Troubleshooting communication problems with Symantec Client Security 3.x or Symantec AntiVirus Corporate Edition 10.x

Article:TECH101171  |  Created: 2005-01-30  |  Updated: 2011-08-15  |  Article URL http://www.symantec.com/docs/TECH101171
Article Type: Technical Solution
Issue



You use Symantec System Center and either Symantec Client Security 3.x or Symantec AntiVirus Corporate Edition 10.x. The communication between clients and servers does not work correctly. You may see one of the following symptoms:

- Clients disappear from Symantec System Center
- Clients cannot be configured from Symantec System Center
- Clients do not receive automatic virus definition updates
 


Solution

Before you begin: Confirm basic network communication by using the ping, netstat, and telnet commands before you follow the directions in this document.
For directions, read Symantec AntiVirus Quick Communications Check.

If you see an error message or an entry in the Windows Event Viewer, first follow the directions in the document for that error message. You can find a list of documents that relate to common error messages in the References section of this document. If your error message does not appear in the list, search the Symantec Knowledge Base for a relevant document.




This document provides tools and techniques to help you troubleshoot common communication problems with Symantec Client Security and Symantec AntiVirus. In many cases, the procedures in this document can solve the problem. If problems persist after you complete the steps in this document, contact Symantec Technical Support for assistance. Take note of each change or discovery that you make while you use this document. Symantec Technical Support needs this information if you request assistance.


General guidelines
The following topics address the most common causes of communication problems with Symantec Client Security 3.x and Symantec AntiVirus 10.x.

  • The version of Symantec AntiVirus on the parent server should not be older than the version on the clients
    Symantec recommends that the version of Symantec AntiVirus on the parent server be the same or newer than the version on the clients. For example, you may encounter communications problems between the clients that run Symantec AntiVirus 10.x and parent servers that run Symantec AntiVirus 9.x.
  • Symantec System Center and Terminal Server
    Before you install Symantec System Center on a Windows Terminal Server, the Terminal Server must be in Remote Administration mode. After you install Symantec System Center and restart the computer, you can put the Terminal Server in Application mode. When Symantec System Center is installed on a Terminal Server, run Symantec System Center locally. Do not connect to Symantec System Center by using a terminal session, regardless of whether the server is in Application mode or Remote Administration mode.
  • Symantec AntiVirus over VPN Connections
    Symantec does not provide support for communication problems with clients that use VPN connections to check in with their parent server. Symantec recommends that remote clients be allowed to run LiveUpdate themselves. You can create a separate client group for remote clients so that, when they visit the main site, they can be managed without changing their configuration.
    For more information, read Best practices for managing laptop and mobile clients with Symantec AntiVirus Corporate Edition.



Communication model
Symantec System Center does not hold any real-time data for the environment; it holds only a cached copy of the information from each parent server. When you make a change in Symantec System Center, a change request is sent to the appropriate Symantec AntiVirus server. That server processes the change and then sends it to its Symantec AntiVirus clients by using the Grc.dat file. The communication process is the same regardless of where you installed Symantec System Center and the Symantec AntiVirus server; even when both are installed on the same computer, the same network communication still occurs.

Common communication problems
A change in a parent server's computer name causes communication to fail. If you recently changed a parent server's IP address, or if your parent server has more than one Network Interface Card, first read the documents that apply to your situation:


When you install Windows XP Service Pack 2, Symantec AntiVirus appears automatically in the firewall's list of exceptions. However, the application that is associated with that exception does not handle communication. To allow Symantec AntiVirus to communicate, you must create exceptions for the correct services.
For help, read the document Adding service exceptions in Windows Internet Connection Firewall to allow Symantec AntiVirus to communicate.

Troubleshoot other communication problems
When you troubleshoot communications, at least three possible points of failure exist: Symantec System Center, the Symantec AntiVirus server, and the Symantec AntiVirus client. Start with the first section, "Make sure that information in Symantec System Center is up to date", and follow the directions in the order in which they appear.


Confirm the presence of the server group root certificate and server private key
Communication fails if the server group root certificate and server private key are not present on Symantec AntiVirus servers, managed clients, and the computer that runs Symantec System Center.
Primary servers and secondary servers cannot communicate if the primary server's private key is not present on each computer. Legacy clients and servers do not need root certificates or private keys to communicate.

About the server group root certificate
The server group root certificate is a file in the following format:
<server group GUID>.<sequence number>.servergroupca.cer

The following is an example of a server group root certificate file name:
80adf46b79b57b4a8ea4e0a397a37ce2.0.servergroupca.cer

About the server group private key
The server group private key is a file in the following format:
<server group GUID>.<sequence number>.servergroupca.pvk

The following is an example of a server group private key file name:
80adf46b79b57b4a8ea4e0a397a37ce2.0.servergroupca.pvk

To confirm the presence of the server group root certificate

  1. On the computers that run Symantec System Center, start Windows Explorer and look for the xxx.x.servergroupca.cer file in the following folder:

    <OS drive>:\Program Files\Symantec\Symantec System Center\pki\roots

     
  2. On primary servers and secondary servers, start Windows Explorer and look for the xxx.x.servergroupca.cer file in one of the following folders:
    • On Symantec AntiVirus Corporate Edition servers, the default location is <OS drive>:\Program Files\SAV\pki\roots
    • On a Symantec Client Security server, the default location is <OS drive>:\Program Files\SAV\Symantec AntiVirus\pki\roots
  3. On managed clients, start Windows Explorer and look for the xxx.x.servergroupca.cer file in the following folder:

    <OS drive>:\Program Files\Symantec Client Security\Symantec AntiVirus\pki\roots

     
  4. Confirm that the xxx.x.servergroupca.cer file name is the same on all computers that belong to the same server group.


If the primary server does not have a server group root certificate, do one of the following:

  • Stop the Symantec AntiVirus service, copy the file from another parent server, and then restart the Symantec AntiVirus service.
  • Stop the Symantec AntiVirus service, restore a backup copy of the pki folder, and then restart the Symantec AntiVirus service.
    For directions, see the "Restore communication with a backup copy of the pki folder" section of the following document:
    Steps to minimize recovery time in the event of a server failure
  • If you do not have a backup copy of the pki folder, follow the directions in the "Restore communication without a backup copy of the pki folder" section of the following document:
    Steps to minimize recovery time in the event of a server failure


To confirm the presence of the server private key on primary servers and secondary servers

  1. On every server in the server group, start Windows Explorer and go to one of the following folders:
    • On a Symantec AntiVirus server, open the following folder:
      <OS drive>:\Program Files\SAV\private-keys
    • On a Symantec Client Security server, open the following folder:
      <OS drive>:\Program Files\SAV\Symantec AntiVirus\private-keys
  2. Look for the <server group GUID>.<sequence number>.servergroupca.pvk file on primary servers.
  3. Look for one or more <servername>.<server group GUID>.<sequence number>.server.pvk files on primary servers and on secondary servers.
  4. Confirm that the server group GUID portion of the file name is the same for all servers in the server group.


If the primary server does not have a server private key, do one of the following:

  • Copy the file from another parent server and restart the Symantec AntiVirus service.
  • Stop the Symantec AntiVirus service, restore a backup copy of the pki folder that contains the original private key, and then restart the Symantec AntiVirus service.
    For directions, see the "Restore communication with a backup copy of the pki folder" section of the following document:
    Steps to minimize recovery time in the event of a server failure
  • If you do not have a backup copy of the pki folder, follow the directions in the "Restore communication without a backup copy of the pki folder" section of the following document:
    Steps to minimize recovery time in the event of a server failure
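The two file checks above (root certificate and private keys) as one PowerShell script. This is an added example, not part of the Symantec article: it lists the servergroupca and server.pvk files in the article's default folders and confirms that every file carries the same server group GUID. Edit $Folders if you installed to a different location.

```powershell
# Added example (not part of the Symantec article): inventory the server group
# root certificate and private-key files that the procedures above check, and
# confirm that the server group GUID in each file name is identical. Run it on the
# Symantec System Center computer, a parent server, or a managed client.

$OsDrive = $env:SystemDrive     # e.g. C:
$Folders = @(
    "$OsDrive\Program Files\Symantec\Symantec System Center\pki\roots",             # SSC computer
    "$OsDrive\Program Files\SAV\pki\roots",                                         # SAV CE server
    "$OsDrive\Program Files\SAV\Symantec AntiVirus\pki\roots",                      # SCS server
    "$OsDrive\Program Files\Symantec Client Security\Symantec AntiVirus\pki\roots", # managed client
    "$OsDrive\Program Files\SAV\private-keys",                                      # SAV CE server
    "$OsDrive\Program Files\SAV\Symantec AntiVirus\private-keys"                    # SCS server
)

# File-name formats from the article. The GUID is 32 hex digits, as in the example
# 80adf46b79b57b4a8ea4e0a397a37ce2.0.servergroupca.cer.
$CaPattern     = '^(?<guid>[0-9a-fA-F]{32})\.(?<seq>\d+)\.servergroupca\.(?<ext>cer|pvk)$'
$ServerPattern = '^(?<server>[^.]+)\.(?<guid>[0-9a-fA-F]{32})\.(?<seq>\d+)\.server\.pvk$'

$found = @()    # one record per matching file
foreach ($dir in $Folders) {
    if (-not (Test-Path $dir)) { continue }     # that component is not installed here
    foreach ($file in (Get-ChildItem $dir | Where-Object { -not $_.PSIsContainer })) {
        if ($file.Name -match $CaPattern) {
            $kind = if ($matches.ext -eq 'cer') { 'root certificate' } else { 'server group key' }
            $found += New-Object PSObject -Property @{
                Kind = $kind; Guid = $matches.guid.ToLower(); Seq = $matches.seq; Path = $file.FullName }
        } elseif ($file.Name -match $ServerPattern) {
            $found += New-Object PSObject -Property @{
                Kind = "server key ($($matches.server))"; Guid = $matches.guid.ToLower()
                Seq = $matches.seq; Path = $file.FullName }
        }
    }
}

if ($found.Count -eq 0) {
    Write-Warning 'No servergroupca or server.pvk files were found in the default folders.'
    return
}
$found | Sort-Object Kind | Format-Table Kind, Guid, Seq, Path -AutoSize

# The article's check: the server group GUID must be the same on every computer in
# the server group, and a root certificate must be present wherever SAV is installed.
$guids = $found | ForEach-Object { $_.Guid } | Select-Object -Unique
if (@($guids).Count -gt 1) {
    Write-Warning "Files from $(@($guids).Count) different server groups are present: $($guids -join ', ')"
}
if (-not ($found | Where-Object { $_.Kind -eq 'root certificate' })) {
    Write-Warning 'No <GUID>.<seq>.servergroupca.cer file was found; see the recovery steps above.'
}
```

Compare the GUID column with the output from the other computers in the server group; a second GUID usually means a file was copied from a different server group.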



Make sure that information in Symantec System Center is up to date
Run the Discovery Service to make sure that Symantec System Center has current information.

To update information in Symantec System Center

  1. Start Symantec System Center.
  2. Click Tools > Discovery Service.
  3. Make sure that the correct discovery method is selected:
    • Load from cache only
      This discovery method returns information that is cached in the local registry of Symantec System Center. This information includes any server groups that have already been discovered through other discovery methods. The location in the registry is:

      HKEY_LOCAL_MACHINE\Software\Intel\Landesk\VirusProtect6\CurrentVersion\AddressCache

      No network communications are initiated for this discovery method.
       
    • Local Discovery
      A local discovery locates Symantec AntiVirus servers on the local area subnet. First, the load from cache discovery is run. Then a broadcast looks for listening Symantec AntiVirus servers on the local network over UDP port 38293 (PDS). When the server receives this broadcast, it sends an ARP request for the IP address of Symantec System Center. Once the Symantec AntiVirus server has this information, it responds to the request from Symantec System Center. Symantec System Center and Symantec AntiVirus server communicate over TCP port 2967.
    • Intense Discovery
      An intense discovery locates Symantec AntiVirus servers across multiple subnets. First, a load from cache only discovery runs, followed by a local discovery. Each domain and workgroup that is accessible from My Network Places is enumerated. Then, your primary DNS server is queried for the IP address of every computer in each domain and workgroup. At this time, the communications that occur in a local discovery to contact Symantec AntiVirus servers take place.
    • IP Discovery
      This option is on the Advanced tab. Before you use this option, consider the amount of network traffic that can occur. Every IP address in the range that you enter is queried for a Symantec AntiVirus server that listens on UDP port 38293.
      If you select IP Subnet, you can enter a range only within one subnet. If you select IP Address, you can send a broadcast to multiple subnets.
       
  4. Click Clear Cache Now.
    The cache is cleared and the selected discovery method is run. If you previously used the Importer tool, the clearing of the cache deletes all of the imported server information. To avoid having to import this information again, click Run Discovery Now instead of Clear Cache Now.
  5. If your server group appears, but you continue to have communication problems, go to the "Make sure that Symantec System Center works correctly" section of this document.
  6. If your server group does not appear, click Tools > Find Computer.
  7. Click the Network Discovery tab.
  8. In the Server Address box, type the name or IP address of the primary server in the missing server group.
  9. Next to Address Type, select one of the following, depending on what you typed in step 8:
    • Machine Name
    • IP
       
  10. Click Find Now.
  11. If the Network Discovery finds the primary server but does not add it to Symantec System Center automatically, click Sync Item.
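An added PowerShell check (not from the Symantec article) for the two ports named in the Local Discovery description: whether this computer listens on UDP port 38293 for PDS discovery broadcasts, and whether TCP port 2967 on the parent server can be opened from here. $Parent is a placeholder for the name or IP address of your parent server.

```powershell
# Added example (not part of the Symantec article). Replace the placeholder with the
# name or IP address of the parent server you expect discovery to find.
$Parent = 'PARENT-SERVER'

# 1. Is anything on this computer listening for PDS discovery broadcasts (UDP 38293)?
#    Run this part on a Symantec AntiVirus server. netstat output is parsed so the
#    check also works on Windows versions without the newer networking cmdlets.
$udpListeners = netstat -an -p UDP | Where-Object { $_ -match '^\s*UDP\s+\S+:38293\s' }
if ($udpListeners) {
    Write-Host 'UDP 38293 (PDS) listener present:'
    $udpListeners | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Warning 'Nothing is listening on UDP 38293; check that the Intel PDS service is running.'
}

# 2. Can this computer open TCP 2967 on the parent server? This is the telnet test from
#    the Quick Communications Check, done with a socket so no telnet client is needed.
function Test-Port([string]$computer, [int]$port, [int]$timeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($computer, $port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($timeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

if (Test-Port $Parent 2967) {
    Write-Host "TCP 2967 to $Parent is open."
} else {
    Write-Warning "Cannot open TCP 2967 to $Parent; check name resolution and the firewall service exceptions described under 'Common communication problems'."
}
```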


If the communication problems persist, continue with the "Make sure that Symantec System Center works correctly" section of this document.


Make sure that Symantec System Center works correctly
The first step is to stop and restart all of the communication-related services. Not all services are present on all Symantec AntiVirus servers. If you do not see a service, skip to the next service in the list, unless the missing service is Symantec System Center Discovery Service or Intel PDS. If Symantec System Center Discovery Service or Intel PDS is not listed, remove and reinstall both Symantec AntiVirus and Symantec System Center.

To resolve problems with Symantec System Center

  1. Make sure that you are logged on as the Domain Administrator (on Domain Controllers) or Local Administrator (on Member Servers or clients).
  2. Stop the following services in the order in which they are listed here:
    • Symantec System Center Discovery Service
    • Intel Alert Handler
    • Intel Alert Originator
    • Intel File Transfer
    • Intel PDS
    • Symantec AntiVirus
    • Symantec Quarantine Agent
    • Symantec Central Quarantine
  3. Start the following services in the order in which they are listed here:
    • Symantec AntiVirus
    • Intel PDS
    • Intel Alert Handler
    • Intel Alert Originator
    • Intel File Transfer
    • Symantec Quarantine Agent
    • Symantec Central Quarantine
    • Symantec System Center Discovery Service
       
  4. In the Services window, make sure that the Local System account appears in the Log On As column for Symantec System Center Discovery Service.
  5. In an Active Directory environment, be sure that you have not enabled the "Disable the run once list" policy.
    For directions, see "To disable the "Disable the run once list" policy in the Group Policy Object Editor" in the "Technical Information" section of this document.
  6. Set the DCOM settings Default Impersonation Level to Identify.
    For help with this setting, follow the directions under "To change the Default Impersonation Level using Dcomcnfg.exe" in the "Technical Information" section of this document.
  7. In the Registry Editor, delete the IRPStackSize value.
    For help, read the document How to change the IRPStackSize registry value.
  8. If Symantec System Center is installed to an NTFS partition, make sure that the Local Administrators group (and any user that accesses Symantec System Center) has Full Control permissions for the \Program Files\SSC folder.
    For help, read the "Checking permissions on an NTFS drive" section in Troubleshooting Symantec AntiVirus Corporate Edition installations: Checking rights and permissions.
  9. Register the Symantec System Center Discovery service by typing the following command at a command prompt:

    regsvr32.exe "C:\Program Files\Symantec\Symantec System Center\NscTopps.dll"
     
  10. Confirm that the correct shares are present.
    For help, follow the directions under "To confirm and set up shares" in the "Technical Information" section of this document.
  11. If you continue to have communication problems with Symantec System Center after completing steps 1-10, try one or both of the following:
    • Install Symantec System Center on another computer in the local network.
    • Remove Symantec System Center, and then install Symantec System Center again to the OS drive. You must restart the computer twice during this procedure.
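Steps 2 to 4 of the procedure above as a PowerShell script. This is an added example, not from the Symantec article: it looks the services up by the display names the article lists, stops and starts them in the article's order, skips any that are not installed, and warns if either of the two services the article says must be present is missing. It assumes an elevated PowerShell prompt.

```powershell
# Added example (not part of the Symantec article): restart the communication-related
# services in the order the article gives, then confirm the Discovery Service account.

$StopOrder = @(
    'Symantec System Center Discovery Service',
    'Intel Alert Handler',
    'Intel Alert Originator',
    'Intel File Transfer',
    'Intel PDS',
    'Symantec AntiVirus',
    'Symantec Quarantine Agent',
    'Symantec Central Quarantine'
)
$StartOrder = @(
    'Symantec AntiVirus',
    'Intel PDS',
    'Intel Alert Handler',
    'Intel Alert Originator',
    'Intel File Transfer',
    'Symantec Quarantine Agent',
    'Symantec Central Quarantine',
    'Symantec System Center Discovery Service'
)
# The article says these two must exist; if not, remove and reinstall SAV and SSC.
$Required = @('Symantec System Center Discovery Service', 'Intel PDS')

# The names above are display names (what the Services window shows), so look up by those.
function Get-SavService([string]$displayName) {
    Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
}

foreach ($name in $Required) {
    if (-not (Get-SavService $name)) {
        Write-Warning "'$name' is not installed; remove and reinstall both Symantec AntiVirus and Symantec System Center."
    }
}

foreach ($name in $StopOrder) {
    $svc = Get-SavService $name
    if (-not $svc) { Write-Host "skip (not present): $name"; continue }
    if ($svc.Status -ne 'Stopped') {
        Write-Host "stopping: $name"
        $svc | Stop-Service -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
}

foreach ($name in $StartOrder) {
    $svc = Get-SavService $name
    if (-not $svc) { continue }
    Write-Host "starting: $name"
    $svc | Start-Service
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

# Step 4: the Discovery Service must log on as Local System (WMI reports it as 'LocalSystem').
$disc = Get-WmiObject Win32_Service -Filter "DisplayName='Symantec System Center Discovery Service'"
if ($disc -and $disc.StartName -ne 'LocalSystem') {
    Write-Warning "Discovery Service logs on as '$($disc.StartName)'; the article expects Local System."
}
```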


If the communication problems persist, continue with the "Make sure that the Symantec AntiVirus server works correctly" section of this document.
 

Make sure that the Symantec AntiVirus server works correctly
Follow these steps on the primary server and any affected parent servers.

To resolve problems with the Symantec AntiVirus server

  1. In the Registry Editor, delete the IRPStackSize value.
    For details, read the document How to change the IRPStackSize registry value.
  2. To rule out a problem with virus definitions, download and apply the current Intelligent Updater .xdb file.
    For help, read the "Copying an .xdb file" section in Updating virus definitions for Symantec AntiVirus Corporate Edition 10.x and Symantec Client Security 3.0.
  3. Restart the computer.
  4. Restart the Symantec AntiVirus service.
    If the Symantec AntiVirus service does not start, remove and then reinstall Symantec AntiVirus. To make sure that all program components are removed, follow the directions in one of the following articles before you reinstall Symantec AntiVirus:


If the communication problems persist, continue with the "Make sure that the Symantec AntiVirus client works correctly" section of this document.


Make sure that the Symantec AntiVirus client works correctly

Follow these steps on the affected clients.

To resolve problems with Symantec AntiVirus client

  1. If the computer runs Symantec Client Security, make sure that the Symantec Network Drivers service is started and that the service's startup type is set to Automatic.
    Skip this step if the computer runs only Symantec AntiVirus instead of Symantec Client Security.
  2. In the Registry Editor, delete the IRPStackSize value, and then restart the computer.
    For details, read the document How to change the IRPStackSize registry value.
  3. To rule out a problem with virus definitions, download and run the current Intelligent Updater file.
  4. Restart the Symantec AntiVirus service.
    If the Symantec AntiVirus service does not start, remove and then reinstall Symantec AntiVirus. To make sure that all program components are removed, follow the directions in one of the following articles before you reinstall Symantec AntiVirus:


If the communication problems persist, continue with the "Make sure that the Symantec AntiVirus server and client communicate correctly" section of this document.


Make sure that the Symantec AntiVirus server and client communicate correctly
Often, you can restore client communication with the parent server by dropping a copy of the parent's Grc.dat file on the client. If this step does not restore communication, and you have followed the directions in the other sections of this document, debug client-to-parent communication to find out whether the client and server can communicate.

To restore client communication with a parent server

  1. On the parent server, copy the Grc.dat configuration file from the Symantec AntiVirus program folder.
    • On a Symantec AntiVirus Corporate Edition server, the default location is <OS drive>:\Program Files\SAV
    • On a Symantec Client Security server, the default location is <OS drive>:\Program Files\SAV\Symantec AntiVirus

       
  2. On the client computer, paste the Grc.dat file into the following folder:

    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5
     
  3. On the parent server, open the pki\roots folder and copy the xxx.x.servergroupca.cer file.
  4. On the client computer, paste the xxx.x.servergroupca.cer file into the pki\roots folder, which appears under the folder that contains the Symantec Client Security files.
  5. Restart the client.
    If the client does not appear in Symantec System Center after a few minutes, follow the directions in the next section, "To debug client-to-parent communication."


To debug client-to-parent communication

  1. Start Symantec System Center.
  2. Unlock the server group.
  3. Right-click the parent server, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
  4. Check Update virus definitions from parent server.
  5. Click Settings.
  6. Change "Check for updates every" to 1 minute.
    This change makes the clients check in with the parent server every minute for a definition update.

    WARNING: Make sure that you change this setting back to the previous setting when you have finished. The default value is 60.

  7. Click OK, and then click OK again.
  8. Do one of the following, depending on the operating system of your parent server:
  9. Look for client information in the debug window.
    Each time a client sends a packet to the parent server, you should see the following:

    Got client packet
    Reply from <IP> - 10.0.0.1

    The IP address of the client should appear.
  10. Download and import the Debugoff.reg file to close the DOS window and turn off debugging.


To debug parent-to-client communication

  1. On the affected client, download and import the Debug9on.reg file.
  2. Look for parent server information in the debug window.
    Each time a parent sends a packet to the client, you should see the following:

    Got client packet
    Reply from <IP> - 10.0.0.1

    The IP address of the parent server should appear.
  3. If you do not see any parent server information in the debug window, restart the Symantec AntiVirus service.
    The client is prompted to check in with its parent server.
  4. Download and import the Debugoff.reg file to close the DOS window and turn off debugging.


For advanced debugging options, read the document Debugging secure communication in Symantec AntiVirus Corporate Edition 10.x and Symantec Client Security 3.x.




References
The following documents address the most common communication problems with Symantec Client Security 3.x and Symantec AntiVirus 10.x:




Technical Information
To change the Default Impersonation Level using Dcomcnfg.exe

  1. On the Windows taskbar, click Start > Run.
  2. In the Open box, type the following text:

    dcomcnfg.exe
     
  3. Click OK.
  4. Do one of the following:
    • In Windows 2003/XP, expand Component Services, and then expand Computers. Right-click My Computer, and click Properties. On the Default Properties tab, on the Default Impersonation Level menu, click Identify.
    • In Windows 2000, on the Default Properties tab, on the Default Impersonation Level menu, click Identify.
       
  5. Click OK.


To confirm and set up shares

  1. At a command prompt, type the following command:

    net share
     
  2. If you do not see the ADMIN$ and <OS Drive>$ shares listed, create them.
    Follow the directions for your version of Windows.
    • In Windows 2003/XP, at a command prompt, type the following commands:

      net share ADMIN$=C:\WINDOWS
      net share C$=C:\
    • In Windows 2000, at a command prompt, type the following commands:

      net share ADMIN$=C:\WINNT
      net share C$=C:\

  3. If you did not install Symantec System Center onto the OS drive, create a share for the drive on which Symantec System Center is installed.
    For example, if Symantec System Center is installed on drive D, at a command prompt, type the following command:

    net share D$=D:\
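An added PowerShell version of the share check above (not from the Symantec article). It reads the share list through WMI instead of the net share output, compares it with the shares the article requires, and prints the net share command from the article for any share that is missing. $SscPath is assumed to be the article's default Symantec System Center folder; change it if you installed elsewhere.

```powershell
# Added example (not part of the Symantec article): confirm the administrative shares
# that Symantec System Center needs and show the fix for any that is missing.
$SscPath = "$env:SystemDrive\Program Files\Symantec\Symantec System Center"   # assumed default

# Shares the article expects: ADMIN$ (the Windows folder), the OS drive's root share,
# and the root share of the drive that holds Symantec System Center.
$osDrive  = $env:SystemDrive.TrimEnd(':')                                     # e.g. "C"
$sscDrive = ([System.IO.Path]::GetPathRoot($SscPath)).TrimEnd('\', ':')       # e.g. "C" or "D"
$required = @('ADMIN$', "$osDrive`$", "$sscDrive`$") | Select-Object -Unique

$present = Get-WmiObject Win32_Share | ForEach-Object { $_.Name }

foreach ($share in $required) {
    if ($present -contains $share) {
        Write-Host "present: $share"
        continue
    }
    # Print the article's net share command rather than running it, so the path can be
    # reviewed first; run it from an elevated prompt. $env:SystemRoot resolves to
    # C:\WINDOWS on Windows 2003/XP and C:\WINNT on Windows 2000, as in the article.
    switch ($share) {
        'ADMIN$' { Write-Warning "missing: ADMIN`$  ->  net share ADMIN`$=$env:SystemRoot" }
        default  {
            $d = $share.TrimEnd('$')
            Write-Warning "missing: $share  ->  net share $share=${d}:\"
        }
    }
}
```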


To disable the "Disable the run once list" policy in the Group Policy Object Editor

  1. On the Windows taskbar, click Start > Run.
  2. In the Open box, type the following text:

    mmc
     
  3. Do one of the following:
    • On Windows 2003/XP, click File > Add/Remove Snap-in > Add.
    • On Windows 2000, click Console > Add/Remove Snap-in > Add.

  4. In the Add Standalone Snap-in window, click Group Policy, and then click Add.
  5. Click Browse, and click Default Domain Policy.
  6. Click OK, and then click Finish.
  7. Click Close, and then click OK.
  8. In the left pane, expand Console Root > Default Domain Policy > User Configuration > Administrative Templates > System > Logon/Logoff.
  9. In the right pane, confirm that the value of "Disable the run once list" is "Disabled."



 

 



Legacy ID: 2005033015282148

