How to Troubleshoot High Bandwidth usage issues in Symantec Endpoint Protection 14.2 and newer
Article ID: 235297
Updated On:
Products
Issue/Introduction
You discover that your network bandwidth usage is greater than normal and suspect it is related to content and definition updates between Symantec Endpoint Protection (SEP) clients and the Symantec Endpoint Protection Manager (SEPM).
Resolution
The data to collect is from both the SEPM server and from some clients that are currently generating the network traffic in your environment.
Overview of log collection process:
Configure the SEPM to increase the log level detail
Gather debug logs and Symdiag output from sample affected clients
If using Group Update Providers (GUPs) gather debug logs from the GUP client
Collect the data from the SEPM after allowing the clients to reproduce issue
Disable debug logging on the SEPM and collect the data
Generate and export useful reports from the SEPM that illustrate recent activity and client-server interaction
Set the SEPM to log additional log detail.
On the SEPM perform the following actions to enable Secars and Secreg debugging (NOTE: If the SEP client is installed to the manager, Disable Tamper Protection):
Enabling SECARS and SECREG debugging for Endpoint Protection Manager
Collecting information from client side
These instructions need to be performed on an example set of the clients currently causing network issues.
- Perform these steps to enable CVE debugging on the affected client(s)
Configuring Endpoint Protection Communication Module Logging in 14.2 and later - Wait for several heartbeats to fully finish to capture what the clients are requesting and downloading
- Disable CVE Debug logging
- Run Symdiag to gather a full set of logs
If the client machines are also configured to use a GUP gather the following from the GUP(s) they are configured to use.
- Perform these steps to enable CVE debugging on the affected client(s)
Configuring Endpoint Protection Communication Module Logging in 14.2 and later - Wait for several heartbeats to fully finish to capture what the clients are requesting and downloading
- Disable CVE Debug logging
- Run Symdiag to gather a full set of logs
Collecting Information from the SEPM once the clients have finished reproducing issue:
On the SEPM, run the Symdiag tool to gather the logs.
After that, disable SECARS and SECREG debugging.
It will also be useful to generate the Server Activity, Client-Server Activity and Client Activity reports from the SEPM to provide a high-level overview of recent actions.
At this point you should be able to zip up all of the collected information (logs, diagnostics and reports) together for submission to Symantec Technical Support for review.
Applies To
Sudden decrease in performance in network segments
Slower link segments completely saturated for example WAN
Abnormal network usage increase
Feedback
