Endpoint Protection


How to Interpret scm-server-0.log


  • 1.  How to Interpret scm-server-0.log

    Posted Aug 23, 2011 12:10 PM

    Hello,

     

    Our site has 6 SEPMs. One of the SEPMs was not connected to the database, i.e. I would log in and get the error, "Unable to Connect To Server"

    I restarted SEPM

    I rebooted the Server

    First time I logged into SEPM, HOME, MONITORS, and REPORTS were blank

    Second time I logged in, everything is up and running.

     

    Question: What on Earth happened? How to avoid this?

    I attached the scm-server-0.doc (seems I cannot upload .log onto Symantec Connect).

    Please tell me how to interpret this type of log. What information do I look for?

    Attachment(s)

    doc
    scm-server-0.doc   2.25 MB 1 version


  • 2.  RE: How to Interpret scm-server-0.log

    Trusted Advisor
    Posted Aug 23, 2011 01:06 PM

     

    Hello,

    What version of SEPM are you carrying? Is it SEP 11.0.6100 or 11.0.5002 or 11.0.4010?

     



  • 3.  RE: How to Interpret scm-server-0.log

    Posted Aug 24, 2011 08:57 AM

     SEP 11.0.6100  



  • 4.  RE: How to Interpret scm-server-0.log

    Broadcom Employee
    Posted Aug 24, 2011 09:33 AM

    Do you remember the time these events happened?



  • 5.  RE: How to Interpret scm-server-0.log

    Posted Aug 24, 2011 01:45 PM

    There was a notification that the SEPM database had gone down on Aug 23rd, 8:47 AM



  • 6.  RE: How to Interpret scm-server-0.log

    Posted Aug 24, 2011 02:21 PM

    RSASKA,

    I have a decent idea what caused your Home, Monitors, and Reports pages to be blank.

    The Symantec Endpoint Protection Manager uses two database connectors to connect to its database backend: the Microsoft ODBC database connector and the JDBC (Java Database Connectivity).

    ODBC handles the connections for the first three tabs in the SEPM (Home, Monitors, and Reports). The JDBC handles connections for the other tabs in the SEPM.

    It is likely that the Microsoft ODBC was unable to connect to the database for some reason and caused your blank screen issue. I've seen this happen before, but it is unusual for the problem to fix itself.

    As far as reviewing the scm-server-0.log file goes, it is best to start at the bottom of the log and work your way upward because new log entries are appended to the end of the file. Look for entries indicating that some sort of an error occurred and then search our knowledgebase (link in my signature) or search Google for the errors.

    Regards,

    James



  • 7.  RE: How to Interpret scm-server-0.log

    Posted Aug 24, 2011 02:49 PM

    >>

    The Symantec Endpoint Protection Manager uses two database connectors to connect to its database backend: the Microsoft ODBC database connector and the JDBC (Java Database Connectivity).

    ODBC handles the connections for the first three tabs in the SEPM (Home, Monitors, and Reports). The JDBC handles connections for the other tabs in the SEPM.

    <<

     

    That is so fascinating. I mean, using a product, then understanding how it is built.



  • 8.  RE: How to Interpret scm-server-0.log

    Posted Aug 25, 2011 05:11 AM

    Hi RSASKA,

    Here's a couple of lines and what they mean:

    > 2011-08-23 03:48:41.805 SEVERE: scm.server.version = 11.0.6100.645 

    That confirms you are on SEP 11 RU6 MP1.  (If you want to stay with SEP 11 at the moment, I recommend upgrading to RU7- many important fixes and improvements!)

    >2011-08-23 09:38:39.665 INFO: ============ Not match any item in OU, preferred group: My Company\Default Group =============
    ><?xml version="1.0" encoding="UTF-8" ?>........<SSAProduct Version="11.0.4010.19" />

    Are there clients which are having trouble registering and being placed in their own group-?  There are 77 entries about clients which the SEPM had to "think about" where to place.  Maybe some AD OU's have been changed or moved-?  (There is likely no cause for concern, unless you are seeing clients who stay stuck in the default group)

    Some of those clients are quite old - MR5, RU5, RU6, etc.  Again, I definitely recommend upgrading for the sake of security and stability.

    > <SSAProduct Version="12.5.0001.8888" />

    Hunt through the log for an entry with that version number--- that's a SEP for Mac client that seems to be damaged.  It needs to be upgraded to SEP 11 RU6 MP2 or later in order to function correctly.

    There are a couple of error messages about deadlocks, etc- those will likely be resolved or improved by upgrading.

    Hope this helps!

    Mick


     



  • 9.  RE: How to Interpret scm-server-0.log

    Posted Aug 25, 2011 04:05 PM

    Mick,

     

    Thank you for this advice.

     

    But are you able to tell the probable reason that this SEPM went down? A restart of SEPM and reboot of the workstation brought it back online, but why did it go down?



  • 10.  RE: How to Interpret scm-server-0.log

    Posted Aug 25, 2011 05:22 PM

    Hello RSASKA,

    The scm-server-0.log file is cleared every time the SEPM service is started.

    Unfortunately, since the server was rebooted in order to resolve the issue, the log would have been cleared of any potentially helpful entries.

    I don't believe that it will be possible to know the exact cause of the problem, now that it is no longer occurring.

    James



  • 11.  RE: How to Interpret scm-server-0.log

    Posted Aug 26, 2011 04:26 AM

    I don't see any clear reason in the posted log.

    Thanks and best regards,

    Mick



  • 12.  RE: How to Interpret scm-server-0.log

    Posted Aug 27, 2011 11:15 AM

    >>Are there clients which are having trouble registering and being placed in their own group-?  There are 77 entries about clients which the SEPM had to "think about" where to place.  Maybe some AD OU's have been changed or moved-?  (There is likely no cause for concern, unless you are seeing clients who stay stuck in the default group)<<

    I'm currently working with Symantec on this issue.



  • 13.  RE: How to Interpret scm-server-0.log

    Posted Aug 27, 2011 05:21 PM

    My boss wants to know why this SEPM went down, while the other SEPMs in the site were fine. What answer do I provide? What is a probable cause, considering the log was wiped when the SEPM went down?



  • 14.  RE: How to Interpret scm-server-0.log

    Posted Aug 27, 2011 06:46 PM

    Unless the service has been restarted twice, you can collect scm-server-1.log and it will have data from the previous run time. This may hold the key to what happened. Also, if this server is using SQL, you will want to check Windows event logs, around the time it went down, for both the SEPM server and the server running SQL. You may also find important data in the SQL <database>\MSSQL\LOG folders within the error log.
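
A triage pass of the kind the replies above describe, as an added example that is not part of the original thread or any Symantec tooling: it reads a log in the line format quoted in post 8, lists SEVERE/WARNING entries around the outage time newest first, and tallies the client versions attached to the "Not match any item in OU" entries. The sample log is constructed, and the `WARNING` level name and the 30-minute window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the format quoted in the thread (not the attached log).
# Lines marked (constructed) are invented placeholders for real error text.
SAMPLE_LOG = r"""2011-08-23 03:48:41.805 SEVERE: scm.server.version = 11.0.6100.645
2011-08-23 08:46:58.120 WARNING: (constructed) database connection attempt failed
2011-08-23 08:47:03.400 SEVERE: (constructed) unable to reach database
2011-08-23 09:38:39.665 INFO: ============ Not match any item in OU, preferred group: My Company\Default Group =============
<?xml version="1.0" encoding="UTF-8" ?>........<SSAProduct Version="11.0.4010.19" />
2011-08-23 09:40:02.010 INFO: ============ Not match any item in OU, preferred group: My Company\Default Group =============
<?xml version="1.0" encoding="UTF-8" ?>........<SSAProduct Version="12.5.0001.8888" />
"""

ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) ([A-Z]+): (.*)$")
PRODUCT = re.compile(r'<SSAProduct Version="([^"]+)"')
VERSION = re.compile(r"scm\.server\.version = (\S+)")

def parse_entries(text):
    """Group lines into entries; untimestamped lines (XML bodies) join the entry above."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            entries.append({"time": ts, "level": m.group(2), "text": m.group(3)})
        elif entries:
            entries[-1]["text"] += "\n" + line
    return entries

def triage(text, incident, window_minutes=30):
    """Summarise one log file around the time the outage was reported."""
    entries, span = parse_entries(text), timedelta(minutes=window_minutes)
    version, problems = None, []
    for e in entries:
        m = VERSION.match(e["text"])
        if m:  # the version banner is logged at SEVERE but is not an error
            version = m.group(1)
        elif e["level"] in ("SEVERE", "WARNING") and abs(e["time"] - incident) <= span:
            problems.append(e)
    problems.reverse()  # newest first, i.e. reading from the bottom of the file up
    unmatched = [e for e in entries if "Not match any item in OU" in e["text"]]
    clients = Counter(v for e in unmatched for v in PRODUCT.findall(e["text"]))
    return {"manager_version": version, "problems": problems,
            "unmatched_ou": len(unmatched), "client_versions": clients}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, datetime(2011, 8, 23, 8, 47))
    for e in report["problems"]:
        print(e["time"], e["level"], e["text"].splitlines()[0])
    print(report["manager_version"], report["unmatched_ou"], dict(report["client_versions"]))
```

Because scm-server-0.log is cleared when the service starts, the same function would be run over the text of scm-server-1.log to see the previous run.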



  • 15.  RE: How to Interpret scm-server-0.log

    Posted Aug 29, 2011 02:41 PM

    Then I can look at these logs as well