Warnings in the Symantec Management Platform (SMP) logs report a failed validation of a certificate from the IP address of the Symantec Management Gateway server for Cloud Enabled Management (CEM) agents.
Agents that should be connecting by CEM are failing.
Note: Details in "<"...">" are individual to the environment and the computer that is failing to connect.
Failed validation of certificate from <CEM Gateway IP Address> : Thumbprint ' <Certificate thumbprint> ' Serial ' <Certificate Serial number> ' Issuer 'CN=<FQDN of SMP server> Agent CA' Subject 'CN=<FQDN of Agent computer failing>'
CEM agent communications require a client side certificate to authenticate their identity with the SMP server when communicating through the CEM Gateway.
On the affected agents, this certificate fails to validate with IIS when the agent tries to connect.
This usually affects only a few endpoints, although in one instance as many as 20% of the CEM machines were affected after an NS upgrade. Each endpoint can generate several of these warnings in a matter of seconds as it tries to communicate with the SMP, so the NS logs quickly become flooded with these messages.
This is an internally created certificate and is not associated with the certificate that agents use to verify the SMP or CEM servers when they connect. This latter certificate is the one used when CEM was set up and may be Self-Signed or from a Third Party.
In one case, this error was caused by the client machine having its hostname changed while the Symantec Management Agent was installed. Since the SMP had no record of a client certificate with the new hostname, it could not be validated. The same solution applies.
The point fix for version 8.1 RU2 is attached to this article (please read the release notes carefully for installation instructions). The fix will also be included in 8.1 RU3 and newer versions.
WORKAROUND - for older versions:
Determine which computers are affected
1 Using the SMP log viewer, open Options > Log Options
2 Remove the check next to the number of log files to view, and check the box next to the number of days and set the number of days to 3
3 Click OK
4 Select Options > Filters to open the filters interface
5 In the include section add 'Failed validation of certificate from' without the quotes and click apply
6 Select the first warning and take note of the FQDN of one of the computers with the issue in the details panel
7 In the logs filter interface add the FQDN to the Exclusions section and click apply
8 Repeat step 4 until the logs are empty
9 The list of computers in the filter exclusions is the list of computers that are affected.
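The de-duplication done by hand in steps 6 to 9 can also be run over log text. The following is an added example, not part of the original article or of any Symantec tooling; it assumes the warnings are available as plain text lines in the message format quoted above, and the sample lines, host names, IP address and thumbprints are constructed.

```python
import re

# Message layout as quoted in this article; extra spaces inside the quotes are tolerated.
WARNING_RE = re.compile(
    r"Failed validation of certificate from\s+(?P<gateway>\S+)\s*:\s*"
    r"Thumbprint\s+'\s*(?P<thumbprint>[^']*?)\s*'\s+"
    r"Serial\s+'\s*(?P<serial>[^']*?)\s*'\s+"
    r"Issuer\s+'(?P<issuer>[^']*)'\s+"
    r"Subject\s+'CN=(?P<agent>[^',]+)"
)

def affected_agents(lines):
    """Group the warnings by agent FQDN (from the certificate Subject).

    Returns {fqdn: {"count": int, "thumbprints": set, "gateways": set}}.
    FQDNs are lower-cased so the same host is not listed twice.
    """
    agents = {}
    for line in lines:
        match = WARNING_RE.search(line)
        if match is None:
            continue  # unrelated log entry
        fqdn = match.group("agent").strip().lower()
        entry = agents.setdefault(
            fqdn, {"count": 0, "thumbprints": set(), "gateways": set()}
        )
        entry["count"] += 1
        entry["thumbprints"].add(match.group("thumbprint").upper())
        entry["gateways"].add(match.group("gateway"))
    return agents

# Constructed sample lines (not real log data).
SAMPLE_LOG = """\
Failed validation of certificate from 192.0.2.10 : Thumbprint ' AA11BB22 ' Serial ' 01A4 ' Issuer 'CN=smp.example.com Agent CA' Subject 'CN=pc-014.example.com'
Agent policy refresh completed
Failed validation of certificate from 192.0.2.10 : Thumbprint ' AA11BB22 ' Serial ' 01A4 ' Issuer 'CN=smp.example.com Agent CA' Subject 'CN=PC-014.example.com'
Failed validation of certificate from 192.0.2.10 : Thumbprint ' CC33DD44 ' Serial ' 02F7 ' Issuer 'CN=smp.example.com Agent CA' Subject 'CN=laptop-207.example.com'
"""

if __name__ == "__main__":
    found = affected_agents(SAMPLE_LOG.splitlines())
    # Noisiest agents first: these are the machines to reinstall the package on.
    for fqdn, info in sorted(found.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{fqdn}\t{info['count']} warnings\t{', '.join(sorted(info['thumbprints']))}")
```

An agent that appears with more than one thumbprint has presented different client certificates over the period covered by the logs.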
To correct the issue on these computers:
1 Open the CEM setup page in the SMP console. (Settings > Notification Server > Cloud-enabled Management > Setup > Cloud-enabled Management Setup)
2 Open the Symantec Management Agent Configuration tab.
3 Click on 'Generate and download Symantec Management Agent installation package'
4 Run this package executable on each of the identified agent computers