Endpoint Protection

  • 1.  SEP agent Migration to a new Replication Partner

    Posted Apr 04, 2021 03:37 AM
    Hi everyone, I have 2 SEPMs running 14.3 MP1. Both of them are configured as replication partners. The plan is that we will migrate all of the SEP agents connecting to SEPM-1, and once all agents are moved over to SEPM-2 we will decommission SEPM-1. To achieve this we have set up the below MSL List for this migration.

    Priority-1, SEPM-2 FQDN and IP

    Priority-2 SEPM-1 FQDN and IP

    However, once we applied this MSL to one of the existing groups in SEPM-1, we saw around 80% of the agents in that group connect to the new SEPM, but the other 20% are still connecting to SEPM-1. These 20% of agents have reachability to SEPM-2 and can connect to it over ports 443 and 8014.

    Is there a reason why these 20% didn't connect to SEPM-2 as the MSL is dictating them to connect to SEPM-2? 

    What is the best way to troubleshoot and know why these didn't connect to SEPM-2?

    Thanks

    ------------------------------
    Symantec Enthusiast
    ------------------------------


  • 2.  RE: SEP agent Migration to a new Replication Partner

    Posted Apr 04, 2021 02:12 PM
    Anyone???

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 3.  RE: SEP agent Migration to a new Replication Partner

    Posted Apr 05, 2021 11:54 AM
    Appreciate any feedback on this. Thanks

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 4.  RE: SEP agent Migration to a new Replication Partner

    Broadcom Employee
    Posted Apr 05, 2021 08:39 PM
    Hello, the best way is to use Wireshark and look at the communication to see if it was able to successfully connect to SEPM2 based on HTTP traffic. Because you configured the MSL with 2 SEPMs, it will always try to fall back to P2 if for any reason it wasn't able to establish a connection with SEPM1.

    Another way to try is to use a single client which has this known issue, and assign it to only connect to SEPM2 without a P2 connection and see if that connection holds. If it doesn't, that SEPM2 might potentially be overwhelmed.

    Remember, once you migrate to SEPM2, your MSL on that group should only mention SEPM2 as P1; you don't want your clients to be bouncing back and forth.


    ------------------------------
    Sr Manager, Product Management
    SEP Survey https://forms.gle/UTjw14f6Gr8VAm4N7
    ------------------------------



  • 5.  RE: SEP agent Migration to a new Replication Partner

    Posted Apr 07, 2021 06:48 PM
    Hey,

    Did you indeed check that the Priority 1 list is accessible? There is currently no way within a single MSL to configure both 443 and 8014 at the same time. It's either SSL or not? What's the current MSL configuration - HTTP / HTTPS?

    Answering these questions might help you too:
    1) Is a specific OS / version being affected?
    2) Did you check that those 20% have the latest policy set?
    3) Is a specific network segment being affected?
    4) If possible, from a client not migrating to the P1 SEPM list, run a network test for both 443/8014 - that can be secars, telnet or PS Test-NetConnection
    5) From the client end (or from the SEPM P2), the client should have uploaded sylink events; can you check and see if there are connection attempts to P1?
    6) Worst case scenario is to collect a SymDiag from an endpoint not switching to the new P1 while debug logging is enabled and send it out to support. There is also a sweet way to troubleshoot it on your own: enabling the communication debug (if WinOS) - https://knowledge.broadcom.com/external/article/151291/how-to-debug-the-symantec-endpoint-prote.html#SMC . It will generate a plain text log that's pretty easy to read.

    Cheers ;)
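
The network test from point 4 above, as an added example that is not part of the original post: it is run on a client that stayed on SEPM-1 and checks TCP reachability plus the secars "hello" reply for both servers on both ports. The host names are placeholders, and the mapping of 443 to HTTPS and 8014 to HTTP is an assumption about this environment.

```powershell
# Added example (not from the thread). Run on a client that did not switch to the
# Priority-1 server. Host names are placeholders: replace with your SEPM FQDNs.
$Sepms = @('sepm-2.example.internal', 'sepm-1.example.internal')
$Ports = @(443, 8014)   # assumption: 443 = HTTPS, 8014 = HTTP

$results = foreach ($server in $Sepms) {
    foreach ($port in $Ports) {
        # Plain TCP reachability, the same check as telnet or Test-NetConnection by hand.
        $tcp = Test-NetConnection -ComputerName $server -Port $port `
                                  -WarningAction SilentlyContinue

        # secars "hello" request: a management server that accepts client
        # communication on this port answers with the text OK.
        $scheme = if ($port -eq 443) { 'https' } else { 'http' }
        $url    = "${scheme}://${server}:${port}/secars/secars.dll?hello,secars"
        $reply  = $null
        if ($tcp.TcpTestSucceeded) {
            try {
                $content = (Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10).Content
                if ($content -is [byte[]]) {
                    $content = [Text.Encoding]::ASCII.GetString($content)
                }
                $reply = $content.Trim()
            } catch {
                # A TLS trust failure or an HTTP error lands here; an open port with a
                # failing request is exactly the case a bare port test would miss.
                $reply = "ERROR: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Server        = $server
            Port          = $port
            TcpOpen       = $tcp.TcpTestSucceeded
            RemoteAddress = $tcp.RemoteAddress
            SecarsReply   = $reply
        }
    }
}

$results | Format-Table -AutoSize
```

A row with `TcpOpen` true but a `SecarsReply` other than `OK` on the protocol the MSL uses points at the HTTP/HTTPS layer rather than at routing or firewalling.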


  • 6.  RE: SEP agent Migration to a new Replication Partner

    Posted Apr 08, 2021 07:00 AM
    Hello everyone, thanks for your replies. I really do appreciate it.

    I physically checked a couple of agents which are reporting "online on remote site" status in the SEPM console.

    When I checked the server connection status on the SEP agent itself in Help > Troubleshooting , it shows me that it is connected to the priority-1 SEPM. However, when I check the SEPM console itself, it shows me that it is connected on remote site.

    Is there a reason why it is showing like this?


    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 7.  RE: SEP agent Migration to a new Replication Partner

    Posted Apr 08, 2021 06:05 PM
    Any feedback is highly appreciated.

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 8.  RE: SEP agent Migration to a new Replication Partner

    Broadcom Employee
    Posted Apr 08, 2021 09:05 PM
    Since you have SEPMs in replication, you will see a lag until the information is replicated. SEPM uses 2 x heartbeat to determine if a SEP agent has not checked in, and will mark it as offline.

    ------------------------------
    Sr Manager, Product Management
    SEP Survey https://forms.gle/UTjw14f6Gr8VAm4N7
    ------------------------------