Video Screencast Help

Workstations are not installing updates. Bad phone support. (SEPM 11.0.6)

Created: 15 Nov 2012 | 6 comments

I am having some serious issues here.  Both technological issues, and the lack of support from the phone hotline.

I have a few workstations at one of my customers offices that seem to be downloading definitions, and then failing when it attempts to install them.  It then procededs to redownload the definitions 1 hour later.

I did my usualy searching, and found that the workstations were showing a event ID 13 in the application log.  Source was SECLU.exe

I found this page:

That led me to this page:

I then tried to find this utility on symantecs webpage, no luck.  (Yes I know it says contact tech support)

So I contacted tech support.  I tried to explain to the gentleman what I needed, I even tried to get him to go to the tech page, and he would not.  I was told that someone would get back to me.  Seriously?  I have an angry customer, whos network is going to a standstill every hour, and I get told that I will be contacted about where to get this tool.  Not to mention the fact that I just wasted like 2 hours trying to get ahold of this tool. On top of it, the confirmation email had the tool misspelled.  

I am very upset at the level of service.  I have numerous customers that use SEPM, considering all of the issues we had with 11.0.7, and the difficutly I have had with support, I am starting to wonder if I need to start pushing an alternative solution here.

Ohh, and you could have saved me a lot of time and trouble by making the tool available online.  


Comments 6 CommentsJump to latest comment

ᗺrian's picture

You can try clearing out corrupted definitions on the 11.x client by following this KB article

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Rafeeq's picture

how do workstations are configured to take the udpates ? from internet or from sepm?

if from internet check if you user proxy or any content filtering firewall.

click on start run

type luall.exe

what do you get?

Cameron_W's picture

The reason why the first person you talked to did not hand out the tool is because that was most likely a HUB agent who only creates and dispatches the case.

Is the customers entire network going down from a few machines pulling down definitions? If the whole network is actually down and you tell the agent this the call will be transferred to a agent live, rather then a callback model.

Are you sure that clients are actually re-downloading definitions? as that error can be attributed to quite a few different issues. Because of this support normally wants to collect a few additional logs to confirm what the actual issue is before handing out a tool that is going to clear out all of the definitions on a client and may not even resolve the issue.

If I was able to help resolve your issue please mark my post as solution.

ken_r's picture

Yes their branch was going down.  They have a single T1 at that office.  We are working on setting up a GUP at that branch, but do not have a machine ready for that yet.

I am relativly certain that it is redownloading definitions.  The server that is running the console, only runs the console.  There were large amounts of data going back and forth between these clients and the console.  When we killed the sepm on the server then the traffic immediately stopped.  There are no user accessible shares on that server either.

The workstations are set to get their updates from the console first, and to fail over to the default liveupdate server.  They are only scheduled to download updates after 6 pm.  They then have a 2 hour randomization and a 1 hour retry interval.  The clients are checking in to the console, and preforming regular scans.  They do not show the latest definitions though.  The workstations do have the correct policy serial numbers.  Whatever they were doing, they were doing it outside of acceptable hours.  I could care less if they use up all the bandwidth at night updating, I cannot have it during the day though.

Cameron_W's picture

Did you run the tool? Did it fix your issue?

If it did not I would recommend calling into support so some troubleshooting can be performed to isolate the issue as currently the only data we are working with is "workstations were showing a event ID 13 in the application log"

What would most likely be asked for to start with would be the following.

1. SEP support tool (SST) from both the SEPM and a client showing error.

2. Sylink log on a client to monitor client/SEPM communication.

3. You said you are seeing large amounts of traffic, what program are you using to monitor this traffic, does it show the traffic going over 8014? If there are logs showing this that would be helpful as well

What I am getting at is it often difficult to diagnose a issue with 1 error message and recommend a tool that may not fix the issue. I hope it does for you but if it was my support case I would be asking for the above data to start with.

If I was able to help resolve your issue please mark my post as solution.

ken_r's picture

The traffic information is coming from the routers.  (Cisco routers)

Here are a few chunks of information, these were all one minute time frames while the problem was occuring.  I am going to list a few of them, and the numbers are for Packets/Bytes.  Right next to those numbers I am placing the average for the other workstations at the office at that time.  When Syamntec isnt acting up the problem workstations have similar numbers.

1296/1821312  Other WS avg: 16/3897

1164/1610142  Other WS avg: 23/4589

2951/4146772  Other WS avg: 18/9301

You can also watch the activity in Performance monitor on the Win 7 workstations.  I can get you a screen print of that if you need.

Here are some of the client server logs showing that it is continually redownloading.  I have removed PC and usernames, but all three are for the same PC and user.

11/15/2012 16:25:02,Client has downloaded the content package,(Workstation),(User),Default,av,Site av

11/15/2012 16:08:00,Client has downloaded the content package,(Workstation),(User),Default,av,Site av

11/15/2012 14:47:59,Client has downloaded the content package,(Workstation),(User),Default,av,Site av

Will run the tool and do more diag tomorrow.