ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Endpoint Protection scans show incomplete in Manager

book

Article ID: 172846

calendar_today

Updated On:

Products

Endpoint Protection

Cause

Excessive TCP connections to your SEPM in TIME_WAIT status.

Environment

Microsoft Windows

Resolution

Make the following adjustments to your SEPM, one at a time, and restart all SEPM services after each unless otherwise noted:

  • Increase the value for "ConnectionsToQueuePerChild" in httpd.conf to 3000.
  • Reduce the TIME_WAIT socket connection numbers if you see a buildup of TIME_WAIT connections in your Apache logs or netstat by creating or altering the following registry values. (This requires a full server reboot.)
    • Registry Value: TcpTimedWaitDelay
      • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
      • Value Type: REG_DWORD
      • Data: 30 (decimal)
    • Registry Value: MaxUserPort
      • ​Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort
      • Value Type: REG_DWORD
      • Data: 65534 (decimal)
  • If possible, increase the heartbeat interval of all the groups. (This does not require a service restart, but will require a heartbeat cycle to take effect.)
  • Throttle the agent registration by adding the following 3 parameters in conf.properties file:
    • scm.agentregistration.throttle.low=5
    • scm.agentregistration.throttle.high=10
    • scm.agentregistration.throttle.leak=100
  • Reduce the objects cache by adding the following to the conf.properties file: scm.cache.thereshold=600
  • If possible, reduce the LiveUpdate frequency on the SEPM. (This does not require a service restart.)
  • Disable Application Learning temporarily.
  • If the SEPM is in a VMware virtual machine, review the article After upgrading a virtual machine to hardware version 11, network dependent workloads experience performance degradation (2129176)
  • Check if there are any legacy clients forwarding the logs to the SEPM. If so, disable this option temporarily.
  • Restart the SEPM server and confirm that it fixes the issue.