Endpoint Protection

  • Private Community
 View Only

  • 1.  mfn_DoGetGupList200 - CheckSum do not match!

    Posted Apr 11, 2012 06:25 PM
      |   view attached

    Hi there. I'm just looking for clarification.

    We have two SEPM servers running v11 RU6 MP3 load balanced with one SQL backend DB. (We will not upgrade to RU7 anytime soon). Some of our workstations have these entries in their Sylink.log file.

    01 <mfn_MakeGetGupListUrl:>Request is: action=320&hostid=839D8714xxx...
02 <GetGupList:>http://10.65.12.25:30066/secars/secars.dll?h=F622A4D0xxx...
03 <GetGupList:>SMS return=200
04 <ParseHTTPStatusCode:>200=>200 OK
05 <mfn_DoGetGupList200>Content Lenght => 452
06 <mfn_DoGetGupList200>Got Gup List from server, read bytes=452
07 <mfn_DoGetGupList200> CheckSum do not match!
08 <mfn_DoGetGupList200>Content Size=3547
09 <mfn_DoGetGupList200>completed
10 <GetGupList:>RECEIVE STAGE COMPLETED
11 <GetGupList:>COMPLETED

    My concern is Line 7 and line 8. Does this mean that the GUP list on 10.65.12.25 is corrupt? Workstations connecting to SEPM server 10.65.27.96 do not have the Checksum error. Yet GLOBALLIST.XML files on both servers are 3547 bytes large; i.e. they are the same size.

    Sylink log file attached.

    Attachment(s)

    txt
    M64003DVT42S_SyLink_Log.txt   1.97 MB 1 version


  • 2.  RE: mfn_DoGetGupList200 - CheckSum do not match!

    Posted Apr 11, 2012 10:47 PM

     

    Were there any change in the GUP list? Size may not reflect a replacement of a GUP at times & since there is a change the Checksum might vary.



  • 3.  RE: mfn_DoGetGupList200 - CheckSum do not match!
    Best Answer

    Posted Apr 12, 2012 01:52 PM

     

    Hello Ian_C.,
     
    First off, thanks for including the Sylink log in your original post. Proactive data gathering is always appreciated!
     
    Before I begin, I am curious whether you see any SEP clients which use GUPs AND connect to the SEPM with the IP 10.65.12.25 update content? If you can determine whether this issue affects all clients which use GUPs and connect to this SEPM (or only a subset of those machiens), then that is a pretty good indication that this issue is SEPM-side.
     
    All that being said, I feel there is a pretty good chance either one of two things is happening.
     
    1. The SEPM's GUP List (globalist.xml) is corrupted as you hypothesized. (The SEP client expected the GUP list to be 3,547 Bytes in size, but it ended up being 452 Bytes.)
    2. There is a caching proxy between the SEPM and the SEP client which is giving the SEP client a cached copy of the GUP list which, being different than the GUP list the SEPM has, does not match the checksum the SEP client was told to expect.
     
    It is a fairly simple process to delete the existing GUP list from the SEPM and have the SEPM recreate it. See my steps below. Try it out and then monitor to see if the issue changes. (I would suggest gathering another Sylink log if the issue is not resolved.)
     
    FORCING THE SEPM TO RECREATE THE GUP LIST:
    - Stop the service named: Symantec Endpoint Protection Manager
    - Go to: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\gup
    - Delete globalist.dax
    - Delete globalist.xml
    - Start the service named: Symantec Endpoint Protection Manager
    - The GUP list (globalist.xml) will be recreated almost immediately, but it may take some time before it is populated with the IPs of GUPs again.
    - Monitor the SEP clients to determine if they begin updating.
     
    If they do not begin updating, gather another Sylink log (for an extended period of time like last time) and attach it to a reply so I can look at it.
     
    Regards,
    James


  • 4.  RE: mfn_DoGetGupList200 - CheckSum do not match!

    Posted Apr 12, 2012 05:06 PM

    GUP list has not changed in the previous 2 months.

    I decided to change the GUP list & criteria. This changed the file size. I could see the new file size being requested, but checksum error remained.



  • 5.  RE: mfn_DoGetGupList200 - CheckSum do not match!

    Posted Apr 12, 2012 06:53 PM

    James-x was correct.

    Deleting GLOBALIST.XML and GLOBALIST.DAX resolved the problem. Clients communicating with both servers now do not have a checksum error.

     

    The file size shrunk from 3547 bytes to 100 bytes on both servers. Now on 10.65.27.96 the file size is still 100 bytes while on 10.65.12.25 globallist.xml is 3697 bytes and globallist.dax is 468 bytes. I'll give it some time and wait for synchonisation to complete.



  • 6.  RE: mfn_DoGetGupList200 - CheckSum do not match!

    Posted Apr 12, 2012 07:13 PM

    I am curious whether you see any SEP clients which use GUPs AND connect to the SEPM with the IP 10.65.12.25 update content? If you can determine whether this issue affects all clients which use GUPs and connect to this SEPM (or only a subset of those machiens)

    Noticed this on one machine that had a very high bandwidth utilisation. Double checked two other machines for similar behaviour. Trying to find machines matching your criteria will take a bit of detective work.

    good chance either one of two things is happening

    globalist.xml is 3547 bytes large, globalist.dax is only 452 bytes in size. Could SEPM be sending the XML file instead of the DAX?



  • 7.  RE: mfn_DoGetGupList200 - CheckSum do not match!

    Posted Apr 13, 2012 11:15 AM

    Hello Ian_C.,

    I'm glad to hear that your issue is now fixed!

    I've created a knowledgebase article based on this thread so that future searches of our KB should turn it up. It is here: http://www.symantec.com/docs/TECH186369

    Thanks for following up with a status update.

    Regards,

    James