Does Symantec recommend using auto-negotiate?
Relevant versions: ALL
Symantec usually recommends using 100 Full Duplex when problems are encountered with autonegotiate.
A lot of 100Mbps switch infrastructures have marginal auto-negotiation that do not interoperate well with some NICs. If you're having problems linking up, it is possible that the port and card do not agree on configuration (e.g., one is fixed, the other is auto-negotiate), but also possible that auto-negotiation just isn't working that well between them.
A common symptom of auto-negotiate issues is that the card will link, but the link will flap up and down, particularly under heavier load. A common solution in this case is to hard-code both the card and the port to 100 Mbps/Full-Duplex. If you're having link stability problems with auto-negotiate, you may want to try locking the port speed/duplex settings. You will need to adjust the switch to hard-code 100/FD as well on that port.
If changing the Endace (or standard NICs) from auto to 100/FD solves the problem, there is a good chance it is because the switch was already configured that way. Shops that have experienced past issues commonly make hard-coded 100/FD the standard configuration for all host systems and switch ports so that they don't have to troubleshoot incompatibilities.
The above does not just apply to Endace, nor does it only apply to the detection servers. Symantec commonly suggests hard-coding to 100/FD when there are signs of connection instability under heavy load in a Prevent implementation. V10+ Linux monitors are quite capable of dealing with saturated 100Mbps links now that often show stability issues under stress.