Tuesday, June 30, 2015

Tuning the Performance of the Symantec Endpoint Protection Manager console

Problem

The default configuration of the Symantec Endpoint Protection Manager (SEPM) is designed to minimize the memory and disk-space footprint. However, in larger organizations which may be leveraging multiple groups and/or replicated sites, the default settings may cause the system to under-perform or may generate error messages.

Error Message

When the current maximum amount of Java heap space is insufficient, the following errors or problems may be noticed:
  1. When trying to launch the SEPM, the error "Could not create the Java virtual machine" and the Symantec Endpoint Protection Manager service (semsrv) may not start successfully.
  2. The following error(s) may be logged repeatedly in the scm-server-0.log and scm-server-1.log log files:
    1. ATTENTION: Server side cache reached high water mark.
      INFO: Server side cache reached high water mark.
      java.lang.OutOfMemoryError: Java heap space
  3. Importing an extremely large MAC address list for the LAN Enforcer MAB Authentication may result in a Profile.xml of 0KB in size.

Cause

The Symantec Endpoint Protection Manager is a Java-based application, and consequently much of its performance will be related to the size of the Java Heap. Modifying the settings that control the size of the Java Heap will improve the performance of a wide variety of the functions performed by the Symantec Endpoint Protection Manager.

Solution

Increase the the Java heap space assigned to the SEPM service and consoles.
Symantec Endpoint Protection Manager Service
Note: Please backup the Registry before making the changes mentioned below.
  1. Stop the Symantec Endpoint Protection Manager service
  2. Open the Registry Editor and navigate to: HKLM\System\CurrentControlSet\Services\semsrv\Parameters\
  3. Set the following four registry values:
    1. JVM Option Number 0=-Xms512m
    2. JVM Option Number 1=-Xmx1024m
    3. JVM Option Number 2=-XX:MinHeapFreeRatio=40
    4. JVM Option Number 3=-XX:MaxHeapFreeRatio=70
  4. Start the Symantec Endpoint Protection Manager service
     
Symantec Endpoint Protection Manager Local Java Console
Note: Before modifying the file below, please make a backup copy of the file.
  1. If open, close the Symantec Endpoint Protection Manager Local Java Console
  2. Open sesm.bat in Notepad (default location: C:\Symantec\Symantec Endpoint Protection Manager\bin\sesm.bat)
  3. Change the following values (See Technical Information below for information regarding these values.):
    1. JVM Option Number 0=-Xms512m
    2. JVM Option Number 1=-Xmx1024m
    3. JVM Option Number 2=-XX:MinHeapFreeRatio=40
    4. JVM Option Number 3=-XX:MaxHeapFreeRatio=70
  4. Click File > Save
  5. Open the Symantec Endpoint Protection Manager Local Java Console

Symantec Endpoint Protection Manager Java Remote Console
How to modify the max-heap-size value for the downloaded JNLP file:
  1. Open a web browser and navigate to: http://:9090
  2. Download the Symantec Endpoint Protection Manager Java Remote Console by clicking the link underneath Symantec Endpoint Protection Manager Console
  3. After the JNLP file has been downloaded, open it in Notepad
  4. Find the variable max-heap-size (example: max-heap-size="512m")
  5. Decrease the specified amount of memory in max-heap-size (example: max-heap-size="256")
  6. Click File > Save
  7. Close Notepad
  8. Double-click the JNLP file to run the Symantec Endpoint Protection Manager Java Remote Console. If the problem is not solved, repeate steps 3 through 7 and decrease the specified amount of memory in max-heap-size again.

Note: The additional RAM will be allocated immediately following the service restart. You may see an immediate (but temporary) rise in disk and cpu activity as the page file size is increased. The max size varies from about 1200MB to 1400MB depending on OS and the state of the machine.

Technical Information
The Heap Size for Symantec Endpoint Protection Manager is specified with two values, stored in the registry.
  • JVM Option 0 (-Xms) specifies the minimum size of the Java Heap
  • JVM Option 1 (-Xmx) specifies the maximum size of the Java Heap.

The application will automatically increase the size of the Java Heap as required until it encounters the configured maximum size.These values can be increased to better suit the available resources on the computer. Performance can be optimized by following the guidelines below:

The Java Heap minimum size must not be larger that the Java Heap maximum size.
If the working size of the Java Heap exceeds the available physical RAM, the computer will begin paging the Java Heap. This will dramatically increase Disk I/O and reduce the overall performance.

Note: Always allow for at least 256 MB to be allocated to the Operating System. For Example: On a computer with 1 GB of RAM, the maximum value for the Java Heap should not exceed 768 MB.
The value of MinHeapFreeRatio and MaxHeapFreeRatio modify garbage collection characteristics (the ratio of free space to live objects within the heap). The values specified in this document are the defaults for JVM and they provide a good mixture of performance and reliability.

No comments:

Post a Comment