search cancel

Network connectivity is lost upon upgrading Endpoint Protection

book

Article ID: 174500

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You upgrade an existing Symantec Endpoint Protection (SEP) client and find there is no network connectivity after a reboot. Ipconfig shows there are no installed network adapters.The issue mainly occurs on systems where Cisco AnyConnect is or was installed.

teeferInstall.log:

ERROR: Call to installNetComponent() failed: 0x8007007e

 

SIS_INST.LOG:

CreateProcess Return Value: 8007007E = The specified module could not be found.

 

Process Monitor boot logging, similar to:

7:37:07.9571150 PM    NetCfgNotifyObjectHost.exe    1804    2040    IRP_MJ_CREATE    C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\drv\acnamfdbctl.dll    PATH NOT FOUND 
7:37:47.8109596 PM    installTeefer.exe    5888    6116    IRP_MJ_CREATE    C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\drv\acnamfdbctl.dll    PATH NOT FOUND
7:37:47.9417175 PM    installTeefer.exe    5888    5844    Process Exit        SUCCESS    Exit Status: -2147024770

or

7:37:07.9571150 PM    NetCfgNotifyObjectHost.exe    1804    2040    IRP_MJ_CREATE    C:\Windows\System32\acnamfdbctl.dll    FILE NOT FOUND 
7:37:47.8109596 PM    installTeefer.exe    5888    6116    IRP_MJ_CREATE    C:\Windows\System32\acnamfdbctl.dll    FILE NOT FOUND
7:37:47.9417175 PM    installTeefer.exe    5888    5844    Process Exit        SUCCESS    Exit Status: -2147024770

Note: A different third-party driver may be indicated by the Process Monitor logging, with a similar series of events.

setupapi.dev.log: (The following error may be present if there is an issue with Cisco AnyConnect. In some cases the error will not appear until the NIC drivers are updated or reinstalled.)

!!!  ndv:      Error 1460: This operation returned because the timeout period expired.

Cause

The installation and removal of the SEP Firewall driver is a complex process that is dependent on the proper functioning of Windows' network configuration interface (INetCfg). INetCfg  provides methods to initialize, uninitialize, apply changes to, cancel changes to and retrieve information regarding network configuration.

When one or more libraries INetCfg depends on are either missing or corrupted, or a third-party library –e.g. acnamfdbctl.dll ("Cisco AnyConnect Network Access Manager Bind Controller")– is tied to it but missing and/or no longer properly registered, calling its methods may result in unexpected behavior and network configuration damage. Due to an issue in affected versions of Windows 10, corruption may occur when Cisco AnyConnect is upgraded.

Other than the above mentioned INetCfg-related issues, teeferInstall.exe may also fail due to registry settings, GPOs or other software hampering its execution.

Environment

  • Windows 10 1607, 1703, and 1709
  • SEP
  • Cisco AnyConnect 4.6 MR1 or prior upgraded to a higher version

Resolution

  • Capture Process Monitor Boot Logging during the reboot immediately after SEP is installed. Events related to a missing third-party library (such as the one shown in the Error section above) may occur around the time of failure. If that should be the case, and installTeefer.exe specifically references that library, then please contact the third-party vendor for further assistance.
  • Verify the following files are present in both C:\Windows\System32 and C:\Windows\SysWOW64 and not corrupted (e.g. by comparing their file hashes with known good versions on a system where you do not experience the issue):

    devrtl.dll
    NetSetupApi.dll
    NetSetupEngine.dll
    NetSetupShim.dll
    nsi.dll
    tcpipcfg.dll
    winnsi.dll
    ws2_32.dll

    Note that, due to the ever-changing nature of Windows, this may not be an exhaustive list of libraries required to perform INetCfg functions. If in doubt, contact Microsoft.

  • Check SEP Firewall network bindings and service state:
  1. Open a CMD.exe prompt as admin.
  2. Enter the following command (a blank result will be returned if teefer2 has no binding):

    netcfg -b symc_teefer2 
    
  3. Enter the following command, which will show if the teefer2 service exists or is started:

    sc query teefer2

The issue may sometimes be worked around in the following manner:

  1. Modify the SEP client's installed features to remove the Firewall, and reboot.
  2. Modify the SEP client's installed features to re-add the Firewall, and reboot again.
  3. Confirm whether or not networking is now functional.

If the issue continues to persist, run CleanWipe and reinstall SEP.

Note: If the issue is related to a prior or existing install of Cisco AnyConnect, please contact Cisco technical support for assistance in confirming the issue and to obtain a tool which will fix the corruption and allow proper registration of the SEP Firewall driver. Refer to Cisco bug CSCvb59209 for details and assistance.

Let customer connect with Cisco to get the tool and run the below steps:
 

1. Download the SignedPurgeObjects.zip 
2. Extract the contents to c:\temp
3. Launch the Admin Command prompt and execute the command:
4. C:\windows\system32> cd\temp
5. c:\temp> purgenotifyobejects.exe > output.txt

In the list output , look for anything Cisco or acnamfd   and if we have it, then execute:

1. c:\temp> PurgeNotifyObjects.exe -confirmdelete
2. Reboot the device

   After login, check the Network Adapter.