Your Control Compliance Suite deployment is a complex web of interlocking pieces. From time to time, it is possible that some part of the system may fail. If a failure occurs, the troubleshooting guide can help you to correct it.

In addition to the troubleshooting guide, you should consult the Technical Support Knowledge Base. The Knowledge Base includes references to additional issues and includes additional symptoms and corrective actions.

The Knowledge Base is available at the following URL:
http://www.symantec.com/business/support/overview.jsp?pid=53741&view=kb

Table: Deployment troubleshooting lists possible deployment problems and their associated causes and resolutions.

Table: Configuration troubleshooting lists possible configuration problems and their associated causes and resolutions.

Table: Asset import troubleshooting lists possible asset import problems and their associated causes and resolutions.

Table: Data collection troubleshooting lists possible data collection problems and their associated causes and resolutions.

Table: Console and Web Portal troubleshooting lists possible problems with the console and the Web Portal and their associated causes and resolutions.

Table: Symantec ESM troubleshooting lists possible problems with Symantec ESM and their associated causes and resolutions.

Table: Deployment troubleshooting

| Problem | Cause | Resolution |
|---|---|---|
| Failed Directory Server Installation | The domain account credentials used for the component are not valid. | Supply valid credentials. |
| | The c:\Windows directory does not allow software to be installed. | Change the permissions on the c:\Windows directory to allow software installation. |
| | Active Directory is not available. | Install and configure Active Directory before installing the Control Compliance Suite. |
| | The C:\Program Files directory on the Directory server host is compressed. | Uncompress the C:\Program Files directory on the Directory server host. Reinstall the ADAM instance. |
| Certificate does not match specified computer | The ping utility has different results for the target computer when run from the Directory Server and from the target computer itself. | Correct network errors to ensure that the same information appears when pinging from all computers. |
| | Incorrect certificate type specified during certificate creation. | Create a new certificate of the correct type. |
| Application Server install wizard rejects Directory Server credentials | The domain account credentials used for the component are not valid. | Supply valid credentials. |
| | The credentials that should be specified are those used to log on when the Directory Server was installed, not the ones supplied during the installation. | Supply the user credentials used to log on when the Directory Server was installed. |
| Application Server, Directory Server, or Data Processing Service fail to start | The host computer does not have Internet connectivity, or connections to the VeriSign Web server are blocked. | Provide access to the VeriSign Web server the first time the service starts. You can also disable certificate checking for all components on the host. Finally, you can manually download the Certificate Revocation List from VeriSign and install it on the host. |
| When installing with Remote Desktop Connection, installation logs are deleted when the user logs off. | Logs are stored in the %temp%\csmsetup folder. The folder used for the %temp% folder varies depending on the type of user logon. Files in the %temp% folder are deleted automatically when a Remote Desktop Connection user logs out. | Manually copy the log file to another folder after the installation is complete but before logging out. |
| During the installation, an error message appears. The error message indicates that the state of the secure channel cannot be verified. | The computer has lost its secure channel with the domain. | Rejoin the computer to the domain. |

Table: Configuration troubleshooting

| Problem | Cause | Resolution |
|---|---|---|
| The user is unable to start the Certificate Management Console | A password error appears when the Certificate Management Console is started. | Verify that the user is supplying the same password supplied during installation of the Directory Server. |
| | The Certificate Management Console fails to start. | Verify that the user is an administrator of the ADAM or AD LDS installation on the Directory Server. Verify that the user is a Control Compliance Suite Administrator. |
| The user is unable to create certificates using the Certificate Manager console. | On Windows Server 2008 computers, the Certificate Manager console is unable to create certificates if it is not run as an administrator. | Run the Certificate Manager as an administrator. |

Table: Asset import troubleshooting

| Problem | Cause | Resolution |
|---|---|---|
| Asset imports fail to complete | Asset imports fail to complete. | Verify that the asset system is properly configured. See About assets. Verify that the reconciliation rules are correctly configured. See Creating reconciliation rules without manual review. |
| | Not all expected assets are imported. | Verify that the scope of the Asset Import job is valid for the given asset type. See About scopes in asset import. |
| | Not all assets of a given type are collected. | Verify that the data collector for the given asset type is properly configured. |
| | The error message "An Error occurred in Data Query activity: Unable to retrieve list of Assets from ADAM: No Assets were resolved from the directory, either due to insufficient permissions or an invalid job definition" appears during asset import job processing. | Verify that the Application Server service account is trusted for delegation. Verify that the Service Principal Names are properly registered. |
| Asset import jobs from a single site run slowly. | One of the Data Processing Service Collectors that retrieve data from the site has failed. | Correct the fault that prevents the DPS from operating properly. Temporarily unregister the DPS, then register it again when repair is complete. Temporarily move the DPS to a site with no assets. |

Table: Data collection troubleshooting

| Problem | Cause | Resolution |
|---|---|---|
| Jobs fail to run | Scheduled data collection jobs fail to run at the scheduled time. | Verify that the scheduling user password is properly updated in user management. |
| | Data collection jobs fail to run. | Verify that the Application Server credentials are correct. |
| | Data collection jobs fail to run. | Verify that the Application Server and Directory Server credentials are both Local Administrators. |
| | All jobs fail to run. | Verify that the Production database host is working properly. |
| | Jobs fail to run, and the error "Dispatcher.SimpleDispatch" appears. | Verify that the Symantec.CSM.DSS SPN is associated with only one account. |
| | Jobs fail to run. | Verify that the SPNs have been created properly and that the Service Name portion of the SPN for the Directory Service matches what is specified in the AppServerService.exe.config file. |
| Data collection jobs from a single site run slowly. | One of the Data Processing Service Collectors that retrieve data from the site has failed. | Correct the fault that prevents the DPS from operating properly. Temporarily unregister the DPS, then register it again when repair is complete. Temporarily move the DPS to a site with no assets. |
| System.OutOfMemory Exception during data collection for Oracle assets | Data collection for Oracle assets uses chained data queries. The queries are memory intensive. | Limit the Oracle queries to 1000 assets per job. |
| Jobs fail with the error "Login failed for user." | The ping utility has different results for the target computer when run from the Directory Server and from the target computer itself. | Correct network errors to ensure that the same information appears when pinging from all computers. |
| | The Account used for the Data Processing Service is not a domain account. | Use a domain account for the data processing service. |

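One way to check the "Symantec.CSM.DSS SPN is associated with only one account" resolution above, as an added PowerShell example that is not part of the Symantec documentation. The function name, the account names and the example.test domain are constructed for illustration; the commented live query assumes the ActiveDirectory module from RSAT is installed.

```powershell
# Added example (not Symantec code): list SPNs of one service class that are
# registered on more than one account.
function Find-DuplicateSpn {
    param(
        # Objects exposing DistinguishedName and servicePrincipalName.
        [object[]] $Account = @(),
        # Service class taken from the troubleshooting table.
        [string] $ServiceClass = 'Symantec.CSM.DSS'
    )
    # Flatten every account into (SPN, owner) pairs for the requested class.
    $pairs = foreach ($a in $Account) {
        foreach ($spn in $a.servicePrincipalName) {
            if ($spn -like "$ServiceClass/*") {
                [pscustomobject]@{ Spn = $spn; Owner = $a.DistinguishedName }
            }
        }
    }
    if (-not $pairs) { return }   # no SPN of this class found at all

    # Group-Object compares strings case-insensitively by default, which
    # matches how SPNs are compared.
    $pairs | Group-Object -Property Spn | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Spn = $_.Name; Owners = @($_.Group.Owner) }
    }
}

# Constructed sample data: two accounts carry the same SPN (differing only in
# case), a third carries an SPN for another host.
$sample = @(
    [pscustomobject]@{
        DistinguishedName    = 'CN=svc-ccs-ds,OU=Service,DC=example,DC=test'
        servicePrincipalName = @('Symantec.CSM.DSS/ccsds01.example.test')
    },
    [pscustomobject]@{
        DistinguishedName    = 'CN=svc-ccs-old,OU=Service,DC=example,DC=test'
        servicePrincipalName = @('symantec.csm.dss/CCSDS01.example.test')
    },
    [pscustomobject]@{
        DistinguishedName    = 'CN=svc-ccs-app,OU=Service,DC=example,DC=test'
        servicePrincipalName = @('Symantec.CSM.DSS/ccsapp01.example.test')
    }
)
Find-DuplicateSpn -Account $sample | Format-List

# Against a live domain:
# $live = Get-ADObject -LDAPFilter '(servicePrincipalName=Symantec.CSM.DSS/*)' -Properties servicePrincipalName
# Find-DuplicateSpn -Account $live
```

Any row returned names an SPN that must be removed from all but one of the listed owners before jobs can authenticate.
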
Table: Console and Web Portal troubleshooting

| Problem | Cause | Resolution |
|---|---|---|
| The user cannot start the Control Compliance Suite Console | Cannot locate the Control Compliance Suite Console installer. | The installer is hosted on the Application Server in the \\Application Server Name\CCS directory. |
| | The console is unable to contact the Application Server computer by name. | Ensure that the Domain Name Service is properly configured, or use the IP address of the Application Server. |
| | The console is unable to successfully start. | Verify that the Application Server service account is trusted for delegation. Verify that the Service Principal Names are properly registered. See Configuring service accounts with unconstrained delegation. See Configuring the S4U and constrained delegation. |
| The Web Portal is unable to connect to the Response Assessment module | Web Portal is not configured to connect to the Response Assessment module. | Configure the Web Portal to connect to the Response Assessment module. See About configuring the Web Portal to contact RAM. |
| | All jobs fail to run. | Verify that the Production database host is working properly. |
| The Web Portal does not correctly display Response Assessment module pages | Internet Explorer Enhanced Security Components are installed and cookies are blocked from the Web Portal Internet Information Services (IIS) server. | Allow the Web Portal IIS server to set cookies. |
| Configuration changes do not appear. | If two users simultaneously make changes to the same settings, only the changes made by the first user take effect. | The second user should navigate to a different view, then return to the settings page and repeat any required settings changes. |
| Correct time does not appear on reports. | The time or locale setting was changed on the Application Server host, but the changed time or locale does not appear on reports. | Restart the Application Server service, then restart the Control Compliance Suite Console and run the Scheduled Reporting Database Synchronization job. Then run the report again. The updated time will appear correctly. |

Table: Symantec ESM troubleshooting

| Problem | Cause | Resolution |
|---|---|---|
| Cannot classify ESM 6.0 agents as different UNIX computers. | ESM 6.0 uses the OS details field in a different way than ESM 9.0 does. | Update the ESM agents with SU 34 or later, then execute the Agent Information module on each ESM 6.0 agent. In Control Compliance Suite 9.0, import all ESM 6.0 Assets and create an Update reconciliation rule with the "If an asset being imported exists in the asset system" condition and the "Update the specifying fields of an existing asset with the fields of as asset being imported" action. Use the Only Selected fields option when you add the update type and select OS details in the Available Fields list. Update the ESM.Agent.RegisteredName, ESM.Agent.ESMManager, ESM.Agent.OSVersion, ESM.Agent.Platform, and ESM.Agent.OSDetails fields in the file <Install directory>\Symantec\CCS\Reporting and analytics\Applications\Data Collectors\ESM\ESMAgentAsset.csv. Configure the CSV data collector and import the ESMAgentAsset.csv file. |