About troubleshooting

Your Control Compliance Suite deployment is a complex web of interlocking pieces. From time to time, it is possible that some part of the system may fail. If a failure occurs, the troubleshooting guide can help you to correct it.

In addition to the troubleshooting guide, you should consult the Technical Support Knowledge Base. The Knowledge Base includes references to additional issues and includes additional symptoms and corrective actions.

The Knowledge Base is available at the following URL:

http://www.symantec.com/business/support/overview.jsp?pid=53741&view=kb

Table: Deployment troubleshooting lists possible deployment problems and their associated causes and resolutions.

Table: Configuration troubleshooting lists possible configuration problems and their associated causes and resolutions.

Table: Asset import troubleshooting lists possible asset import problems and their associated causes and resolutions.

Table: Data collection troubleshooting lists possible data collection problems and their associated causes and resolutions.

Table: Console and Web Portal troubleshooting lists possible problems with the console and the Web Portal and their associated causes and resolutions.

Table: Symantec ESM troubleshooting lists possible problems with Symantec ESM and their associated causes and resolutions.

Table: Deployment troubleshooting

Problem: Failed Directory Server Installation

Cause: The domain account credentials used for the component are not valid.
Resolution: Supply valid credentials.

Cause: The c:\Windows directory does not allow software to be installed.
Resolution: Change the permissions on the c:\Windows directory to allow software installation.

Cause: Active Directory is not available.
Resolution: Install and configure Active Directory before installing the Control Compliance Suite.

Cause: The C:\Program Files directory on the Directory server host is compressed.
Resolution: Uncompress the C:\Program Files directory on the Directory server host. Reinstall the ADAM instance.

Problem: Certificate does not match specified computer

Cause: The ping utility has different results for the target computer when run from the Directory Server and from the target computer itself.
Resolution: Correct network errors to ensure that the same information appears when pinging from all computers.

Cause: Incorrect certificate type specified during certificate creation.
Resolution: Create a new certificate of the correct type.

Problem: Application Server install wizard rejects Directory Server credentials

Cause: The domain account credentials used for the component are not valid.
Resolution: Supply valid credentials.

Cause: The credentials that should be specified are those used to log on when the Directory Server was installed, not the ones supplied during the installation.
Resolution: Supply the user credentials used to log on when the Directory Server was installed.

Problem: Application Server, Directory Server, or Data Processing Service fail to start

Cause: Host computer does not have internet connectivity, or connections to the VeriSign web server are blocked.
Resolution: Provide access to the VeriSign Web server the first time the service starts. You can also disable certificate checking for all components on the host. Finally, you can manually download the Certificate Revocation List from VeriSign and install it on the host.

Problem: When installing with Remote Desktop Connection, installation logs are deleted when the user logs off.

Cause: Logs are stored in %temp%\csmsetup. The location of the %temp% folder varies depending on the type of user logon. Files in the %temp% folder are deleted automatically when a Remote Desktop Connection user logs out.
Resolution: Manually copy the log file to another folder after the installation is complete but before logging out.

Problem: During the installation, an error message appears. The error message indicates that the state of the secure channel cannot be verified.

Cause: The computer has lost its secure channel with the domain.
Resolution: Rejoin the computer to the domain.

Table: Configuration troubleshooting

Problem: The user is unable to start the Certificate Management Console

Cause: A password error appears when the Certificate Management Console is started.
Resolution: Verify that the user is supplying the same password supplied during installation of the Directory Server.

Cause: The Certificate Management Console fails to start.
Resolution: Verify that the user is an administrator of the ADAM or AD LDS installation on the Directory Server.
Resolution: Verify that the user is a Control Compliance Suite Administrator.

Problem: The user is unable to create certificates using the Certificate Manager console.

Cause: On Windows Server 2008 computers, the Certificate Manager console is unable to create certificates if it is not run as an administrator.
Resolution: Run the Certificate Manager as an administrator.

Table: Asset import troubleshooting

Problem: Asset imports fail to complete

Cause: Asset imports fail to complete.
Resolution: Verify that the asset system is properly configured.
See About assets.
Resolution: Verify that the reconciliation rules are correctly configured.
See Creating reconciliation rules without manual review.

Cause: Not all expected assets are imported.
Resolution: Verify that the scope of the Asset Import job is valid for the given asset type.
See About scopes in asset import.

Cause: Not all assets of a given type are collected.
Resolution: Verify that the data collector for the given asset type is properly configured.

Cause: The error message "An Error occurred in Data Query activity: Unable to retrieve list of Assets from ADAM: No Assets were resolved from the directory , either due to insufficient permissions or an invalid job definition" appears during asset import job processing.
Resolution: Verify that the Application Server service account is trusted for delegation.
Resolution: Verify that the Service Principal Names are properly registered.

Problem: Asset import jobs from a single site run slowly.

Cause: One of the Data Processing Service Collectors that retrieve data from the site has failed.
Resolution: Correct the fault that prevents the DPS from operating properly.
Resolution: Temporarily unregister the DPS, then register it again when repair is complete.
Resolution: Temporarily move the DPS to a site with no assets.

Table: Data collection troubleshooting

Problem: Jobs fail to run

Cause: Scheduled data collection jobs fail to run at the scheduled time.
Resolution: Verify that the scheduling user password is properly updated in user management.

Cause: Data collection jobs fail to run.
Resolution: Verify that the Application Server credentials are correct.

Cause: Data collection jobs fail to run.
Resolution: Verify that the Application Server and Directory Server credentials are both Local Administrators.

Cause: All jobs fail to run.
Resolution: Verify that the Production database host is working properly.

Cause: Jobs fail to run, and the error "Dispatcher.SimpleDispatch" appears.
Resolution: Verify that the Symantec.CSM.DSS SPN is associated with only one account.

Cause: Jobs fail to run.
Resolution: Verify that the SPNs have been created properly and that the Service Name portion of the SPN for the Directory Service matches what is specified in the AppServerService.exe.config file.

Problem: Data collection jobs from a single site run slowly.

Cause: One of the Data Processing Service Collectors that retrieve data from the site has failed.
Resolution: Correct the fault that prevents the DPS from operating properly.
Resolution: Temporarily unregister the DPS, then register it again when repair is complete.
Resolution: Temporarily move the DPS to a site with no assets.

Problem: System.OutOfMemory Exception during data collection for Oracle assets

Cause: Data collection for Oracle assets uses chained data queries. The queries are memory intensive.
Resolution: Limit the Oracle queries to 1000 assets per job.

Problem: Jobs fail with the error "Login failed for user."

Cause: The ping utility has different results for the target computer when run from the Directory Server and from the target computer itself.
Resolution: Correct network errors to ensure that the same information appears when pinging from all computers.

Cause: The Account used for the Data Processing Service is not a domain account.
Resolution: Use a domain account for the data processing service.
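
One way to carry out the "Symantec.CSM.DSS SPN is associated with only one account" check from the table above, as an added example that is not part of the original guide or of Symantec's tooling. It assumes Symantec.CSM.DSS is the service-class prefix of the SPN; the function name, host names and account names are hypothetical, and the sample data is constructed.

```powershell
# List every account that holds an SPN of the given service class and flag
# any SPN that is registered on more than one account.
# $Accounts: objects exposing DistinguishedName and servicePrincipalName, the
# shape returned by Get-ADObject -Properties servicePrincipalName.
function Get-SpnOwners {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        [string] $ServiceClass = 'Symantec.CSM.DSS'   # assumed service-class prefix
    )
    $pairs = foreach ($acct in $Accounts) {
        foreach ($spn in @($acct.servicePrincipalName)) {
            # SPN layout: <service class>/<host>[:port][/<service name>]
            if ($spn -like "$ServiceClass/*") {
                [pscustomobject]@{ Spn = $spn; Account = $acct.DistinguishedName }
            }
        }
    }
    # SPNs compare case-insensitively, which is also Group-Object's default.
    $pairs | Group-Object -Property Spn | ForEach-Object {
        $owners = @($_.Group.Account | Sort-Object -Unique)
        [pscustomobject]@{
            Spn       = $_.Name
            Accounts  = $owners
            Duplicate = ($owners.Count -gt 1)   # same SPN on two accounts
        }
    }
}

# Constructed sample data so the function runs without a domain.
$sample = @(
    [pscustomobject]@{
        DistinguishedName    = 'CN=svc-ccs-dss,OU=Service Accounts,DC=example,DC=test'
        servicePrincipalName = @('Symantec.CSM.DSS/ccsdir01.example.test')
    },
    [pscustomobject]@{
        DistinguishedName    = 'CN=svc-ccs-old,OU=Service Accounts,DC=example,DC=test'
        servicePrincipalName = @('symantec.csm.dss/CCSDIR01.example.test',
                                 'HOST/other.example.test')
    }
)
Get-SpnOwners -Accounts $sample | Format-List

# Against a live domain (requires the ActiveDirectory module from RSAT):
# $live = Get-ADObject -LDAPFilter '(servicePrincipalName=Symantec.CSM.DSS/*)' `
#             -Properties servicePrincipalName
# Get-SpnOwners -Accounts $live
```

With the sample data the single SPN is reported with both accounts and Duplicate set to True; a healthy deployment shows one account per SPN.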

Table: Console and Web Portal troubleshooting

Problem: The user cannot start the Control Compliance Suite Console

Cause: Cannot locate the Control Compliance Suite Console installer.
Resolution: The installer is hosted on the Application Server in the \\Application Server Name\CCS directory.

Cause: The console is unable to contact the Application Server computer by name.
Resolution: Ensure that the Domain Name Service is properly configured, or use the IP address of the Application Server.

Cause: The console is unable to successfully start.
Resolution: Verify that the Application Server service account is trusted for delegation.
Resolution: Verify that the Service Principal Names are properly registered.
See Configuring service accounts with unconstrained delegation.
See Configuring the S4U and constrained delegation.

Problem: The Web Portal is unable to connect to the Response Assessment module

Cause: Web Portal is not configured to connect to the Response Assessment module.
Resolution: Configure the Web Portal to connect to the Response Assessment module.
See About configuring the Web Portal to contact RAM.

Cause: All jobs fail to run.
Resolution: Verify that the Production database host is working properly.

Problem: The Web Portal does not correctly display Response Assessment module pages

Cause: Internet Explorer Enhanced Security Components are installed and cookies are blocked from the Web Portal Internet Information Services (IIS) server.
Resolution: Allow the Web Portal IIS server to set cookies.

Problem: Configuration changes do not appear.

Cause: If two users simultaneously make changes to the same settings, only the changes made by the first user take effect.
Resolution: The second user should navigate to a different view, then return to the settings page and repeat any required settings changes.

Problem: Correct time does not appear on reports.

Cause: The time or locale setting was changed on the Application Server host, but the changed time or locale does not appear on reports.
Resolution: Restart the Application Server service, then restart the Control Compliance Suite Console and run the Scheduled Reporting Database Synchronization job. Then run the report again. The updated time will appear correctly.

Table: Symantec ESM troubleshooting

Problem: Cannot classify ESM 6.0 agents as different UNIX computers.

Cause: ESM 6.0 uses the OS details field in a different way than ESM 9.0 does.
Resolution: Update the ESM agents with SU 34 or later, then execute the Agent Information module on each ESM 6.0 agent.
Resolution: In Control Compliance Suite 9.0, import all ESM 6.0 Assets and create an Update reconciliation rule with the "If an asset being imported exists in the asset system" condition and the "Update the specifying fields of an existing asset with the fields of as asset being imported" action. Use the Only Selected fields option when you add the update type and select OS details in the Available Fields list.
Resolution: Update the ESM.Agent.RegisteredName, ESM.Agent.ESMManager, ESM.Agent.OSVersion, ESM.Agent.Platform, and ESM.Agent.OSDetails fields in the file <Install directory>\Symantec\CCS\Reporting and analytics\Applications\Data Collectors\ESM\ESMAgentAsset.csv.
Resolution: Configure the CSV data collector and import the ESMAgentAsset.csv file.

More Information

Installing Active Directory Application Mode manually