Symantec Endpoint Protection 12.1 RU3 or 12.1 RU4 clients send repeated registration requests to the SEPM

Article ID: 158637

Products

Endpoint Protection

Issue/Introduction

A Symantec Endpoint Protection (SEP) 12.1 RU3 or RU4 client is seen sending repeated registration requests to the Symantec Endpoint Protection Manager (SEPM). Affected clients will send registration requests approximately twice a second.

The following lines are from the ersecreg.log file of a SEPM whose SEP clients are affected by this problem:

02/06 13:36:39 [1652:2804] xxx.xxx.xxx.xxx--FAILED

02/06 13:36:39 [1652:1460] 503 Server is busy for Registration
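
The check below is an added example, not Symantec's code: it scans ersecreg.log lines of the shape shown above and flags clients whose FAILED entries approach the twice-a-second rate described in this article. It assumes each `<address>--FAILED` line is one failed registration from that client; the function name, the 10-second window, the 1.5 per second threshold and the sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line shape quoted in the article: MM/DD HH:MM:SS [pid:tid] <client>--FAILED
FAILED_RE = re.compile(r"^(\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\d+:\d+\] (\S+?)--FAILED$")

def find_looping_clients(lines, window_s=10, min_rate=1.5, year=2000):
    """Return {client: peak failures per second} for clients whose FAILED
    entries reach min_rate within any window_s-second span.
    The log carries no year; `year` is an arbitrary leap year for parsing."""
    per_client = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue  # the "503 Server is busy" lines name no client
        ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d %H:%M:%S")
        per_client[m.group(2)].append(ts)

    flagged = {}
    for client, stamps in per_client.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            # Advance the window start until the span is under window_s seconds.
            while (ts - stamps[start]).total_seconds() >= window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak / window_s >= min_rate:
            flagged[client] = peak / window_s
    return flagged

# Constructed sample: 192.0.2.10 fails twice a second for 10 s (looping),
# 192.0.2.20 fails once (ordinary failure). Addresses are documentation IPs.
SAMPLE = [
    f"02/06 13:36:{30 + s:02d} [1652:{tid}] 192.0.2.10--FAILED"
    for s in range(10) for tid in (2804, 1460)
] + [
    "02/06 13:36:35 [1652:1460] 503 Server is busy for Registration",
    "02/06 13:36:35 [1652:2804] 192.0.2.20--FAILED",
]

if __name__ == "__main__":
    for client, rate in find_looping_clients(SAMPLE).items():
        print(f"{client}: {rate:.1f} failed registrations/sec")
```

Clients it reports are the candidates for the upgrade or the registry workaround described under Resolution.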

Cause

This problem was introduced with changes made in Release Update 3 (RU3) to the way the SEP client handles failed registration attempts. The client enters an accelerated registration loop when the SEPM is unable to process the initial registration request and responds with an HTTP 500 or 503 response code.

Resolution

This issue is resolved in Symantec Endpoint Protection 12.1 RU4 MP1. Please upgrade affected clients to resolve this issue.

To work around this problem, configure the SEP 12.1 RU3 and RU4 clients to not automatically reconnect to the last used SEPM. To do this, change the following DWORD registry value from 1 to 0. If this registry value does not exist, create it.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\UseLastServer

Note: After making this Registry change, the Symantec Management Client service must be restarted. This may be accomplished by either restarting the computer or by running the commands smc -stop and smc -start on the client computer. See TECH103048 for more information.

Note: If SEP's Tamper Protection feature is enabled, this feature must be disabled before the registry change listed above can be made. See article TECH192023 for steps on how to disable Tamper Protection.