SEP clients do not communicate with SEPM: 400 - Bad Request in Sylink log


Article ID: 151408


Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) clients do not maintain communication with the Symantec Endpoint Protection Manager (SEPM) and do not get content updates.

Symptoms
SEP clients register with the SEPM and are listed in the console correctly, but they do not maintain communication with the manager and do not get content updates. The Sylink log from an affected client shows "400 - Bad Request" when the client tries to access Secars. The client communicates with the manager and displays a green dot briefly, then stops communicating on subsequent heartbeats.

07/12 17:39:07 [2352] http://{customer's SEPM FQDN}:8014/secars/secars.dll?h=1B2F74
07/12 17:39:07 [2352] 17:39:7=>Send HTTP REQUEST
07/12 17:39:07 [2352] 17:39:7=>HTTP REQUEST sent
07/12 17:39:07 [2352] Send Request failed.. Error Code = 12007
07/12 17:39:07 [2352] 12007=>The Server name could not be resolved.
07/12 17:39:07 [2352] Send Request failed.. Error Code = 12007
07/12 17:39:07 [2352] 12007=>

07/12 17:39:07 [2352] http://{customer's SEPM ip address}:8014/secars/secars.dll?h=1B
07/12 17:39:07 [2352] 17:39:7=>Send HTTP REQUEST
07/12 17:39:07 [2352] 17:39:7=>HTTP REQUEST sent
07/12 17:39:07 [2352] SMS return=400
07/12 17:39:07 [2352] 400=>400 Bad Request
07/12 17:39:07 [2352] HTTP returns status code=400
07/12 17:39:07 [2352] RECEIVE STAGE COMPLETED
07/12 17:39:07 [2352] COMPLETED
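
A triage script for the log pattern above, added here as an example; it is not Symantec or Broadcom code. It assumes the line layout shown in the excerpt, and the host name, IP address and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the layout of the Sylink excerpt; host and IP are placeholders.
SAMPLE_LOG = """\
07/12 17:39:07 [2352] http://sepm.example.test:8014/secars/secars.dll?h=1B2F74
07/12 17:39:07 [2352] 17:39:7=>Send HTTP REQUEST
07/12 17:39:07 [2352] Send Request failed.. Error Code = 12007
07/12 17:39:07 [2352] 12007=>The Server name could not be resolved.
07/12 17:39:07 [2352] http://192.0.2.10:8014/secars/secars.dll?h=1B
07/12 17:39:07 [2352] 17:39:7=>HTTP REQUEST sent
07/12 17:39:07 [2352] SMS return=400
07/12 17:39:07 [2352] HTTP returns status code=400
"""

LINE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\d+)\] (.*)$")
SEND_ERROR = re.compile(r"Send Request failed\.\. Error Code = (\d+)")
HTTP_STATUS = re.compile(r"HTTP returns status code=(\d+)")

def parse_sylink(text):
    """Return one (timestamp, host, kind, code) tuple per logged request outcome."""
    current = {}    # thread id -> host of the request that thread last issued
    outcomes = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, tid, msg = m.groups()
        if msg.startswith(("http://", "https://")):
            current[tid] = urlsplit(msg).hostname
            continue
        for kind, rx in (("send_error", SEND_ERROR), ("http_status", HTTP_STATUS)):
            hit = rx.search(msg)
            if hit:
                outcomes.append((stamp, current.get(tid), kind, int(hit.group(1))))
    return outcomes

def triage(outcomes):
    """Separate the two failure modes visible in the excerpt, one finding per host."""
    findings = set()
    for _, host, kind, code in outcomes:
        if kind == "send_error" and code == 12007:
            findings.add(f"{host}: name not resolved, so no request reached the manager")
        elif kind == "http_status" and code == 400:
            findings.add(f"{host}: web server answered 400; review request filters such as UrlScan")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(triage(parse_sylink(SAMPLE_LOG))))
```

A 400 returned for the IP-based URL means the request reached the manager's web server and was rejected there, which is a different fault from the 12007 name-resolution failure logged for the FQDN.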

Cause

The customer disabled Microsoft's UrlScan Filter v3.1, and the clients then communicated with the manager without error. UrlScan version 3.1 is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from reaching the server. This IIS plug-in was filtering the clients' communication and causing the problem.

Resolution

Solution 1: This problem is fixed in a previous Symantec Endpoint Protection release (pre SEP 14.x). For information on how to obtain the latest build of Symantec Endpoint Protection, read "Download Broadcom products and software". Please ensure that you are using a current version of Symantec Endpoint Protection.

Solution 2: Microsoft's UrlScan Filter may be restricting or blocking HTTP communication. Configure UrlScan Filter so that it does not interfere with client and manager communication, or disable it to allow communication.

Applies To

The customer's Symantec Endpoint Protection Manager had "Microsoft UrlScan Filter v3.1" installed. Please see the following link for a description of Microsoft UrlScan Filter:

https://learn.microsoft.com/en-us/iis/extensions/working-with-urlscan/urlscan-overview