Endpoint Protection

any idea?

thanks

TIME_WAIT means it's waiting for a reply or connection
this often happens when a port is activated and the connection has not yet
been established.

May be clients certificate does not match the  one on sepm server. So they cannot eastablish communication with the  sepm server.

You could use wireshark tool on a client, or on sepm...it's output would be  more useful.

Replace sylink.xml file on a client and see...

"

If NetStat says a connection is in the TIME_WAIT state, it means the client has already disconnected. So if you see several connections in TIME_WAIT it is not a 'simultaneous' connection. It is common for a client to connect to the sever multiple times, generating several TIME_WAIT connections. But a client normally has one, or sometimes 2 ESTABLISHED connections if it is downloading Liveupdate Content.

"

If you give netstat -n 

you should be able to see the connections between sep and sepm (port 8014), 

Hi There,

Please use the netstat -a -b and let's chck which process uses time_wait and where it is connecting to!!

Thanks,

Narendran K

If this is on the Symantec Endpoint Protection Manager Machine, try restarting the the Symantec Endpoint Protection Manager and see if Time_Wait goes away.

If this does not help, if possible restart the Server.

what is the version of your symantec endpoint manager

Port leak on Symantec Endpoint Protection Manager
Fix ID: 1183253
Symptom: Symantec Endpoint Protection Manager becomes deaf as clients download updates, CLOSE_WAIT sockets are not closed, and the server is out of ports and becomes deaf to the console. As this continues, at some point you can no longer remote desktop to the server. When the server is full, 3500 sockets are in CLOSE_WAIT, almost all the rest are in TIME_WAIT, and there are 15 or so talking to the database and clients. As time passes, the CLOSE_WAIT sockets slowly rise.
Solution: Symantec Endpoint Protection Manager process no longer has CLOSE_WAIT states after clients download updates, preventing the leaked ports from monopolizing all the server's ports.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008022713201148

11.0.5002.333

I have been experiencing this same problem since March.  Ever since RU5.  We are currently at RU6a and still have this problem.

Constant and continous errors is the logs - over and over again

Address already in use: connect [Site:sepm] [Server:sepm]

Failed to connect to server.

SEPM "works" but is slow.  I have had a ticket open with Symantec for at least 5 + months. We are not running replication.

If this was fixed in MR1 - it reappeared in RU5.

@Nardoni: Hi, what database are you using?

Mon_raralio - Hey there.  We are running an off box SQL Database.

I would assume if your client are in Pull mode, which means they connect to the SEPM based on what the heartbeat is set to. Ex. every 20 minutes...when they are not connected they will be in TIME_WAIT. If they were in Push mode (constant connection) this obviously would not be happening then.