>400=>400 Bad Request
02/20 12:40:38 HTTP returns status code=400

02/20 12:40:38 <GetIndexFileRequest:>RECEIVE STAGE COMPLETED
HTTP error 400....   and if I change the process to Medium Grouped level, instead of a 400, it's a 503 error.
But the SEPM manager works perfectly and the secars hello communication test from every client also works correctly.
Anyone has seen this before?
I've runned out of ideas for solving this.

Message Edited by JT2 on 02-20-2008 04:28 AM

Comments 15 CommentsJump to latest comment

bkuser's picture
When you close all the explorer windows on a client and then reopen it and type in the following:
where server is the ip address of SEPM.
Do you get a windows pop up that asked for user name and password?
JT2's picture
Always returns an OK and never asked for any password within the explorer. Tried this with the ip address and also the servername, so it's resolving the name correctly and IIS responds correctly to the request. Anonymous users allowed in IIS , with no IP filtering and in the folder where secars is, access is also set to the computers in the domain, the IUSR account and authenticated users too, just in case.
I also tried it all the way around, creating ip rules and not allowing anonymous users.. it asked for a password and always returned an OK too.
The only problem is when it's trying to update the policies.
With the Sylink monitor, I always get the same 400 error, bad request.
I just saw this post:
But I'm not sure about what password is it about, because the only two passwords I've setted up are for the admin and the embeded database. I don't know about any password for client-server communications or where this can be setted up...
I've even disabled the certificates for authenticating the server in the general policies and with a fresh install, to see if it fixed the problem, but it stills gets a http error code 400 in the sylink monitor, and a 200 code in the IIS log.
bkuser's picture
Try this... I had a problem you kinda had...
I had green lights next to the computer names... when I pushed the install packages they installed no problem but from the client I noticed that the I was seeing the words "Waiting for updates" on the front pages of the client consoles.
When I tried to do an update on the policies, I was reading the logs on the client noticing that the polices were failing.  Well, what I did was that on the SEPM server I went to the security tabs of the drives and folders of prgram files and clicked added the Everyone group of the domain.  I went ahead and allowed full control to everyone.
I then restarted the server and restarted the client.  I noticed that the updates started working.  I waitied a little while.
Then I went ahead and down graded the security permissions for the everyone group to Read & Execute (Allow), List Folder Contents (Allow), and Read(Allow).  Everything else was unchecked.  I rebooted the server again.  For some reason Authenticated users didn't work this way but I had to have the everyone permission set.
Try this out and see what happens.
JT2's picture
Tried it. Same result.
Clients in Sylinkwatcher monitor always get a 400 response from server.
But the http://servername/secars/secars?hello,secars test always returns an OK.
Paul Murgatroyd's picture
have you logged a support call? this sounds like something that should also be worked through our support teams

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed:

JT2's picture
Not yet.
I'm trying to solve it because if everything in SEPM is working, except that, it's a bit intriguing.
Looking to see if a miracle happens..
But I think I'll have to do it because I think I've tried everything I can think of.
bkuser's picture
I don't think I'm on MR1... and it working okay.  Place a call to support team... I think this is really botched up and sometimes hoping for miracles will take you out to years of work.  If everything is working and not the updates then I think It's giving you attitude.
JT2's picture
Well, I solved the problem thanks to this post.
The client-server communications password was a normal one (strong I mean), but with a simple 4 character password and a reinstallation (again) it worked right from the beginning in every client.
Paul Murgatroyd's picture
documentation says this should be 1-32 ALPHANUMERIC characters, is this what your original password was?

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed:

JT2's picture
The original one was just of 10 alphanumeric characters, nothing weird... but changing it to 4 simple numbers made it work after many reinstallations and tries....
mattebury's picture
Is there no other way to change this password?  What a pain!
JT2's picture
I wish.... but I didn't find any other way, but maybe there is....
tbramell's picture

I think I am having the same issue as the original poster but I only have managed clients - not updating defs - 400 error code using the sylink monitor tool, etc...


I am on MR2/2.

Is there a convenient method of changing the password that the clients use to comm with the server or am I faced with reinstallation?  If I have to reinstall, do I need to reapply mr2 when finished?

Sure would be nice just to run a tool that changed this...



Thanks in advance.

TSorensen's picture

Just a bump to see if there's an easy fix to change the password for client-server communications. Have 3000+ agents deployed and not interested in redoing the deployment, would prefer to change it and do sylink dropper if i abolutely have to.i didn't think the password could be an issue but i am second guessing that since it is over 10 alphanumeric characters.

Paul Murgatroyd's picture

once installed, its not designed to be changed, even if you could, it would change the certificate for the SEPM anyway, so your clients would still have difficulties connecting to the server because their sylink.xml wouldn't contain the right information.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: