When configuring the Symantec Endpoint Protection Manager (SEPM) Controller Connection in Advanced Threat Protection (ATP), the connection fails with "Error: IP Address in certificate didn't match IP Address of SEPM." The error occurs when you check the "Add SEPM SSL Certificate" box.
The default self-signed certificate for the SEPM includes subject alternative name entries for all of the SEPM's IPv4 and IPv6 addresses. ATP connects to the SEPM by IP address. When the "Add SEPM SSL Certificate" box is checked in the configuration, ATP verifies the certificate when it connects to the SEPM. If the IP address of the SEPM has changed, verification of the SEPM's certificate fails because the current SEPM IP address does not match the addresses in the SEPM's certificate.
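The IP-to-certificate comparison described above can be reproduced with openssl to see which addresses a certificate covers. This is an added example, not Symantec tooling: the function names, the throwaway certificate and the sample addresses (documentation ranges) are constructed, and the host and port passed to fetch_cert are placeholders you supply. It assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. Addresses are constructed (RFC 5737 / RFC 3849 documentation ranges).

# fetch_cert HOST PORT OUT_PEM: save the certificate a server presents.
# HOST and PORT are placeholders for your SEPM's address and HTTPS port.
fetch_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -out "$3"
}

# make_cert OUT_PEM SAN_LIST: build a throwaway self-signed certificate whose
# subjectAltName holds SAN_LIST, standing in for the SEPM default certificate.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sepm-example" -addext "subjectAltName=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# list_san_ips CERT_PEM: print the IP entries in the subjectAltName, one per line
# (openssl prints IPv6 entries uncompressed and in upper case).
list_san_ips() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^ *IP Address://p'
}

# cert_covers_ip CERT_PEM IP: succeed only if IP equals one of the SAN IP entries.
# openssl compares address values, so any textual form of an IPv6 address works.
cert_covers_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" |
        grep -q 'does match certificate'
}

# demo: certificate issued while the server had 192.0.2.10; 192.0.2.77 plays
# the address the server was moved to afterwards.
demo() {
    dir=$(mktemp -d)
    make_cert "$dir/sepm.pem" "IP:192.0.2.10,IP:2001:db8::10"
    echo "IP entries in certificate:"; list_san_ips "$dir/sepm.pem"
    for ip in 192.0.2.10 2001:db8::10 192.0.2.77; do
        if cert_covers_ip "$dir/sepm.pem" "$ip"; then
            echo "$ip: matches certificate"
        else
            echo "$ip: NOT in certificate (verification would fail)"
        fi
    done
    rm -rf "$dir"
}
demo
```

Against a real server, run fetch_cert first and pass the saved file and the address ATP connects to into cert_covers_ip.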
If you changed the IP address of your SEPM server after installing the SEPM, you can either change the IP address of the server back to the original IP address or issue a new certificate on the SEPM. To issue a new certificate, see Generating a new server certificate.
Note that issuing a new certificate can break client-server communication. To avoid this, see Best practices for updating server certificates and maintaining the client-server connection.