Cleveland Security User Group


Some clients 'not reporting status' after server rebuild and use of sylinkreplacer


  • 1.  Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 25, 2010 11:46 AM

    Hey folks,

    About two weeks ago we lost our SEP 11.0.5 server.  It had about 180 clients attached to it.  We still have a SAV 10.1.8.8000 server that runs the other 1200 nodes on our network.  We have not migrated fully yet.

    Something happened to the SEP server which was Server 2008 STD 32-bit.  I rebuilt a server, restored from backup and nothing worked.  So I rebuilt the server from scratch, added it to the domain and kept the same name and IP address.  I found the old 'domain name' or 'GUID style domain name' for the old SEP domain.  I followed the steps needed to 'manage' that domain and then stuff started to populate into the default group.  I recreated the other groups that I could remember.  We only had about 6 or 7.   I did upgrade the SEP server to version 11.0.6a and about 10-12 clients now have that version.  They are communicating fine.

    After that every client was listed as "not reporting status".  I read a little bit and found I could do the 'sylinkreplacer'.  So I did that and I used the proper sylink.xml file for each of our groups in SEP.  Now out of about 186 clients we still have about 30 that say "not reporting status" under the Antivirus Status portion.  However "Firewall Status" says "enabled" which used to also say "Not reporting Status" so it seems that some things are getting updated and some are not.

    Any ideas would be greatly appreciated.

    Thanks! :-)
    David Lowry -MCSE, MCP+I, Linux+
    Network Analyst


  • 2.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 25, 2010 11:52 AM
    Initiate a full scan on this group of clients from SEPM

    SEPM - Clients - Group - right click - run command on group - run full scan

    or try on each client individually.


  • 3.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 25, 2010 11:54 AM
    Thanks Vikram!

    I'll give it a shot and report back. ;-)


  • 4.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 25, 2010 01:28 PM
    I tried that and it didn't work.  I just went into one of my servers that was giving the 'not reporting status' message and it said 'SEP was malfunctioning' via a little pop-up bubble and the shield didn't have the green dot but instead the yellow dot.

    I'm reinstalling on this server to see what happens.  That would really stink to have to reinstall to like 30 clients having some at different sites.  Hey, whatever I have to do......I'll do. ;-)

    Thanks! :-)
    David Lowry -MCSE, MCP+I, Linux+
    Network Analyst


  • 5.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 25, 2010 01:47 PM
    My bet is that SECARS communication isn't working, but SECREG communication is.

    Gather some Sylink logs from the non-working clients and we'll see what they say.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007090611252048


  • 6.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 25, 2010 01:47 PM
    Follow these directions to create a package and push the install over the top of the previous; this should reset the client communication and allow them to connect if they don't have another communication issue.



    Title: 'How to create a client install setting to remove previous logs, policies and reset the client-server communication settings.'

    Document ID: 2009042408004148

    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009042408004148?Open&seg=ent
     



  • 7.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 25, 2010 01:54 PM
    If you're getting a yellow dot, that means something's gone wrong... however, you can try manually replacing the sylink.xml on one of these machines.


  • 8.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 25, 2010 02:08 PM
    When we had this issue, this is what we did to resolve:

    If you install the client and the green dot doesn’t come up:
    1. Open SEP on the client
    2. Click “Help and Support” --> Troubleshooting
    3. Click Import…. under communication settings
    4. Browse to:  \\yourserver\installdirectory
    5. Select the sylink.xml file
    Unfortunately, we had to do this manually on a number of workstations after the upgrade, but it did work.

    We've also seen the green dot go yellow after a policy update and then go back to green after some period of time, anywhere between 2 and 20 mins.

    This is from the perspective of a desktop support person; it's just what our network admin told us to do. I hope it helps...



  • 9.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 25, 2010 02:12 PM

    Well I have a testbox that this is happening on so I have attached the debug log.  I know it's long and I don't know what I need to post so I posted the entire thing.

    File is attached....

    Cheers,
    David Lowry -MCSE, MCP+I, Linux+
    Network Analyst

    Attachment: debug_1.txt (264 KB)


  • 10.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 25, 2010 02:43 PM


  • 11.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 25, 2010 02:59 PM

    Here ya go.....

    I replaced my corporate domain name with ---myworkdomain.com---

    Cheers,
    David Lowry -MCSE, MCP+I, Linux+
    Network Analyst

    Attachment: sylink_1.txt (16 KB)


  • 12.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 25, 2010 03:13 PM
    Try deleting these clients from the SEPM console, then on any of the clients right-click on the SEP icon and Update Policy.

    If that doesn't help:
    Do you have a proxy on these clients? Try this:


    Back up registry
    1. Click Start, and then click Run.
    2. In the Open box, type regedt32, and then click OK.
    3. Locate HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections.
    4. Right Click on Connections from the menu, click Export.
    5. In the Save in box, select a location in which to save the .reg file, type a file name in the File name box, and then click Save.

    Remove DefaultConnectionSettings & SavedLegacySettings
    1. Delete the following registry keys:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
    2. Reboot the system.
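
The backup-and-delete steps in the post above, as an added PowerShell example that is not part of the original reply. It treats DefaultConnectionSettings and SavedLegacySettings as values under the Connections key and exports the HKU\.DEFAULT key it modifies, so the backup covers what is actually deleted; the backup file name and location are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the affected client.
$key    = 'HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$values = 'DefaultConnectionSettings', 'SavedLegacySettings'
# Assumption: the backup goes to %TEMP% under a timestamped name.
$backup = Join-Path $env:TEMP ('Connections-DEFAULT-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# Export the key that is about to be modified; stop if the export fails.
reg.exe export $key $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw "Export of $key failed; nothing was deleted."
}
Write-Host "Backup written to $backup"

foreach ($value in $values) {
    # reg query exits non-zero when the value does not exist.
    reg.exe query $key /v $value 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Host "$value not present, skipping"
        continue
    }
    reg.exe delete $key /v $value /f | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Host "$value deleted" } else { Write-Warning "Could not delete $value (exit code $LASTEXITCODE)" }
}

Write-Host "Reboot to finish (step 2 of the post). To restore: reg.exe import `"$backup`""
```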



  • 13.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 25, 2010 04:23 PM

    Nothing has worked thus far so here is what I'm doing.  Thinking that maybe there is something wrong with the "default group" and the fact that I am having most client problems within that group I created a new group just called "computers" and I have moved the clients into that new group.  We'll see what things look like tomorrow morning. ;-)

    I'll keep you posted.  Again, thanks for your help everyone!

    Cheers,
    David Lowry -MCSE, MCP+I, Linux+
    Network Analyst


  • 14.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 25, 2010 04:34 PM
    Create an install package using this
    http://service1.symantec.com/support/ent-security.nsf/docid/2009042408004148

    and deploy it to these clients.


  • 15.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 26, 2010 11:01 AM

    Already created an install package doing exactly what you suggested Vikram.  Thanks for the suggestion though.

    Attached is a picture of my SEP Console with the user login names grayed out. 

    Not sure what else to do.  Hmmm..... I'm gonna keep looking.




  • 16.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 26, 2010 11:14 AM
    Try this
    http://service1.symantec.com/support/ent-security.nsf/docid/2008070912051548

    Also check if you have too many dat files in
    \Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox folder


  • 17.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 28, 2010 01:21 PM

    Did what the link suggested. Everything checks out.

    Also, there are no DAT files in that folder at all.........only more folders.

    Still at a loss.

    Happy Friday.


  • 18.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 28, 2010 05:47 PM
    Do you have any Group Policy applied on any of the SEP services ?


  • 19.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 28, 2010 07:33 PM

    David  - I have the same issue with a handful of clients as well. Maybe 5 out of 200+ won't connect.  I'll try to update if I find any solution. Running into dead ends on my side as well. Already ran the CleanWipe utility from Symantec and installed clients with new package, copied over Sylink.xml from a working SEP client PC, etc. Nothing works.  After doing some internet searching I found a few people who resolved their issues:

    https://www-secure.symantec.com/connect/forums/sep-installs-no-green-dot-no-server-communication 
    - this person found a registry entry blocking communications on their trouble PCs. This issue wasn't the case for mine, but maybe it will help you

    http://98.129.119.162/connect/forums/sep-client-offline-without-green-dot
    - this guy solved his by downgrading SEP on the client to 11.0.4000. Not really ideal if you ask me, but if it gets the clients communicating with the SEPM then I guess it's better than nothing. I don't really buy this solution since 95% of my SEP clients are communicating just fine.


  • 20.  RE: Some clients 'not reporting status' after server rebuild and use of sylinkreplacer

    Posted May 28, 2010 08:51 PM

    Wow, I fixed my issue. I doubt it will be the problem with yours, but you never know.

    I checked my gateway settings in my TCP/IP properties and turns out all the machines having problems communicating with the SEPM server had incorrect gateway values for some reason. This is odd since these PCs were running SEP and other web/network based apps fine before this so you would think an incorrect gateway would have popped up issues a long time ago. I'm not sure how they got changed, but that's my problem, not a Symantec one :)   Once I changed the gateway to what it should have been, the green dot came back and communication between the SEP clients and SEPM started almost instantly.
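
A way to check for the condition described in the last post on a client that has lost the green dot, as an added PowerShell example that is not part of the thread. The expected gateway, the SEPM host name and the port are assumptions to replace with your own values.

```powershell
# Added example, not from the thread. Run locally on a client that cannot reach the SEPM.
param(
    [string]$ExpectedGateway = '192.0.2.1',        # constructed value: your site's real gateway
    [string]$SepmHost        = 'sepm.example.com', # hypothetical SEPM host name
    [int]$SepmPort           = 8014                # assumption: the port your clients use for SEPM
)

$ipv4 = '^\d{1,3}(\.\d{1,3}){3}$'

# True when $Gateway lies in the same IPv4 subnet as $Ip under $Mask.
function Test-SameSubnet([string]$Ip, [string]$Mask, [string]$Gateway) {
    $i = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    $g = [System.Net.IPAddress]::Parse($Gateway).GetAddressBytes()
    for ($n = 0; $n -lt 4; $n++) {
        if (($i[$n] -band $m[$n]) -ne ($g[$n] -band $m[$n])) { return $false }
    }
    return $true
}

$report = foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    # A null gateway list yields an empty array here.
    $gateways = @($nic.DefaultIPGateway | Where-Object { $_ -match $ipv4 })
    for ($n = 0; $n -lt $nic.IPAddress.Count; $n++) {
        $ip = $nic.IPAddress[$n]
        if ($ip -notmatch $ipv4) { continue }   # IPv6 entries carry a prefix length, not a mask
        $mask    = $nic.IPSubnet[$n]
        $offLink = @($gateways | Where-Object { -not (Test-SameSubnet $ip $mask $_) })
        [pscustomobject]@{
            Adapter         = $nic.Description
            IP              = $ip
            Mask            = $mask
            Gateway         = $gateways -join ','
            GatewayOnSubnet = ($gateways.Count -gt 0) -and ($offLink.Count -eq 0)
            MatchesExpected = $gateways -contains $ExpectedGateway
        }
    }
}
$report | Format-Table -AutoSize

# Separate from the gateway check: can this client open a TCP connection to the SEPM?
$tcp = Test-NetConnection -ComputerName $SepmHost -Port $SepmPort -WarningAction SilentlyContinue
'SEPM {0}:{1} reachable over TCP: {2}' -f $SepmHost, $SepmPort, $tcp.TcpTestSucceeded
```

A row with GatewayOnSubnet or MatchesExpected set to False points at the kind of misconfiguration the post describes; a client on the same subnet as the SEPM can still pass the TCP test with a wrong gateway.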