Twin Cities Security User Group

We are using SEP 11.0.6.  We have a number of servers that write data to a SAN device via iSCSI connections.  When the volume of data is high (or even when a single large file is copied , 1+ GB) the iSCSI connections to the SAN are dropped and a server restart is required to resolve.  We have traced the cause of the issue to SEP (NTP and IPS seem to be the culprits).

Do you have a patch or some other fix for this issue?

Did you check the firewall logs which is causing the issue?

do you mean disabling NTP resolves your issue?

is it the firewall or IPS signature? tweak the rules if it appears in the logs

can you post the logs?

Firewalls are disabled (for both Windows and SEP).  It is very easy to verify that it is SEP causing the problem.  I set up a small test environment, if NTP is enabled the connections drop and the file transfer is locked up.  If I turn NTP off and run the same test there is no problems.

Yes, disabling NTP resolves the issue.

Another side effect is that there doesn't seem to be a way to disable NTP via the SEPM, so whenever a machine with SEP is rebooted, NTP re-enables itself (the default setting).

you can assign a new package with NTP removed if you dont want NTP in your environment.

http://www.symantec.com/business/support/index?page=content&id=TECH90936&locale=en_US

We deployed SEP to our servers without NTP. We were advised by Symantec to deploy AV only to our servers.

It's pretty common to NOT deploy NTP to servers.  I do that in many cases for servers that see more than 20% link utilization on average during production hours.  If the server is barely used/accessed, and has very little to no LAN traffic, I do enable NTP, or if the server is public facing in a DMZ, I do enable NTP.

In your case with iSCSI, you will want to probably disable NTP, or  find a way to unbind those services from the actual adapter if possible.  It escapes me if that is possible in SEP, I dont think so, so I would advise to just turn off NTP on the iSCSI enabled hosts.

Thanks to everyone for your input.  My initial thought was to create another client group for the servers and disable NTP for that group.  I first wanted to verify that there wasn't a patch, exception or setting that would resolve the issue while leaving NTP enabled.

We are also getting errors relating to LiveUpdate.  I don't thinks it's related to the NTP issue because were are getting it on servers that don't use the iSCSI connections.  The error repeats all day long (I imagine because it is continually retrying the updates).  Anyone have any insight for reolving this issue?

Event Type:        Error
Event Source:    SescLU
Event Category:                None
Event ID:              13
Date:                     10/26/2010
Time:                     1:21:41 PM
User:                     N/A
Computer:          STPDC1
Description:       LiveUpdate returned a non-critical error.  Available content updates may have failed to install.

See this KB for Event ID 13 errors-

http://www.symantec.com/business/support/index?page=content&id=TECH94248&actp=search&viewlocale=en_US&searchid=1288127806175