The Symantec Endpoint Detection and Response (SEDR) User Interface (UI) reports "SEPM Connection token refresh failed; verify SEPM login credentials". The issue may resolve itself, but it will return within a couple of hours.
Another symptom was "Connection Error" in the recorder settings, under "Global Settings".
Central_Manager.log from the EDR device diagnostics contained an entry similar to the following:
2023-07-13 19:27:30,458 INFO RMI TCP Connection(190024)-127.0.0.1 (TokenRefreshManager.java:startRefreshTokenWithRetry:74) Starting refresh token with retry for server: 1
2023-07-13 19:27:30,460 INFO RMI TCP Connection(190024)-127.0.0.1 (SepmCommunicationMgrImpl.java:startRefreshToken:1178) Refreshing token for SEPM. Ip : 192.0.2.10 Domain : Default
2023-07-13 19:27:30,518 INFO RMI TCP Connection(190024)-127.0.0.1 (SepmRestApi.java:updateConnectionStatus:501) Update Status for Server : 192.0.2.10 Domain : Default with status code: 400
2023-07-13 19:27:30,525 INFO RMI TCP Connection(190024)-127.0.0.1 (SepmAuthenticator.java:refreshToken:240) Got SEPM authentication token refresh response
2023-07-13 19:27:30,525 ERROR RMI TCP Connection(190024)-127.0.0.1 (SepmAuthenticator.java:refreshToken:243) Failed to refresh token, response: InboundJaxrsResponse{ClientResponse{method=GET, uri=https://192.0.2.10:8446/sepm/oauth/token?refresh_token=<TOKEN_VALUE>&grant_type=refresh_token&client_id=<CLIENT_ID_VALUE>, status=400, reason=}}
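The Python example below is added here and is not part of the original article or of any Symantec tooling. It scans Central_Manager.log text for the "Failed to refresh token" entry shown above, reports the SEPM address, HTTP status and time between failures, and redacts the refresh_token and client_id query values before the lines are shared. The sample log, its token values and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the format of the Central_Manager.log excerpt above.
# The token and client id values are made up.
SAMPLE_LOG = """\
2023-07-13 19:27:30,518 INFO RMI TCP Connection(190024)-127.0.0.1 (SepmRestApi.java:updateConnectionStatus:501) Update Status for Server : 192.0.2.10 Domain : Default with status code: 400
2023-07-13 19:27:30,525 ERROR RMI TCP Connection(190024)-127.0.0.1 (SepmAuthenticator.java:refreshToken:243) Failed to refresh token, response: InboundJaxrsResponse{ClientResponse{method=GET, uri=https://192.0.2.10:8446/sepm/oauth/token?refresh_token=example-refresh-0001&grant_type=refresh_token&client_id=example-client-0001, status=400, reason=}}
2023-07-13 21:31:02,117 ERROR RMI TCP Connection(190031)-127.0.0.1 (SepmAuthenticator.java:refreshToken:243) Failed to refresh token, response: InboundJaxrsResponse{ClientResponse{method=GET, uri=https://192.0.2.10:8446/sepm/oauth/token?refresh_token=example-refresh-0002&grant_type=refresh_token&client_id=example-client-0001, status=400, reason=}}
"""

# ERROR entry written by SepmAuthenticator when the refresh request fails.
FAILURE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ERROR .*"
    r"Failed to refresh token, response: .*?uri=https://(?P<host>[^:/]+)"
    r"[^,]*, status=(?P<status>\d{3})"
)
# Values of the two credential-bearing query parameters in the logged URI.
# "grant_type=refresh_token" is left alone: there refresh_token is a value.
SECRET = re.compile(r"((?:refresh_token|client_id)=)[^&,\s}]+")


def redact(line):
    """Replace refresh_token and client_id values with a placeholder."""
    return SECRET.sub(r"\1<REDACTED>", line)


def find_refresh_failures(log_text):
    """Return one dict per failed token refresh, with the line redacted."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if m:
            failures.append({
                "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "sepm": m["host"],
                "status": int(m["status"]),
                "line": redact(line),
            })
    return failures


def recurrence_gaps(failures):
    """Time between consecutive failures (hours-scale vs. 60-day pattern)."""
    times = [f["time"] for f in failures]
    return [later - earlier for earlier, later in zip(times, times[1:])]


if __name__ == "__main__":
    found = find_refresh_failures(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["sepm"], f["status"])
    print("gaps:", [str(g) for g in recurrence_gaps(found)])
```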
The token used by SEDR to access the SEPM is not being refreshed properly.
Option 1 - Remove and refresh the SEPM token:
Option 2 - Remove the SEPM connection and configure a new connection:
If this symptom happens once every 60 days because the password for the SEPM account expired, changing the password reset interval within SEPM may be needed. See: