Hi,

I have multiple groups in which 3 or 4 among 10 have the same policy number as per SEPM and the others do not have the same policy number as per SEPM and they are unable to take update from the GUP.

I believe since the clients are not able to update policy the client is unable to take update from SEPM.

Troubleshooting done:

- Created a New group and moved the clients to it still the same issue( Policy is not udpated on SEP)

- Manually deleted serdef.dat and .bak still the same issue( Policy is not udpated on SEP)

- Ran a repair on those clients still the same

Need your assistance.

start with this

Troubleshooting Policy Changes

http://www.symantec.com/business/support/index?page=content&id=TECH105907

see this

Symantec Endpoint Protection: Troubleshooting Client/Server Connectivity

What is the status of these clients (online/offline) on server or on clients?

replace the sylink file on these clients.

Are they inheriting from the parent group or not?

Enable sylink debugging on one affected client and post here for review:

How to enable Sylink debugging for the Symantec Endpoint Protection 11.x and 12.1 client in the Windows Registry

Hello,

Troubleshooting Policy Changes

http://www.symantec.com/business/support/index?page=content&id=TECH105907

Symantec Endpoint Protection (SEP) 12.1 client is maintaining multiple virus definitions versions on servers

http://www.symantec.com/business/support/index?page=content&id=TECH180056

Drive Space used by Virus Definitions Updates

http://www.symantec.com/docs/TECH141811

How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually

http://www.symantec.com/docs/HOWTO59193

Disk Space Management procedures for the Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH96214

Hi darrengray,

Please have a look with the below threads,

Troubleshooting Symantec Endpoint Protection

http://www.symantec.com/business/support/index?page=content&id=TECH105894&profileURL=https%3A%2F%2Fsymaccount-profile.symantec.com%2FSSO%2Findex.jsp%3FssoID%3D139029426365930ndCgQ9L25ZNzhPo58AqM1UL1OlUH4W7XO3e

Hi,

Thank you for all your comments, sorry about the delay

Note: Before i started troubleshooting i had

No of groups - 2

No of clients in each group  : 10

No of clients with updated policy and definitions in each group : 3

No of clients which did not updated policy and definitions in each group : 7

Troubleshooting done:

* Created a new group and moved all the clients to that group - Policy number didnot change

* Pushed out new sylink file from SEPM - Policy number didnot change

* Ran sylink monitors and noticed error ; "Signature verification FAILED for Index File Content.. " in Check Point 4 and "Sylink Comm.Flags: 'Connection Failed' = 1, 'Using Backup Sylink' = 0, 'Using" in Check Point 8

* Tried googling the error and found TECH102900 did it and the clients did not report back to the same group but reported to a different group( branch clients)

* They had updated the policy of branch clients group.

* After a day i moved the clients from the branch clients group to the respective group(Group A )

* After i moved them to Group A  two out of the 7 clients took the policy from the group the remaining 5 are yet to pull updates.

* I manually updated the sylink file on two clients but in troubleshooting after a short while it showed the respective group on the client.

* I left it over the weekend and checking now  on Group A only two are left to take policy. The remaining 8 clients have showing the same policy number as per Group A but they are not updated!

* I did the same as i did for group A on group B but group b has not taken a policy and update

Hi,

Does you have tried to reinstall sep client with new package ?

Repair the sep cleint from add or remove program.

Hi,

I thought i would do that but its not just for 2 groups its with multiple groups and more than 70 clients and doing a re-install didnot seem like a solution so i ruled out re-install or repair.

What SEP version are you using ? Does you have recently migrated new sepm version ?

Signature verification FAILED for Index File Content - Clients are green in the SEPM, but show offline.

Hi James007,

I did come across this document in the past  bu since i have not done anything in regards to .jks file in the past 8 month, i did not do this.

I suggest you can open support ticket.

How to create a new case in MySymantec

http://www.symantec.com/business/support/index?page=content&id=TECH58873

Phone numbers to contact Tech Support:-

Regional Support Telephone Numbers:

• United States: https://support.broadcom.com (407-357-7600 from outside the United States)
• Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
• United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_t...

Can you check if you find any .err files as mentioned here

1. Browse to \Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agentinfo

2. Look for any .err files or tmp files & Dat files

3. If you find anything which is not processed by sepm then it might be the reason for the client data loss

4. Stop SEPM services from services.msc 

5. Delete all the files inside the location \Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\agentinfo

6. Restart the SEPM services.

Check the SEPM now if still issue persist go for step 7

7. Run the Management server configuration wizard.

Note: While running Management server configuration wizard it requires Database password. if you running SEP 12.1.2 it wont prompt you for DB password.

Kindly update us the status .... thanks 

Hi,

I did find .dat and .tmp but from what i see i understand that .err is error file and what is .dat and .tmp.

I did as you instructed will update you within a day or two, please explain what is a .dat, .err and .tmp.

whatever is in outbox will be taken by the clients

whatever is in inbox will be taken by SEPM.

.err files will not be processed by SEPM. .Dat files will contain policies and virus defs info..tmp is anyfile which created during Extraction of these info ( AFAIK)

Please keep us posted.

Hi,

Still the clients are not able to update the policy number and hence unable to update AV definitions.

Enable the Sylink Debugging and Post the logs.

now the SEPM is updated with the policy serial number?

is client communicating with SEPM? if yes, enable sylink log and share it here.

Hi Rafeeq and pete, 

Do you want sylink monitor and debug log or only sylnk monitor log?

Sylink monitor log sir , let it run for atlest  4 hearbeat cycle, we will see why they are not able to download policies..