Endpoint Protection

  • 1.  Upgraded to 12.1.5, clients no longer updating definitions

    Posted Mar 03, 2015 04:03 PM

    I am trying to get our Symantec install dialed in and I'm having a few issues. Bear with me as I just started messing with this, as the people who were 'maintaining' this software have left. I'm just going to go over what I've done so far and then the problem with them not updating. Hopefully I've done nothing terribly wrong.

    So we had issues with a location being slow (different geographical location) and all of them were severely out of date. Turns out they were getting updates from the internet as opposed to our manager this whole time Symantec was installed. So I have changed that, but then this triggered a full update (only allowed 5 revisions of updates...) to pull from the SEPM. This killed the network. So I went into communication settings and unchecked "Download policies and content from the management server" under Communication Settings to stop the clients from getting updates temporarily and rebooted SEPM. This seemed to stop them all from flooding the server.

    I took this as an opportunity to upgrade to the latest version (they were using 12.1.3) so I backed up the DB and did the upgrade. Then I transferred the new client with the latest definitions down to the location and pushed it out over the LAN to get them up to date manually. Very smooth transition so far.

    So to avoid this again, I read up on GUPs. So I configured two computers down there. We have two subnets down there, connected on the same LAN. So what I did was the following:

    Multiple Group Update Providers: Specified two rules; each IP I listed I want to be the respective GUP for that subnet.
    Explicit Group Update Providers: PC 1 is configured to be available for Subnet 2 and vice versa.

    From the documentation it says Multi GUPs will be available for just those subnets, then if that fails go to the explicit list, then the SEPM. Basically I want them to take care of their respective subnets and if that one fails, it goes to the other on the same LAN. (Someone correct me if I'm wrong if this is not how it works.)

    Anyway, after setting this all up, everything seems to be good. I turned back on "Download policies and content from the management server" and waited a full day, and none of my clients are updating at any of our locations (last update was 2/27 definitions). I have researched some more to debug this and discovered the SyLink logging. I've enabled that to look at the logs, but I can't make much sense of it. I can see it getting the requests, and I just see it doing backoff increments after finding no GUP (my subnet has no GUP). The troubleshooting portion of SEP says I have the latest version, says it checked today, and that the connection status is Connected.

    Any help would be appreciated; included is the long SyLink log.

    Attachment(s): Sylink.zip (36 KB)


  • 2.  RE: Upgraded to 12.1.5, clients no longer updating definitions

    Posted Mar 04, 2015 12:26 PM

    ...another thing you can do is run the symhelp tool on the affected client

    Download the Symantec Help (SymHelp) diagnostic tool to detect Symantec product issues



  • 3.  RE: Upgraded to 12.1.5, clients no longer updating definitions
    Best Answer

    Broadcom Employee
    Posted Mar 04, 2015 12:33 PM

    Hi,

    Thank you for posting in Symantec community.

    It's important to know how clients decide whether to download content from a GUP or not:

    1) SEPM generates the globalIndex.xml and globallist.xml periodically from the information clients posted.
    2) The client checks whether a GUP is configured by the LU policy.
    3) The client downloads the globalIndex from SEPM. Based on the checksum of globallist.xml included in it, the client determines whether SEPM has updated globallist.xml.
    4) If SEPM publishes a new globallist file, the client downloads it and resets the active GUP list in local memory.
    5) The client filters out the addresses of different subnets in globallist.xml.
    6) The client tries to connect to the remaining addresses one by one until it finds an available GUP; it iterates in the order of the addresses in globallist.
    7) If none of the GUPs in globallist can be used, it tries the pre-defined GUP in the LU policy.
    8) If the pre-defined GUP is unavailable as well, the client determines whether to bypass to SEPM based on the "bypass" setting.

    If all types of Group Update Providers are configured in the policies on a Symantec Endpoint Protection Manager, then clients try to connect to Group Update Providers in the global list in the following order:

    Top-down execution of GUP providers:

    • Providers on the Multiple Group Update Providers list, in order

    • Providers on the Explicit Group Update Providers list, in order

    • The Provider that is configured as a Single Group Update Provider

    What is the processing order of an Explicit GUP list within version 12.1.2 of Symantec Endpoint Protection?

    http://www.symantec.com/docs/TECH196741

    Understanding "Explicit Group Update Providers (GUPs) for Roaming Clients" in Symantec Endpoint Protection (SEP) 12.1.2

    http://www.symantec.com/docs/TECH198640



  • 4.  RE: Upgraded to 12.1.5, clients no longer updating definitions
    Best Answer

    Posted Mar 06, 2015 02:47 PM

    Thanks. I discovered the problem. The GUP list is blank, so the client was not wanting to connect to the management server since I set it to Never connect. Although this is odd since the client in question has no GUP in the subnet, some others do. I guess the GUP policy was still applying to that client. I have since divided up the LiveUpdate policy for each GUP and it works fine.
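    A small simulation of the selection order described in reply 3 (steps 5 to 8, plus the Multiple, Explicit and Single GUP precedence) and of the failure found in reply 4, where a client on a subnet with no GUP and bypass set to "Never" ends up with no content source at all. This is an added illustration, not Symantec code; the addresses, subnets and the `reachable` set are constructed for the example, and the explicit list is modelled as (client subnet, GUP address) rules as the original poster configured them.

```python
import ipaddress

SEPM = "SEPM"  # sentinel for falling back to the management server


def gup_candidates(globallist, client_subnet, explicit_rules=(),
                   single_gup=None, bypass_to_sepm=False):
    """Ordered content sources a client will try (simplified model of steps 5-8).

    globallist     -- GUP addresses published by SEPM for the Multiple GUP list
    client_subnet  -- e.g. "10.1.1.0/24"; only globallist entries on it are kept
    explicit_rules -- (client_subnet, gup_ip) pairs from the Explicit GUP list
    single_gup     -- address configured as the Single GUP, if any
    bypass_to_sepm -- False models the "Never" bypass setting
    """
    subnet = ipaddress.ip_network(client_subnet)
    order = []
    # Steps 5/6: drop other-subnet addresses, keep globallist order
    for addr in globallist:
        if ipaddress.ip_address(addr) in subnet and addr not in order:
            order.append(addr)
    # Step 7: pre-defined GUPs from the LU policy: explicit rules, then single GUP
    for rule_subnet, gup in explicit_rules:
        if ipaddress.ip_network(rule_subnet) == subnet and gup not in order:
            order.append(gup)
    if single_gup and single_gup not in order:
        order.append(single_gup)
    # Step 8: SEPM is a candidate only when the bypass setting allows it
    if bypass_to_sepm:
        order.append(SEPM)
    return order


def pick_update_source(candidates, reachable):
    """First candidate that answers; None means the client has no source."""
    for cand in candidates:
        if cand == SEPM or cand in reachable:
            return cand
    return None


# Constructed setup mirroring the thread: two remote subnets with one GUP each,
# each GUP explicitly listed as the fallback for the other subnet.
GLOBALLIST = ["10.1.1.10", "10.1.2.10"]
EXPLICIT = [("10.1.1.0/24", "10.1.2.10"), ("10.1.2.0/24", "10.1.1.10")]


def remote_client_order():
    return gup_candidates(GLOBALLIST, "10.1.1.0/24", EXPLICIT)


def hq_client_source(bypass):
    # Head-office subnet with no GUP: with bypass "Never" the list is empty
    cands = gup_candidates(GLOBALLIST, "10.9.9.0/24", EXPLICIT, bypass_to_sepm=bypass)
    return pick_update_source(cands, reachable={"10.1.1.10", "10.1.2.10"})
```

With bypass disabled `hq_client_source(False)` returns `None`, which is the silent "connected but never updating" state the original poster saw; enabling bypass or giving that subnet its own LiveUpdate policy restores a source.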