Performance tuning for Endpoint Protection Manager

book

Article ID: 151550

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

The default configuration of the Symantec Endpoint Protection Manager (SEPM) is designed to minimize the memory and disk-space footprint. However, in larger organizations which may be leveraging multiple groups and/or replicated sites, the default settings may cause the system to under-perform or may generate error messages.

 

When the current maximum amount of Java heap space is insufficient, you may experience the following errors or symptoms:

  • When you launch the SEPM you see the error, "Could not create the Java virtual machine," and the SEPM service "semsrv" may not start successfully.
  • The following errors may be logged repeatedly in the scm-server-0.log and scm-server-1.log log files:

    ATTENTION: Server side cache reached high water mark.
    INFO: Server side cache reached high water mark.
    java.lang.OutOfMemoryError: Java heap space

     
  • Importing an extremely large MAC address list for the LAN Enforcer MAB Authentication may result in a Profile.xml of 0 KB in size.

Cause

The SEPM is a Java-based application, and consequently much of its performance will be related to the size of the Java Heap.

Modifying the settings that control the size of the Java Heap will improve the performance of a wide variety of the functions performed by the SEPM.

Resolution

Increase the the Java heap space assigned to the SEPM service and consoles.

Symantec Endpoint Protection Manager Service

Note: Please backup the Registry before making the changes mentioned below.

  1. Stop the Symantec Endpoint Protection Manager service.
  2. Open the Registry Editor and navigate to: HKLM\System\CurrentControlSet\Services\semsrv\Parameters\.
  3. Set the following four registry values:
    1. JVM Option Number 0=-Xms512m
    2. JVM Option Number 1=-Xmx1024m
    3. JVM Option Number 2=-XX:MinHeapFreeRatio=40
    4. JVM Option Number 3=-XX:MaxHeapFreeRatio=70
  4. Start the Symantec Endpoint Protection Manager service.

Symantec Endpoint Protection Manager Local Java Console

Note: Before modifying the file below, please make a backup copy of the file.

  1. If open, close the Symantec Endpoint Protection Manager Local Java Console.
  2. Open sesm.bat in Notepad (default location: C:\Symantec\Symantec Endpoint Protection Manager\bin\sesm.bat).
  3. Change the following values (See Technical Information below for information regarding these values.):
    1. JVM Option Number 0=-Xms512m
    2. JVM Option Number 1=-Xmx1024m
    3. JVM Option Number 2=-XX:MinHeapFreeRatio=40
    4. JVM Option Number 3=-XX:MaxHeapFreeRatio=70
  4. Click File > Save.
  5. Open the Symantec Endpoint Protection Manager Local Java Console.

Symantec Endpoint Protection Manager Java Remote Console

How to modify the max-heap-size value for the downloaded JNLP file:

  1. Open a web browser and navigate to: http://<SEPM_IP_or_HOSTNAME>:9090.
  2. Download the Symantec Endpoint Protection Manager Java Remote Console by clicking the link underneath Symantec Endpoint Protection Manager Console.
  3. After the JNLP file has been downloaded, open it in Notepad.
  4. Find the variable max-heap-size (example: max-heap-size="512m").
  5. Decrease the specified amount of memory in max-heap-size (example: max-heap-size="256").
  6. Click File > Save.
  7. Close Notepad.
  8. Double-click the JNLP file to run the Symantec Endpoint Protection Manager Java Remote Console. If the problem is not solved, repeate steps 3 through 7 and decrease the specified amount of memory in max-heap-size again.

Note: The additional RAM will be allocated immediately following the service restart. You may see an immediate (but temporary) rise in disk and cpu activity as the page file size is increased. The max size varies from about 1200MB to 1400MB depending on OS and the state of the machine.

Technical information

The Heap Size for Symantec Endpoint Protection Manager is specified with two values, stored in the registry.

  • JVM Option 0 (-Xms) specifies the minimum size of the Java Heap
  • JVM Option 1 (-Xmx) specifies the maximum size of the Java Heap.

The application will automatically increase the size of the Java Heap as required until it encounters the configured maximum size.These values can be increased to better suit the available resources on the computer. Performance can be optimized by following the guidelines below:

The Java Heap minimum size must not be larger that the Java Heap maximum size.

If the working size of the Java Heap exceeds the available physical RAM, the computer will begin paging the Java Heap. This will dramatically increase Disk I/O and reduce the overall performance.

Note: Always allow for at least 256 MB to be allocated to the Operating System. For Example: On a computer with 1 GB of RAM, the maximum value for the Java Heap should not exceed 768 MB.

The value of MinHeapFreeRatio and MaxHeapFreeRatio modify garbage collection characteristics (the ratio of free space to live objects within the heap). The values specified in this document are the defaults for JVM and they provide a good mixture of performance and reliability.

Note: Example of "sesm.bat" in 12.1 RU5 (default installation on 64-bit server with enterprise size settings):

@start "SESM" "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre\bin\javaw.exe" –Xms512m –Xmx1024m -XX:MinHeapFreeRatio=40 -XX:MaxHeapFreeRatio=70 -Dscm.console.conf="C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties" -jar "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\scm\clientpkg\scm-ui.jar" 

For other examples of sesm.bat and parameters, see Replication fails with a Java error "GC overhead limit exceeded "

 

Attachments