Endpoint Protection clients for Linux disappear from Endpoint Protection Manager after a couple of heartbeat intervals

Article ID: 254489

Products

Endpoint Protection

Issue/Introduction

A Symantec Endpoint Client [SEP] reporting to the Symantec Endpoint Protection Manager [SEPM] is deleted from the console after a couple of heartbeat intervals.

Environment

SEPM and SEP client version 14.X

Cause

The virtual machines [VMs] were deployed from the same snapshot, which contains the Linux operating system along with the SEP client. As a result, the SEP clients report with duplicate "Hardware Key", "Agent ID" and "MAC address" values:

<SSARegData NameSpace="rpc"><AgentInfo DomainID="08968B7D0A6C2D6C00F9CCBE62D49C7F" AgentType="105" AgentID="7367736D0A620B4635C6BD47DEC5D17D" HardwareKey="559A2345C1C0DEEF2B22CD47C4880026" UserDomain="root" LoginUser="root" ComputerDomain="xxxxxxxx" ComputerName="xxxx" PreferredGroup="My Company\Default Group" SiteDomainName="" AgentPlatform=""/><SSAHostInfo><NetworkIdentity UserDomain="root" LogonUser="root" HostDomain="xxxxxxxxxx" HostName="<xyzxyz>" HostDesc="Symantec SVA"/><SSAProduct Version="14.0.3876.1100"/><SSAOS Type="553648128" Version="" Desc="Linux" Kernel="4.18.0-372.9.1.el8.x86_64" ServicePack="" OsBitType="x64"/><Processor ProcessorClock="2593" ProcessorNum="2" ProcessorType="Intel(R) Xeon(R) Gold 6240 CPU @ 2.60GHz"/><Memory Size="3913031680" Free="285929472"/><BIOS Version="6.00" SerialNumber="VMware-42 11 0f 09 9a 79 92 79-0a 7e c4 d1 db 07 f6 93" Manufacturer="Phoenix Technologies LTD" UUID="57 06 05 00 FF FB 8B 0F"/><Motherboard Manufacturer="Intel Corporation"/><DNSs><DNS Address="xxxxxx"/><DNS Address="xxxxxxxx1"/></DNSs><SSAUTC Bias="-330"/><SSANICs><SSANIC Ip="xxxxxxx" Mac="00:50:56:91:92:83" Gateway="xxxxxx" SubnetMask="255.255.255.0"/></SSANICs></SSAHostInfo></SSARegData>

09/07 15:55:20 [32644:28104] CHttpReg::ParseData.. Parsed values => s_origin_length (m_iRegDataLen)=1383 sygate-ssn (m_dwCSN)=59015 s_session_id (m_sSessionID)=E0391FC11A454F8C301D9D6275C1D65C sDataForwared = <?xml version="1.0" encoding="UTF-8"?>
<SSARegData NameSpace="rpc"><AgentInfo DomainID="08968B7D0A6C2D6C00F9CCBE62D49C7F" AgentType="105" AgentID="7367736D0A620B4635C6BD47DEC5D17D" HardwareKey="559A2345C1C0DEEF2B22CD47C4880026" UserDomain="root" LoginUser="root" ComputerDomain="xxxxxxx" ComputerName="xxxxxxxx" PreferredGroup="My Company\Default Group" SiteDomainName="" AgentPlatform=""/><SSAHostInfo><NetworkIdentity UserDomain="root" LogonUser="root" HostDomain="xxxxxxxxx" HostName="<abcabc>" HostDesc="Symantec SVA"/><SSAProduct Version="14.0.3876.1100"/><SSAOS Type="553648128" Version="" Desc="Linux" Kernel="4.18.0-372.9.1.el8.x86_64" ServicePack="" OsBitType="x64"/><Processor ProcessorClock="2593" ProcessorNum="2" ProcessorType="Intel(R) Xeon(R) Gold 6240 CPU @ 2.60GHz"/><Memory Size="8140886016" Free="1052176384"/><BIOS Version="6.00" SerialNumber="VMware-42 11 ca d1 1d d4 a7 a4-7b 10 cf 30 ff 67 f1 c6" Manufacturer="Phoenix Technologies LTD" UUID="57 06 05 00 FF FB 8B 0F"/><Motherboard Manufacturer="Intel Corporation"/><DNSs><DNS Address="xxxxxxxx"/><DNS Address="xxxxxxxx"/></DNSs><SSAUTC Bias="-330"/><SSANICs><SSANIC Ip="xxxxxxxxxx" Mac="00:50:56:91:92:83" Gateway="xxxxxxxxx" SubnetMask="255.255.255.0"/></SSANICs></SSAHostInfo></SSARegData>

By product design, the Hardware Key is calculated as the MD5 hash of the first NIC's MAC address, so VMs with the same MAC address generate a duplicate Hardware Key for the SEP client.
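To confirm this cause from captured registration data, group the records by HardwareKey and flag any key that arrives with more than one BIOS SerialNumber. The Python below is an added example, not Broadcom's or the product's own tooling. Its function names and trimmed sample records are assumptions, as is the use of the BIOS serial to tell machines apart; it extracts attributes with regular expressions because the redacted HostName values contain raw angle brackets that an XML parser would reject.

```python
import re
from collections import defaultdict

# Constructed sample: records trimmed to the attributes used here. The first
# two reuse values from the records above; the third is entirely made up.
SAMPLE_LOG = '''\
<SSARegData NameSpace="rpc"><AgentInfo AgentID="7367736D0A620B4635C6BD47DEC5D17D" HardwareKey="559A2345C1C0DEEF2B22CD47C4880026"/><SSAHostInfo><NetworkIdentity HostName="<xyzxyz>"/><BIOS SerialNumber="VMware-42 11 0f 09 9a 79 92 79-0a 7e c4 d1 db 07 f6 93"/><SSANICs><SSANIC Mac="00:50:56:91:92:83"/></SSANICs></SSAHostInfo></SSARegData>
09/07 15:55:20 [32644:28104] CHttpReg::ParseData.. sDataForwared = <?xml version="1.0" encoding="UTF-8"?>
<SSARegData NameSpace="rpc"><AgentInfo AgentID="7367736D0A620B4635C6BD47DEC5D17D" HardwareKey="559A2345C1C0DEEF2B22CD47C4880026"/><SSAHostInfo><NetworkIdentity HostName="<abcabc>"/><BIOS SerialNumber="VMware-42 11 ca d1 1d d4 a7 a4-7b 10 cf 30 ff 67 f1 c6"/><SSANICs><SSANIC Mac="00:50:56:91:92:83"/></SSANICs></SSAHostInfo></SSARegData>
<SSARegData NameSpace="rpc"><AgentInfo AgentID="FEDCBA9876543210FEDCBA9876543210" HardwareKey="0123456789ABCDEF0123456789ABCDEF"/><SSAHostInfo><NetworkIdentity HostName="unique-host"/><BIOS SerialNumber="VMware-constructed-serial"/><SSANICs><SSANIC Mac="00:50:56:00:00:01"/></SSANICs></SSAHostInfo></SSARegData>
'''

def attr(record, element, name):
    """Return attribute `name` of the first `element` tag, or None."""
    m = re.search(r'<%s\b[^>]*?\b%s="([^"]*)"' % (element, name), record)
    return m.group(1) if m else None

def parse_registrations(text):
    """Yield one dict per SSARegData record found anywhere in the text."""
    for rec in re.findall(r'<SSARegData\b.*?</SSARegData>', text, re.S):
        yield {
            "hardware_key": attr(rec, "AgentInfo", "HardwareKey"),
            "agent_id": attr(rec, "AgentInfo", "AgentID"),
            "host_name": attr(rec, "NetworkIdentity", "HostName"),
            "bios_serial": attr(rec, "BIOS", "SerialNumber"),
            "mac": attr(rec, "SSANIC", "Mac"),  # first NIC only
        }

def find_cloned_agents(text):
    """Map each HardwareKey seen with >1 BIOS serial to its registrations."""
    by_key = defaultdict(list)
    for reg in parse_registrations(text):
        if reg["hardware_key"] and reg["bios_serial"]:
            by_key[reg["hardware_key"]].append(reg)
    # Assumption: a differing BIOS serial means a different machine.
    return {key: regs for key, regs in by_key.items()
            if len({r["bios_serial"] for r in regs}) > 1}

if __name__ == "__main__":
    for key, regs in find_cloned_agents(SAMPLE_LOG).items():
        print("HardwareKey", key, "shared by", len(regs), "machines:")
        for r in regs:
            print("  ", r["host_name"], r["mac"], r["bios_serial"])
```

Any key it reports identifies a set of machines that the manager sees as a single client; those are the VMs that need a unique MAC address and a client reinstall.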

Resolution

Steps:

  • Update the MAC address of each VM deployed from the same VM snapshot to a unique value.
  • Reinstall the SEP client.