Endpoint Protection


How do I deal with client lost connection in SEPM 12.1.5


Chetan Savade, Feb 09, 2015 07:42 AM

  • 1.  How do I deal with client lost connection in SEPM 12.1.5

    Posted Feb 04, 2015 04:11 AM

    We just implemented SEPM 12 and I have started to see some Linux or Windows clients shown as disconnected, or not reporting to SEPM on time, with definitions behind. I checked the second clustered SEPM server and there they are online and available. After a few minutes they are back.

    When I run Replicate Now, they are available on both SEPM servers.

    Sometimes I also get "Online On Remote Site"; sometimes the icon changes to Online or Offline...

    The client (server) side has no changes.

    I have two SEPM servers installed (Windows Server 2012) with embedded databases. The replication setting is set to "Auto Replicate (Let the installation instance decide when to do replication)".

    sep_connect.jpg

    Thanks

     

    PS: I found this article, but I am not sure if this is related to my case: http://www.symantec.com/connect/forums/how-do-i-deal-client-lost-connection-sepm-11



  • 2.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Posted Feb 04, 2015 06:16 AM

    Have you seen the connectivity from the client end? Is it online or offline?



  • 3.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Posted Feb 04, 2015 06:32 AM

    Hi,

    Can you check in the event logs whether httpd.exe is crashing?

     



  • 4.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Broadcom Employee
    Posted Feb 04, 2015 06:56 AM

    Hi,

    Thank you for posting in Symantec community.

    It's not recommended to set the replication to Auto. 

    Here are the best practices:

    Best Practices for replication:

      1. For more than 3 sites or 1,000 clients: No more frequent than once per day  

      2. Versions of the Policy Manager have to be the same.

      3.  Replication schedules should not overlap.

      4.  If replicating over WAN, only replicate the logs.

      5.  Number of replicated sites should ideally be kept below 5. Ratio will be 1:4 (i.e. 1 primary : 4 secondary)

      6. The value of “Content revisions to keep” should be set to a lower value.

      7. If you have configured multiple replication partners, always make sure that the replication schedules don't overlap. This situation can lead to database deadlock issues.

    I think it's working as expected. When replication is configured, clients will show as online on the directly connected SEPM, and the other SEPM will show them as 'online on remote server' with a red arrow. It means it's a replicated client.

    Could you share a screenshot of the Management Server List (MSL)? You can see it under Policies --> Policy Components --> Management Server Lists

    Also make sure SEPM is up to date and that at least one replication has completed successfully.



  • 5.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Posted Feb 04, 2015 07:38 AM

    The clients are online, because on the second SEPM they are online...

    Here is the actual status from both SEPM servers... see attached picture.

    On the left side is the primary SEPM server, on the right side is the secondary replica SEPM server.

    All in the list are Linux servers...



  • 6.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Posted Feb 04, 2015 07:40 AM

    Hi... from where?



  • 7.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Posted Feb 04, 2015 07:54 AM

    Event Viewer -> Windows Logs -> Application logs



  • 8.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Posted Feb 04, 2015 08:12 AM

    Thanks for your answer.

    Here are my comments:

    1. I have two sites and less than 200 clients.

    2. I installed the same version of SEP and clients everywhere, as this is a new build.

    3. I set it to Auto, as I got the best result in the Clients list of the monitored servers... before that, many servers had offline status.

    4. Thanks for the hint... I unchecked "Replicate client packages and LiveUpdate content between the local site and this partner site" (How do I then get LiveUpdate content on the second SEPM server?)

    5. I have only one replicated partner on the second site.

    6. I set it to 3, following the recommendations from this link (http://www.symantec.com/docs/TECH104845)

    7. Irrelevant in my case, as I have only one replica partner.

    I configured the MSL to use the HTTPS communication protocol:

    Here is an example of how I configured it (no real IPs or hostnames):

     

    Priority 1

    192.168.1.10:443

    SEPM1:443

    Priority 2

    192.168.1.11:443

    SPEM2:443

     

    Then I read this article: http://www.symantec.com/connect/forums/sep-clients-showing-sepm-offline-after-upgrade-121-ru3

    and, based on SMLatCST's solution, I changed it to use HTTP communication and port 8014 instead.



  • 9.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Posted Feb 04, 2015 08:22 AM

    No httpd crashes on either server...



  • 10.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Broadcom Employee
    Posted Feb 04, 2015 09:10 AM

    Thanks for the update. Are the clients that are showing offline imaged machines?



  • 11.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Posted Feb 04, 2015 09:46 AM

    What do you mean by imaged machine?

    This is the same Linux server. It is just visible in both SEPM consoles. The MSL is configured to use the primary location for all clients. I could not configure the clients from the second site to use the second replica server on the second site. But some clients got offline status on the second SEPM server, and they are from the same site.

    I don't know why, after I pressed the Replicate Now button, many of the clients got the "Online On Remote Site" icon, but after a few minutes the icon changes to Online or Offline... It is unpredictable what status it shows after a few minutes...

    Here is the status from a few minutes ago:

    *edit: I pressed the Refresh button a few seconds after I took the print screen and the "...strs01" client got offline status on the primary SEPM console (left one).



  • 12.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Posted Feb 05, 2015 05:22 AM

    Today I checked the system logs on one of the Windows and one of the Linux SEP clients, and I see that the primary SEPM1 server X.X.X.1 and its partner SEPM2 X.X.X.2 get a connection to the client, but the primary SEPM1 disconnects occasionally.

    I suppose all other clients do the same...

    What causes these errors?

    Thanks for your answer...

    WINDOWS LOGS:

    617    2/5/2015 8:45:50 AM    Information    12070301    Connected to Symantec Endpoint Protection Manager (X.X.X.1)    
    618    2/5/2015 8:53:40 AM    Information    12070304    Disconnected from Symantec Endpoint Protection Manager (X.X.X.1)    
    619    2/5/2015 8:53:43 AM    Information    12070301    Connected to Symantec Endpoint Protection Manager (X.X.X.2)    
    620    2/5/2015 8:53:53 AM    Information    12070301    Connected to Symantec Endpoint Protection Manager (X.X.X.1)    
    621    2/5/2015 8:54:31 AM    Information    12070304    Disconnected from Symantec Endpoint Protection Manager (X.X.X.1)    
    622    2/5/2015 8:54:35 AM    Information    12070301    Connected to Symantec Endpoint Protection Manager (X.X.X.2)    
    623    2/5/2015 8:54:42 AM    Information    12070301    Connected to Symantec Endpoint Protection Manager (X.X.X.1)    
    624    2/5/2015 8:58:39 AM    Information    12070304    Disconnected from Symantec Endpoint Protection Manager (X.X.X.1)    
    625    2/5/2015 8:58:43 AM    Information    12070301    Connected to Symantec Endpoint Protection Manager (X.X.X.2)    
    626    2/5/2015 8:58:51 AM    Information    12070301    Connected to Symantec Endpoint Protection Manager (X.X.X.1)

     

    LINUX LOGS:

    ]# tail syslog.log

    00000084        01d0412bb665b504        12070301        00000000        00000000        00000000        Connected to Symantec Endpoint Protection Manager (X.X.X.1)       Smc

    00000089        01d0412bc84c8fe0        12070304        00000000        00000000        00000000        Disconnected from Symantec Endpoint Protection Manager (X.X.X.1)  Smc

    00000084        01d0412bc8563b12        12070301        00000000        00000000        00000000        Connected to Symantec Endpoint Protection Manager (X.X.X.2)       Smc

    00000084        01d0412c4562a0b4        12070301        00000000        00000000        00000000        Connected to Symantec Endpoint Protection Manager (X.X.X.1)       Smc

    00000089        01d0412c5748fec2        12070304        00000000        00000000        00000000        Disconnected from Symantec Endpoint Protection Manager (X.X.X.1)  Smc

    00000084        01d0412c5752aa08        12070301        00000000        00000000        00000000        Connected to Symantec Endpoint Protection Manager (X.X.X.2)       Smc

    00000084        01d0412c8d0a93ea        12070301        00000000        00000000        00000000        Connected to Symantec Endpoint Protection Manager (X.X.X.1)       Smc

    00000089        01d0412c9ef159fe        12070304        00000000        00000000        00000000        Disconnected from Symantec Endpoint Protection Manager (X.X.X.1)  Smc

    00000084        01d0412c9efa8420        12070301        00000000        00000000        00000000        Connected to Symantec Endpoint Protection Manager (X.X.X.2)       Smc
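
As an added example (not part of any post in this thread), the client-side connect/disconnect events from post 12 can be paired into sessions per management server, which shows how long each connection to the primary lasted without relying on the console icons. The log lines are copied from that post; reading the 16-digit hex field of the Linux log as a Windows FILETIME is an assumption.

```python
import re
from datetime import datetime, timedelta

CONNECTED, DISCONNECTED = "12070301", "12070304"  # event IDs seen in the logs above

# Windows client log: "<n> <M/D/YYYY h:mm:ss AM|PM> <level> <event id> <message>"
WIN_RE = re.compile(r"(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+\w+\s+(\d{8})\s+.*\((.+?)\)")
# Linux syslog.log: the 16-hex-digit field is ASSUMED to be a Windows FILETIME
# (100 ns ticks since 1601-01-01); the thread does not document the format.
LNX_RE = re.compile(r"[0-9a-f]{8}\s+([0-9a-f]{16})\s+(\d{8})\s+.*\((.+?)\)")

# Lines copied from post 12 (whitespace collapsed).
WINDOWS_LOG = """
617 2/5/2015 8:45:50 AM Information 12070301 Connected to Symantec Endpoint Protection Manager (X.X.X.1)
618 2/5/2015 8:53:40 AM Information 12070304 Disconnected from Symantec Endpoint Protection Manager (X.X.X.1)
619 2/5/2015 8:53:43 AM Information 12070301 Connected to Symantec Endpoint Protection Manager (X.X.X.2)
620 2/5/2015 8:53:53 AM Information 12070301 Connected to Symantec Endpoint Protection Manager (X.X.X.1)
621 2/5/2015 8:54:31 AM Information 12070304 Disconnected from Symantec Endpoint Protection Manager (X.X.X.1)
"""
LINUX_LOG = """
00000084 01d0412bb665b504 12070301 00000000 00000000 00000000 Connected to Symantec Endpoint Protection Manager (X.X.X.1) Smc
00000089 01d0412bc84c8fe0 12070304 00000000 00000000 00000000 Disconnected from Symantec Endpoint Protection Manager (X.X.X.1) Smc
"""

def parse(line):
    """Return (timestamp, event_id, server), or None for unrelated lines."""
    m = WIN_RE.search(line)
    if m:
        return datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p"), m.group(2), m.group(3)
    m = LNX_RE.search(line)
    if m:
        ticks = int(m.group(1), 16)
        return datetime(1601, 1, 1) + timedelta(microseconds=ticks // 10), m.group(2), m.group(3)
    return None

def sessions(text):
    """Pair each connect with the next disconnect for the same manager."""
    open_since, out = {}, []
    for ts, event_id, server in filter(None, map(parse, text.splitlines())):
        if event_id == CONNECTED:
            open_since[server] = ts
        elif event_id == DISCONNECTED and server in open_since:
            out.append((server, int((ts - open_since.pop(server)).total_seconds())))
    return out

if __name__ == "__main__":
    for name, log in (("windows", WINDOWS_LOG), ("linux", LINUX_LOG)):
        for server, secs in sessions(log):
            print(f"{name}: session with {server} lasted {secs}s")
```

Connections that never log a disconnect (here, the ones to X.X.X.2) produce no session entry, so only completed sessions are reported.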

     



  • 13.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Broadcom Employee
    Posted Feb 05, 2015 10:13 AM

    With reference to this thread https://www-secure.symantec.com/connect/forums/httpdexe-crashing-1215#comment-10865371, could you check whether you have been affected by a known issue?

    Symantec Endpoint Protection Manager: Apache httpd service is crashing and console login becomes unresponsive after upgrading to 12.1 RU5

    http://www.symantec.com/business/support/index?page=content&id=TECH227632



  • 14.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Broadcom Employee
    Posted Feb 09, 2015 07:42 AM

    Is there any update?



  • 15.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Posted Feb 10, 2015 09:58 AM

    Hi Chetan.

    I mentioned it above... no httpd crashes...

    By the way, I made a clean new installation of SEP 12.1.5... no update from a previous version.

    SEP clients are also installed on a completely new environment.

    Anyway, I have opened Symantec case no. 08174016 and I'm waiting for a response. It is under investigation status now.

    Edit: I added two Linux clients to the primary SEP server. I checked the status on the SEPM console. In the Clients list I see the information Virus definitions -> Not available, even though I pressed the Refresh button a couple of times. Then I checked the status on the secondary SEPM server, and there the clients have the latest Virus definitions status. So I guess there is a problem with data replication between both SEPM servers... but I will wait for Symantec support action.



  • 16.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Broadcom Employee
    Posted Feb 10, 2015 11:45 AM

    We are currently facing very high call volume and because of that you haven't heard anything from support yet. I can see it's a severity 2 case and I hope you will get connected soon.



  • 17.  RE: How do I deal with client lost connection in SEPM 12.1.5
    Best Answer

    Posted Feb 13, 2015 06:22 AM

    Answer from the Symantec technician:

    First of all, you need to know that it is expected behavior for the Endpoint to sometimes appear "offline" on the console. All the Endpoint clients "ping" the console on a regular basis (by default on small environments < 100 machines, every 5 minutes) to query the console for new policies/definitions to download.
    I would suggest that you check the following information from the SEPM: "Last Time Status Changed" & "Virus Definitions" to get info on your Endpoint clients.

    Also, you can set some notifications in the console that will be triggered based on your expectations. For example, you can trigger the Manager to launch specific scripts if X machines have had outdated virus definitions for X days.

    BTW: I think that the "Online/Offline/Online On Remote Site" information was deployed for that purpose... to give the SEPM administrator information about client status. The Home screen also shows offline/online/up-to-date client information in Endpoint Status. But it doesn't work well, so it is recommended not to follow that information for now. :)



  • 18.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Broadcom Employee
    Posted Feb 13, 2015 06:32 AM

    # Edit

    Thanks for the update. 

    If all the clients are updating without any issue then you can assume everything is OK.



  • 19.  RE: How do I deal with client lost connection in SEPM 12.1.5

    Posted Feb 13, 2015 07:51 AM

    I totally disagree.

     

    No one will pay for a product that involves so much manual work; the tech has just spoken what came to his mind at that particular moment. If SEP clients are reporting to the manager on a regular basis, he should have advised changing to pull mode with 30 minutes.

    I am not able to find the article that says, if you have so many clients, to opt for 30 or more minutes to prevent this kind of issue from happening. Follow the article below to change to pull mode with 30 minutes:

    http://www.symantec.com/docs/HOWTO80912

    Please work closely with the tech to find out more regarding this issue. The requested method of checking the last updated status might seem good right now, but after a few days doing that would turn out to be a huge pain.

    ~Edit~

    Updating is not the sole purpose of having antivirus. If I don't see the client online, how can I state that I have control over my endpoint?