A Symantec Endpoint Protection agent is unable to complete the registration process with its Manager

Article ID: 157773

Products

Endpoint Protection

Issue/Introduction

A Symantec Endpoint Protection (SEP) agent is unable to complete the registration process with its Manager (SEPM). The agent appears in the expected group, but its status is offline.

Replacing the sylink.xml file, resetting the hardware ID, or reinstalling the SEP agent does not help.

The SEPM and the other SEP clients do not have any problems.

A packet capture shows that the SEP agent sends the registration request properly and receives confirmation of it from the SEPM.

In the SEP client, under Help > Troubleshooting > Connection Status, this message is displayed:
Not connected.Error details:
Solution
This is a general error message indicating that communication with the server failed. Run the Symantec Endpoint Protection Support Tool (SST) to diagnose the problem.

The SST report shows:

Connection status: Not connected.
Error1:113
Error2:8
Other:Error in registration response (8).

In sylink.log, the registration fails with "ERR to query content length". Unlike similar issues, the server returns a 200 OK confirmation here:

12/11 13:59:06.765 [5624] <SendRegistrationRequest:>http://<SEPM's IP>:8014
12/11 13:59:06.765 [5624] 13:59:6=>Send HTTP REQUEST
12/11 13:59:06.859 [5624] 13:59:6=>HTTP REQUEST sent
12/11 13:59:06.859 [5624] 13:59:6=>QUERY return code
12/11 13:59:06.859 [5624] 13:59:6=>QUERY return code completed
12/11 13:59:06.859 [5624] <SendRegistrationRequest:>SMS return=200
12/11 13:59:06.859 [5624] <ParseHTTPStatusCode:>200=>200 OK
12/11 13:59:06.859 [5624] <SendRegistrationRequest:>ERR to query content length
12/11 13:59:06.859 [5624] <SendRegistrationRequest:>Content Lenght =>
12/11 13:59:06.859 [5624] HTTP returns status code=200
12/11 13:59:06.859 [5624] <SendRegistrationRequest:>RECEIVE STAGE COMPLETED
12/11 13:59:06.859 [5624] <SendRegistrationRequest:>COMPLETED, returned 1

No errors are logged in AgentRegister-0.log on the SEPM (only with finest debugging).

In the packet capture, several DUP ACKs are logged.
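
To check other clients for the same sylink.log pattern (HTTP 200 from the SEPM followed by "ERR to query content length"), the following added example groups log lines into registration attempts and flags the ones that match. It is not Symantec code; the function names are hypothetical, the sample log is constructed from the excerpt above with a placeholder server address, and the line format is assumed to be the one shown in that excerpt.

```python
import re

# Constructed sample modelled on the sylink.log excerpt in this article
# (SEPM_IP is a placeholder for the server address).
SAMPLE_LOG = """\
12/11 13:59:06.765 [5624] <SendRegistrationRequest:>http://SEPM_IP:8014
12/11 13:59:06.859 [5624] <SendRegistrationRequest:>SMS return=200
12/11 13:59:06.859 [5624] <ParseHTTPStatusCode:>200=>200 OK
12/11 13:59:06.859 [5624] <SendRegistrationRequest:>ERR to query content length
12/11 13:59:06.859 [5624] <SendRegistrationRequest:>Content Lenght =>
12/11 13:59:06.859 [5624] <SendRegistrationRequest:>COMPLETED, returned 1
"""

# "MM/DD HH:MM:SS.mmm [thread] message", as in the excerpt.
LINE_RE = re.compile(r"^(\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(\d+)\] (.*)$")
START = "<SendRegistrationRequest:>http"
STATUS_RE = re.compile(r"<SendRegistrationRequest:>SMS return=(\d+)")
LEN_ERR = "<SendRegistrationRequest:>ERR to query content length"
END = "<SendRegistrationRequest:>COMPLETED"

def find_registration_attempts(text):
    """Group log lines per thread ID into registration attempts."""
    open_attempts, done = {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ts, tid, msg = m.groups()
        if msg.startswith(START):
            open_attempts[tid] = {"start": ts, "thread": tid,
                                  "status": None, "length_error": False}
        elif tid in open_attempts:
            cur = open_attempts[tid]
            status = STATUS_RE.match(msg)
            if status:
                cur["status"] = int(status.group(1))
            elif msg.startswith(LEN_ERR):
                cur["length_error"] = True
            elif msg.startswith(END):
                done.append(open_attempts.pop(tid))
    # Attempts that never logged COMPLETED are returned as well.
    return done + list(open_attempts.values())

def matches_article_signature(attempt):
    """True for the pattern in this article: HTTP 200, content length unreadable."""
    return attempt["status"] == 200 and attempt["length_error"]

if __name__ == "__main__":
    for a in find_registration_attempts(SAMPLE_LOG):
        print(a["start"], a["thread"], a["status"], matches_article_signature(a))
```
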

Cause

Old NIC drivers were identified on both systems involved: version 9.3.39.0 on the SEPM and version 9.12.13.0 Rev A on the system with the SEP client. They are from 2008.

Resolution

Upgrade the NIC drivers on the problematic system.


Applies To

Windows 2003 32-bit with a dual card of Intel PRO 1000 NICs