- Services that should be running automatically:
- Remote Registry service
- RPC service
- RPC locator service
- From the NS, ping the IS and vice versa.
- Can the update be deployed using the deploy tool located under the \\Sprotect directory?
- Does the STOP sign reflect in the console when the NS service has been stopped? This means that the NS can report to the IS.
- Open the following ports if there is a firewall in between the NS and IS: 139, 3000-3009, 5005-5014. Make sure that these additional ports are open:
For the NSsTCP: 135, 139, 443, 3628, 4899, 5168
UDP: 137, 138 , 139Important: TCP port 443 is being used by NS to communicate to IS. This is not a web server port in NS, it is by default used by NS.For the ISTCP: 135, 139, 443, 3628, 4899, 5168, 5005-5014
UDP: 137, 138 , 139, 3000-3009The management console uses port 3000 (UDP) to broadcast and search for the IS. Port 5005 (TCP) is used for communication between the management console as well as the IS. Ports 137 (UDP), 138 (UDP), and 139 (TCP) are used for the IS and NS communication.The following are additional TCP ports:- Management console listens at ports 1000-1009.
- IS listens at port 5005-5014 and at ports 3000-3009 for broadcasts.
- IS listens at 1921 and communicates at port 9921 for NetWare servers.
- RPC listens to ports 3628 and 5168.
If these ports are open, would you be able to TELNET these ports from IS to remote NS? - Check if the TCP/IP filtering is enabled on the remote NSs.
- Go to TCP/IP properties.
- Check Options to verify if this is enabled or disabled. If it is enabled, check if the ports are open.
- Edit the tmrpc.ini file to a value of 2.
Each time an RPC binding wants to be created from an RPC client to an RPC server, the client will read the [DefaultProtocol] section of the TmRPC.ini file (located in the ServerProtect home directory) and then get the RPC server's value.- If the value is 1, named pipe is used to connect.
- If the value is 2, TCP/IP is used to connect.
The TmRpc.ini file is used to record the communication protocol used in RPC
For example:[DefaultProtocol]
ServerA=1 // 1 means named pipe
ServerB=2 // 2 means TCP/IP - Check the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous=2 key. This issue occurs if the registry key has a value of 2.
- Do you have log files in your firewall that reflects the failed communication from the IS to the remote NS?
- Download the RPCTalk.zip file to verify the communication between IS and remote NS.
- Extract rpcread.exe in the root directory of the problematic NS.
- Extract rpcsend.exe in the root directory of the IS.
- From the NS, go to the command prompt and execute rpcread.exe.
- From the IS, go to the command prompt and execute rpcsend.exe.
- Type the IP address of the NS.
- Type test or any string that you want and press Enter.
- From the NS, verify that test or the string that you have typed was received.
- If the StUpdate.exe process exists in NS, kill it.
- Delete the AC_Up-Rb.tmp and AUSrc.tmp folders under the ServerProtect home directory of NS, then deploy again. These are temporary folders and if deploy fails, NS will keep these two.
- If the issue persists, send the following to Trend Micro Technical Support:
- The result of RPCtalk.
- The AUBin\Patchdmp.txt from the remote NS.
- The deploy log for the NS under the \Sprotect\AC_Up-Rb.tmp\temp\tmudump.txt.
- The firewall settings with screenshots of open ports in the firewall console.
- Run the ActiveSupport tool on the problem server to get the ActiveSupport log. This is just to get the Basic Product Information and there is no need to replicate the problem yet.
- The spnt.log on the registry.
- Open the regedit file and go to
HKEY_LOCAL_MACHINE\Software\TrendMicro\DebugLog\SPNT.
Note: Create this file if it does not exist. - Create or modify the String value HomeDirectory to the preferred complete path and filename for the log (ex. C:\spnt.log).
- Create or modify the DWORD value MethodMask to 0x00000002 (2).
- Create or modify the DWORD value ModuleMask to 0xFFFFFFFF (4294967295).
- Create or modify the DWORD value TypeMask to 0x00000003 (3).
- Close the registry editor.
Note: Make sure there is enough disk space on the target drive to hold the log. - Gather the SPNT.log file and turn off the debug.
- Turn off the spnt.log file by following the same procedure as enabling it but this time set MethodMask and ModuleMask to 0x00000000 (0).