ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Endpoint Protection for Linux LiveUpdate attempts fail with error code 0x80010830

book

Article ID: 176420

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) for Linux fails to connect to and download content from Symantec's LiveUpdate servers via HTTPS/443. 

debug.log:

[ERROR] [sep::lux::Cseplux]Failed to run session, error code: 0x80010830
[ERROR] [luman.CLuScheduleMgr]runLiveUpdate: Failed to run liveupdate [0x80010830]
[DEBUG] [luman.CLuScheduleMgr]doSchedule:  failed to start live update. ret: 1
[DEBUG] [luman.CLuScheduleMgr]doSchedule: Scheduled LU failed and start to retry.
[DEBUG] [luman.CLuScheduleMgr]doSchedule: start retry time is 1574182356
[DEBUG] [luman.CLuEventScheduler]IsClientScheduled: Client has a LU schedule
[DEBUG] [luman.CLuEventScheduler]CalculateTimeToNextUpdate: dwCurrentMinOfDay:592 dwCurrentTimeInMinutes:26236372 type:4 dwLastStartInMinutes:26236372
[DEBUG] [luman.CLuEventScheduler]CalculateTimeToNextUpdate: Next LU Run time in seconds = 14400
[DEBUG] [luman.CLuScheduler]work: fail to workFunc, err:1!

lux.log

09:52:34.493171 ********************************************************************************
09:52:34.493262 Symantec LiveUpdate Cross-Platform Engine (LUX) 2.10.1.13
09:52:34.493296 Symantec LiveUpdate Customer Logger 2.10.1.13
09:52:34.493340 Session started at Tue 2019/11/19 09:52:34 (UTC -0700)
09:52:34.493368 
09:52:34.493396 OS: Linux
09:52:34.493448 Version: 2.6.32-754.15.3.el6.x86_64 #1 SMP Tue Jun 18 16:25:32 UTC 2019
09:52:34.493479 Architecture: x86_64
09:52:34.493506 
09:52:34.493533 Product ID: {9F634534-BAF4-444B-B823-F14C1C80A8FD}
09:52:34.493559 ********************************************************************************
09:52:34.493608 [Session Parameters - BEGIN]
09:52:34.493638 	Working Path: /opt/Symantec/LiveUpdate/
09:52:34.493691 	Product ID: {9F634534-BAF4-444B-B823-F14C1C80A8FD}
09:52:34.493723 	Monikers: 
09:52:34.493750 		Empty
09:52:34.493776 	HST Path: Not Set
09:52:34.493803 	Ignore HST Errors: Not Set
09:52:34.493832 	Custom Download Path: /opt/Symantec/LiveUpdate/
09:52:34.493859 	Session Control Flag: Full Session
09:52:34.493885 	Servers:
09:52:34.493911 		Empty
09:52:34.493936 	Proxies:
09:52:34.493962 		Empty
09:52:34.493988 	Progress Callback: 
09:52:34.494014 		No
09:52:34.494040 [Session Parameters - END]
09:52:34.494093 [Component List - START]
09:52:34.494157 	{9F634534-BAF4-444B-B823-F14C1C80A8FD} : Virus and Spyware Definitions for Linux : SEPC Virus Definitions Linux 14.2_MicroDefsB.CurDefs_SymAllLanguages
09:52:34.494189 [Component List - END]
09:52:34.494216 [Session Initialization - START]
09:52:34.499216 	Result code: 0x00010000
09:52:34.499271 	Component Status Changes:
09:52:34.499311 		None
09:52:34.499341 [Session Initialization - END]
09:52:34.499392 [Inventory Synchronization - BEGIN]
09:52:35.928659 	Result Code: 0x00010000
09:52:35.928766 	Result Message: OK
09:52:35.928820 	Component Status Changes:
09:52:35.928889 		None
09:52:35.928949 [Inventory Synchronization - END]
09:52:35.929005 [Server Selection - START]
09:52:36.063540 	Result Code: 0x80010830
09:52:36.063615 	Result Message: FAIL - failed to select server
09:52:36.063701 	[Server - START]
09:52:36.063754 		Host ID: {00EBB97F-F368-45C1-835F-BA400A37940B}
09:52:36.063784 		Status Code: 1
09:52:36.063811 		Status Message: Server was not selected
09:52:36.063850 		Transport Return Code: 0x80010731
09:52:36.063882 		Transport Return Message: FAIL - download failed
09:52:36.063909 		Protocol: HTTPS
09:52:36.063937 		Hostname: liveupdate.symantecliveupdate.com
09:52:36.063963 		Port: 443
09:52:36.063989 		Path: 
09:52:36.064016 		Proxy ID: {00000000-0000-0000-0000-000000000000}
09:52:36.064140 		Proxy Bypass: false
09:52:36.064176 	[Server - END]
09:52:36.064204 	[Server - START]
09:52:36.064601 		Host ID: {00B0A3F5-8895-4F72-B59D-5E9D1D738379}
09:52:36.064654 		Status Code: 1
09:52:36.064704 		Status Message: Server was not selected
09:52:36.064741 		Transport Return Code: 0x80010731
09:52:36.064769 		Transport Return Message: FAIL - download failed
09:52:36.064797 		Protocol: HTTPS
09:52:36.064861 		Hostname: liveupdate.symantec.com
09:52:36.064889 		Port: 443
09:52:36.064916 		Path: 
09:52:36.064957 		Proxy ID: {00000000-0000-0000-0000-000000000000}
09:52:36.064991 		Proxy Bypass: false
09:52:36.065019 	[Server - END]
09:52:36.065051 	Used proxy list was empty
09:52:36.065079 [Server Selection - END]
09:52:36.065128 [Finalize Session - START]
09:52:36.065200 	Result Code: 0x00010000
09:52:36.065237 	Result Message: OK
09:52:36.065267 	Component Status Changes:
09:52:36.065303 		None
09:52:36.065332 [Finalize Session - END]
09:52:36.069578 [Session Results - START]
09:52:36.069636 	Session Result Code: 0x80010830
09:52:36.069669 	Session Result Message: FAIL - failed to select server
09:52:36.070234 	[Component Result - START]
09:52:36.070291 		Component ID: {9F634534-BAF4-444B-B823-F14C1C80A8FD}
09:52:36.070328 		Display Name: Virus and Spyware Definitions for Linux
09:52:36.070360 		PVL: SEPC Virus Definitions Linux 14.2_MicroDefsB.CurDefs_SymAllLanguages
09:52:36.070398 		Result Code: 0x00010000
09:52:36.070441 		Result Message: OK
09:52:36.070473 	[Component Result - END]
09:52:36.070506 [Session Results - END]
09:52:36.070535 [Session Summary - START]
09:52:36.070564 	Components: 1
09:52:36.070593 	Packages:   0
09:52:36.070621 	Success:    0
09:52:36.070650 	Fail:       0
09:52:36.070678 [Session Summary - END]
09:52:36.070707 ********************************************************************************
09:52:36.070751 Session ended at Tue 2019/11/19 09:52:36 (UTC -0700)
09:52:36.070780 ********************************************************************************

A packet capture shows TLS handshake failures:

366 2019-11-20 02:42:09.432254 [redacted] TLSv1.2 73 Alert (Level: Fatal, Description: Unknown CA)
367 2019-11-20 02:42:09.433328 [redacted] TCP 66 44586 → 443 [RST, ACK] Seq=525 Ack=2989 Win=23168 Len=0 TSval=692560266 TSecr=1183270133

Cause

This will occur if SEP does not have the LiveUpdate site's issuer certificate in its store or if that store is missing (/etc/symantec/sep/sepfl.pem). SEP should trust the default update HTTPS URL (https://liveupdate.symantecliveupdate.com). If you are using SSL interception or an internal https LUA server then SEP will be seeing a different site certificate.

Environment

Supported Linux operating systems.
No proxy server configured or involved in the network connection out to Symantec LiveUpdate servers.

Resolution

One of the following:

  • Check for the presence of /etc/symantec/sepfl.pem and replace it with attached file if it is missing.

  • See LiveUpdate fails on Endpoint Protection Linux clients for instructions on how to add a different issuer certificate to SEP's certificate store.

  • Use an HTTP URL to connect to LiveUpdate (http://liveupdate.symantecliveupdate.com).

  • If updating from an internal LiveUpdate Administrator server, ensure a trusted certificate is installed when using HTTPS.  
    See: Replace LiveUpdate Administrator certificate for instructions.

Attachments

1597940293599__sepfl.pem get_app