Cannot add Endpoint Protection Manager to Endpoint Detection and Response



Article ID: 224470


Products

Endpoint Detection and Response, Endpoint Protection

Issue/Introduction

Cannot add Endpoint Protection Manager (SEPM) to Endpoint Detection and Response (SEDR); the error message is: "Failed to configure SEPM controller connection"

In atpapp.error.log you see:

2021-09-20 06:28:30,293 ERROR http-nio-<hostname>.1-8010-exec-2 (CentralManagerServiceImpl.java:validateSepm:5071) Error when trying to connect to SEPM. Exception : name=ERROR_SERVICE_UNAVAILABLE, description=Can't get response from SEPM Server
com.symantec.atp.central_manager.rmi.exception.SepmCommunicationException: name=ERROR_SERVICE_UNAVAILABLE, description=Can't get response from SEPM Server

central_manager.log:

2021-09-20 06:28:30,286 INFO RMI TCP Connection(16714)-<hostname> (SepmRestApi.java:simpleRequest:441) Updating Sepm connection health for request [https://<hostname>:8446/sepm/api/v1/identity/authenticate]
2021-09-20 06:28:30,287 INFO RMI TCP Connection(16714)-<hostname> (SepmRestApi.java:updateConnectionStatus:500) Update Status for Server : <SEPMURL> Domain : <SEPMDOMAIN> with status code: 503
2021-09-20 06:28:30,287 ERROR RMI TCP Connection(16714)-<hostname> (SepmCommunicationMgrImpl.java:validateSepm:2514) Failed to connect to SEPM. Most probably because of bad/invalid certificate
2021-09-20 06:28:30,291 ERROR RMI TCP Connection(16714)-<hostname> (SepmCommunicatorRemoteImpl.java:validateSepm:895) Error when trying to connect to SEPM. Exception : name=ERROR_SERVICE_UNAVAILABLE, description=Can't get response from SEPM Server
2021-09-20 06:28:36,818 INFO RMI TCP Connection(16714)-<hostname> (SepmRestApi.java:updateRequestUrl:331) failed to get resolved address for SEPM controller [0], requestUrl: [https://<SEPMURL>:8446/sepm/api/v1/version]
2021-09-20 06:28:36,847 INFO RMI TCP Connection(16714)-<hostname> (SepmRestApi.java:updateConnectionStatus:500) Update Status for Server : <SEPMURL> Domain : <SEPMDOMAIN> with status code: 200
2021-09-20 06:28:36,850 INFO RMI TCP Connection(16714)-<hostname> (SepmRestApi.java:updateRequestUrl:331) failed to get resolved address for SEPM controller [0], requestUrl: [SEPMURL:8446/sepm/api/v1/identity/authenticate]

....

2025-11-10 10:04:26,875 ERROR RMI TCP Connection(209137)-127.0.0.1 (SepmRestApi.java:simpleRequest:440) Failed to get a response from the requested SEPM. Exception details : javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=xxxx.com, OU=ESG, O=Broadcom Inc, L=San Jose, ST=CA, C=US
javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: XXX.COM, OU=ESG, O=Broadcom Inc, L=San Jose, ST=CA, C=US

Cause

  • The SEPM can fail to respond to SEDR when it is too busy, when its service has failed, or when the SEPM certificate uses a 1024-bit key.
  • HTTP 503 Service Unavailable refers to the SEPM response; the message "Most probably because of bad/invalid certificate" is spurious in this case.
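As an added example (not part of this article or the product), a small Python triage script that applies the two causes above to constructed central_manager.log lines; the hostnames and certificate subject in the samples are placeholders, not values from this article.

```python
import re

# Constructed samples modelled on the central_manager.log lines quoted in this article.
# Hostnames and the certificate subject are placeholders (assumed, not from the page).
SAMPLE_503_LOG = """\
2021-09-20 06:28:30,287 INFO RMI TCP Connection(16714)-sedr01 (SepmRestApi.java:updateConnectionStatus:500) Update Status for Server : sepm01.example.com Domain : Default with status code: 503
2021-09-20 06:28:30,287 ERROR RMI TCP Connection(16714)-sedr01 (SepmCommunicationMgrImpl.java:validateSepm:2514) Failed to connect to SEPM. Most probably because of bad/invalid certificate
2021-09-20 06:28:36,847 INFO RMI TCP Connection(16714)-sedr01 (SepmRestApi.java:updateConnectionStatus:500) Update Status for Server : sepm01.example.com Domain : Default with status code: 200
"""
SAMPLE_KEYSIZE_LOG = """\
2025-11-10 10:04:26,875 ERROR RMI TCP Connection(209137)-127.0.0.1 (SepmRestApi.java:simpleRequest:440) Failed to get a response from the requested SEPM. Exception details : javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=sepm01.example.com, O=Example
"""

STATUS_RE = re.compile(r"Update Status for Server : (?P<server>\S+) .* with status code: (?P<code>\d{3})")
KEYSIZE_RE = re.compile(r"keysize limits: (?P<alg>\w+) (?P<bits>\d+) bit key used with certificate: (?P<subject>.+)$")
SPURIOUS_MSG = "Most probably because of bad/invalid certificate"


def triage_sepm_log(log_text, min_rsa_bits=2048):
    """Map SEDR log lines to the causes in this article: weak certificate key or SEPM unavailable (503)."""
    status_codes, weak_keys, spurious = [], [], 0
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            status_codes.append((m.group("server"), int(m.group("code"))))
            continue
        m = KEYSIZE_RE.search(line)
        if m and m.group("alg") == "RSA" and int(m.group("bits")) < min_rsa_bits:
            weak_keys.append((int(m.group("bits")), m.group("subject")))
            continue
        if SPURIOUS_MSG in line:
            spurious += 1  # only meaningful together with the status code, see below
    unavailable = [server for server, code in status_codes if code == 503]
    if weak_keys:  # the handshake never completes, so this outranks any status code
        bits, subject = weak_keys[0]
        return {"cause": "weak_certificate_key", "evidence": f"RSA {bits}-bit key on {subject}",
                "next_step": f"Regenerate the SEPM certificate with a {min_rsa_bits}-bit key, then re-add the SEPM"}
    if unavailable:
        note = " (the 'bad/invalid certificate' line is spurious with a 503)" if spurious else ""
        return {"cause": "sepm_unavailable", "evidence": f"HTTP 503 from {unavailable[0]}{note}",
                "next_step": "Check the SEPM service and that port 8446 is LISTENING, then tcp_check from the EDR CLI"}
    return {"cause": "unknown", "evidence": "", "next_step": "Inspect atpapp.error.log and central_manager.log further"}


if __name__ == "__main__":
    for sample in (SAMPLE_503_LOG, SAMPLE_KEYSIZE_LOG):
        print(triage_sepm_log(sample))
```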

Resolution

The SEPM was unable to accept incoming web requests on the API port, preventing communication with EDR.

To confirm whether SEPM is up:

  1. On the cmd prompt of the machine where SEPM is installed, type: netstat -n | find ":8446"
  2. If "LISTENING" does not appear in the output, start looking at the health of the SEPM service.
  3. If "LISTENING" appears, on the admin CLI of the EDR appliance, type: tcp_connect -t IP_OF_SEPM -p 8446 or tcp_check -t <SEPM ip> -p 8446
  4. If the output from tcp_check -t does not include the keyword "CONNECT", focus on network troubleshooting between EDR and SEPM.
  5. If the output from tcp_check -t does not appear to connect, check the cryptography for the connection by typing: tcp_connect -s <SEPM ip> -p 8446 -vvv

The resolution depends on the environmental cause; however, restarting the services or the entire SEPM has resolved this issue in the short term.

Note: Also verify that the SEPM certificate uses a 2048-bit key.

Additional Information

Generate a new certificate from SEPM using the following option; the newly generated certificate uses a 2048-bit key.

Also follow Updating the server certificate on the management server without breaking communications with the client, so that generating the new certificate does not break agent-server communication.