How to Troubleshoot High Bandwidth usage issues in Symantec Endpoint Protection 14.2 and older

Article ID: 153899

Products

Endpoint Protection

Issue/Introduction

You discover that your network bandwidth usage is greater than normal and suspect it is related to content and definition updates between Symantec Endpoint Protection (SEP) clients and the Symantec Endpoint Protection Manager (SEPM).

Resolution

First make sure that the version of SEP in use is RU7 MP2 or later. If the issue remains, collect the information described below from both the SEPM server and from a sample of the clients that are currently generating the network traffic in your environment. The IIS steps apply to a SEPM that serves the content and secars sites from IIS (SEP 11.x); SEPM 12.1 and later ship their own Apache web server instead, and that server's access logs provide the same request information as the IIS logs referred to below.

Overview of the log collection process:

  1. Configure the SEPM to increase the log level detail
  2. Ensure that IIS is set to log visits to the content and secars websites
  3. Gather debug logs and SEP Support Tool output from a sample of affected clients
  4. If using Group Update Providers (GUPs), gather debug logs from the GUP clients as well
  5. Collect the data from the SEPM after allowing the clients to reproduce the issue
  6. Disable debug logging on the SEPM
  7. Generate and export reports from the SEPM that illustrate recent activity and client-server interaction

Set the SEPM to log additional detail. On the SEPM perform the following actions:

  1. Stop the Symantec Endpoint Protection Manager service
  2. Add the line "scm.log.loglevel=FINEST" at the bottom of the file: ..\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties (this is the line that the "Disable data collection" section removes again once the logs have been gathered)
  3. Start the Symantec Endpoint Protection Manager service
  4. In the IIS manager, expand Web Sites and expand the Symantec Web Server
  5. Right-click Content and select Properties
  6. Check the box for Log Visits, click Apply and OK
  7. Right-click Secars and select Properties
  8. Check the box for Log Visits, click Apply and OK
  9. Right-click the Symantec Web Server and select Properties
  10. Ensure "Enable Logging" is checked and click the Properties button
  11. Make a note of the log file directory so you can find the logs later. On the Advanced tab of the logging properties, also check that Bytes Sent (sc-bytes) is among the logged fields; without it the logs show which clients requested content but not how much they downloaded
  12. Click OK
  13. Click Apply and then OK
  14. Exit the IIS Manager

Collecting information from the client side:

These instructions need to be performed on a sample of the clients currently causing the network issues.

  1. Run the SEP Support Tool on each of the clients
  2. Enable Sylink debugging using the following instructions:
    1. Stop the SMC service
    2. Use REGEDIT to set the following value to 1
      1. HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_debuglog_on
    3. Use REGEDIT to set the following value to the full path and file name of the log to write (for example a file under C:\Temp):
      1. HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\Sylink\DumpSylink
  3. Start the SMC service
  4. Wait for several heartbeats to fully finish, so that the log captures what the clients are requesting and downloading (the heartbeat interval is set in the group's communication settings on the SEPM)
  5. Stop the SMC service
  6. Gather the Sylink logs and label each one with the IP address or machine name of the client it was gathered from
  7. Disable Sylink debugging using the following instructions:
    1. Stop the SMC service (if it is not already stopped)
    2. Use REGEDIT to set the following value to 0
      1. HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_debuglog_on
    3. Use REGEDIT to clear the following value (delete its data) so the client stops writing the log:
      1. HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\Sylink\DumpSylink
  8. Start the SMC service on the client

If the client machines are also configured to use a GUP, gather the following from the GUP(s) they are configured to use and label the data accordingly.

  1. Run the SEP Support Tool on each of the GUP(s)
  2. Enable Sylink debugging using the following instructions:
    1. Stop the SMC service
    2. Use REGEDIT to set the following value to 1
      1. HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_debuglog_on
    3. Use REGEDIT to set the following value to the full path and file name of the log to write:
      1. HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\Sylink\DumpSylink
  3. Start the SMC service
  4. Wait for several heartbeats to fully finish, so that the log captures what the GUP is requesting from the SEPM and serving to its clients
  5. Stop the SMC service
  6. Gather the Sylink logs and label each one with the IP address or machine name of the GUP it was gathered from
  7. Disable Sylink debugging using the following instructions:
    1. Stop the SMC service (if it is not already stopped)
    2. Use REGEDIT to set the following value to 0
      1. HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_debuglog_on
    3. Use REGEDIT to clear the following value (delete its data) so the GUP stops writing the log:
      1. HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\Sylink\DumpSylink
  8. Start the SMC service on the GUP
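The client and GUP procedures above are the same registry and service steps repeated by hand on every machine. The following PowerShell script is an added example, not from the Symantec article, that performs them in one pass on a client or a GUP: run it with -Action Enable, let several heartbeats complete, then run it with -Action Disable to copy the log (labelled with host name and IP address) and turn debugging off again. The registry values are the ones listed above; the smc.exe path, the log file location and the collection folder are assumptions for a default install, and the script must run from an elevated prompt.

```powershell
# Added example (not from the Symantec article): turn Sylink debug logging on or off on a SEP
# client or GUP, and on the way off copy the log labelled with host name and IP. The smc.exe
# path, log location and collection folder below are assumptions for a default install.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Enable', 'Disable')][string]$Action,
    [string]$SmcExe     = 'C:\Program Files\Symantec\Symantec Endpoint Protection\smc.exe',  # assumed path
    [string]$SylinkLog  = 'C:\Temp\sylink.log',          # file that DumpSylink will write to (assumed)
    [string]$CollectDir = 'C:\Temp\sylink-collect'       # where the labelled copy is placed (assumed)
)
$ErrorActionPreference = 'Stop'
$smcKey    = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'
$sylinkKey = "$smcKey\SYLINK\Sylink"

function Invoke-Smc([string]$Switch) {
    # smc.exe -stop / -start is Symantec's documented way to stop and start the SMC service;
    # -stop prompts for the client password if one is configured. Give the service time to settle.
    & $SmcExe $Switch
    Start-Sleep -Seconds 15
}

Invoke-Smc '-stop'
try {
    if ($Action -eq 'Enable') {
        if (-not (Test-Path $sylinkKey)) { New-Item -Path $sylinkKey -Force | Out-Null }
        Set-ItemProperty -Path $smcKey    -Name 'smc_debuglog_on' -Value 1 -Type DWord
        Set-ItemProperty -Path $sylinkKey -Name 'DumpSylink'      -Value $SylinkLog -Type String
        Write-Host "Sylink debug enabled, writing to $SylinkLog."
        Write-Host "Let several heartbeats complete, then rerun this script with -Action Disable."
    }
    else {
        # Collect first, then switch off. Label the copy so support can tell which machine it came from.
        $ip = ([System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
               Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1).ToString()
        New-Item -Path $CollectDir -ItemType Directory -Force | Out-Null
        $dest = Join-Path $CollectDir ('{0}_{1}_sylink.log' -f $env:COMPUTERNAME, $ip)
        if (Test-Path $SylinkLog) {
            Copy-Item $SylinkLog $dest
            Write-Host "Collected $dest"
        }
        else {
            Write-Warning "No Sylink log found at $SylinkLog; was the client left running through a heartbeat?"
        }
        Set-ItemProperty -Path $smcKey    -Name 'smc_debuglog_on' -Value 0 -Type DWord
        Set-ItemProperty -Path $sylinkKey -Name 'DumpSylink'      -Value '' -Type String   # clear the dump path
    }
}
finally {
    Invoke-Smc '-start'   # always bring the client back up, even if a registry write failed
}
```

The try/finally matters: if a registry write fails (typically because the prompt is not elevated), the client is still restarted rather than left stopped and unprotected.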

Collecting information from the SEPM once the clients have finished reproducing the issue:

  1. On the SEPM go to the folder: \Program Files\Symantec\Symantec Endpoint Protection Manager\Tools
  2. Run the tool collectLog.cmd
  3. Save the file SEPM_logs.zip for submission
  4. Copy the current day's IIS logs from the folder noted earlier
  5. Run the SEP Support Tool on the SEPM
  6. Zip up the contents of ....\Symantec Endpoint Protection Manager\Inetpub\content
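Before sending the IIS logs to support, it helps to see which clients account for the traffic. The following function is an added example, not from the Symantec article: it parses W3C-format IIS log lines, keeps the requests to the /content/ and /secars/ sites, and totals bytes sent per client IP, also counting how often each client fetched a full.zip package rather than a smaller .dax delta. It assumes the log contains the sc-bytes field (see the logging properties step above) and PowerShell 3 or later; the sample lines at the end are constructed, not real log data, and the content moniker and IP addresses in them are illustrative.

```powershell
# Added example (not part of the Symantec article): per-client download volume from W3C-format
# IIS logs. Requires PowerShell 3 or later and the sc-bytes field in the log.
function Get-SepContentTraffic {
    param(
        [Parameter(Mandatory = $true)][string[]]$LogLines,   # raw lines of one or more IIS log files
        [int]$Top = 10
    )
    $fields = @()
    $rows = foreach ($line in $LogLines) {
        # IIS writes a '#Fields:' header naming the columns; it recurs when logging settings change
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $vals = $line -split ' '
        if ($fields.Count -eq 0 -or $vals.Count -ne $fields.Count) { continue }   # malformed or truncated line
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $vals[$i] }
        [pscustomobject]$row
    }
    if ($fields -notcontains 'sc-bytes') {
        throw 'Log has no sc-bytes column: enable "Bytes Sent" in the IIS logging properties and collect again.'
    }
    # Only the SEP traffic matters here: definitions and other content under /content/, heartbeats via /secars/
    $sep = $rows | Where-Object { $_.'cs-uri-stem' -match '^/(content|secars)/' }
    $sep | Group-Object -Property 'c-ip' | ForEach-Object {
        $bytes = 0
        foreach ($r in $_.Group) { $bytes += [long]$r.'sc-bytes' }
        # Repeated full.zip downloads instead of small .dax deltas are the usual cause of a saturated link
        $full = @($_.Group | Where-Object { $_.'cs-uri-stem' -like '*/full.zip' }).Count
        [pscustomobject]@{
            ClientIP     = $_.Name
            Requests     = $_.Count
            FullPackages = $full
            MBytes       = [math]::Round($bytes / 1MB, 1)
        }
    } | Sort-Object -Property MBytes -Descending | Select-Object -First $Top
}

# Constructed sample lines (not real log data). For a real run replace with:
#   $lines = Get-Content "$LogDir\ex*.log"    # $LogDir = the directory noted in the IIS logging properties
$sample = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status sc-bytes
2011-05-05 08:00:01 GET /secars/secars.dll h=1 80 10.0.1.20 200 512
2011-05-05 08:00:02 GET /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/110505001/full.zip - 80 10.0.1.20 200 157286400
2011-05-05 08:10:02 GET /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/110505001/full.zip - 80 10.0.1.20 200 157286400
2011-05-05 08:20:02 GET /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/110505001/full.zip - 80 10.0.1.20 200 157286400
2011-05-05 08:00:05 GET /secars/secars.dll h=1 80 10.0.1.21 200 512
2011-05-05 08:00:06 GET /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/110505001/110504002To110505001.dax - 80 10.0.1.21 200 2097152
2011-05-05 08:00:09 GET /reporting/index.php - 80 10.0.0.9 200 4096
'@ -split "`r?`n"

Get-SepContentTraffic -LogLines $sample | Format-Table -AutoSize
```

A client that appears near the top with a high FullPackages count is pulling complete definition packages on every heartbeat instead of deltas, which is exactly the pattern whose Sylink log is worth reading first; a high MBytes figure with FullPackages at zero points instead at the number of revisions kept on the SEPM or at the size of the delta chain.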

Disable data collection on the SEPM.

  1. Stop the Symantec Endpoint Protection Manager service
  2. Remove the line "scm.log.loglevel=FINEST" from the bottom of the file: ..\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties
  3. Start the Symantec Endpoint Protection Manager service
  4. Run IIS Manager
  5. In the IIS manager, expand Web Sites and expand the Symantec Web Server
  6. Right-click Content and select Properties
  7. Uncheck the box for Log Visits, click Apply and OK
  8. Right-click Secars and select Properties
  9. Uncheck the box for Log Visits, click Apply and OK
  10. Leave the Symantec Web Server's own "Enable Logging" setting as you found it when enabling collection
  11. Exit the IIS Manager

It will also be useful to generate the Server Activity, Client-Server Activity and Client Activity reports from the SEPM to provide a high-level overview of recent actions.

At this point you should be able to zip up all of the collected information (logs, diagnostics and reports) together for submission to Symantec Technical Support for review.


Applies To

  • Sudden decrease in performance in network segments
  • Slower link segments, for example WAN links, completely saturated
  • Abnormal increase in network usage