Troubleshooting Web and Cloud Access Protection and Network Integrity Protection

  1. To collect Symantec Endpoint Security client logs
  2. On the user's device, open the Symantec Endpoint Security agent.
  3. In the navigation pane, select Settings.
  4. Set the Logging Level slider to the maximum.
  5. Under Support Information, use the Copy support information to clipboard option to copy all the support information and send it to Symantec Support.
    You also have the option to download the client logs as a .zip file to upload to a support case, or to send the .zip logs by email to your support team.
You can also find all the logs at the following locations:
  • Symantec Download Manager: C:\ProgramData\Symantec\FSD\CCDInstaller
  • Symantec Endpoint Security agent: %userprofile%\AppData\Local\Packages\SymantecCorporation.SymantecEndpointAgent_v68kp9n051hdp\LocalState\Logs
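
One way to gather both log locations into a single archive for a support case, as an added example that is not part of the Symantec documentation. The staging folder, the output file name and the Desktop destination are assumptions; the two source paths are the ones listed above.

```powershell
# Added example: stage and zip the two log folders named on this page.
$sources = [ordered]@{
    DownloadManager = 'C:\ProgramData\Symantec\FSD\CCDInstaller'
    Agent           = Join-Path $env:USERPROFILE 'AppData\Local\Packages\SymantecCorporation.SymantecEndpointAgent_v68kp9n051hdp\LocalState\Logs'
}
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$staging = Join-Path $env:TEMP "ses-logs-$stamp"   # hypothetical staging folder
$zipPath = Join-Path ([Environment]::GetFolderPath('Desktop')) "ses-logs-$env:COMPUTERNAME-$stamp.zip"

New-Item -ItemType Directory -Path $staging -Force | Out-Null
$skipped = @()
foreach ($name in $sources.Keys) {
    $src = $sources[$name]
    if (-not (Test-Path -LiteralPath $src)) {
        Write-Warning "$name log folder not found: $src"
        continue
    }
    # Copy file by file so one log held open by the agent does not abort the run.
    foreach ($file in Get-ChildItem -LiteralPath $src -Recurse -File) {
        $relative = $file.FullName.Substring($src.Length).TrimStart('\')
        $target   = Join-Path (Join-Path $staging $name) $relative
        New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
        try   { Copy-Item -LiteralPath $file.FullName -Destination $target -ErrorAction Stop }
        catch { $skipped += $file.FullName }
    }
}

if (Get-ChildItem -LiteralPath $staging -Recurse -File) {
    Compress-Archive -Path (Join-Path $staging '*') -DestinationPath $zipPath
    Write-Output "Log bundle written to $zipPath"
} else {
    Write-Warning 'No log files were found in either location.'
}
if ($skipped.Count -gt 0) {
    Write-Warning "Could not copy $($skipped.Count) file(s):"
    $skipped | ForEach-Object { Write-Warning "  $_" }
}
Remove-Item -LiteralPath $staging -Recurse -Force
```

Run it in the affected user's session, because the agent log path is under that user's profile.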

Troubleshooting common Symantec Endpoint Security agent issues

Troubleshooting Symantec Endpoint Security agent issues

Issue: Symantec Download Manager did not install Rogue Wi-Fi Protection & Network Integrity features even if the related option was selected during the installation package creation.
Resolution: This problem can happen due to:

Issue: Symantec Endpoint Security agent is installed but does not launch.
Resolution: If the Symantec Endpoint Security agent does not launch even if it appears to be installed, the agent activation process may have been interrupted due to the device restart.
Try the following solutions to fix this issue:
  • Reinstall the Symantec Endpoint Security agent.
  • Run the installation package again on the affected device.

Issue: Symantec Endpoint Security agent is installed but auto-enrollment failed.
Resolution: You can try these solutions:
  • Check the contents of the connect.dat file.
    Symantec Endpoint Security agent auto-enrolls after the Symantec Endpoint Security enrolls by using the information available in the connect.dat file that is located at: C:\programdata\Symantec.
    If the connect.dat file does not exist or has incorrect token or customer information, then Symantec Endpoint Security agent enrollment would fail.
    Symantec Endpoint Security agent regularly checks for changes to connect.dat and retries auto-enrollment. Enrollment failure reasons will be available in the Symantec Endpoint Security agent logs.

Issue: Problem in establishing Smart VPN connection.
Resolution: You can try these solutions:
  • Make sure that you have accepted the prompt to install the certificate. If the user denied the certificate installation, they are prompted to install it again in a few minutes.
  • If you installed the certificate but the device still does not connect to the Smart VPN, collect the logs and send them to Symantec Support.

Issue: The client shows the license status as "Not Entitled."
Resolution: Check whether the customer or domain with which you have registered the client has a valid license.

Issue: The client is not behaving as per the remediation settings that are configured in the Network Integrity policy.
Resolution: You can try these solutions:
  • On the Settings page, check the status of your license. If the license has expired, the client does not enforce the Network Integrity policy.
  • If your license is active, check the version of the policy that is entitled on the device. You can use the Refresh policy option to retrieve the latest policy from the server.

Issue: The client does not show a prompt for certificate installation.
Resolution: You can try these solutions:
  • On the Settings page of the client, set the Logging Level slider to the maximum.
  • Close and reopen the Symantec Endpoint Security agent.

Troubleshooting Symantec Endpoint Security agent installation, launch or update related failures

All the dependencies to install, launch or update the Symantec Endpoint Security agent are installed automatically. If you still encounter agent installation, launch, or update failures, check the following dependencies:
  • The Allow all trusted applications to install Group Policy setting is enabled. If the device is domain-joined, the Group Policy for sideloading should not restrict this setting.
  • Under Use developer features, the Sideload apps option is selected so that the agent update process can work properly. If the option is set to only install apps from Windows Store, you're prompted to change the setting to allow the update.
  • Internet is accessible from all the browsers that are installed on the device.
  • The device is not running on Windows 10 Long Term Servicing Channel (LTSC) editions as they don't have Microsoft Store.
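
A read-only preflight for the dependencies listed above, as an added example that is not part of the Symantec documentation. The registry paths, the EnterpriseS edition match for LTSC and the probe host are standard Windows details assumed here, not values from this page.

```powershell
# Added example: report each dependency from the list above without changing anything.
# Registry paths are standard Windows locations, not taken from the Symantec page.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}
function New-Check([string]$Check, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}
function Format-Value($Value) { if ($null -eq $Value) { 'not set' } else { "$Value" } }

$name    = 'AllowAllTrustedApps'
$policy  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx' $name
$local   = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock' $name
$edition = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'EditionID'
$store   = Get-AppxPackage -Name 'Microsoft.WindowsStore' -ErrorAction SilentlyContinue

# Assumption: a TCP 443 probe to a well-known host approximates "internet is accessible".
# It does not exercise each browser's proxy settings, so still test in the browsers.
$net = Test-NetConnection -ComputerName 'www.microsoft.com' -Port 443 `
           -InformationLevel Quiet -WarningAction SilentlyContinue

$checks = @(
    # A policy value of 0 means Group Policy explicitly blocks sideloading.
    New-Check 'Group Policy does not restrict trusted app installs' ($policy -ne 0) "policy value: $(Format-Value $policy)"
    # A local value of 0 means the device is set to Store apps only.
    New-Check 'Sideload apps is not turned off locally' ($local -ne 0) "local value: $(Format-Value $local)"
    # LTSC/LTSB editions report an EditionID containing EnterpriseS.
    New-Check 'Edition is not LTSC' ($edition -notmatch 'EnterpriseS') "EditionID: $(Format-Value $edition)"
    New-Check 'Microsoft Store package is present' ($null -ne $store) "version: $(Format-Value $store.Version)"
    New-Check 'Outbound HTTPS works' ([bool]$net) 'TCP 443 to www.microsoft.com'
)

$checks | Format-Table -AutoSize -Wrap
if ($checks.Ok -contains $false) {
    Write-Warning 'One or more dependencies need attention before reinstalling or updating the agent.'
}
```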

Troubleshooting Symantec Endpoint Security agent issues when the agent is integrated with Web Security Service (WSS)

Issue: On the Web Security Service Integration page, you get an error "The authentication token you provided is invalid."
Resolution: You can try these solutions:
  • On your WSS console, check that you have generated an Integration token for "Symantec Endpoint Suite".
  • Check that you have a valid "Mobile Security" product license.

Issue: The agent shows "The current network is already providing Web Security protection. VPN is not currently required."
Resolution: This message indicates that you're connected to a network that is specified in the Service > Network > Locations page of the WSS console.
In this case Symantec Endpoint Security does not try to establish the Smart VPN connection.

Issue: The Symantec Endpoint Security agent shows the message: "Your current network is preventing connection to the VPN."
Resolution: Your device is connected to a network that blocks VPN connections or there is a firewall which is blocking the UDP ports 500 and 4500.

Issue: The VPN does not disconnect the device from the network even if you uninstall the Symantec Endpoint Security agent.
Resolution: Restart the device so that the VPN connection is removed.

Issue: The Symantec Endpoint Security agent shows the message: "VPN connection cannot be established."
Resolution: You can try the following solutions:
  • Check for network connectivity.
  • Check whether firewall is blocking ports.
  • Check whether corporate network is preventing connections.

VPN messages for the Symantec Endpoint Security agent

State: VPN is connected
Message: Symantec's Smart VPN and Web Security Service are enabled to secure your network communication and ensure secure internet access.

State: VPN is unable to connect
Message: The current network is preventing connection to VPN.

State: VPN is connected in passive mode
Message: The current network is already providing Web Security protection. VPN is not currently required.

State: VPN certificate is missing
Message: Unable to retrieve VPN client certificate from server. Check Internet Connection.

State: VPN server list is missing
Message: Unable to retrieve VPN server location. Check Internet Connection.

VPN routing and remote error messages
Possible error messages include:
  • A certificate could not be found that can be used with the Extensible Authentication Protocol (EAP).
    To work around this issue, delete the existing client certificate and recreate it.
  • The network connection between your device and the VPN server could not be established because the remote server is not responding.
    This could be because one of the network devices (for example, firewalls, NAT, routers) between your computer and the remote server is not configured to allow VPN connections.
  • The remote access connection completed, but authentication failed because of an error in the certificate that the client uses to authenticate the server.
    This message is displayed when the Symantec Endpoint Security server rejects the client certificate.

Troubleshooting Traffic Redirection issues

Troubleshooting Web Traffic Redirection issues in the Traffic Redirection policy

Issue: Page redirects to WSS but shows an error that credentials are missing.
Resolution: This problem can occur if you have provided an invalid WSS token on the Endpoint > Settings > Web Security Service Integration page.
To resolve this issue, verify whether you have provided the correct token for the WSS integration.

Issue: PAC file could not be downloaded.
Resolution: This problem can occur if you have provided a wrong PAC file URL or your browser is preventing the file download.
To resolve this issue, check the PAC file URL that you are using in the Secure Cloud Access policy and verify whether the issue applies to all browsers.

Disabling Network Integrity and Traffic Redirection features
In certain scenarios you might want to disable the Network Integrity and the Traffic Redirection features for troubleshooting purposes. In this case you need to disable the Network Integrity policy and the Traffic Redirection policy.
For more information, see:
Secure Connection is now a part of the Symantec Endpoint Security agent and provides Rogue Wi-Fi Protection, Network Integrity, and Smart VPN capabilities.