SEP SVA performance issue or system unresponsive after upgrading the VMware tool set

Article ID: 159149

Products

Endpoint Protection

Issue/Introduction

After upgrading the VMware tool set for the Guest Virtual Machines (GVMs), the virtual machines may experience a performance impact, communication between the virtual machines and the Symantec Endpoint Protection (SEP) Security Virtual Appliance (SVA) may be impaired, or the SVA may become unresponsive. Other symptoms may include:

  • The system partition "/" of the SVA's operating system runs out of space because error entries flood "/var/log/messages" faster than they can be managed, exhausting free disk space.
  • Continual purging of, or a lack of new entries in, the local cache of the SVA

The SVA communicates with the virtual machines through an intermediary mechanism, the Virtual Machine Communication Interface (VMCI), which provides fast and efficient communication. vShield uses a thin agent (EPSEC), included in the VMware Tools Thin Agent VMCI driver, for virtual machines to offload security events. The Symantec SVA relies on this communication layer and mechanism.

The bulk of the EPSEC entries in "/var/log/messages" consists of the following event types.

  • %TIMESTAMP% %SERVER% mono.bin: [ERROR] (EPSEC) [0x692] Event subtype = 256 is invalid. Event Id = ########
  • %TIMESTAMP% %SERVER% mono.bin: [ERROR] (EPSEC) [0x6ac] Event subtype = 257 is invalid. Event Id = ########
  • %TIMESTAMP% %SERVER% mono.bin: [ERROR] (EPSEC) [0x69c] Event subtype = 259 is invalid. Event Id = ########
  • %TIMESTAMP% %SERVER% mono.bin: [ERROR] (EPSEC) [0x6a7] Event subtype = 4098 is invalid. Event Id = ########
  • %TIMESTAMP% %SERVER% mono.bin: [WARNING] (EPSEC) [0x6b1] Got event ######## with an unsupported version ######.
  • %TIMESTAMP% %SERVER% mono.bin: [ERROR] (EPSEC) [0x6b1] [email protected]=####: Event id: ########.Unsupported version ###### was requested.
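
One way to confirm this symptom on a copy of the log, added here as an example and not taken from Symantec or VMware material: the script counts the EPSEC entry types listed above and reports what share of the log's bytes they account for. The sample lines, the host name `sva01`, the event ids and the syslog timestamp layout are constructed assumptions.

```python
import re
import sys
from collections import Counter

# Patterns follow the EPSEC entries listed in the article. Everything before
# "mono.bin:" (timestamp, host) is left unparsed, since its layout is assumed.
EPSEC = re.compile(r"mono\.bin: \[(?:ERROR|WARNING)\] \(EPSEC\) \[0x[0-9a-fA-F]+\] (.*)")
SUBTYPE = re.compile(r"Event subtype = (\d+) is invalid")
VERSION = re.compile(r"unsupported version", re.IGNORECASE)

# Constructed sample input (not real SVA output).
SAMPLE = [
    "Jan  5 10:00:01 sva01 mono.bin: [ERROR] (EPSEC) [0x692] Event subtype = 256 is invalid. Event Id = 1001",
    "Jan  5 10:00:01 sva01 mono.bin: [ERROR] (EPSEC) [0x6a7] Event subtype = 4098 is invalid. Event Id = 1002",
    "Jan  5 10:00:01 sva01 mono.bin: [WARNING] (EPSEC) [0x6b1] Got event 1003 with an unsupported version 65536.",
    "Jan  5 10:00:02 sva01 sshd[812]: Accepted publickey for admin",
    "Jan  5 10:00:02 sva01 mono.bin: [ERROR] (EPSEC) [0x692] Event subtype = 256 is invalid. Event Id = 1004",
]

def summarize(lines):
    """Return (Counter of EPSEC entry kinds, EPSEC share of total log bytes)."""
    counts = Counter()
    epsec_bytes = total_bytes = 0
    for line in lines:
        size = len(line.encode("utf-8", "replace"))
        total_bytes += size
        match = EPSEC.search(line)
        if not match:
            continue  # unrelated syslog entry
        epsec_bytes += size
        body = match.group(1)
        subtype = SUBTYPE.search(body)
        if subtype:
            counts["invalid_subtype_" + subtype.group(1)] += 1
        elif VERSION.search(body):
            counts["unsupported_version"] += 1
        else:
            counts["other_epsec"] += 1
    share = epsec_bytes / total_bytes if total_bytes else 0.0
    return counts, share

if __name__ == "__main__":
    # Pass a path to a copy of /var/log/messages, or run with no argument for the sample.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    counts, share = summarize(source)
    for kind, n in counts.most_common():
        print(f"{n:8d}  {kind}")
    print(f"EPSEC share of log bytes: {share:.1%}")
```

A high EPSEC share combined with a shrinking "/" partition matches the flood described in this article.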

Cause

The Symantec SVA is not using the most current version of the VMware EPSec library. The VMware Endpoint Driver is backwards compatible and supports earlier versions of the EPSec Library. The errors observed are a symptom of a failure in the version negotiation required for backwards compatibility.

Resolution

This issue affects ESXi 5.1 and ESXi 5.5 environments and is documented in VMware KB: 2077305. A fix has been released in ESXi 5.1P06 and 5.5U2. Please contact VMware Support for migration assistance.


Applies To

Symantec Endpoint Protection Security Virtual Appliance 12.1 RU2 and newer

VMware ESXi server software

  • ESXi 5.1 prior to 5.1P06
  • ESXi 5.5 prior to 5.5U2