Security Virtual Appliance (SVA) reporting in Symantec Endpoint Protection Manager (SEPM) may incorrectly show "unknown" for client status.

Article ID: 158631

Products

Endpoint Protection

Issue/Introduction

Clients show "unknown" in SEPM even though an SVA is assigned to them by policy.

SEPM > Monitors > "Security Virtual Appliance" tab shows only a few clients per SVA.

SEPM > Clients > "Security Virtual Appliance" column shows offline, unknown, or not applicable.


Symptoms: No errors.

SEPM > Monitors > "Security Virtual Appliance" shows the SVA as expected but never all of its clients. Instead it shows only a subset of the connected clients (0, 1, 2, 3 ...), never the full count.

SEPM > Clients > "Security Virtual Appliance" column shows offline, unknown, or not applicable for most clients; only a few correctly show the associated SVA.


Cause

The root cause is that the SVA and the clients check in to the manager asynchronously. Clients only check in to the SVA when a manual or scheduled scan is initiated, so the SVA has no client information until a client checks in. Both the SVA and the clients check in to the SEPM according to the settings in sylink.xml.

The SVA install instructions advise customers to use a sylink.xml file exported from the Symantec Endpoint Protection Manager (SEPM). A default SEPM install has sylink.xml set to PUSH mode with a heartbeat of 5 minutes (300 seconds). In this case the sylink.xml file exported from the SEPM was set to PULL mode with a heartbeat of 30 minutes (1800 seconds). On some clients the scans take less than 30 minutes, so the log data sent to the manager is stale rather than real time.


NOTE: When the SVA cache is cleared (sudo restart vsic, or sudo stop vsic; sudo start vsic), the Security Virtual Appliance column in the client view changes back to unknown until the next time the client does a full scan and the SVA checks in.

Resolution

Option 1: Install the SVA using a sylink.xml file set to PUSH mode with a heartbeat of 5 minutes.

Option 2: Manually edit the SVA sylink.xml file located at /etc/symantec/sylink.xml and change it to PUSH mode.

Option 3: Uninstall the SVA, then reinstall it using a PUSH mode sylink.xml file.


Applies To

Topology: 1 Manager, 12.1 RU3
15 VM servers with approximately 10-15 clients per VM
15 SVAs, one installed on each host server.

Attachments

Security Virtual Appliance tab.PNG
Security Virtual Appliance Client tab.PNG