Endpoint Protection clients failing to register with Manager

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) clients are repeatedly attempting to register with Manager (SEPM), but are failing. The SEPM is repeatedly requesting clients to register again. The SEPM displays duplicate hardware IDs. The client online/offline status changes frequently, and client entries are overwritten by multiple clients with different host names, IP addresses, MAC addresses, and other identifying information.

Repeated in SEP sylink client-side logging:

%TIMESTAMP% %THREAD% SMS return=468 %TIMESTAMP% %THREAD% 468=>468 Request not allowed

In SEPM exsecars.log (ficticious IP addresses used here for illustration purposes):

###.###.###.### GetIndex 468.Reset CSN ... SendIndexFileToClient: ###.###.###.### GetIndex 412 Register again

In SEPM ersecreg.log, repeat registration requests for different IP addresses and ComputerName but the same HardwareKey (AKA Hardware ID or HWID):

###.###.###.###<AgentInfo DomainID="####" AgentType="105" UserDomain="####" LoginUser="####" ComputerDomain="####" ComputerName="####" PreferredGroup="####" PreferredMode="1" HardwareKey="####" SiteDomainName="####"/> AgentID=#### AgentType=105 ComputerID=#### Hash Key=####

###.###.###.###<AgentInfo DomainID="####" AgentType="105" UserDomain="####" LoginUser="####" ComputerDomain="####" ComputerName="####" PreferredGroup="####" PreferredMode="1" HardwareKey="####" SiteDomainName="####"/> AgentID=#### AgentType=105 ComputerID=#### Hash Key=####

NOTE: ###.###.###.### references an IP address in the logs

Environment

SEP 12.1, 14

Cause

This is caused by duplicate SEP Hardware IDs at clients.

Resolution

To resolve these symptoms, follow instructions in Symantec KB article "Repair duplicate hardware IDs at clients".