Endpoint Protection

  • 1.  Clients briefly online to 12.1 SEPM

    Posted Jul 13, 2011 10:49 AM

    Brief history leading up to today:
    On our 11.06 SEPM server, sem5.db failed and we contacted support via phone. During the support process, 11.06 was reinstalled and a backup database was used to restore the functionality. The only problem was, the backup was from a previous version and this was not discovered right away (nor did support pick up on this). Also during the re-install, the backed up keystore file was never brought into play (perhaps it wasn't necessary?). All client communication stopped. Support sent me sylinkreplacer and instructed me to deploy the default group sylink.xml to all my clients. This could only contact about 15% of the clients and maybe drop the sylink file on 10% of those. I tried to be patient when dealing with support, but due to communication problems (very poor sound quality among other things) and tired of saying what? over and over, and discovering the restored database was the previous version, I closed the ticket with the intent of using web support. I then got the SEPM databases updated back to 11.06. No client communication could be restored no matter how many tricks I tried.

    In the meantime I pulled 12.1 down and decided to plunge into it. I figured I lost all communication to the clients, so I might as well. The upgrade went fine on the server, and had no problems with it. Knowing that I'll be deploying a new client to everyone, I created a new management server in Management Server Lists and assigned all the groups to it. I then exported the communication settings for each group, and used the SylinkDrop to put the corresponding file onto each computer. Now the clients are offline, but the management server shows some of them online. I have also run the 'rebuild indexes now' on the server.

    If I stop and then start smc on the client, a green dot will appear briefly on the icon, and then go away. In Help; Troubleshooting; Management, the server's IP address will appear briefly in the Server: field and then it changes to Offline. Connection status shows Last Successful Connection as being the time that the smc service was started.

    I deployed a new client using the Wizard, and made sure that the Client Install used 'Remove all previous logs and policies, and reset the client-server communications settings'. Still the same behavior: a dot appears briefly and disappears.

    Here is a snippet of the logging from SylinkMonitor:

    07/13 10:23:03.618 [6716] <CSyLink::IndexHeartbeatProc()>
    07/13 10:23:03.622 [6716] <IndexHeartbeatProc> Got ConfigObject to proceed the operation.. pSylinkConfig: 0000000002D06260
    07/13 10:23:03.622 [6716] <IndexHeartbeatProc>====== Reg Heartbeat loop starts at 10:23:03 ======
    07/13 10:23:04.125 [6716] HEARTBEAT: Check Point 1
    07/13 10:23:04.125 [6716] Get First Server!
    07/13 10:23:04.126 [6716] <GetFirstSEMServer> Selecting a random server
    07/13 10:23:04.128 [6716] HEARTBEAT: Check Point 2
    07/13 10:23:04.130 [6716] <PostEvent>going to post event=EVENT_SERVER_CONNECTING
    07/13 10:23:04.132 [6716] <PostEvent>done post event=EVENT_SERVER_CONNECTING, return=0
    07/13 10:23:04.134 [6716] HEARTBEAT: Check Point 3
    07/13 10:23:04.139 [6716] <IndexHeartbeatProc>Setting the session timeout on Profile Session to 30000
    07/13 10:23:04.140 [6716] HEARTBEAT: Check Point 4
    07/13 10:23:04.142 [6716] <IndexHeartbeatProc>===Get Index STAGE===
    07/13 10:23:04.144 [6716] ************CSN=453325
    07/13 10:23:04.146 [6716] <mfn_MakeGetIndexUrl:>Request is: action=12&hostid=DB1733850A000A60015EF45A9B06C82E&chk=09CEBBEEF4F52F5F354B397326022C94&ck=8FBFE2C4DE0E1BC6009E9DBF3359099F&uchk=25E4278F733E1C07391DF97133D9498D&uck=16F843CF56C9E2A3856127329F4AB2DC&hid=A0331E74639C9E8B51AC45763326D12D&groupid=416B44C30A000A6101FE93E0714A50F9&ClientProductVersion=12.1.671.4971&mode=0&hbt=300&as=453325&cn=[hex]54313132322D5669737461&lun=[hex]41646D696E6973747261746F72&udn=[hex]574954544D414E4E494E432E434F4D
    07/13 10:23:04.149 [6716] <GetIndexFileRequest:>http://10.0.10.96:8014/secars/secars.dll?h
    07/13 10:23:04.173 [6716] <GetIndexFileRequest:>SMS return=200
    07/13 10:23:04.173 [6716] <ParseHTTPStatusCode:>200=>200 OK
    07/13 10:23:04.174 [6716] <FindHeader>Sem-HashKey:=>09CEBBEEF4F52F5F354B397326022C94
    07/13 10:23:04.179 [6716] <GetIndexFileRequest:>Loading the current mode:1
    07/13 10:23:04.180 [6716] <FindHeader>Sem-LANSensor:=>1
    07/13 10:23:04.182 [6716] <FindHeader>Sem-Signatue:=>53281FE7A780E8333C276C0F6581F36C571867A99DE290318DB4426199FA2E76FF83BFE64DEF86BFF7B096A4591401935601EDE57FCC09F6748E97F52C8F2BEB8A4EE7224BFE1F39C3CBFE7F85A5EB3E8A7D16A22B31BED07AF2798FFDE8C1A1E73C726EF3A6FCC2F573006DE4E8D1536D3E293E75A1F5218C9B2F39A5A1C1EA
    07/13 10:23:04.184 [6716] <mfn_DoGetIndexFile200>Content Length => 1801
    07/13 10:23:04.187 [6716] <mfn_DoGetIndexFile200>Signature verification FAILED for Index File Content..
    07/13 10:23:04.189 [6716] <GetIndexFileRequest:>RECEIVE STAGE COMPLETED
    07/13 10:23:04.192 [6716] <GetIndexFileRequest:>COMPLETED
    07/13 10:23:04.194 [6716] <IndexHeartbeatProc>GetIndexFile handling status: 101
    07/13 10:23:04.196 [6716] <IndexHeartbeatProc>Switch Server flag=0
    07/13 10:23:04.201 [6716] HEARTBEAT: Check Point 5.1
    07/13 10:23:04.201 [6716] <ScheduleNextUpdate>new scheduled heartbeat=2048 seconds
    07/13 10:23:04.202 [6716] HEARTBEAT: Check Point 8
    07/13 10:23:04.205 [6716] Get Next Server!
    07/13 10:23:04.207 [6716] <PostEvent>going to post event=EVENT_SERVER_DISCONNECTED
    07/13 10:23:04.210 [6716] <PostEvent>done post event=EVENT_SERVER_DISCONNECTED, return=0
    07/13 10:23:04.212 [6716] <IndexHeartbeatProc>====== IndexHeartbeat Procedure stops at 10:23:04 ======
    07/13 10:23:04.214 [6716] <IndexHeartbeatProc>Set Heartbeat Result= 1
    07/13 10:23:04.216 [6716] <IndexHeartbeatProc>Sylink Comm.Flags: 'Connection Failed' = 1, 'Using Backup Sylink' = 0, 'Using Location Config' = 0
    07/13 10:23:04.219 [6716] <IndexHeartbeatProc>Connection Failed! No. of tries = 1
    07/13 10:23:04.221 [6716] Use new configuration
    07/13 10:23:04.224 [6716] HEARTBEAT: Check Point Complete
    07/13 10:23:04.226 [6716] <IndexHeartbeatProc>Done, Heartbeat=2048seconds
    07/13 10:23:04.229 [6716] </CSyLink::IndexHeartbeatProc()>
    07/13 10:23:04.232 [6716] <CheckHeartbeatTimer>====== Heartbeat loop stops at 10:23:04 ======

    I am suspecting that <mfn_DoGetIndexFile200>Signature verification FAILED for Index File Content.. is pointing to the problem, but I have no idea what to do with that, or what it corresponds to. If more logs are needed, let me know and I'll supply them.

    Thanks in advance for any assistance.



  • 2.  RE: Clients briefly online to 12.1 SEPM

    Posted Jul 13, 2011 11:34 AM

    Hi,

    When the SEP client shows the green dot for a few seconds and you see a signature failure, it means it is using an invalid certificate.

    You should properly apply the disaster recovery procedure (use the same SEPM version, passwords, certificates, etc.). If you cannot do it or you did not do it (you did not save all required files, you don't remember the initial passwords, etc.), you must replace the sylink.xml on the clients.

    http://www.symantec.com/business/support/index?page=content&id=TECH102333&locale=en_US

    I'm sorry you did not have a good experience with the support. I see you are struggling with this issue, but I am pretty sure that Symantec Support can avoid further frustration; if you still have communication issues, you can kindly ask to talk to another engineer who speaks your language natively. You can also reopen the same case if it was not closed more than 10 days ago.
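    A small triage script, added here as an example and not taken from the thread or from Symantec, that reads SylinkMonitor lines like the excerpt in the first post and separates "server unreachable" from "server reached but signature rejected", the certificate mismatch this reply describes. The sample lines are constructed from the excerpt; the field names and diagnosis labels are my own.

```python
import re
from typing import Dict

# Constructed sample modelled on the SylinkMonitor excerpt in the thread
# (a subset of the poster's lines; not a complete heartbeat log).
SAMPLE_LOG = """\
07/13 10:23:04.149 [6716] <GetIndexFileRequest:>http://10.0.10.96:8014/secars/secars.dll?h
07/13 10:23:04.173 [6716] <GetIndexFileRequest:>SMS return=200
07/13 10:23:04.187 [6716] <mfn_DoGetIndexFile200>Signature verification FAILED for Index File Content..
07/13 10:23:04.194 [6716] <IndexHeartbeatProc>GetIndexFile handling status: 101
07/13 10:23:04.219 [6716] <IndexHeartbeatProc>Connection Failed! No. of tries = 1
"""

# "MM/DD HH:MM:SS.mmm [thread] message"
LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d\.\d+) \[\d+\] (.*)$")


def parse_heartbeat(text: str) -> Dict[str, object]:
    """Pull the facts that matter for triage out of one heartbeat's lines."""
    facts = {"server": None, "http_status": None, "sig_failed": False,
             "handling_status": None, "connection_failed": False}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group(2)
        if msg.startswith("<GetIndexFileRequest:>http"):
            # Management server the client actually tried (scheme://host:port).
            facts["server"] = msg.split(">", 1)[1].split("/secars")[0]
        elif "SMS return=" in msg:
            facts["http_status"] = int(msg.rsplit("=", 1)[1])
        elif "Signature verification FAILED" in msg:
            facts["sig_failed"] = True
        elif "GetIndexFile handling status:" in msg:
            facts["handling_status"] = int(msg.rsplit(":", 1)[1])
        elif "Connection Failed!" in msg:
            facts["connection_failed"] = True
    return facts


def diagnose(facts: Dict[str, object]) -> str:
    """Map parsed facts to one of the outcomes a SEPM admin needs to tell apart."""
    if facts["http_status"] == 200 and facts["sig_failed"]:
        # Server answered, but the client rejects its signature: the client's
        # sylink.xml/keystore does not match the server's current certificate.
        return "cert-mismatch"
    if facts["http_status"] is None and facts["connection_failed"]:
        return "unreachable"          # never got an HTTP reply from any server
    if facts["http_status"] == 200 and not facts["sig_failed"]:
        return "ok"
    return "other"
```

    A "cert-mismatch" result means network reachability is fine and the fix is on the trust side: restore the original keystore/certificate on the SEPM or redeploy sylink.xml exported from the current server.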



  • 3.  RE: Clients briefly online to 12.1 SEPM
    Best Answer

    Posted Jul 13, 2011 11:51 AM

    It's definitely the certificate issue; restore the certificate from the older time and it should help.



  • 4.  RE: Clients briefly online to 12.1 SEPM

    Posted Jul 13, 2011 12:31 PM

    The backup files were pre-11.06 and because I've got 12.1 installed, I don't want to go that route (yet). I want to continue forward with getting 12.1 going. I will read the disaster recovery closer and see where the certificate aspect comes in. I thought by creating a new server group and generating/dropping the sylink.xml file onto the client would fix that. It's not that the engineer couldn't speak my language; the phone (or VoIP, or tin cans w/strings) connection was horrible all three times I was in communication with them. Static, fading and dropouts were worse than the accent.