Clients show high CPU usage when moved to a new site in a replication environment.

book

Article ID: 171767

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You are attempting to move clients from Site A to Site B or vice-versa. The client's current group has a Management Server List (MSL) directing the client to one site. When the MSL is changed, or the client is moved to a group where the MSL has the other site as priority one, the client starts to use high CPU. Rapid auto-location switching may also be obvserved if the SEPM connection state is used in the criteria. 05/03 09:54:01.515 [10868] <mfn_DoGetIndexFile200>Index File: ... <SylinkFile Checksum="D1FEA79B858F79F6347D4B9C4E9E4F94" LastModifiedTime="02/05/2018  17:09:57"/>
...
05/03 09:54:01.516 [10868] <mfn_ParseIndexFile2>set to download new Sylink..
...
05/03 09:54:02.803 [10868] <mfn_MakeGetSylinkFileUrl:>Request is: ...
...
05/03 09:54:02.803 [10868] <mfn_SendRequestToServer:>https://ServerA:443/secars/secars.dll?h=...
...
05/03 09:54:02.826 [10868] <mfn_DoGetSylinkFile200>Parsing Sylink.xml file..
05/03 09:54:02.826 [10868] SyLinkCreateConfig => Created instance: 0AA83C40
05/03 09:54:02.826 [10868] <mfn_ParseSylinkFile>Created m_hNewGroupConfig: 0AA83C40
05/03 09:54:02.826 [10868] RemeberCurrentGroup=1,RememberCurrentPolicyMode=1
05/03 09:54:02.827 [10868] <mfn_SaveConfigFile>Write data to a temp file as C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.3872.1100.105\Data\Config\Sylink.tmp
05/03 09:54:02.828 [10868] <mfn_SaveConfigFile>Writing Sylink file data of length (in bytes) 6868
05/03 09:54:02.829 [10868] <mfn_SaveConfigFile>Deleted Temp Sylink file..
05/03 09:54:02.830 [10868] <mfn_ParseSylinkFile>Now Sylink.xml is supposed to be good.. setting m_bBackupNewSylinkConfig to TRUE.
05/03 09:54:02.830 [10868] <PostEvent> going to post event=EVENT_SERVER_ONLINE
05/03 09:54:02.830 [10868] <PostEvent> done post event=EVENT_SERVER_ONLINE, return=0
05/03 09:54:02.830 [10868] <mfn_DoGetSylinkFile200>completed
05/03 09:54:02.831 [10868] <GetSylinkFileRequest:>RECEIVE STAGE COMPLETED
05/03 09:54:02.831 [10868] <GetSylinkFileRequest:>COMPLETED
...
05/03 09:54:12.179 [10868] Use new configuration
...

-Connected to new server.-
05/03 09:54:12.725 [10868] <mfn_DoGetIndexFile200>Index File: ... <SylinkFile Checksum="1E66D208EB7569CA9E0F84EB602EF586" LastModifiedTime="02/05/2018  16:57:10"/>
...
05/03 09:54:12.727 [10868] <mfn_ParseIndexFile2>set to download new Sylink..
...
05/03 09:54:14.054 [10868] <mfn_MakeGetSylinkFileUrl:>Request is: ...
...
05/03 09:54:14.054 [10868] <mfn_SendRequestToServer:>https://ServerB:443/secars/secars.dll?h=...
...
05/03 09:54:14.075 [10868] <mfn_DoGetSylinkFile200>Parsing Sylink.xml file..
05/03 09:54:14.076 [10868] SyLinkCreateConfig => Created instance: 0AA87558
05/03 09:54:14.076 [10868] <mfn_ParseSylinkFile>Created m_hNewGroupConfig: 0AA87558
05/03 09:54:14.077 [10868] RemeberCurrentGroup=1,RememberCurrentPolicyMode=1
05/03 09:54:14.078 [10868] <mfn_SaveConfigFile>Write data to a temp file as C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.3872.1100.105\Data\Config\Sylink.tmp
05/03 09:54:14.078 [10868] <mfn_SaveConfigFile>Writing Sylink file data of length (in bytes) 6868
05/03 09:54:14.080 [10868] <mfn_SaveConfigFile>Deleted Temp Sylink file..
05/03 09:54:14.080 [10868] <mfn_ParseSylinkFile>Now Sylink.xml is supposed to be good.. setting m_bBackupNewSylinkConfig to TRUE.
05/03 09:54:14.080 [10868] <PostEvent> going to post event=EVENT_SERVER_ONLINE
05/03 09:54:14.081 [10868] <PostEvent> done post event=EVENT_SERVER_ONLINE, return=0
05/03 09:54:14.081 [10868] <mfn_DoGetSylinkFile200>completed
05/03 09:54:14.081 [10868] <GetSylinkFileRequest:>RECEIVE STAGE COMPLETED
05/03 09:54:14.081 [10868] <GetSylinkFileRequest:>COMPLETED
...
05/03 09:54:20.521 [10868] Use new configuration
...

-Events continue as above, going back to ServerA, then ServerB repeatedly.-

Cause

The databases between sites have not synchronized, and the client is in two groups with disparate MSLs simultaneously.

Environment

Multiple SEPM sites in replication.

Resolution

This condition will be resolved when replication completes between the two sites.

Workaround:
Move the client to the new group on the new (receiving) site, then replicate. The client will not move until both sites' databases are in sync. This prevents the client from moving to the new site until synchronization has occurred.