Endpoint Protection


SEP 12.1 All newly installed clients are offline

  • 1.  SEP 12.1 All newly installed clients are offline

    Posted Dec 06, 2016 02:20 AM

    Hi,

     

    I am a newbie to SEP. We currently have 20 PCs running fine in SEPM.

    Recently we installed 10 new Windows 7 64-bit clients, but none of the 10 clients has the green dot, and they all show as offline in SEPM. The 20 PCs are still working fine.

     

    Things we had done:-

    1. Ping SEPM server from client and vice versa (successful)

    2. Browse the web page from client (successful)

    3. Telnet to SEPM server with port 8014, 9090, 443, 80 from client (successful)

    4. Run command from client  netstat -np TCP | find "8014" and the status shows ESTABLISHED to the SEPM server.

    5. Replace the sylink.xml from working client to affected client

    6. Reinstall SEP to affected client

    7. Turn off Windows Firewall from client

    8. Delete the legacy proxy setting from client

     

    But we are still having issues with these 10 client PCs.

     

     

    Here is an error log from one of the clients as well

    12/06 14:54:08.420 [2108:3600] <SyLink>[MakeRegisterData] registration Hardware Key=1E7B97EE1E47C6AB3ED2D97831AD5155
    12/06 14:54:08.420 [2108:3600] AH: Setting the Browser Session end option & Resetting the URL session ..
    12/06 14:54:08.581 [2108:3600] <ParseHTTPStatusCode:>500=>500 INTERNAL SERVER ERROR
    12/06 14:54:08.581 [2108:3600] <SyLink>[SendRegsitrationRequest] Request Result= 5
    12/06 14:54:08.587 [2108:3600] ###### Set ACSConnec offline
    12/06 14:54:08.587 [2108:3600] CProfileMgrManPlugin::ReceiveMessage: enter
    12/06 14:54:08.587 [2108:3600] ProfileMgrMan: ReceiveMessage with msg id 262146
    12/06 14:54:08.587 [2108:3600] CProfileMgrManPlugin::ReceiveMessage: exit
    12/06 14:54:08.587 [2108:3600] AVMan: Entering ReceiveMessage with msg id 262146
    12/06 14:54:08.587 [2108:3600] AVMan: Leaving ReceiveMessage
    12/06 14:54:08.587 [2108:3600] LUMan: Entering ReceiveMessage with id 0x40002
    12/06 14:54:08.587 [2108:3600] AtpiMan: Entering ReceiveMessage with msg id 262146
    12/06 14:54:08.587 [2108:3600] AtpiMan: Leaving ReceiveMessage
    12/06 14:54:08.587 [2108:3600] BashMan: Entering ReceiveMessage with msg id 262146
    12/06 14:54:08.587 [2108:3600] BashMan: Leaving ReceiveMessage
    12/06 14:54:08.587 [2108:3600] RebootMgrMan: Entering ReceiveMessage with msg id 262146
    12/06 14:54:08.587 [2108:3600] RebootMgrMan: Leaving ReceiveMessage
    12/06 14:54:08.587 [2108:3600] RepMgtMan: Entering ReceiveMessage with msg id 262146
    12/06 14:54:08.587 [2108:3600] RepMgtMan: Leaving ReceiveMessage
    12/06 14:54:08.587 [2108:3600] SubmissionsMan: Entering ReceiveMessage with msg id 262146
    12/06 14:54:08.587 [2108:3600] SubmissionsMan: Leaving ReceiveMessage

     

     

    Help would really be appreciated as I am stuck at a loose end!

     

    Thanks.



  • 2.  RE: SEP 12.1 All newly installed clients are offline

    Posted Dec 06, 2016 02:39 AM

    Did you restart your SEPM server?

    Let us know the result of the Secars test:

    https://support.symantec.com/en_US/article.TECH102682.html

    It seems like you have some sort of proxy or firewall between the SEPM and the clients which could be filtering HTTP traffic.



  • 3.  RE: SEP 12.1 All newly installed clients are offline

    Trusted Advisor
    Posted Dec 06, 2016 03:04 AM

    What is the exact version of the SEP client you have installed? Earlier versions of 12.1 did not support Windows 10.



  • 4.  RE: SEP 12.1 All newly installed clients are offline

    Posted Dec 06, 2016 03:39 AM

     

    Yes, we did restart the SEPM server several times.

    We also did the Secars test and the web page displays "OK".

     



  • 5.  RE: SEP 12.1 All newly installed clients are offline

    Posted Dec 06, 2016 03:42 AM

    12.1.1101.401 RU1 MP1

    We installed it on 10 client PCs, which are running Windows 7 64-bit.



  • 6.  RE: SEP 12.1 All newly installed clients are offline

    Posted Dec 06, 2016 04:05 AM

    Were these clients cloned with the same hardware ID? If yes, then only one will show the green dot and the cloned ones will not show up.

    Try this:

    Duplicate Hardware IDs result in only one client showing up in the Symantec Endpoint Protection Manager for multiple systems

    https://support.symantec.com/en_US/article.TECH97626.html



  • 7.  RE: SEP 12.1 All newly installed clients are offline

    Posted Dec 06, 2016 07:45 AM

    What are the clients that ARE working? Same setup and specs as the ones not working?



  • 8.  RE: SEP 12.1 All newly installed clients are offline

    Posted Dec 07, 2016 01:27 AM

    Hi Brian,

    Yes, all clients have the same setup and the same specs (same brand and model as well).

    They sit in the same VLAN, are joined to the same domain, and have the same Windows patches and GPO applied.

     

    That's why it sounds weird.

     



  • 9.  RE: SEP 12.1 All newly installed clients are offline

    Posted Dec 07, 2016 01:31 AM

    Hi Rafeeq,

    Thanks for the reply.

    Nope, all clients are freshly installed PCs.

    I found some errors in ersecreg.log. I have checked and confirmed that the hardware keys for all clients are different.

     

     

    11/04 09:15:59 [2156:3500] 5 No legal HostID or GroupID in response from server.

    11/04 09:15:59 [2156:3500] 10.3.2.35<AgentInfo DomainID="F5C64C8A0A03011F008D2E3731D9680E" AgentType="105" UserDomain="MYS.ABC.INTERNAL" LoginUser="AbbyyFTP" ComputerDomain="MYS.ABC.INTERNAL" ComputerName="MYSLATIFAH01" PreferredGroup="My%20Company%5cClient" PreferredMode="1" HardwareKey="E40611297110B561C70E48A89F88CE63" SiteDomainName=""/>--FAILED

    11/04 09:17:35 [2156:3432] 5 No legal HostID or GroupID in response from server.

    11/04 09:19:20 [2156:3488] 10.3.2.11<AgentInfo DomainID="F5C64C8A0A03011F008D2E3731D9680E" AgentType="105" UserDomain="MYS.ABC.INTERNAL" LoginUser="MYSMAKH01" ComputerDomain="MYS.ABC.INTERNAL" ComputerName="MYSMAHZULS01" PreferredGroup="My%20Company%5cClient" PreferredMode="1" HardwareKey="702EEE230AA777259627149CD2012D90" SiteDomainName=""/>--FAILED

     

    Not sure what it means by "No legal HostID or GroupID...."
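The duplicate-key check discussed in replies 6 and 9, as an added example that is not part of the original thread and not Symantec tooling: it parses `AgentInfo` lines in the ersecreg.log layout quoted above, URL-decodes `PreferredGroup`, and reports any `HardwareKey` sent by more than one computer. The function names and the sample host names and keys are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the ersecreg.log layout quoted in the post above;
# IPs, computer names and hardware keys are made up for this example.
SAMPLE = '''\
11/04 09:15:59 [2156:3500] 5 No legal HostID or GroupID in response from server.
11/04 09:15:59 [2156:3500] 192.0.2.35<AgentInfo DomainID="D0" AgentType="105" ComputerName="PC-A" PreferredGroup="My%20Company%5cClient" PreferredMode="1" HardwareKey="AAAA0001" SiteDomainName=""/>--FAILED
11/04 09:19:20 [2156:3488] 192.0.2.11<AgentInfo DomainID="D0" AgentType="105" ComputerName="PC-B" PreferredGroup="My%20Company%5cClient" PreferredMode="1" HardwareKey="AAAA0002" SiteDomainName=""/>--FAILED
11/04 09:21:02 [2156:3488] 192.0.2.12<AgentInfo DomainID="D0" AgentType="105" ComputerName="PC-C" PreferredGroup="My%20Company%5cClient" PreferredMode="1" HardwareKey="AAAA0001" SiteDomainName=""/>--FAILED
'''

# Source IP, the attribute list, and the trailing result word (FAILED on the page).
ENTRY = re.compile(
    r'\]\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})<AgentInfo\s+(?P<attrs>[^>]*?)/>--(?P<result>\w+)')
ATTR = re.compile(r'(\w+)="([^"]*)"')


def parse_registrations(text):
    """Return one dict per AgentInfo line: ip, result, and URL-decoded attributes."""
    rows = []
    for m in ENTRY.finditer(text):
        attrs = {k: unquote(v) for k, v in ATTR.findall(m.group('attrs'))}
        rows.append({'ip': m.group('ip'), 'result': m.group('result'), **attrs})
    return rows


def duplicate_hardware_keys(rows):
    """Map each HardwareKey reported by more than one computer to those computers."""
    seen = defaultdict(set)
    for r in rows:
        seen[r.get('HardwareKey', '')].add(r.get('ComputerName', r['ip']))
    return {k: sorted(v) for k, v in seen.items() if k and len(v) > 1}


if __name__ == '__main__':
    rows = parse_registrations(SAMPLE)
    for r in rows:
        print(r['ip'], r['ComputerName'], r['PreferredGroup'], r['HardwareKey'], r['result'])
    print('duplicate keys:', duplicate_hardware_keys(rows))
```

An empty result from `duplicate_hardware_keys` rules out cloned hardware IDs as the cause for the clients that appear in the log.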



  • 10.  RE: SEP 12.1 All newly installed clients are offline

    Posted Dec 07, 2016 05:38 AM

    Can you move one of the affected clients to a different group in SEPM?

    Then do an smc -stop and smc -start on the client.

    Also, on the present group, right-click, open Properties, and check whether you have blocked any new clients.



  • 11.  RE: SEP 12.1 All newly installed clients are offline

    Posted Dec 08, 2016 01:28 AM

    Rafeeq,

    Tried but still no luck.

    The "Block New Client" checkbox is unticked.

     

     



  • 12.  RE: SEP 12.1 All newly installed clients are offline

    Posted Dec 08, 2016 02:28 PM

    Hi Lawrence,

     

    Did you try to replace the sylink file manually on any of the PCs? If yes, what's the result?

    By any chance, are you running the SEPM on a client OS (like XP, 7, or 8)? If yes, you have to change the communication mode from pull to push.

     

    Also, please check whether the machines are affected by duplicate IDs by following the article below:

    Repair duplicate IDs on cloned Endpoint Protection 12.1 clients



  • 13.  RE: SEP 12.1 All newly installed clients are offline

    Posted Dec 08, 2016 11:37 PM

    Hi Praveen,

    Yes, we did replace the sylink file (from a working PC) manually but it doesn't work.

    We run the SEPM directly from a server (2008 R2) instead of a client OS.

    We have checked and confirmed that the machines do not have duplicate IDs.



  • 14.  RE: SEP 12.1 All newly installed clients are offline

    Posted Dec 09, 2016 12:02 AM

    BTW, I have turned on the Apache HTTP Server access log on the SEPM server, and below is the info for one of the affected machines (10.3.2.151).

     

     

     

    10.3.2.151 - - [09/Dec/2016:12:49:04 +0800] "POST /secreg/secreg.dll?l=2 HTTP/1.1" 500 538
    10.3.2.8 - - [09/Dec/2016:12:49:10 +0800] "GET /secars/secars.dll?h
    10.3.2.8 - - [09/Dec/2016:12:49:10 +0800] "GET /secars/secars.dll?h
    10.3.2.151 - - [09/Dec/2016:12:49:11 +0800] "POST /secreg/secreg.dll?l=2 HTTP/1.1" 500 538
    10.3.2.151 - - [09/Dec/2016:12:49:11 +0800] "POST /secreg/secreg.dll?l=2 HTTP/1.1" 500 538

     

     

    Any idea what it means?
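One way to triage an access log like the one quoted above, as an added example that is not part of the original thread: it counts responses per client and endpoint and lists the clients whose POSTs to `/secreg/secreg.dll` only ever returned 5xx. It assumes, as the client and server logs in this thread suggest, that `secreg.dll` handles client registration; the function names, sample IPs and the secars query string are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Apache access-log layout quoted in the post above.
# The secars query string is a placeholder, not a real SEP request.
SAMPLE = '''\
192.0.2.151 - - [09/Dec/2016:12:49:04 +0800] "POST /secreg/secreg.dll?l=2 HTTP/1.1" 500 538
192.0.2.8 - - [09/Dec/2016:12:49:10 +0800] "GET /secars/secars.dll?h=PLACEHOLDER HTTP/1.1" 200 112
192.0.2.151 - - [09/Dec/2016:12:49:11 +0800] "POST /secreg/secreg.dll?l=2 HTTP/1.1" 500 538
192.0.2.9 - - [09/Dec/2016:12:49:12 +0800] "POST /secreg/secreg.dll?l=2 HTTP/1.1" 200 301
this line is malformed and must be skipped
'''

# Common Log Format: ip, ident, user, [timestamp], "METHOD path?query proto", status, size
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$')


def summarize(text):
    """Count (endpoint, status) pairs per client IP; unparseable lines are skipped."""
    stats = defaultdict(Counter)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            endpoint = m.group('path').rsplit('/', 1)[-1].lower()
            stats[m.group('ip')][(endpoint, int(m.group('status')))] += 1
    return stats


def stuck_in_registration(stats):
    """Clients whose secreg.dll requests never got anything but a 5xx response."""
    stuck = []
    for ip, counts in stats.items():
        reg = {status: n for (ep, status), n in counts.items() if ep == 'secreg.dll'}
        if reg and all(status >= 500 for status in reg):
            stuck.append((ip, sum(reg.values())))
    return sorted(stuck)


if __name__ == '__main__':
    for ip, attempts in stuck_in_registration(summarize(SAMPLE)):
        print(f'{ip}: {attempts} registration attempts, all answered with 5xx')
```

Clients that appear only with `secars.dll` requests are already registered and polling, so a list made up solely of the new machines points at the server-side registration step rather than the network path.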



  • 15.  RE: SEP 12.1 All newly installed clients are offline

    Posted Dec 12, 2016 09:49 PM

    Hi Praveen,

    By the way, we have run the ClientSideClonePrepTool.exe but it is still the same.