Unable to connect to Encryption Management Server after upgrading to release 3.4 or above

Article ID: 164708

Products

Encryption Management Server

Issue/Introduction

After upgrading to Encryption Management Server 3.4 or above, hosts that were previously able to connect to the server can no longer do so.

Environment

Symantec Encryption Management Server version 3.4 or above with the following attributes:

  • Multiple network interfaces.
  • Each interface on a different subnet.
  • Interfaces being used for different purposes. For example, internal clients connecting to Interface 1 and external Web Email Protection users connecting to Interface 2.
  • Static routing in place using /etc/sysconfig/network-scripts/route-eth* files.

Cause

Encryption Management Server 3.4 and above implements Strict mode Reverse Path Forwarding as defined in RFC 3704. In strict mode the server discards a packet when the route back to that packet's source address does not leave via the interface the packet arrived on, so traffic that arrives on one interface and would be answered via a different interface is dropped. This prevents IP spoofing from local subnets and reduces the opportunity for DDoS attacks.

Resolution

There are two possible solutions to this issue:

  1. Modify the static routing files to ensure that traffic arriving on each interface can leave via that interface's gateway. Your network team may need to advise on the routes required. They may also need to modify router and firewall settings. Where possible, Symantec recommends using Encryption Management Server with the default settings of Strict mode Reverse Path Forwarding.
  2. Revert to Loose mode Reverse Path Forwarding. This was the default in Encryption Management Server prior to release 3.4.
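The following is an added example, not part of the Symantec article, that models the RFC 3704 strict and loose checks described under Cause over a constructed routing table for the multi-homed layout in the Environment section, and shows why solution 1 works: the route back to each source must point at the interface the packet arrived on. Interface names, subnets and routes are assumed sample values; the real routes for your network are still for your network team to define.

```python
# Added example (not from the Symantec article): a model of the RFC 3704
# Reverse Path Forwarding check on a multi-homed server. All addresses,
# interface names and routes below are constructed sample values.
import ipaddress


def build_table(entries):
    """Turn ("cidr", "dev") pairs into a list of (ip_network, dev) routes."""
    return [(ipaddress.ip_network(net), dev) for net, dev in entries]


def best_route(routes, address):
    """Longest-prefix match; returns the egress interface or None if unroutable."""
    addr = ipaddress.ip_address(address)
    matches = [(net, dev) for net, dev in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def rpf_check(routes, src, ingress, mode="strict"):
    """True if a packet from src arriving on ingress passes the RPF check.
    strict: the route back to src must leave via the ingress interface.
    loose:  any route back to src is enough; only unroutable sources fail."""
    dev = best_route(routes, src)
    if dev is None:
        return False
    return dev == ingress if mode == "strict" else True


# Before the fix: eth0 internal, eth1 DMZ, and a single default route via eth0.
BEFORE = build_table([
    ("10.0.0.0/24", "eth0"),   # internal clients on Interface 1
    ("192.0.2.0/24", "eth1"),  # DMZ subnet on Interface 2
    ("0.0.0.0/0", "eth0"),     # the only default route points at eth0's gateway
])
# After solution 1: the external users' subnet is routed via eth1's gateway.
AFTER = BEFORE + build_table([("198.51.100.0/24", "eth1")])


def scenario(routes, mode):
    """Internal client on eth0 and external Web Email Protection user on eth1."""
    return {
        "internal": rpf_check(routes, "10.0.0.5", "eth0", mode),
        "external": rpf_check(routes, "198.51.100.7", "eth1", mode),
    }


if __name__ == "__main__":
    for name, routes in (("before", BEFORE), ("after", AFTER)):
        for mode in ("strict", "loose"):
            print(name, mode, scenario(routes, mode))
```

Before the route change, the external user on eth1 fails the strict check (the reverse route for 198.51.100.7 is the default via eth0) but passes the loose check, which is exactly the behaviour change seen after upgrading to 3.4.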

Please contact Symantec Technical Support for assistance with this issue.

Please note that Symantec Technical Support will not be able to define the routes you need but can assist in configuring the routes.

For further information please see this article from Red Hat:

Why does Red Hat Enterprise Linux 6 and above invalidate / discard packets when the route for outbound traffic differs from the route of incoming traffic?