Symantec Integrated DHCP Enforcer quarantines machines even though they pass the Host Integrity check.

Article ID: 178060

Products

Network Access Control

Issue/Introduction

Machines have the Symantec Endpoint Protection (SEP) client or the Symantec Network Access Control (SNAC) client installed and are configured to obtain an IP address from a DHCP server. The Host Integrity (HI) check passes on them, but the Symantec Integrated DHCP Enforcer (also known as the DHCP plug-in) still puts the machines into quarantine.

 

  • Depending on the version, the DHCP plug-in's client log shows "Symantec Agent is not running or running an incompatible version" or "The Symantec client is not currently connected. We will automatically retry the connection and update the status if successful".
  • The SNAC process may crash at random with the error pop-up "Symantec Network Access Control has encountered a problem and needs to close...".
  • An event similar to the following is also logged in the Windows application event log when the SNAC process crashes.

--------------------------------------------------------

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date:  9/29/2010
Time:  12:09:36 PM
User:  N/A
Computer: <machine-name>
Description:
Faulting application SNAC.EXE, version 11.0.5002.267, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

-----------------------------------------------------------


 

Cause

The DHCP plug-in must be able to contact the SEP or SNAC client on UDP/39999 whether or not the client is in quarantine. This issue can occur when a quarantined client cannot respond to the DHCP plug-in's detect packet because no static route to the DHCP server is configured for the DHCP quarantine user class.

 

Resolution

If Automatic Quarantine Configuration is used in the Enforcer Console, add the IP address of the DHCP server to the list of IP addresses that are reachable when a system is in quarantine.

When manually configuring the Quarantine user class, add a static route to the DHCP server in Static Route Option (033) for the Quarantine user class.
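
To verify the manual configuration, the options returned to a quarantined client can be inspected for a Static Route option (033) entry that points at the DHCP server. The following is an added example, not Symantec code: it decodes option 33 as defined in RFC 2132 from a DHCP options field and reports whether a host route to the server is present. The function names and the sample bytes (192.0.2.0/24 documentation addresses) are constructed for illustration.

```python
import ipaddress

STATIC_ROUTE = 33  # RFC 2132 Static Route option: (destination, router) pairs

def find_option(options: bytes, code: int):
    """Walk a DHCP options field (bytes after the magic cookie); return payload or None."""
    i = 0
    while i < len(options):
        tag = options[i]
        if tag == 0:        # pad option, single byte
            i += 1
            continue
        if tag == 255:      # end option
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if tag == code:
            return value
        i += 2 + length
    return None

def parse_static_routes(payload: bytes):
    """Decode option 33 into [(destination, router), ...]."""
    if not payload or len(payload) % 8:
        raise ValueError("option 33 length must be a non-zero multiple of 8")
    routes = []
    for off in range(0, len(payload), 8):
        dest = ipaddress.IPv4Address(payload[off:off + 4])
        router = ipaddress.IPv4Address(payload[off + 4:off + 8])
        if int(dest) == 0:
            raise ValueError("0.0.0.0 is not a legal option 33 destination")
        routes.append((dest, router))
    return routes

def lease_routes_to_server(options: bytes, dhcp_server: str) -> bool:
    """True if option 33 carries a host route whose destination is the DHCP server."""
    payload = find_option(options, STATIC_ROUTE)
    if payload is None:
        return False
    target = ipaddress.IPv4Address(dhcp_server)
    # Only exact host routes are matched; classful network routes are not evaluated.
    return any(dest == target for dest, _ in parse_static_routes(payload))

# Constructed option fields (192.0.2.0/24 documentation addresses), not captured traffic.
WITH_ROUTE = bytes([53, 1, 2, 54, 4, 192, 0, 2, 10, 33, 8, 192, 0, 2, 10, 192, 0, 2, 1, 255])
WITHOUT_ROUTE = bytes([53, 1, 2, 54, 4, 192, 0, 2, 10, 255])
```

A quarantine-class lease for which `lease_routes_to_server` returns `False` matches the cause described above: the client has no route back to the DHCP server while in quarantine.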