Endpoint Protection Small Business Edition


SEPM Clients not getting Virus Def from Manager

  • 1.  SEPM Clients not getting Virus Def from Manager

    Posted Mar 17, 2015 11:16 AM

    I'm having a problem getting my SEPM Clients to grab the latest Virus Def from Manager, and the clients aren't even grabbing it from Symantec like it was set up to do. This started right after I upgraded from 12.1.4023.4080 to 12.1.5. I've been using 12.1.4023.4080 from Feb 2014-2015. All the online clients are reporting the current date in the "last time status changed" column, aka Mar 17th; they all have a green dot but with a virus def date ranging from Feb 19 to Mar 16, depending on the machine.

    Server 2008 R2, Clients on Windows 7 SP1

    Any ideas on what I can do to fix it? 

    Thanks

    Untitled.jpg



  • 2.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 17, 2015 11:17 AM

    The SEPM is updating from Symantec LU though? Has the LU policy been modified lately?

    You can enable sylink debugging on an affected client to see what is going on.

    Enable sylink debugging for Endpoint Protection clients

    http://www.symantec.com/docs/TECH104758

    If you update a client manually by running LU, does it update?

    May also want to run the symhelp tool on one affected client to see if it returns errors

    Troubleshooting computer issues with the Symantec Help support tool

    http://www.symantec.com/docs/HOWTO80839



  • 3.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 17, 2015 11:40 AM

    SEPM has the latest definition downloaded. LU policy has not been changed recently.

    If I go to the client itself and manually run a Live Update, it works, but shouldn't SEPM be able to take care of it?

    SEPMDef.JPG



  • 4.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 17, 2015 11:44 AM

    Yes and that's what I wanted to verify, that they could update if forced to go to LU.

    I would suggest enabling sylink debugging as a first step and let it run through a few heartbeat attempts so we can see the comms.



  • 5.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 18, 2015 09:31 AM

    Hi Brian,

    I've run the Sylink debugging, and then we did a Live Update this morning.

    Thanks for your help!

    Attachment(s)

    docx
    SyLink.docx   175 KB 1 version


  • 6.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 18, 2015 03:33 PM

    Please see the attached sylink file

    Attachment(s)

    docx
    SyLink_1.docx   175 KB 1 version


  • 7.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 18, 2015 03:45 PM

    Quick question - are these clients supposed to get updates from a GUP or the SEPM?



  • 8.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 18, 2015 04:31 PM

    I am not 100% sure how to answer your question. It is set up to do Single GroupUpdate Provider IP and the IP is the SEPM Server's IP.

    I didn't change any of the settings when I upgraded from 12.1.4 to 12.1.5.

    LUSettings.JPG



  • 9.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 18, 2015 04:38 PM

    Looks like you're using a GUP for content delivery.

    Select the "Group Update Provider" button

    Within there, look at the "Maximum disk cache size allowed for downloading updates (MB):"

    Is it set to the default of 500MB?

    If so, you need to bump this up, preferably to 1024 or more.

    A full definition size is something like 560MB+ and this setting as is is causing your issue.

    Capture_81.JPG



  • 10.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 18, 2015 04:41 PM

    Yes that might be it! Mine was set to 500MB. Do I need to do anything else after I save it?



  • 11.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 18, 2015 06:06 PM

    Should not need to. The clients should pick up the change on the next heartbeat in. You can monitor the progress to see if they start updating.



  • 12.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 19, 2015 07:20 AM

    You have enabled Sylink after running LiveUpdate manually on the clients. From the client log I can see that none of the defs are application and it never started download.



  • 13.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 20, 2015 10:58 AM

    I increased it to 1024 the other day; it didn't seem to have updated a lot of computers, so I turned it up to 2048 this morning. I've tried to send an Update Content command to a few machines and my computer, which has a Def dated Mar 9th, but yet after the update content command ran 100% according to the Monitor, my computer is still reporting Mar 9th both on the SEPM client list and on my machine.

    Any ideas?



  • 14.  RE: SEPM Clients not getting Virus Def from Manager

    Broadcom Employee
    Posted Mar 23, 2015 11:47 AM

    Run SymHelp and view the reports.  There is a report that will test client to manager communications, definition corruption, installation corruption, etc...  You can also use SymHelp to enable and disable sylink debug logging.

    How to run and use Symantec Help (SymHelp) reports

     

     



  • 15.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 25, 2015 03:29 PM

    SymHelp Results

    Errors.JPG



  • 16.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 25, 2015 03:30 PM

    Errors.JPG

    Everything else is fine.



  • 17.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 26, 2015 10:04 AM

    Any ideas?



  • 18.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 26, 2015 03:25 PM

    Any ideas on how to fix? Anything would be greatly appreciated at this point!



  • 19.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 26, 2015 05:41 PM

    "I am not 100% sure how to answer your question. It is set up to do Single GroupUpdate Provider IP and the IP is the SEPM Server's IP."
    ~~~~~~~~~~~~~~~~~~~~~~~
    SEPM is already providing content for clients. If all the clients are on a local LAN, there are no bandwidth limitations, or clients on the other side of WAN links, and SEPM server load and performance are all OK, I would not use GUP.

    Setting SEPM server as GUP as well is not recommended.

    It's my opinion to uncheck 'Use Live Update Server.' SEPM server provides client management, and also WAN BW resource conservation by having only SEPM server get updates, then publish updates for clients. This does create a single point of failure in the SEPM. I've intentionally crashed the server and had it back up the same day. DR instructions for recovery are pretty simple.

    Are clients all in the same group? Above sylink log seems to indicate only one group - Full Time. Do you have different groups with different policies? Are you using Windows firewall, SEP firewall, or no firewall?

    Are clients on the same VLAN?

    A quick cheat to see if clients can reach server: http://<ServerIP>:8014/content/contentinfo.txt will show content monikers.

    How full is HD on server?

    My actions are to restart workstation if possible, or restart client service. (SMC -stop, SMC -start)
    Restart client service on GUP, waiting at least 2 minutes between stop and start.
    Copy a .JDB file to \incoming\ folder (Third party updates must be enabled, and this is not invasive - user won't notice, or be alerted to update)
    Go to client and run the .exe update.

    And sylink log file is usually very helpful.
    Line 1235:...GUP type: Single Group Update Provider last GUP type: Invalid Group Update Provider type
    Request for content is sent to SEPM to create delta content. OK. Some content will always come from SEPM regardless of GUP presence.
    Then this client attempts to get content from GUP, which is SEPM server...and failing.

    I would start by unchecking "Use Group Update Provider" and waiting for about 2 hours.




  • 20.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Mar 31, 2015 08:24 AM

    Any update on this?



  • 21.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Apr 10, 2015 10:05 AM

    Just figured it out yesterday. Apparently it wasn't any corrupted live updates; it was the TCP/UDP ports that needed to be opened on the firewall. Somehow it is now using 2967. The instant I turned off the firewall, all the computers started to grab the definitions. And this port isn't listed in the ports SEPM uses.



  • 22.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Apr 10, 2015 10:08 AM

    2967 is used by GUP; it's between GUP and clients.



  • 23.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Apr 10, 2015 10:36 AM

    Clients/GUPs communicate over TCP 2967.

    Communication ports used by Symantec Endpoint Protection
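
Added example (not part of the original thread or any Symantec tooling): a PowerShell check, run from an affected client, that tests the two paths discussed above, the SEPM content URL on port 8014 from post 19 and the GUP port TCP 2967 from posts 21-23. The server addresses are placeholders and the 3-second timeout is an assumption.

```powershell
# Added example. Addresses are placeholders (TEST-NET-1), not values from the thread.
param(
    [string]$SepmServer = '192.0.2.10',   # placeholder: SEPM server IP
    [string]$GupHost    = '192.0.2.10',   # placeholder: GUP IP (same box in this thread)
    [int]$TimeoutMs     = 3000            # assumed timeout per connection attempt
)

# Plain TCP connect with a timeout; uses .NET directly so it also runs on
# the PowerShell 2.0 that ships with Windows 7 SP1.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'timeout (silently dropped by a firewall, or host down)'
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return 'open'
    } catch {
        return "failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

$checks = @(
    @{ Name = 'SEPM client communication'; Target = $SepmServer; Port = 8014 },
    @{ Name = 'Group Update Provider';     Target = $GupHost;    Port = 2967 }
)
foreach ($c in $checks) {
    $result = Test-TcpPort -Target $c.Target -Port $c.Port -TimeoutMs $TimeoutMs
    '{0,-28} {1}:{2} -> {3}' -f $c.Name, $c.Target, $c.Port, $result
}

# The "quick cheat" from post 19: the SEPM should return its content monikers.
$url = "http://${SepmServer}:8014/content/contentinfo.txt"
try {
    $body = (New-Object System.Net.WebClient).DownloadString($url)
    'contentinfo.txt reachable ({0} characters returned)' -f $body.Length
} catch {
    "contentinfo.txt fetch failed: $($_.Exception.Message)"
}
```

A result of 8014 open with 2967 timing out matches the symptom in this thread: clients heartbeat to the SEPM and show a green dot, but cannot pull definitions from the GUP.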



  • 24.  RE: SEPM Clients not getting Virus Def from Manager

    Posted Apr 10, 2015 10:54 AM

    Well, I didn't change anything since I moved SEPM to this server 2 years ago, and everything was working fine until I updated from RU4 to RU5, so it must have deleted/changed something during the install.