Endpoint Protection

Right now, I am trying to troubleshoot one of our GUPs (SEP 11) that Netflow Analyzer has shown to transmit "Unknown Application"

While I was in the process of configuring Wireshark on GUP, on the lower right hand side a pop-up from SEP shield says "Location has been changed to GUP_OFF_LOCATION", and the green dot disappeared ---- I had previously configured locations based on whether GUP can connect to SEPM or not.

So when I opened the Client Management Logs, here is the record:

6166 1/14/2014 4:26:43 AM Information 12070900 Start serving as the Group Update Provider (proxy server). 
6167 1/14/2014 4:26:43 AM Information 1207020E Location has been changed to GUP_ON_LOCATION. 
6168 1/14/2014 4:28:09 AM Information 12071007 New virus definition file loaded. Version: 160113v. 
6169 1/14/2014 6:12:52 AM Information 120B0007 Failed to connect to all GUPs, now trying to connect SEPM 
6170 1/14/2014 12:33:33 PM Information 12070304 Disconnected from Symantec Endpoint Protection Manager  
6171 1/14/2014 12:33:35 PM Information 12070301 Connected to Symantec Endpoint Protection Manager  
6172 1/14/2014 1:33:37 PM Information 12070304 Disconnected from Symantec Endpoint Protection Manager  
6173 1/14/2014 1:33:40 PM Information 12070900 Stop serving as the Group Update Provider (proxy server). 
6174 1/14/2014 1:33:40 PM Information 1207020E Location has been changed to GUP_OFF_LOCATION. 
6175 1/14/2014 1:37:05 PM Information 12070301 Connected to Symantec Endpoint Protection Manager  
6176 1/14/2014 1:37:09 PM Information 12070900 Start serving as the Group Update Provider (proxy server). 
6177 1/14/2014 1:37:09 PM Information 1207020E Location has been changed to GUP_ON_LOCATION. 
6178 1/14/2014 1:37:10 PM Information 12070301 Connected to Symantec Endpoint Protection Manager  
6179 1/14/2014 1:37:10 PM Information 12071007 New virus definition file loaded. Version: 160114b. 
6180 1/14/2014 6:38:10 PM Information 120B0007 Failed to connect to all GUPs, now trying to connect SEPM 
6181 1/14/2014 9:37:36 PM Information 12070304 Disconnected from Symantec Endpoint Protection Manager  
6182 1/14/2014 9:37:40 PM Information 12070900 Stop serving as the Group Update Provider (proxy server). 
6183 1/14/2014 9:37:40 PM Information 1207020E Location has been changed to GUP_OFF_LOCATION. 
6184 1/15/2014 12:46:52 AM Information 12070301 Connected to Symantec Endpoint Protection Manager  
6185 1/15/2014 12:46:52 AM Information 12070304 Disconnected from Symantec Endpoint Protection Manager  
6186 1/15/2014 12:46:57 AM Information 12070301 Connected to Symantec Endpoint Protection Manager  
6187 1/15/2014 12:46:59 AM Information 12070900 Start serving as the Group Update Provider (proxy server). 
6188 1/15/2014 12:46:59 AM Information 1207020E Location has been changed to GUP_ON_LOCATION. 
6189 1/15/2014 12:47:02 AM Information 12071007 New virus definition file loaded. Version: 160114i. 
6190 1/15/2014 12:47:11 AM Information 12070301 Connected to Symantec Endpoint Protection Manager  
6191 1/15/2014 8:47:43 AM Information 12070304 Disconnected from Symantec Endpoint Protection Manager  
6192 1/15/2014 8:48:58 AM Information 12070900 Stop serving as the Group Update Provider (proxy server). 
6193 1/15/2014 8:48:58 AM Information 1207020E Location has been changed to GUP_OFF_LOCATION. 

Is there any explanation to this erratic behavior?

What happens if you do an smc -stop/start? Does it connect back and start acting as a GUP again?

I see this all the time with some of my GUPs (75+)

It occurs mostly with my remote GUPs over a slower line.

Ideally, we would need to see the sylink log to see what is going on.

I tried SMC -STOP/START and now works

Will run sylink log

I see this all the time with mine but a simple smc -stop/start always brings it back online and acting as a GUP again.

I've never been able to capture a sylink log simply because there is no way to predict it and don't spend the time looking at it. It may happen once or twice bi-weekly for me.

If you can get a sylink log though that would be great.

Attached is the sylink logs

Are there any clues to why this is happening?

Attachment(s)

Sylink_18.zip   46 KB 1 version

Found in sylink:

01/15 10:48:23 [6932] <SendRegistrationRequest:>SMS return=500
01/15 10:48:23 [6932] <ParseHTTPStatusCode:>500=>500 INTERNAL SERVER ERROR

Try this:

http://www.symantec.com/docs/TECH168828

It seems point to SEPM on XP SP3 but I doubt you're running SEPM on XP?

You can also check this one:

http://www.symantec.com/docs/TECH155738

And these are debug logs

Attachment(s)

debug_1.zip   128 KB 1 version

And wireshark capture from one GUP to all our SEPM servers

Attachment(s)

sepms_835.pcap_.zip   25 KB 1 version

Seeing these:

01/15 09:47:09 [6744:1624] GUProxy - Is this computer a GUP Server? [0]
01/15 09:47:09 [6744:1624] GUProxy: StopGUPServer
01/15 09:47:09 [6744:1624] GUProxy: StopServerMonitor
01/15 09:47:09 [6744:1624] GUProxy: StopListenThread
01/15 09:47:09 [6744:4940] GUProxy: invalid socket on accept, error 10004
01/15 09:47:09 [6744:1624] GUProxy system event - type 0 - desc <Stop serving as the Group Update Provider (proxy server).> - extra <(null)>

However, I'm not finding relevant info in the Symantec KB. I'll keep looking
 

The 500 INTERNAL SERVER ERROR seems to be the issue

Sylink is also pointing to another error:

503 SERVICE NOT AVAILABLE

A quick search of the KB points to this article:

Client status is offline. Error 503=>503 SERVICE NOT AVAILABLE.