Troubleshooting communication problems between an Enforcer appliance and the Symantec Endpoint Protection Manager
If the Enforcers and the management server do not communicate, look at the following possible reasons and solutions.
Table: Troubleshooting communication problems between Enforcers and the management server
| Problem | Solution |
| --- | --- |
| Enforcer cannot register with the Symantec Endpoint Protection Manager | Check the management server configuration on the Enforcer using the command `configure show spm`. Make sure that you have configured the management server IP address, port number, and pre-shared secret correctly. The default port number is 8014. |
| | If the Enforcer type was re-configured or changed, delete the Enforcer group on the management server or move the Enforcer to a different group. For example, the Enforcer type might have changed from a Gateway Enforcer to a LAN Enforcer. |
| | The management server list for the Enforcer might contain a management server that the Enforcer cannot reach, or multiple interfaces of a management server. You might need to add a management server list with only one management server that can connect to the Enforcer. The management server must have one IP address. |
| Delay in connecting to the network through an Enforcer or the Gateway Enforcer appliance blocks clients | If you use a fail-open Enforcer, check the switch configuration. Make sure that PortFast is enabled on both ports to which the Enforcer connects. |
| Client disconnected events in the LAN Enforcer appliance's Client Log | If the clients frequently suspend and do not respond to re-authentication requests (802.1x EAP) from the switch, you may need to decrease the switch re-authentication timeout. |
| LAN Enforcer appliance does not switch clients to the correct VLAN | Check that the selected switch model in the configuration matches the switch in use. |
| | Check that the VLAN names exactly match what has been configured on the switch. |
| | Check that the action table's VLAN assignments are correct for the switch in the management server console. |
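
One way to carry out the VLAN-name check above, as an added example that is not Symantec code: it compares the VLAN names entered in the action table with the names parsed from the switch and flags near misses that differ only in case or separators. It assumes a Cisco IOS switch and `show vlan brief` output; the sample output, the VLAN names and the function names are constructed for illustration.

```python
import re

# Constructed sample of Cisco IOS `show vlan brief` output (assumed switch type).
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2
10   Quarantine                       active    Gi0/5
20   PRODUCTION                       active    Gi0/3, Gi0/4
30   Guest_Net                        active
"""

# Constructed VLAN names as they might be typed into the switch action table.
ACTION_TABLE_VLANS = ["Quarantine", "Production", "Guest Net", "Remediation"]


def parse_switch_vlans(text):
    """Return the VLAN names found in `show vlan brief` style output."""
    names = []
    for line in text.splitlines():
        # Data rows start with the VLAN ID, then the name, then the status.
        m = re.match(r"^(\d+)\s+(\S+)\s+(active|act/\S+|suspended)\b", line)
        if m:
            names.append(m.group(2))
    return names


def _loose(name):  # fold case, drop spaces/hyphens/underscores to spot near misses
    return re.sub(r"[\s_\-]+", "", name).lower()


def check_vlan_names(configured, switch_names):
    """Classify each configured name as 'exact', 'near-miss' or 'missing'."""
    exact = set(switch_names)
    loose = {_loose(n): n for n in switch_names}
    report = {}
    for name in configured:
        key = _loose(name)
        if name in exact:
            report[name] = ("exact", name)
        elif key in loose:
            report[name] = ("near-miss", loose[key])  # looks right, will not match
        else:
            report[name] = ("missing", None)
    return report


if __name__ == "__main__":
    result = check_vlan_names(ACTION_TABLE_VLANS, parse_switch_vlans(SHOW_VLAN_BRIEF))
    for name, (status, on_switch) in result.items():
        print(f"{name!r:16} {status:10} switch has: {on_switch!r}")
```

Any entry reported as near-miss or missing is a name that does not exactly match the switch configuration and should be corrected in the action table or on the switch.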