Symantec Endpoint Protection (SEP) clients are repeatedly attempting to register with Manager (SEPM), but are failing. The SEPM is repeatedly requesting clients to register again. The SEPM displays duplicate hardware IDs. The client online/offline status changes frequently, and client entries are overwritten by multiple clients with different host names, IP addresses, MAC addresses, and other identifying information.
Repeated in SEP sylink client-side logging:
%TIMESTAMP% %THREAD% SMS return=468
%TIMESTAMP% %THREAD% 468=>468 Request not allowed
In SEPM exsecars.log (ficticious IP addresses used here for illustration purposes):
###.###.###.###
GetIndex 468.Reset CSN
...
SendIndexFileToClient: ###.###.###.###GetIndex 412 Register again
In SEPM ersecreg.log, repeat registration requests for different IP addresses and ComputerName but the same HardwareKey (AKA Hardware ID or HWID):
###.###.###.###
<AgentInfo DomainID="####
" AgentType="105" UserDomain="####
" LoginUser="####
" ComputerDomain="####
" ComputerName="####
" PreferredGroup="####
" PreferredMode="1" HardwareKey="####
" SiteDomainName="####
"/> AgentID=####
AgentType=105 ComputerID=####
Hash Key=####
###.###.###.###
<AgentInfo DomainID="####
" AgentType="105" UserDomain="####
" LoginUser="
####
" ComputerDomain="####
" ComputerName="####
" PreferredGroup="####
" PreferredMode="1" HardwareKey="####
" SiteDomainName="####
"/> AgentID=####
AgentType=105 ComputerID=####
Hash Key=####
###.###.###.###
<AgentInfo DomainID="####
" AgentType="105" UserDomain="####
" LoginUser="
####
" ComputerDomain="####
" ComputerName="####
" PreferredGroup="####
" PreferredMode="1" HardwareKey="####
" SiteDomainName="####
"/> AgentID=####
AgentType=105 ComputerID=####
Hash Key=####
###.###.###.###
<AgentInfo DomainID="####" AgentType="105" UserDomain="####
" LoginUser="
####
" ComputerDomain="####
" ComputerName="####
" PreferredGroup="####
" PreferredMode="1" HardwareKey="####
" SiteDomainName="####
"/> AgentID=####
AgentType=105 ComputerID=####
Hash Key=####
NOTE: ###.
###.
###.
### references an IP address in the logs
SEP 12.1, 14
This is caused by duplicate SEP Hardware IDs at clients.
To resolve these symptoms, follow instructions in Symantec KB article "Repair duplicate hardware IDs at clients".