Endpoint Protection for Linux LiveUpdate attempts fail with error code 0x80010830

Article ID: 176420

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) for Linux fails to connect to and download content from Symantec's LiveUpdate servers via HTTPS/443. 

debug.log:

[ERROR] [sep::lux::Cseplux]Failed to run session, error code: 0x80010830
[ERROR] [luman.CLuScheduleMgr]runLiveUpdate: Failed to run liveupdate [0x80010830]
[DEBUG] [luman.CLuScheduleMgr]doSchedule:  failed to start live update. ret: 1
[DEBUG] [luman.CLuScheduleMgr]doSchedule: Scheduled LU failed and start to retry.
[DEBUG] [luman.CLuScheduleMgr]doSchedule: start retry time is 1574182356
[DEBUG] [luman.CLuEventScheduler]IsClientScheduled: Client has a LU schedule
[DEBUG] [luman.CLuEventScheduler]CalculateTimeToNextUpdate: dwCurrentMinOfDay:592 dwCurrentTimeInMinutes:26236372 type:4 dwLastStartInMinutes:26236372
[DEBUG] [luman.CLuEventScheduler]CalculateTimeToNextUpdate: Next LU Run time in seconds = 14400
[DEBUG] [luman.CLuScheduler]work: fail to workFunc, err:1!

lux.log:

09:52:34.493171 ********************************************************************************
09:52:34.493262 Symantec LiveUpdate Cross-Platform Engine (LUX) 2.10.1.13
09:52:34.493296 Symantec LiveUpdate Customer Logger 2.10.1.13
09:52:34.493340 Session started at Tue 2019/11/19 09:52:34 (UTC -0700)
09:52:34.493368 
09:52:34.493396 OS: Linux
09:52:34.493448 Version: 2.6.32-754.15.3.el6.x86_64 #1 SMP Tue Jun 18 16:25:32 UTC 2019
09:52:34.493479 Architecture: x86_64
09:52:34.493506 
09:52:34.493533 Product ID: {9F634534-BAF4-444B-B823-F14C1C80A8FD}
09:52:34.493559 ********************************************************************************
09:52:34.493608 [Session Parameters - BEGIN]
09:52:34.493638 	Working Path: /opt/Symantec/LiveUpdate/
09:52:34.493691 	Product ID: {9F634534-BAF4-444B-B823-F14C1C80A8FD}
09:52:34.493723 	Monikers: 
09:52:34.493750 		Empty
09:52:34.493776 	HST Path: Not Set
09:52:34.493803 	Ignore HST Errors: Not Set
09:52:34.493832 	Custom Download Path: /opt/Symantec/LiveUpdate/
09:52:34.493859 	Session Control Flag: Full Session
09:52:34.493885 	Servers:
09:52:34.493911 		Empty
09:52:34.493936 	Proxies:
09:52:34.493962 		Empty
09:52:34.493988 	Progress Callback: 
09:52:34.494014 		No
09:52:34.494040 [Session Parameters - END]
09:52:34.494093 [Component List - START]
09:52:34.494157 	{9F634534-BAF4-444B-B823-F14C1C80A8FD} : Virus and Spyware Definitions for Linux : SEPC Virus Definitions Linux 14.2_MicroDefsB.CurDefs_SymAllLanguages
09:52:34.494189 [Component List - END]
09:52:34.494216 [Session Initialization - START]
09:52:34.499216 	Result code: 0x00010000
09:52:34.499271 	Component Status Changes:
09:52:34.499311 		None
09:52:34.499341 [Session Initialization - END]
09:52:34.499392 [Inventory Synchronization - BEGIN]
09:52:35.928659 	Result Code: 0x00010000
09:52:35.928766 	Result Message: OK
09:52:35.928820 	Component Status Changes:
09:52:35.928889 		None
09:52:35.928949 [Inventory Synchronization - END]
09:52:35.929005 [Server Selection - START]
09:52:36.063540 	Result Code: 0x80010830
09:52:36.063615 	Result Message: FAIL - failed to select server
09:52:36.063701 	[Server - START]
09:52:36.063754 		Host ID: {00EBB97F-F368-45C1-835F-BA400A37940B}
09:52:36.063784 		Status Code: 1
09:52:36.063811 		Status Message: Server was not selected
09:52:36.063850 		Transport Return Code: 0x80010731
09:52:36.063882 		Transport Return Message: FAIL - download failed
09:52:36.063909 		Protocol: HTTPS
09:52:36.063937 		Hostname: liveupdate.symantecliveupdate.com
09:52:36.063963 		Port: 443
09:52:36.063989 		Path: 
09:52:36.064016 		Proxy ID: {00000000-0000-0000-0000-000000000000}
09:52:36.064140 		Proxy Bypass: false
09:52:36.064176 	[Server - END]
09:52:36.064204 	[Server - START]
09:52:36.064601 		Host ID: {00B0A3F5-8895-4F72-B59D-5E9D1D738379}
09:52:36.064654 		Status Code: 1
09:52:36.064704 		Status Message: Server was not selected
09:52:36.064741 		Transport Return Code: 0x80010731
09:52:36.064769 		Transport Return Message: FAIL - download failed
09:52:36.064797 		Protocol: HTTPS
09:52:36.064861 		Hostname: liveupdate.symantec.com
09:52:36.064889 		Port: 443
09:52:36.064916 		Path: 
09:52:36.064957 		Proxy ID: {00000000-0000-0000-0000-000000000000}
09:52:36.064991 		Proxy Bypass: false
09:52:36.065019 	[Server - END]
09:52:36.065051 	Used proxy list was empty
09:52:36.065079 [Server Selection - END]
09:52:36.065128 [Finalize Session - START]
09:52:36.065200 	Result Code: 0x00010000
09:52:36.065237 	Result Message: OK
09:52:36.065267 	Component Status Changes:
09:52:36.065303 		None
09:52:36.065332 [Finalize Session - END]
09:52:36.069578 [Session Results - START]
09:52:36.069636 	Session Result Code: 0x80010830
09:52:36.069669 	Session Result Message: FAIL - failed to select server
09:52:36.070234 	[Component Result - START]
09:52:36.070291 		Component ID: {9F634534-BAF4-444B-B823-F14C1C80A8FD}
09:52:36.070328 		Display Name: Virus and Spyware Definitions for Linux
09:52:36.070360 		PVL: SEPC Virus Definitions Linux 14.2_MicroDefsB.CurDefs_SymAllLanguages
09:52:36.070398 		Result Code: 0x00010000
09:52:36.070441 		Result Message: OK
09:52:36.070473 	[Component Result - END]
09:52:36.070506 [Session Results - END]
09:52:36.070535 [Session Summary - START]
09:52:36.070564 	Components: 1
09:52:36.070593 	Packages:   0
09:52:36.070621 	Success:    0
09:52:36.070650 	Fail:       0
09:52:36.070678 [Session Summary - END]
09:52:36.070707 ********************************************************************************
09:52:36.070751 Session ended at Tue 2019/11/19 09:52:36 (UTC -0700)
09:52:36.070780 ********************************************************************************

A packet capture shows TLS handshake failures:

366 2019-11-20 02:42:09.432254 [redacted] TLSv1.2 73 Alert (Level: Fatal, Description: Unknown CA)
367 2019-11-20 02:42:09.433328 [redacted] TCP 66 44586 → 443 [RST, ACK] Seq=525 Ack=2989 Win=23168 Len=0 TSval=692560266 TSecr=1183270133

Environment

Supported Linux operating systems.

No proxy server configured or involved in the network connection out to Symantec LiveUpdate servers.

Cause

This occurs when SEP does not have the LiveUpdate site's issuer certificate in its store (/etc/symantec/sep/sepfl.pem), or when that store is missing. SEP should trust the default HTTPS update URL (https://liveupdate.symantecliveupdate.com). If you are using SSL interception or an internal HTTPS LiveUpdate Administrator (LUA) server, SEP will see a different site certificate.
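
A triage example for the cause described above, added here and not part of Symantec's tooling: it pulls the unselected servers out of lux.log, checks the state of the store, and repeats the handshake trusting only that store. The function names and the use of Python 3.7+ are assumptions; the log excerpt is taken from the lux.log shown earlier.

```python
import os, re, socket, ssl

STORE = "/etc/symantec/sep/sepfl.pem"  # trust store path named in the article
BLOCK = re.compile(r"\[Server - START\](.*?)\[Server - END\]", re.S)
FIELD = re.compile(r"^\S+[ \t]+([^:\n]+):[ \t]*(.*?)[ \t]*$", re.M)

# Excerpt of the Server Selection block from the lux.log above.
SAMPLE = """\
09:52:36.063701 \t[Server - START]
09:52:36.063811 \t\tStatus Message: Server was not selected
09:52:36.063850 \t\tTransport Return Code: 0x80010731
09:52:36.063909 \t\tProtocol: HTTPS
09:52:36.063937 \t\tHostname: liveupdate.symantecliveupdate.com
09:52:36.064176 \t[Server - END]
"""

def failed_servers(lux_text):
    """Return one dict of fields per [Server] block that LUX did not select."""
    servers = [dict(FIELD.findall(b)) for b in BLOCK.findall(lux_text)]
    return [s for s in servers if s.get("Status Message") == "Server was not selected"]

def store_state(path=STORE):
    """Classify the store: 'missing', 'no-certs' or 'present'."""
    if not os.path.isfile(path):
        return "missing"
    with open(path, errors="replace") as fh:
        return "present" if "BEGIN CERTIFICATE" in fh.read() else "no-certs"

def probe(host, port=443, store=STORE, timeout=10):
    """Handshake that trusts only `store`; needs network access to `host`."""
    state = store_state(store)
    if state != "present":
        return state, ""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with no CAs loaded
    try:
        ctx.load_verify_locations(cafile=store)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "trusted", issuer.get("commonName", "")
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", exc.verify_message
    except OSError as exc:  # unreadable store, refused or timed-out connection
        return "error", str(exc)

if __name__ == "__main__":
    for srv in failed_servers(SAMPLE):
        print(srv["Hostname"], srv["Transport Return Code"], probe(srv["Hostname"]))
```

An `untrusted` result with a message such as "unable to get local issuer certificate" is the client-side view of the Unknown CA alert in the packet capture.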

Resolution

One of the following:

  • Check for the presence of /etc/symantec/sep/sepfl.pem and replace it with the attached file if it is missing.

  • Use an HTTP URL to connect to LiveUpdate (http://liveupdate.symantecliveupdate.com).

  • If updating from an internal LiveUpdate Administrator server, ensure a trusted certificate is installed when using HTTPS.  
    See: Replace LiveUpdate Administrator certificate for instructions.

Attachments

1597940293599__sepfl.pem