symantec™ control compliance suite : troubleshooting guide

Symantec™ ControlCompliance Suite

Troubleshooting Guide

Version: 12.5

Symantec™ Control Compliance SuiteTroubleshooting Guide

Documentation version: 1.0

Legal NoticeCopyright © 2019 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks ofSymantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarksof their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attributionto the third party (“Third Party Programs”). Some of the Third Party Programs are available under opensource or free software licenses. The License Agreement accompanying the Software does not alter anyrights or obligations you may have under those open source or free software licenses. Please see theThird Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantecproduct for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution,and decompilation/reverse engineering. No part of this document may be reproduced in any form by anymeans without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, AREDISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLYINVALID. SYMANTECCORPORATIONSHALLNOTBELIABLEFOR INCIDENTALORCONSEQUENTIALDAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THISDOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TOCHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as definedin FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial ComputerSoftware - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software andCommercial Computer Software Documentation," as applicable, and any successor regulations, whetherdelivered by Symantec as on premises or hosted services. Any use, modification, reproduction release,performance, display or disclosure of the Licensed Software and Documentation by the U.S. Governmentshall be solely in accordance with the terms of this Agreement.

Symantec Corporation350 Ellis StreetMountain View, CA 94043

https://www.symantec.com

https://www.symantec.com

Symantec SupportAll support services will be delivered in accordance with your support agreement and thethen-current Enterprise Technical Support policy.

Knowledge Base Articles and Symantec ConnectBefore you contact Technical Support, you can find free content in our online Knowledge Base,which includes troubleshooting articles, how-to articles, alerts, and product manuals. In thesearch box of the following URL, type the name of your product:

https://support.symantec.com

Access our blogs and online forums to engage with other customers, partners, and Symantecemployees on a wide range of topics at the following URL:

https://www.symantec.com/connect

Technical Support and Enterprise Customer SupportSymantec Support maintains support centers globally 24 hours a day, 7 days a week. TechnicalSupport’s primary role is to respond to specific queries about product features and functionality.Enterprise Customer Support assists with non-technical questions, such as license activation,software version upgrades, product access, and renewals.

For Symantec Support terms, conditions, policies, and other support information, see:

https://entced.symantec.com/default/ent/supportref

To contact Symantec Support, see:

https://support.symantec.com/en_US/contact-support.html

https://support.symantec.com

https://www.symantec.com/connect/

https://entced.symantec.com/default/ent/supportref

https://support.symantec.com/en_US/contact-support.html

Symantec Support .............................................................................................. 4

Chapter 1 Troubleshooting techniques for Control ComplianceSuite .................................................................................. 9

About troubleshooting ..................................................................... 9

Chapter 2 Deployment Troubleshooting ........................................... 10

Deployment troubleshooting ........................................................... 10Troubleshooting your Control Compliance Suite Deployment ................ 13Message appears about reboot required during CCS installation ............ 16Package extraction timeout error on Windows machine while running

Automatic Updates Installation job ............................................. 17

Chapter 3 CCS Console and Web ConsoleTroubleshooting ............................................................ 19

Console and Web Console troubleshooting ........................................ 20User cannot start the Console ......................................................... 21Web Console is unable to connect to AM .......................................... 21Web Console does not correctly display AM pages .............................. 22Configuration changes do not appear ............................................... 22Correct time does not appear on reports ........................................... 22Reports may cause a system slowdown or reports fail .......................... 23HTTP error appears when you open the Web Console ......................... 23Blank reports may appear .............................................................. 23Error appears while viewing a dashboard on the Web Console .............. 24Cannot create a custom asset type .................................................. 24Message “The server is not operational” appears in the console ............. 24Message “Login failed for user <user name>” appears in Web

Console ............................................................................... 25Unable to launch or view SymHelp ................................................... 26Unable to contact Web server when installing Console ......................... 26Web Console does not start after upgrading to a later version ................ 26-1 value is displayed in a chart for an asset risk score .......................... 27

Contents

Error message appears while navigating to the Policies WebConsole ............................................................................... 27

Dashboard panel data is incorrect .................................................... 28Expected data is not displayed in policy panels ................................... 28Launching CCS Console is slow ...................................................... 29Delay in permission changes in the Web Console ............................... 29CCS 12.0 console does not get launched if User Account Control (UAC)

is enabled ............................................................................. 30Web Console does not export a panel or panel details on Internet

Explorer 9 ............................................................................. 30CCS Console fails to export query results to .doc or .xls formats ............ 30Unable to launch the CCS AM Web portal links from the CCS Web

Console ............................................................................... 31After installing fonts and launching the CCS console, fonts may not

render properly ...................................................................... 31

Chapter 4 Asset Import Troubleshooting .......................................... 32

Asset import fails to complete ......................................................... 32Asset import jobs from a single site run slowly .................................... 33Asset import jobs fail and report an exception ..................................... 34Deleted ODBC data locations appear in CCS manager settings ............. 34

Chapter 5 Agent Troubleshooting ...................................................... 35

Error on CCS agent during execution of query .................................... 35

Chapter 6 Jobs Troubleshooting ......................................................... 36

Purge job timeout errors ................................................................ 36Data evaluation error ..................................................................... 36An error for Agent Content Update job when CCS Manager in Load

balancer role has disk space issue ............................................. 37CER job for MySQL assets completes successfully but data collection

details show an error ............................................................... 37

Chapter 7 Data Collection Troubleshooting ..................................... 38

Data collection troubleshooting ........................................................ 38Data collection jobs fail to run ......................................................... 39Data collection jobs from a site take longer time to complete ................. 40System.OutofMemory exception appears during data collection against

Oracle assets ........................................................................ 41Data collection jobs fail with a login error ........................................... 41Data collection jobs fail with an error in evaluation ............................... 42

6Contents

“Computer Unreachable” errors appear for Windows computers thatdo not have IIS ...................................................................... 42

Error message appears while using theGetStaleAssetsbyCollectionDays API or cmdlet ............................ 43

CCS Manager on Windows 2008 R2 becomes non-responsive orrestarts ................................................................................. 43

Data loss observed after executing the evaluation job for SCAP ............. 43The application server service fails to start during migration .................. 44Cannot resolve collation conflict between Latin1_General_CI_AS and

SQL_Latin1_General_CP1_CI_AS in the equal to operator ............. 44

Chapter 8 Policy Module Troubleshooting ........................................ 46

Cannot assign a reviewer or approver for a policy ............................... 46Cannot access the Policy Central portal ............................................ 46Error while attaching a Word document to a custom policy .................... 47

Chapter 9 Reports Troubleshooting ................................................... 48

Performance slowdown in execution of report generation jobs ............... 48Prerequisites to run the CleanStagingTables utility ........................ 48Running the CleanStagingTables utility ....................................... 49

Server memory error in a reporting database synchronization job ........... 49Failed report generation job when crystal report is not installed on CCS

Manager with a reporting role .................................................... 49

Chapter 10 SCAP Content Troubleshooting ........................................ 50

Improper display of SCAP Content view during first time launch of CCSconsole ................................................................................ 50

Compliance score for SCAP profile (benchmark) ................................. 51Incorrect calculation of aggregate risk score for profiles in custom

dashboard panels ................................................................... 51Unable to launch or view SymHelp ................................................... 52On a remote computer, CCS console does not launch from the desktop

shortcut ................................................................................ 52The error, Unable to load configuration file is displayed during CCS

console launch from a remote computer ...................................... 53Time-out error occurs during SCAP content import .............................. 53An error is displayed during import of SCAP benchmark ....................... 54Error in SCAP evaluation job .......................................................... 55

Chapter 11 External Data Integration Troubleshooting ................... 56

Could not create SSL/TLS secure channel ......................................... 56

7Contents

Chapter 12 Dashboards Troubleshooting ........................................... 57

Editing dashboard cache time span in custom panels .......................... 57

Chapter 13 Evidence Troublsehooting ................................................. 58

Evidence collection job fails to run ................................................... 58Score contribution from an evidence source is not displayed in Asset

Details pane ......................................................................... 58Evaluation results viewer times out .................................................. 59

Chapter 14 Queries Troubleshooting ................................................... 60

Platform and Entity fields are blank in the Create or Edit Querywizard .................................................................................. 60

Chapter 15 CyberArk EPV Integration Troubleshooting ................... 61

CyberArk Policy dropdown list does not display any policy .................... 61Intermittent error while fetching password from CyberArk EPV ............... 61Asset Attribute Mappings tooltip displays an error ............................... 62Asset attributes are not used for fetching password from CyberArk

EPV ..................................................................................... 62CyberArk EPV integration does not work as expected .......................... 62

8Contents

Troubleshooting techniquesfor Control ComplianceSuite

This chapter includes the following topics:

■ About troubleshooting

About troubleshootingYour deployment is a complex of interlocking pieces. From time to time, it is possible that somepart of the systemmay fail. If a failure occurs, the troubleshooting guide can help you to correctit.

In addition to the troubleshooting guide, you should consult the technical support knowledgebase. The knowledge base includes references to additional issues and includes additionalsymptoms and corrective actions.

The knowledge base is available at the following URL:

http://www.symantec.com/business/support/overview.jsp?pid=53741&view=kb

1Chapter


DeploymentTroubleshooting


■ Deployment troubleshooting

■ Troubleshooting your Control Compliance Suite Deployment

■ Message appears about reboot required during CCS installation

■ Package extraction timeout error on Windows machine while running Automatic UpdatesInstallation job

Deployment troubleshootingCCS deployment is a complex of interlocking pieces. From time to time, it is possible that somepart of the systemmay fail. If a failure occurs, the troubleshooting guide can help you to correctit.

In addition to the troubleshooting guide, you should consult the Technical Support knowledgebase. The knowledge base includes references to additional issues and includes additionalsymptoms and corrective actions.



The following table lists possible deployment problems and their associated causes andresolutions.

2Chapter


Table 2-1 Deployment troubleshooting

ResolutionCauseProblem

To install the hot fix manually onWindows Server x64, extract thesecSSOwin64_x64 file located in theRedist folder of the product media,to the location C:\Program Files(x86)\SAP BusinessObjects\CrystalReports for .NET Framework4.0\Common\SAP BusinessObjectsEnterprise XI 4.0\win64_x64\. Extractthe secSSOwin32_x86 file located inthe Redist folder of the productmedia, to the location C:\Program Files(x86)\SAP BusinessObjects\CrystalReports for .NET Framework4.0\Common\SAP BusinessObjectsEnterprise XI 4.0\win32_x86\.

To install the hot fix manually onWindows Server x86, extract thesecSSOwin32_x86 file located in theRedist folder of the product media,to the location C:\Program Files(x86)\SAP BusinessObjects\CrystalReports for .NET Framework4.0\Common\SAP BusinessObjectsEnterprise XI 4.0\win32_x86\.

The Crystal Reports 2010 hot fix isinstalled automatically during the CCSinstallation. If the hot fix fails to installautomatically, the following warningmessage is displayed in theWarningpanel of the CCS installer.

Copying CR 2010 LA fix file.

Installer displays the Copying CR2010 LA fix file warning

Ignore the warning message.If you are upgrading to CCS 11.1 froma previous version of CCS and theinstaller displays critical errors. Whenyou rectify the errors and you relaunchthe installer to upgrade again, theWarning panel of the CCS installerdisplays the following warningmessages

Create Connector tables inthe production database

Installer displays the CreateConnector tables in theproduction database warningduring upgrade

11Deployment TroubleshootingDeployment troubleshooting

Table 2-1 Deployment troubleshooting (continued)


Migrate the CCS databases using theMigrationUtility.exe located inthe <installationdirectory>/Symantec/CCS/Reportingand Analytics folder of the installedproduct.

If you are upgrading from CCS 10.0 toCCS 11.1 and the installer displayscritical errors. When you rectify theerrors and you relaunch the installerto upgrade again, the installer doesnot launch the Migration utility afterupgrade.

Installer does not launch the Migrationutility after upgrade

Uninstall the product, rectify the errorsand then reinstall the product byperforming the following steps:

■ Launch the CCS setup.■ The installation wizard detects a

previous installation of CCSinstalled on the computer, anddisplays the Maintenance panel.Use the Uninstall option touninstall the product.

■ Rectify the errors.■ Relaunch the setup to install the

product again.

Installer displays critical errors whileinstalling CCS for the first time.

Installer displays critical errors duringfresh installation

Supply valid credentials.The domain account credentials thatare used for the component are notvalid.

Failed Application Server Installation

Specify a different location to installthe product.

The c:\Windows folder does notallow software to be installed.

Uncompress the C:\Program Filesfolder on the Application Server host.Reinstall the Application Serverinstance.

The C:\Program Files folder onthe Application Server host iscompressed.

Correct network errors to ensure thatthe same information appears whenyou use the ping utility from allcomputers.

The ping utility has different results forthe target computer when run from theApplication Server and from the targetcomputer itself.

Certificate does not match specifiedcomputer

Create a new certificate of the correcttype.

An incorrect certificate type wasspecified during certificate creation.

12Deployment TroubleshootingDeployment troubleshooting



Provide access to the VeriSign Webserver the first time the service starts.You can also disable certificatechecking for all components on thehost. Finally, you can manuallydownload the Certificate RevocationList from VeriSign and install it on thehost.

Host computer does not have Internetconnectivity or connection to theVeriSign Web server is blocked.

Application Server or CCS managerfail to start

Verify that the user supplies the samepassword that was supplied duringinstallation of the Application Server.

A password error appears when theCertificate Management Console isstarted.

Unable to start CertificateManagement Console

Verify that the user is an administratorof the Application Server.

Verify that the user is a CCSAdministrator.

The Certificate Management Consolefails to start.

You should use the SQL Manager toassign the EXECUTE permission onthe sp_upgradestats object to thedatabase owner (dbo) of theCSM_Reports reporting database.

This error occurs because thesynchronization job requires additionalSQL Server permissions.

Synchronization jobs fail to completeafter migration

Troubleshooting your Control Compliance SuiteDeployment

CCS deployment is a complex of interlocking pieces. From time to time, it is possible that somepart of the systemmay fail. If a failure occurs, the troubleshooting guide can help you to correctit.

In addition to the troubleshooting guide, you should consult the Technical Support knowledgebase. The knowledge base includes references to additional issues and includes additionalsymptoms and corrective actions.



The following table lists possible deployment problems and their associated causes andresolutions.

13Deployment TroubleshootingTroubleshooting your Control Compliance Suite Deployment


Table 2-2 Deployment troubleshooting


To install the hot fix manually onWindows Server x64, extract thesecSSOwin64_x64 file located in theRedist folder of the product media,to the location C:\Program Files(x86)\SAP BusinessObjects\CrystalReports for .NET Framework4.0\Common\SAP BusinessObjectsEnterprise XI 4.0\win64_x64\. Extractthe secSSOwin32_x86 file located inthe Redist folder of the productmedia, to the location C:\Program Files(x86)\SAP BusinessObjects\CrystalReports for .NET Framework4.0\Common\SAP BusinessObjectsEnterprise XI 4.0\win32_x86\.

To install the hot fix manually onWindows Server x86, extract thesecSSOwin32_x86 file located in theRedist folder of the product media,to the location C:\Program Files(x86)\SAP BusinessObjects\CrystalReports for .NET Framework4.0\Common\SAP BusinessObjectsEnterprise XI 4.0\win32_x86\.

The Crystal Reports 2010 hot fix isinstalled automatically during the CCSinstallation. If the hot fix fails to installautomatically, the following warningmessage is displayed in theWarningpanel of the CCS installer.

Copying CR 2010 LA fix file.

Installer displays the Copying CR2010 LA fix file warning

Ignore the warning message.While upgrading to CCS 12.0 from aprevious version of CCS the installerdisplays critical errors. When yourectify the errors and you relaunch theinstaller to upgrade again, theWarning panel of the CCS installerdisplays the following warningmessages

Create Connector tables inthe production database

Installer displays the CreateConnector tables in theproduction database warningduring upgrade




Migrate the CCS databases using theMigrationUtility.exe located inthe <installationdirectory>/Symantec/CCS/Reportingand Analytics folder of the installedproduct.

While upgrading to CCS 12.0 theinstaller displays critical errors. Whenyou rectify the errors and you relaunchthe installer to upgrade again, theinstaller does not launch the Migrationutility after upgrade.

Installer does not launch the Migrationutility after upgrade

Uninstall the product, rectify the errorsand then reinstall the product byperforming the following steps:

■ Launch the CCS setup.■ The installation wizard detects a

previous installation of CCSinstalled on the computer, anddisplays the Maintenance panel.Use the Uninstall option touninstall the product.

■ Rectify the errors.■ Relaunch the setup to install the

product again.

Installer displays critical errors whileinstalling CCS for the first time.

Installer displays critical errors duringfresh installation

Supply valid credentials.The domain account credentials thatare used for the component are notvalid.

Failed Application Server Installation

Specify a different location to installthe product.

The c:\Windows folder does notallow software to be installed.

Uncompress the C:\Program Filesfolder on the Application Server host.Reinstall the Application Serverinstance.

The C:\Program Files folder onthe Application Server host iscompressed.

Correct network errors to ensure thatthe same information appears whenyou use the ping utility from allcomputers.

The ping utility has different results forthe target computer when run from theApplication Server and from the targetcomputer itself.

Certificate does not match specifiedcomputer

Create a new certificate of the correcttype.

An incorrect certificate type wasspecified during certificate creation.




Provide access to the VeriSign Webserver the first time the service starts.You can also disable certificatechecking for all components on thehost. Finally, you can manuallydownload the Certificate RevocationList from VeriSign and install it on thehost.

Host computer does not have Internetconnectivity or connection to theVeriSign Web server is blocked.

Application Server or CCS managerfail to start

Verify that the user supplies the samepassword that was supplied duringinstallation of the Application Server.

A password error appears when theCertificate Management Console isstarted.

Unable to start CertificateManagement Console

Verify that the user is an administratorof the Application Server.

Verify that the user is a CCSAdministrator.

The Certificate Management Consolefails to start.

You should use the SQL Manager toassign the EXECUTE permission onthe sp_upgradestats object to thedatabase owner (dbo) of theCSM_Reports reporting database.

This error occurs because thesynchronization job requires additionalSQL Server permissions.

Synchronization jobs fail to completeafter migration

See “Deployment troubleshooting” on page 10.

See “About troubleshooting” on page 9.

Message appears about reboot required during CCSinstallation

When the CCS installation is in progress, you may see the following message:

Unable to continue the setup.

A previous installation required a reboot of the computer for changes to take effect. Toproceed, restart the computer and then run the setup again. The setup will now exit.

The message may appear due to one of the following reasons:

■ Windows updates may be installed on the computer and reboot is required.

■ A scheduled or automatic Windows Maintenance activity may have completed on thecomputer and reboot is required.

16Deployment TroubleshootingMessage appears about reboot required during CCS installation

The following registry keys are checked to confirm that reboot is required:

■ Software\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\AutoUpdate\\RebootRequired

■ SYSTEM\\CurrentControlSet\\Control\\Session Manager Value:PendingFileRenameOperationsLooking for version key in the list : v4.0.30319

■ SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component BasedServicing\\RebootPending

Workaround

■ You must reboot your computer and proceed with the CCS installation.

■ Stop the Automatic maintenance activity if it is in progress or start the CCS installationonce the maintenance activity is complete.

Note: Symantec recommends that you ensure that no Windows updates are being installedor Windows Maintenance activity is running on the computer when you install CCS.



Package extraction timeout error on Windowsmachinewhile runningAutomaticUpdates Installationjob

You may see the following error message, when you run the Automatic Updates Installationjob on a computer running a Windows operating system with a standalone CCS Managerinstalled on it:

Package extraction timed out for Product Update on CCS Manager Service.....

This error can appear due to the following reasons:

■ The package extraction activity has timed out.

■ Windows updates may be installed on the computer and reboot is required after that.

■ A scheduled or automatic Windows Maintenance activity may have completed on thecomputer and reboot is required.

Workaround

You must reboot the computer and execute the Automatic Updates Installation job again.

17Deployment TroubleshootingPackage extraction timeout error on Windows machine while running Automatic Updates Installation job

About Automatic Updates Installation job



18Deployment TroubleshootingPackage extraction timeout error on Windows machine while running Automatic Updates Installation job

https://help.symantec.com/cs/ccs12.0/CCS12_0/v123102722_v120691527/title/?locale=EN_US

CCS Console and WebConsole Troubleshooting


■ Console and Web Console troubleshooting

■ User cannot start the Console

■ Web Console is unable to connect to AM

■ Web Console does not correctly display AM pages

■ Configuration changes do not appear

■ Correct time does not appear on reports

■ Reports may cause a system slowdown or reports fail

■ HTTP error appears when you open the Web Console

■ Blank reports may appear

■ Error appears while viewing a dashboard on the Web Console

■ Cannot create a custom asset type

■ Message “The server is not operational” appears in the console

■ Message “Login failed for user <user name>” appears in Web Console

■ Unable to launch or view SymHelp

■ Unable to contact Web server when installing Console

■ Web Console does not start after upgrading to a later version

3Chapter

■ -1 value is displayed in a chart for an asset risk score

■ Error message appears while navigating to the Policies Web Console

■ Dashboard panel data is incorrect

■ Expected data is not displayed in policy panels

■ Launching CCS Console is slow

■ Delay in permission changes in the Web Console

■ CCS 12.0 console does not get launched if User Account Control (UAC) is enabled

■ Web Console does not export a panel or panel details on Internet Explorer 9

■ CCS Console fails to export query results to .doc or .xls formats

■ Unable to launch the CCS AM Web portal links from the CCS Web Console

■ After installing fonts and launching the CCS console, fonts may not render properly

Console and Web Console troubleshootingThis section explains the troubleshooting steps for errors that can occur when using the CCSConsole and Web Console.

See “Unable to launch or view SymHelp” on page 26.

See “Unable to contact Web server when installing Console” on page 26.

See “User cannot start the Console” on page 21.

See “ Web Console is unable to connect to AM” on page 21.

See “ Web Console does not correctly display AM pages” on page 22.

See “Configuration changes do not appear” on page 22.

See “Correct time does not appear on reports” on page 22.

See “Reports may cause a system slowdown or reports fail” on page 23.

See “HTTP error appears when you open the Web Console” on page 23.

See “Blank reports may appear” on page 23.

See “Error appears while viewing a dashboard on the Web Console” on page 24.

See “Cannot create a custom asset type” on page 24.

See “Message “The server is not operational” appears in the console” on page 24.

See “Message “Login failed for user <user name>” appears in Web Console” on page 25.

20CCS Console and Web Console TroubleshootingConsole and Web Console troubleshooting

See “-1 value is displayed in a chart for an asset risk score” on page 27.

See “Error message appears while navigating to the Policies Web Console” on page 27.

See “Dashboard panel data is incorrect” on page 28.

See “Expected data is not displayed in policy panels” on page 28.

See “Launching CCS Console is slow” on page 29.

See “Message “Login failed for user <user name>” appears in Web Console” on page 25.

See “Delay in permission changes in the Web Console” on page 29.

See “Web Console does not export a panel or panel details on Internet Explorer 9” on page 30.

See “CCS Console fails to export query results to .doc or .xls formats” on page 30.

See “Unable to launch the CCS AMWeb portal links from the CCSWeb Console” on page 31.

User cannot start the ConsoleIf a user is unable to start the (CCS) Console, one of the following may be the cause:

The installer is hosted on the Application Server inthe \\Application Server Name\CCS directory.

The user cannot locate the CCS Console installer.

Ensure that the Domain Name Service is properlyconfigured, or use the IP address of the ApplicationServer.

The console is unable to contact the ApplicationServer computer by name.

Verify that the Application Server service accountis trusted for delegation.

Verify that the Service Principal Names are properlyregistered.

The console is unable to successfully start.


See “Console and Web Console troubleshooting” on page 20.

Web Console is unable to connect to AMThe Web Console may be able to connect to the . If this occurs, one of the following may bethe cause:

Configure the Web Console to connect to the .Web Console is not configured to connect to the .


21CCS Console and Web Console TroubleshootingUser cannot start the Console


Web Console does not correctly display AM pagesThe Web Console may not correctly display pages.

One possible cause for this is that the Internet Explorer Enhanced Security Components areinstalled and cookies are blocked on the Web Console Internet Information Services (IIS)Manager.

For the to function correctly, you must allow the Web Console IIS Manager to set cookies.



Configuration changes do not appearThe (CCS) supports multiple simultaneous users. In certain circumstances, a user can makechanges that adversely affect another user. If multiple users simultaneously make changesto the same configuration settings, only the changes made by the first user take effect.

If this happens, the second user should navigate to a different view, then return to the settingspage and repeat any required settings changes.



Correct time does not appear on reportsWhen you run a report job, the correct time may not appear on generated reports if the timeor locale setting was changed on the Application Server host.

To correct this error, you should do the following:

■ Restart the Application Server service

■ Restart the (CCS) Console

■ Run the Reporting Database Synchronization job



22CCS Console and Web Console TroubleshootingWeb Console does not correctly display AM pages

Reportsmay cause a systemslowdownor reports failWhen a user runs a report job, the reports may cause a system slowdown or reports may failcompletely.

This error may be caused when the complexity of the report exceeds the limits of the reportengine the (CCS) uses.

If it occurs, the only solution is to reduce the complexity of the report.



HTTP error appears when you open the Web ConsoleThe error HTTP Error 401.1 - Unauthorized: Access is denied may appear when youconnect to the Web Console.

If this error occurs, the Service Principal Names (SPNs) used by the Web Console may bemisconfigured.

To correct the error, you should properly configure the Service Principal Names (SPNs).

See http://support.microsoft.com/kb/871179



Blank reports may appearWhen you run a report, the report contents may not appear. The report appears to be blank.

This error occurs because the Reporting Database Synchronization job must run beforeyou can run a report.

You should run theReporting Database Synchronization job before you schedule the report.The synchronization job populates the database with the data in the production database. Thesynchronization job is an existing job and is in the Monitor > Jobs view.



23CCS Console and Web Console TroubleshootingReports may cause a system slowdown or reports fail

http://support.microsoft.com/kb/871179

Error appears while viewing a dashboard on theWebConsole

The error System.DirectoryServices.DirectoryServicesCOMException may appear whenyou open a dashboard panel in the Web Console.

This error can occur because you have the Service Principal Names (SPNs) set incorrectlyon the (CCS) Application Server.

You should use the <install directory>\Application server\CCSSPNUtil.exe utility toverify that the SPNs are set correctly for the Application Server, and that there are no duplicateSPNs set.



Cannot create a custom asset typeIf you use the Add new asset type wizard to create a custom asset type, the custom entityschema may not appear in the wizard. The failure occurs because (CCS) Console is unableto successfully transfer the custom entity schema XML files from the Application Server.

This error can occur if the Application Server has not completed loading the custom entityschema. This error only occurs immediately after the Application Server starts and the servicehas not completed loading. The error does not appear if you use the Console on the samecomputer that hosts the Application Server. It does appear if you use the Console on anothercomputer.

You should close the CCS Console and wait until the Application Server completes its startupsequence. The startup sequence takes less than 5 minutes to complete. When the ApplicationServer startup is complete, restart the CCS Console, and the custom entity schema informationappears. You can use the Add new asset type wizard to create a custom asset type with thecustom schema.



Message “The server is not operational” appears inthe console

When the user performs an action in the (CCS) Console, the error message “The server is notoperational” can appear.

24CCS Console and Web Console TroubleshootingError appears while viewing a dashboard on the Web Console

This message appears because the CCS components are unable to contact the CCS DirectoryServer or the CCS Directory Server is busy.

Note: This message appears only in cases where the data load is high.

The CCS Administrator can correct the issue. The CCS Administrator should do the following:

■ Check the socket connection state on the CCS Directory Server host.

■ Change the timeouts for the CCS Directory Server.

■ Change the maximum number of socket connections for the CCS Directory Server.

To check the socket connection state on the CCS Directory Server host, you use the NETSTATcommand from the command line. If one of the sockets is in a waiting state, the commandoutput should be similar to the following:

TCP <CCS_Directory_Server_Name>:<Port> TIME_WAIT

You should use the Registry Editor to change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\TCPTimedWaitDelay to 35 seconds. Ifthe key is not present, please add it to the registry as REG_DWORD type keys.

You should also use the Registry Editor to change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\MaxUserPort to 65530. This changeincreases the number of available socket connections on the CCS Directory Server. If the keyis not present, please add it to the registry as REG_DWORD type keys.

Once you have completed these changes, you should restart the CCS Directory Server andretry the action in the CCS Console.



Message “Login failed for user<user name>” appearsin Web Console

When you log on to the (CCS) Web Console, the error message “Login failed for user <username>” may appear. This error appears if the SQL credentials used for the production databaseor the reporting database change.

If this error occurs, the CCS Administrator should use the Internet Information Services (IIS)Manager to recycle the CCS_WebAppPool service on the CCS Web Console server.



25CCS Console and Web Console TroubleshootingMessage “Login failed for user <user name>” appears in Web Console

Unable to launch or view SymHelpWhen you try to launch an online help topic by clicking Help or pressing F1, you might get anerror or nothing might get displayed. You may also notice that the page is in the process ofgetting launched however, nothing happens even after waiting for a long time.

This may occur if the Active Scripting is not enabled in your browser.

Enable Active Scripting in the browser. Refer to the following link to enable Active Scripting.

http://support.microsoft.com/gp/howtoscript

Also, ensure that the SymHelp URL is added as a Trusted Site.

To add SymHelp as a trusted site

1 Open Internet Explorer.

2 Go to Tools > Internet Options.

3 Under the Security tab, click Sites.

4 Enter the SymHelp URL and click Add.

5 Click Close.



Unable to contactWeb serverwhen installingConsoleWhen you install the (CCS) Console an error message may indicate that the installer is unableto contact the Web server . If this message appears, you should use the IP address of theWeb server instead of the server name.



WebConsole does not start after upgrading to a laterversion

If the Web console does not start after you upgrade to version 10.0 and if the error messageSystem.Runtime.InteropServices.COMException (0x8007203A): The server is not

operational appears in the Web console logs on the CCSWeb server computer, then do thefollowing:

The (CCS) Administrator should use the Internet Information Services (IIS) Manager to recyclethe CCS_WebAppPool service on the CCS Web Console server.

26CCS Console and Web Console TroubleshootingUnable to launch or view SymHelp




-1 value is displayed in a chart for an asset risk scoreIf you select asset risk score as the Measure for a panel, you may see a -1 score in the chartfor certain assets.

The -1 score is generated in the following conditions:

■ An evaluated asset that does not have any data collected on the checks

■ An asset with 100% compliance

You can correct the score by adding the following filter:

Asset risk scoreAttribute

is not equal toOperator

-1Values



Error message appears while navigating to thePolicies Web Console

When you navigate to the Policies page in the Web console, the error message "Error inreading policy data" may appear for any of the following reasons:

■ SPNs are not configured correctly

■ IIS 7 (Web Console server) computer is not set for delegation

■ HTTP SPN is set on IIS 7 computer that is already configured to be trusted for delegation.HTTP SPN is not required on IIS 7 computers as the IIS 7 computers are configured forKerberos authentication. However, you must set HTTP SPN on IIS 7 in the following cases:

■ IIS 7 is used with Kernel Mode Authentication disabled

■ IIS 7 is used with Kernel Mode Authentication enabled and the useAppPoolCredentialsattribute set to TRUE.

If you have installed the CCS Directory Server and the CCS Application Server on separatecomputers, you must configure the IIS Server (CCS Application Server) and the Directory

27CCS Console and Web Console Troubleshooting-1 value is displayed in a chart for an asset risk score

Support Service for constrained delegation. For more information on configuring constraineddelegation, see the Symantec™ Control Compliance Suite Planning and Deployment Guide.

You must set HTTP SPN on Windows Server 2008 computers where the IIS Host Header andthe CCS Application Server name are not same.



Dashboard panel data is incorrectYou have created a standard, asset, or policy or you have imported a standard, asset, or policy.You have run the evaluation job. You create a dashboard panel, but the data is not displayedor the data is incorrect.

You must run the Reporting Database Synchronization job and the Global Metrics andTrend Computation job in the Control Compliance Suite CCS Console. The jobs are in theMonitor > Jobs view. The data may not display correctly if the jobs have not been run.



Expected data is not displayed in policy panelsYou have created a policy, mapped users, and published the policy. You open a policy panelinWeb Console > Dashboards > Panels and you do not see the expected data.

Verify that the following jobs have run:

■ Policy and Mandates Metrics Computation

■ Reporting Database Synchronization

■ Daily policies

These jobs are scheduled to run once a day. You can manually start the Policy andMandatesMetrics Computation job and the Reporting Database Synchronization job. The jobs arelocated in Monitor > Jobs view of the CCS Console.

The daily policies job updates the following information:

■ "Not read' audience

■ Expiring policies per date

■ Maintaining the review or approve by dates

■ Mappings in synch with check deletions

■ Detecting expired policy asset exceptions

28CCS Console and Web Console TroubleshootingDashboard panel data is incorrect

You can start the policies job by resetting the start time. You can set the time in Settings >General > Policies > Run the daily policies job at. If you change the time, the job starts atthat time until it is changed.



Launching CCS Console is slowLaunching the CCS console can be slow on a Windows 2003 or 2008 server with no Internetconnectivity.

Do the following steps to improve the performance:

■ Open the Internet Explorer browser on the computer that experiences the performanceissue.

■ Go to Internet Options and select the Advanced tab.

■ Uncheck the box check for publisher's revocation list.

Once the changes are made, the performance of the CCS console improves.



Delay in permission changes in the Web ConsoleWhen a user's permissions change in an Active Directory group, the user must do the following:

■ Wait the default time before the change is disseminated through the system.

■ Log off and logon to retrieve the new permissions.

A user sees the permission change in the Web Console dashboards after a default 60-minutedelay .

You can add this setting to the web.config file to change the default delay time:

<add key="DynamicDashboard:GroupMembershipUpdateTimeSpan" value="2"/>

The value is measured in minutes. You must use a whole number.



29CCS Console and Web Console TroubleshootingLaunching CCS Console is slow

CCS 12.0 console does not get launched if UserAccount Control (UAC) is enabled

When you install Control Compliance Suite 12.0 onWindows Server 2016 in locale environment,and enable User Account Control (UAC), the CCS console does not get launched.

To resolve the issue, disable User Account Control (UAC), restart the computer and launchthe CCS console.

WebConsole does not export a panel or panel detailson Internet Explorer 9

If you are viewing the Web Console using the Internet Explorer version 9 browser, the consolefails to export a panel to xml or the panel details to excel.

To resolve the issue, you must do the following

1 On the Internet Explorer 9, go to Tools > Internet Options > Advanced.

2 Uncheck Do not save encrypted pages to disk.



CCS Console fails to export query results to .doc or.xls formats

CCS Console fails to export the query results to .doc or .xls formats.

To resolve the issue, you must do the following:

1 On the CCS Application Server computer, start the Microsoft Management Console.

2 On the Microsoft Management Console, go to Component Services > Computers > MyComputer > DCOM Config.

3 For exporting to .doc format, right-click Microsoft Office Word 97 - 2003 Document, orfor exporting to .xls format, right-click Microsoft Excel Application, and then clickProperties.

4 On the Identity tab, select one of the following:

■ Symantec recommends that you select This user. For This user, you must specifythe login credentials of the CCS Application Server service.

30CCS Console and Web Console TroubleshootingCCS 12.0 console does not get launched if User Account Control (UAC) is enabled

■ If you want to select The interactive user, then ensure that User Account Control(UAC) is disabled on the CCS Application Server computer.

If Microsoft Office (32-bit) is installed on a 64-bit computer, then you must run the 32-bitversion of DCOMCNFG.exe by using the following command:

mmc comexp.msc /32



Unable to launch the CCS AMWeb portal links fromthe CCS Web Console

If you cannot launch the CCS AM Web portal links from the CCS Web Console, for help referto Settings to launch the CCS AM Web portal links from the CCS Web Console topic in theSymantec CCS Assessment Manager User Guide.

After installing fonts and launching the CCS console,fonts may not render properly

When you launch the CCS console for the first time after fresh installation or upgrade, youclick Install Fonts, the fonts may not render properly and may look distorted.

If you experience such an issue, you can do the following:

■ Restart the Windows service "Windows Font Cache Service".

■ Re-launch the CCS console.



31CCS Console and Web Console TroubleshootingUnable to launch the CCS AMWeb portal links from the CCS Web Console

Asset ImportTroubleshooting


■ Asset import fails to complete

■ Asset import jobs from a single site run slowly

■ Asset import jobs fail and report an exception

■ Deleted ODBC data locations appear in CCS manager settings

Asset import fails to completeWhen you perform an Asset import, the import job may fail to complete correctly. If this erroroccurs, one of the following may be the cause:

Verify that the asset system is properly configured.

Verify that the reconciliation rules are correctlyconfigured.

Asset import fails to complete.

Verify that the scope of the Asset Import job is validfor the given asset type.

Not all expected assets are imported.

Verify that the data collector for the given asset typeis properly configured.

Not all assets of a given type are collected.

4Chapter

Verify that the Application Server service accountis trusted for delegation.

Verify that the Service Principal Names are properlyregistered.

The error message “An Error occurred in DataQuery activity: Unable to retrieve list of Assets fromdirectory server: No Assets were resolved from thedirectory, either due to insufficient permissions oran invalid job definition” appears during asset importjob processing.

Install Oracle Instant Client 12.1 on your computer.

■ Download the Oracle Instant Client 12.1■ Copy the contents of the package to directory

at a known location.

Note: Symantec reccomends that the OracleInstant Client files must not be stored in theControl Compliance Suite installation directory.

■ Add the directory path to the PATH environmentvariable at system level.

■ Restart CCS manager service.

After CCS installation, when you initiate Oracleasset import job scoped to Windows or UNIXMachine, the job may fail with the following error:

Oracle Data Collector: An error occurred duringquery execution. The 'Symantec CCS OracleDatabase' data-collection module could not beinitialized.

You must have Information Server v10.5.1 alongwith latest CCSPlatform and Content Update (PCU)installed on your computer. The minimum PCUversion requirement is 2011-3 Update.

When you execute an asset import job for assetsof type VMware or Exchange through InformationServer, the job may fail with the following error:

An error occurred during query execution.


Asset import jobs from a single site run slowlyWhen you perform an Asset import, the import jobs from a single site may run more slowlythan jobs from other sites. If a slow import happens, the following may be the cause:

Correct the fault that prevents the CCS managerfrom operating properly.

Temporarily unregister the CCS manager, thenregister it again when repair is complete.

Temporarily move the CCS manager to a site withno assets.

One of the CCS managers in a Collector role thatretrieves data from the site has failed.


33Asset Import TroubleshootingAsset import jobs from a single site run slowly

Asset import jobs fail and report an exceptionWhen you perform an Asset import, the Asset import job may fail with the following exception:

An error occurred in the data query activity. Unable to retrieve the list of

assets from ADAM. No assets were resolved from the directory, either due to

insufficient permissions or invalid job definition.

This error indicates that the asset types that you selected in the “Limit Asset Import Scope”dialog box do not match. The selected types should match the asset types that are containedin the asset folder or asset group that is used for asset import.

To correct the error, you should limit the asset import scope. You should include only the assettypes that are contained in the asset folder or the asset group that is used for asset import.

For example, consider the following case:

■ You import Windows machines.

■ You use the “All Windows Machines” asset group.

■ The scope does not contain any domains, only Windows machines.

■ The scope that you select in the Limit Asset Import Scope dialog box contains onlydomains.

In this case, the asset import fails to resolve the assets unless you select “Machines” in the“Limit Asset Import Scope” dialog box.


Deleted ODBC data locations appear in CCSmanagersettings

When a user creates an ODBC data location and imports assets from the ODBC data location,then deletes the ODBC data location, the location may still appear in the CCSmanager settings.

If another user uses the data location, Asset Import jobs will fail, since the location no longerexists.

The user who created the ODBC data location or a (CCS) Administrator should use the CCSmanager Settings dialog to manually delete the platform and data location.


34Asset Import TroubleshootingAsset import jobs fail and report an exception

Agent Troubleshooting


■ Error on CCS agent during execution of query

Error on CCS agent during execution of queryWhile performing tasks like asset import, data collection or executing queries on the CCSagent you may encounter the following error:

The Symantec CCS MS SQL Server data-collection module could not be initialized.

The probable cause of this error may be that the SQL Server T4 snap-in that must be installedon the CCS Agent for raw data collection, may not be installed.

You must install the SQL Server T4 snap-in manually to resolve the situation.

For more information refer to the section Installing the SQL Server T4 snap-in on CCS Agentsfor raw-data collection on SQL Server of the Symantec™ Control Compliance Suite Planningand Deployment Guide.


5Chapter

Jobs Troubleshooting


■ Purge job timeout errors

■ Data evaluation error

■ An error for Agent Content Update job when CCS Manager in Load balancer role has diskspace issue

■ CER job for MySQL assets completes successfully but data collection details show an error

Purge job timeout errorsCCS Console displays timeout errors for the purge job.

To resolve the timeout errors, Symantec recommends to reduce the Purge Batch Size. PurgeBatch Size is the number of job runs the purge job purges in a given amount of time. The timeis specified in seconds for the TSQLCommitTimeout parameter in theAppserverService.exe.config file located at CCS\Reporting and Analytics\Application Serveron the CCS Application Server.

To reduce the Purge Batch Size, specify a value which is less than the default value for thefollowing parameter in the AppserverService.exe.config file:

<add key="PurgeBatchSize" value="5" />

The default value for the PurgeBatchSize parameter is 5.

Data evaluation errorCCS displayed the following error message when you had issues with data evaluation:

Evaluation will not be performed on the specified asset. Data collection size is {0} MB. Maximumallowed data collection size is {1} MB. To change the maximum data collection size add <add

6Chapter

key="MaxDataCollectionSizeToEvaluate" value="<size in MB>"/> in appSettings in Bladeworkerprocess configuration file on CCS manager in evaluation role. The data is collected forStandard Name: {2}

To increase the threshold value, add key="MaxDataCollectionSizeToEvaluate" value="60" inthe configuration file from CCS Manager, which is in evaluation role.

Restart the Data Processing Service after making changes to the configuration file.

An error for Agent Content Update job when CCSManager in Load balancer role has disk space issue

The following error appears on console for Agent Content Update job when CCS Manager inload balancer role has disk space issue.

Job Exception occurred - The socket connection was aborted. This could be

caused by an error processing your message or a receive timeout being exceeded

by remote host or an underlying network resource issue. local socket timeout

was <time>

Symantec recommends that you create Agent Content Update job that is scoped to maximum3000 agents. Hence, it is recommended that you keep 200 GB disk space on the drive whereCCS Manager is installed.

If you execute Agent Content Update job that is scoped to 3000 agents, it creates temporaryfile on load balancer computer at the following location for each asset that is scoped:<InstallDir>\Symantec\CCS\Reporting and Analytics\DPS\temp

The file size of the temporary file depends on the content to be deployed on agent. However,all the temporary files get deleted automatically after completion of the job.

CER job forMySQL assets completes successfully butdata collection details show an error

A collection-evaluation-reporting job scoped to MySQL assets completes successfully, but thedata collection details show the following error:

ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES).

The error occurs because the credentials provided for MySQL are incorrect.

Workaround: Provide correct credentials for MySQL assets and run thecollection-evaluation-reporting job again.

37Jobs TroubleshootingAn error for Agent Content Update job when CCS Manager in Load balancer role has disk space issue

Data CollectionTroubleshooting


■ Data collection troubleshooting

■ Data collection jobs fail to run

■ Data collection jobs from a site take longer time to complete

■ System.OutofMemory exception appears during data collection against Oracle assets

■ Data collection jobs fail with a login error

■ Data collection jobs fail with an error in evaluation

■ “Computer Unreachable” errors appear for Windows computers that do not have IIS

■ Error message appears while using the GetStaleAssetsbyCollectionDays API or cmdlet

■ CCS Manager on Windows 2008 R2 becomes non-responsive or restarts

■ Data loss observed after executing the evaluation job for SCAP

■ The application server service fails to start during migration

■ Cannot resolve collation conflict between Latin1_General_CI_AS andSQL_Latin1_General_CP1_CI_AS in the equal to operator

Data collection troubleshootingThis section explains the troubleshooting steps for errors that can occur when you run datacollection jobs.

See “Data collection jobs fail to run” on page 39.

7Chapter

See “Data collection jobs from a site take longer time to complete” on page 40.

See “System.OutofMemory exception appears during data collection against Oracle assets”on page 41.

See “Data collection jobs fail with a login error” on page 41.

See “Data collection jobs fail with an error in evaluation” on page 42.

See ““Computer Unreachable” errors appear for Windows computers that do not have IIS”on page 42.

See “Error message appears while using the GetStaleAssetsbyCollectionDays API or cmdlet”on page 43.

See “CCS Manager on Windows 2008 R2 becomes non-responsive or restarts” on page 43.

See “Data loss observed after executing the evaluation job for SCAP” on page 43.

See “The application server service fails to start during migration” on page 44.

See “Cannot resolve collation conflict between Latin1_General_CI_AS andSQL_Latin1_General_CP1_CI_AS in the equal to operator” on page 44.

To ensure that the job sizing is done as per the recommendations for the required scale andcompliance cycle needs of your organization, refer to the "Deployment based on the size"section of the Symantec™ Control Compliance Suite Planning and Deployment Guide.

Or, click on the following link to access SymHelp and then perform a search for the "Deploymentbased on the size" topic:

https://help.symantec.com/home/ccs12.0?locale=EN_US

Data collection jobs fail to runWhen you run a data collection job, the data collection job may fail to run properly at thescheduled time. If this error occurs, one of the following may be the cause:

Verify that the scheduling user password is properlyupdated in user management.

Scheduled data collection jobs fail to run at thescheduled time.

Verify that the Application Server credentials arecorrect.

Data collection jobs fail to run.

Verify that the Application Server and DirectoryServer credentials are both Local Administrators.

Data collection jobs fail to run.

Verify that the Production database host worksproperly.

All jobs fail to run.

39Data Collection TroubleshootingData collection jobs fail to run

https://help.symantec.com/home/ccs12.0?locale=EN_US

Verify that the Symantec.CSM.DSS SPN isassociated with only one account.

Jobs fail to run, and the error“Dispatcher.SimpleDispatch” appears.

Verify that the SPNs have been created properly.Also verify that the Service Name portion of the SPNfor the Directory Service matches what is specifiedin the AppServerService.exe.config file.

Jobs fail to run.

Increase the threshold value to be able to performdata collection on the specified asset.

■ The default value for MaxDataCollectionSize is2 GB. To increase the value forMaxDataCollectionSize, add the following keyin the BladeWorkerprocess.config file, onthe CCS Manager with Collector role:<add key="MaxDataCollectionSize" value="" />Specify a value larger than the default, which is2 GB.

■ The default value for MaxCombinedQRSSize is75 MB. To increase the value forMaxCombinedQRSSize, add the following keyin the Symantec.CSM.DPS.config file, onthe CCS Manager with Load Balancer role:<add key="MaxCombinedQRSSize" value="" />Specify a value larger than the default, which is75 MB.

Restart the Data Processing Service after makingchanges to the configuration files.

CCS does not perform data collection on the givenasset as the collected data size is more than thethreshold value.


See “Data collection troubleshooting” on page 38.

Data collection jobs from a site take longer time tocomplete

When you run data collection jobs, you may find that the data collection jobs from a particularsite take a longer time to complete.

A possible cause of this error can be that one of the CCS manager Collector, that retrievesdata from the site, has failed. You can correct the error that prevents the CCS manager fromoperating correctly.

While you correct the error, you should remove the CCS manager from the site.

40Data Collection TroubleshootingData collection jobs from a site take longer time to complete

Until you remove the failed CCS manager from the associated site, the CCS manager LoadBalancers continue to assign jobs to the CCS manager Collector. The CCS manager LoadBalancer does not reassign the job to another CCS manager Collector, until the Collector isunable to retrieve the data and times out.

To remove the CCS manager Collector, you can do one of the following:

■ Temporarily unregister the CCS manager, then register it again when repair is complete.

■ Temporarily move the CCS manager to a site with no assets.



System.OutofMemory exception appears during datacollection against Oracle assets

A System.OutOfMemory exception may appear when you run a dat collection job against alarge number of Oracle assets.

This error appears because data that the (CCS) collects from Oracle Assets uses chaineddata queries. These queries are very memory-intensive.

To avoid this error, you should limit Oracle queries to 1000 assets per job.



Data collection jobs fail with a login errorWhen a data collection job runs, it may fail, and the error message Login failed for user

may appear. If this error occurs, one of the following may be the cause:

Correct network errors to ensure that the sameinformation appears when you use the ping utilityfrom all computers.

The ping utility has different results for the targetcomputer when run from the Directory Server andfrom the target computer itself.

Use a domain account for the CCS manager .The Account that is used for the CCS manager isnot a domain account.



41Data Collection TroubleshootingSystem.OutofMemory exception appears during data collection against Oracle assets

Data collection jobs fail with an error in evaluationWhen you run data collection jobs, a data collection job may fail with the following errormessage:

An error occured in the evaluation activity.

Unable to retrieve the list of assets from ADAM.

No assets were resolved from the directory, either due to

insufficient permissions or invalid job definition.

This error means that the standard that is associated with the asset group does not contain atarget type that matches the assets in the asset group or the asset folder.

To correct the error, you should use the asset group that contains the assets of the target typethat the standard contains.

Consider the following example:

You run a data collection job with the standard that contains only “IIS Web Sites” target types.You use “All Windows Machines” asset group to run the data collection job. In such a case,the data collection job fails unless you select an asset group that contains IIS Web Sites.



“Computer Unreachable” errors appear for Windowscomputers that do not have IIS

A data collection job can include both computers with theMicrosoft Internet Information Services(IIS) Manager installed and computers without IIS installed. If you run a standard against thatdata collection job that includes IIS checks, the error “Computer Unreachable” appears forcomputers in the scope that do not have IIS installed.

Since the computer does not include IIS, the (CCS) is unable to determine if the computer isreachable and that it does not collect data for non-IIS checks.

You should restructure your data collection job to separate out assets with IIS installed fromthe ones without IIS installed and recollect the data for the respective standards and assets.



42Data Collection TroubleshootingData collection jobs fail with an error in evaluation

Error message appears while using theGetStaleAssetsbyCollectionDays API or cmdlet

The GetStaleAssetsbyCollectionDays API or cmdlet is used to get a list of stale Assets basedon valid inputs. The following error message appears while using the ISMJobService-GetStaleAssetsbyCollectionDays API or cmdlet.

You are not authorized to perform this task. Access is denied.

The error message appears if the ContainerPathtoSearch parameter for theGetStaleAssetsbyCollectionDays API is not specified.

To resolve this issue, ensure that you specify the following two mandatory parameters forGetStaleAssetsbyCollectionDays API:

■ ContainerPathtoSearch

■ Dayssince

For more information about using the GetStaleAssetsbyCollectionDays API, see the SymantecControl Compliance Suite API Reference Guide.


CCS Manager on Windows 2008 R2 becomesnon-responsive or restarts

The CCSManager running onWindows 2008 R2may become non-responsive or the machinemay restart automatically multiple times during agent-less data collection against Windows2012 assets. This issue is also observed during asset discovery job runs.

To resolve this operating system specific problem, apply the hotfix provided by Microsoft.

Download the hotfix from the following location:



Data loss observed after executing the evaluation jobfor SCAP

Sometimes data loss was observed for few assets after executing the evaluation job for SCAP.For those assets the following error was displayed in the messages tab:

Worker Process terminated

43Data Collection TroubleshootingError message appears while using the GetStaleAssetsbyCollectionDays API or cmdlet


To resolve this issue, the ActiveX Data Objects (ADO) version must be equivalent or greaterthan 6.1.7601.17857.

Run the Windows update on CCS Manager to get the latest version of the ADO.


The application server service fails to start duringmigration

During migration, the application server service fails to start and the following error is loggedin the application server log:

"Failed to connect to the database"

To resolve the issue, do the following:

1 Run Symantec.CSM.ConfigureServiceAccount.exe from application server folder.

2 In the Service Account Configurationwizard, in the Specify SQL database connectiondetails panel, provide the current SQL server host details then proceed to the Finishpanel.

If the wizard finishes without any error, start the application server service.

Note: You need the passphrases to perform the mentioned steps.


Cannot resolve collation conflict betweenLatin1_General_CI_AS andSQL_Latin1_General_CP1_CI_AS in the equal tooperator

For fresh installation of CCS 12.0 or upgrade to CCS 12.0, if the collation for Production orReporting databases is set to Latin1_General_CI_AS, then collection-evaluation-reporting jobfails with the following errors:

ErrorType of installation

"Cannot resolve collation conflict between Latin1_General_CI_ASand SQL_Latin1_General_CP1_CI_AS in the equal to operator."

Fresh installation of CCS 12.0

44Data Collection TroubleshootingThe application server service fails to start during migration

ErrorType of installation

"Cannot resolve collation conflict between Latin1_General_CI_ASand Latin1_General_CI_AI in the equal to operator” error."

Upgrade to CCS 12.0

To resolve the issue, you must set the collation for Production and Reporting databases toSQL_Latin1_General_CP1_CI_AS.


45Data Collection TroubleshootingCannot resolve collation conflict between Latin1_General_CI_AS and SQL_Latin1_General_CP1_CI_AS in the equal to

operator

Policy ModuleTroubleshooting


■ Cannot assign a reviewer or approver for a policy

■ Cannot access the Policy Central portal

■ Error while attaching a Word document to a custom policy

Cannot assign a reviewer or approver for a policyWhen you create a new policy, if no user has been explicitly assigned the Policy Reviewer orPolicy Approver role, you cannot assign a reviewer or approver to the policy.

By default no user has been assigned to the Policy Reviewer role or the Policy Approver role.Earlier versions of the (CCS) automatically assigned any users that you assigned to the CCSAdministrator role were also assigned to the Policy Reviewer and Policy Approver rolesautomatically. This automatic assignment no longer occurs.

You must manually assign one or more users to the Policy Reviewer and Policy Approverroles, then assign the users to the policies you create.

Cannot access the Policy Central portalIf CCS Application Server service is down or inaccessible, you get an error on the PolicyCentral portal.

After CCS Application Server service is up and running, you can access the Policy Central byrefreshing the portal twice.

8Chapter

Error while attaching a Word document to a custompolicy

After you upgrade from CCS 11.0 to CCS 12.0 while working in the Policies workspace, youcannot proceed with creating a custom policy if you do not attach an Ms-Word document tothe Document tab under Policies. When you try to attach the Ms-Word document however,you see the following error:

Error Saving Policy

To resolve the issue, apply Microsoft update package and restart your computer. You shouldnow be able to attach an Ms-Word document to your custom policy.

47Policy Module TroubleshootingError while attaching a Word document to a custom policy

https://www.microsoft.com/en-in/download/details.aspx?id=18346

Reports Troubleshooting


■ Performance slowdown in execution of report generation jobs

■ Server memory error in a reporting database synchronization job

■ Failed report generation job when crystal report is not installed on CCS Manager with areporting role

Performance slowdown in execution of reportgeneration jobs

While you run the report generation jobs, it is possible that the performance degrades over aperiod of time . The performance degradation happens when the report generation jobs fail orare cancelled during previous runs. The temporary data that is generated in the reportgeneration job staging tables is not cleaned up when the report generation jobs fail or arecancelled. This results in performance degradation due to accumulation of data in the temporarystaging tables.

Use the CleanStagingTables utility to clean the data in the temporary staging tables. TheCleanStagingTables utility is located in the <install dir>\ CCS\Reporting and Analytics\ApplicationServer.

Prerequisites to run the CleanStagingTables utilityThe prerequisites to run the CleanStagingTables utility are as follows:

■ The Application Server service must be running.

■ No reporting jobs must be running.

9Chapter

Running the CleanStagingTables utilityTo run the CleanStagingTables utility

1 Navigate to <install dir>\ CCS\Reporting and Analytics\Application Server.

2 Double click the CleanStagingTables utility.

3 The following message is displayed on the console: Ensure no report jobs are running.All the staging tables will be cleaned up. Do you want to continue (Y/N?)

If you enter N, the utility stops and exits.

If you enter Y, the console displays the progress of the utility.

The utility exits after the cleanup of staging tables is complete.

Server memory error in a reporting databasesynchronization job

When the error "XML document could not be created because server memory is very low"appears in a reporting database synchronization job, you must change the settings of thetempdb on the production database (CSM_DB) and the reporting database (CSM_Reports).

To change the settings of tempdb:

1 Connect to SQL database.

2 Expand Databases > System Databases > tempdb.

3 Right click tempdb and select Properties.

4 Click Files. Set the initial size of tempdb to 1024 MB. The default value for Autogrowth is10% and it is the recommended value.

If the error still persists, then restart the SQL server on the production database (CSM_DB)and the reporting database (CSM_Reports).

Failed report generation job when crystal report isnot installed on CCS Manager with a reporting role

When you run the report generation job for the CCS Manager with a reporting role, CCSdisplays the following error message when crystal report is not installed on the CCS Manager:

Error loading reporting framework assemblies. Make sure Crystal Reports 2010MSI is installed.

To resolve this issue, install Crystal Report 2010 32-bit and 64-bit versions from CCSManagerMedia along with any hotfixes.

49Reports TroubleshootingServer memory error in a reporting database synchronization job

SCAP ContentTroubleshooting


■ Improper display of SCAP Content view during first time launch of CCS console

■ Compliance score for SCAP profile (benchmark)

■ Incorrect calculation of aggregate risk score for profiles in custom dashboard panels

■ Unable to launch or view SymHelp

■ On a remote computer, CCS console does not launch from the desktop shortcut

■ The error, Unable to load configuration file is displayed during CCS console launch froma remote computer

■ Time-out error occurs during SCAP content import

■ An error is displayed during import of SCAP benchmark

■ Error in SCAP evaluation job

Improper display of SCAP Content view during firsttime launch of CCS console

In certain scenarios, after installation of CCS, when you navigate toManage > SCAP Contentview of the console for the first time, the view is displayed improperly. The SCAP Contentview displays only the details pane while the table pane of the view is hidden. You must dragthe details pane section downwards and reduce it to view the table pane section.

The cause of the issue and the workaround are explained in Table 10-1

10Chapter

Table 10-1 Improper display of SCAP content

WorkaroundCause

You must delete the contents of the Preferences folderafter you uninstall CCS.

The Preferences folder is present at the following locationon your local computer:

%USERPROFILE%\Local Settings\ApplicationData\Symantec\CCS\Preferences

This happens if you uninstall the and reinstall it again onthe same computer.


Compliance score for SCAP profile (benchmark)The predefined dashboard panel, Compliance score for SCAP profile (benchmark) displayssingle bar for profiles and benchmarks of same name but different benchmark versions.

The impacts of this issue and the workaround are as follows:

Do the following to resolve the issue:

■ Copy and edit the predefined dashboard panel,Compliance score for SCAP profile (benchmark).

■ In the Subject-attributes, select, benchmarkversion is equal to and provide the benchmarkversion for which you want to see compliancescores.

Following are the impacts of this issue:

■ For different benchmark versions, if profile nameand benchmark name are same, then thedashboard panel, Compliance score for SCAPprofile(benchmark) displays aggregatecompliance score for benchmarks with samename but different version.

■ You cannot view the compliance score for aprofile of a benchmark against a benchmarkversion.

■ You cannot compare compliance scores fordifferent benchmark versions for the predefineddashboard panel.


Incorrect calculation of aggregate risk score forprofiles in custom dashboard panels

Create a custom panel with asset risk score as, measure, and profile:benchmark as, dimension.Consider assets with risk score, NA to calculate the aggregate risk score for the profile:

51SCAP Content TroubleshootingCompliance score for SCAP profile (benchmark)

benchmark. If you evaluate assets against profiles for which risk score is not applicable, thenCCS still incorrectly considers those assets to calculate the aggregate risk score.

The method to resolve the issue is as follows:

Create a custom panel with SCAP asset risk score as, measure and profile: benchmark as,dimension. In the Subject-attributes select, SCAP Asset Risk Score is greater than 0.


Unable to launch or view SymHelpWhen you try to launch an online help topic by clicking Help or pressing F1, you might get anerror or nothing might get displayed. You may also notice that the page is in the process ofgetting launched however, nothing happens even after waiting for a long time.

This may occur if the Active Scripting is not enabled in your browser.

Enable Active Scripting in the browser. Refer to the following link to enable Active Scripting.


Also, ensure that the SymHelp URL is added as a Trusted Site.

To add SymHelp as a trusted site

1 Open Internet Explorer.

2 Go to Tools > Internet Options.

3 Under the Security tab, click Sites.

4 Enter the SymHelp URL and click Add.

5 Click Close.



On a remote computer, CCS console does not launchfrom the desktop shortcut

The issue and the workaround are as follows:

52SCAP Content TroubleshootingUnable to launch or view SymHelp


The workaround for the issue is as follows:

■ Uninstall the CCS Console■ Uninstall all the versions of .NET framework■ Install .NET Framework 3.5 SP1■ Launch the CCS Console remotely using the

following URL:http://<Machine name or FQDN name ofApplicationServer>/CCS_Web/Downloads/GetConsole.aspx

■ Double-click the shortcut for the CCS Consolethat is created on the desktop.

On the remote computer, the CCS console doesnot launch using the desktop shortcut



The error, Unable to load configuration file isdisplayed during CCS console launch from a remotecomputer

During launch of the CCS console from the remote computer, the following error can occur:

Unable to launch the console

Details:Error occurred while downloading application configuration file

As a workaround for this issue you can do the following:

■ Verify whether the Application Server Service is running

■ Ensure that the SPN settings are correctFor more details about the SPN settings, refer to the topic, Configuring Service PrincipalNames of the Symantec™ Control Compliance Suite Planning and Deployment Guide.



Time-out error occurs during SCAP content importSometimes a time-out error occurs during import of the following SCAP objects:

■ FDCC benchmarks

■ CCE

53SCAP Content TroubleshootingThe error, Unable to load configuration file is displayed during CCS console launch from a remote computer

■ CVE

■ Standalone OVAL

The cause for the error and the method to resolve are as follows:

The time-out setting can be configured through theconfiguration file, Symconsole.exe.config that islocated in, %temp% directory. The %temp%directory of the computer refers to the installationpath of the files that are installed to launch the CCSconsole on a remote computer.

For the following element in theSymconsole.exe.config file, edit the value of thesendTimeout attribute:

<binding name="netTcpWinConfig"closeTimeout="00:01:00" openTimeout="00:01:00"receiveTimeout="00:10:00"sendTimeout="00:10:00"... </binding>

Re-launch the CCS console after you modify thevalue.

By default, CCS sets a time-out period of 10minutesto import the SCAP objects.


An error is displayed during import of SCAPbenchmark

For some SCAP benchmarks an error may be displayed while importing.

Change the WCF readerQuotas settings at the following locations to import the benchmarksuccessfully:

■ Application server config file located in the <install_dir>\Appserver

■ CCS Console config file located in the Console folder

Change the following settings as mentioned for the binding name="netTcpWinConfig":

■ maxBufferPoolSize="1073741824"

■ maxBufferSize ="1073741824"

■ maxConnections="10"

■ maxReceivedMessageSize="1073741824"

■ maxDepth="32"

54SCAP Content TroubleshootingAn error is displayed during import of SCAP benchmark

■ maxStringContentLength="4194394"

■ maxArrayLength="4194394"


Error in SCAP evaluation jobThe issue and the workaround are as follows:

To resolve this issue, on the target computer, setthe value of the registry key NtfsDisable8dot3NameCreation available underHKLM\SYSTEM\CurrentControlSet\Control\FileSystem to 1.

After setting the registry key value, run the jobagain.

SCAP evaluation job for which the data is collectedin an agent-based mode may report an error dueto failure in compression of result file.


55SCAP Content TroubleshootingError in SCAP evaluation job

External Data IntegrationTroubleshooting


■ Could not create SSL/TLS secure channel

Could not create SSL/TLS secure channelIn CCS 12.0, when you try to add a new data connection to CCS-VM Rapid 7 Connector itthrows an error: could not create SSL/TLS secure channel.

CCS-VMRapid 7 uses certificates with SHA512 algorithm during installation. You must enableSH512 on the computer which has CCS-VM Rapid 7 Connector installed.

For SHA512RSA algorithm, it is mandatory to install Microsoft Update on CCS ApplicationServer and CCS Manager, to fix the issue documented in KB2973337. Refer to the followinglink for more information:

KB2973337

Note: You must restart the computer after you install the update.


11Chapter

https://support.microsoft.com/en-in/help/2973337/sha512-is-disabled-in-windows-when-you-use-tls-1-2

DashboardsTroubleshooting


■ Editing dashboard cache time span in custom panels

Editing dashboard cache time span in custom panelsWhen you create a custom panel, by selecting the area of interest asWeighted andCompensated Risk and adding Impact and Likelihood as the filter attributes, the valuesshown for the is equal to operator are shown as - All - and L.

The expected values are - All -, L, M, and H. However, the complete list of values does notget displayed because the dashboards cache has not been refreshed. You can edit thedashboards cache refresh time by performing the following steps:

1 Locate the Web.config file at <Installation_Directory>\ProgramFiles\Symantec\CCS\Reporting and Analytics\WebPortal.

2 Open the Web.config file and edit the value in the string <addkey="DynamicDashboard:ChartCacheTimeSpanInHours" value="24" />

The default refresh span is 24 hours. You can set the desired value, in hours.

3 Save the Web.config file.


12Chapter

Evidence Troublsehooting


■ Evidence collection job fails to run

■ Score contribution from an evidence source is not displayed in Asset Details pane

■ Evaluation results viewer times out

Evidence collection job fails to runWhen you run the evidence collection job, the job may fail with an error, “Composite Activitycannot transition to 'closed' status when there are active child context still exists for childactivity.”

This error occurs if asset addition fails due to some reason during evidence import. To avoidgetting the error in subsequent job runs, you have to restart the application server service afteryou get this error.


Score contribution from an evidence source is notdisplayed in Asset Details pane

When you register an evidence source using the ISS API with the score contribution andcalculation enabled, the scores may not be displayed in the Asset Details pane.

The scores may not be displayed because the asset cache does not get updated with thisinformation. Do the following to update the Asset Details pane:

■ Go to the Manage > Extended Evidence Source view.

■ Select the evidence source.

■ Right click and select Edit Evidence source from the menu.

13Chapter

■ Run through the wizard without making any changes.


Evaluation results viewer times outThe issue and the workaround are as follows:

Open the appserver.exe.config file that is locatedat <Install_Directory>:\ProgramFiles\Symantec\CCS\Reporting andAnalytics\Application Server\ and theSymconsole.exe.config file that is located at<Install_Directory>:\Users\administrator\AppData\Local\Apps\2.0\<Dynamic_Path>\....

Increase the receiveTimeout and sendTimeoutvalues in the parameter netTcpBinding. Forexample,

<netTcpBinding> <bindingname="netTcpWinConfig" closeTimeout="00:01:00"openTimeout="00:01:00" receiveTimeout="00:30:00"sendTimeout="00:30:00"

Sometimes, it is observed that the evaluation resultsviewer times out and throws an out of memoryexception.

This happens only in some cases where theevidence data is large.

59Evidence TroublsehootingEvaluation results viewer times out

Queries Troubleshooting


■ Platform and Entity fields are blank in the Create or Edit Query wizard

Platform and Entity fields are blank in the Create orEdit Query wizard

Sometimes while creating queires, the Entity and Fields panel in the Create or Edit Querywizard, displays blank values in the Platform and Entity fields.

This issue is observed in case the CCS setup is upgraded from CCS 10.5.1 to CCS 11.0.Some schema files fail to copy from the Application Server to the CCS Console folder whilethe click-once package gets extracted after the upgrade.

To fix this issue: Copy theWindows.Schema.dll from

1 Close the CCS Console.

2 Navigate to the following location:

<Install_Directory>:\Program Files\Symantec\CCS\Reporting and Analytics\ApplicationServer\

3 Copy theWindows.Schema.dll from the Application Server folder and paste it to theCCS Console folder.

4 Relaunch the CCS Console.

14Chapter

CyberArk EPV IntegrationTroubleshooting


■ CyberArk Policy dropdown list does not display any policy

■ Intermittent error while fetching password from CyberArk EPV

■ Asset Attribute Mappings tooltip displays an error

■ Asset attributes are not used for fetching password from CyberArk EPV

■ CyberArk EPV integration does not work as expected

CyberArk Policy dropdown list does not display anypolicy

In the Add Common Credential or the Add Asset Credential wizard, if the CyberArk Policydropdown list does not display any policy, then you must ensure that the following XML filesare valid in case you have edited them:

■ <Install Dir>\Application Server\CyberArkAttributeMappingMetadata.xml

■ <Install Dir>\Application Server\CyberArkPolicyMappingMetadata.xml

Intermittent error while fetching password fromCyberArk EPV

Credential resolution may fail intermittently while retrieving passwords from CyberArk EPV.The following error is logged in the application server logs:

15Chapter

CyberArk.AIM.NetPasswordSDK.Exceptions.PSDKException: CAUTL001E Failed to load xmldocument from string

In such cases, you must add the retry logic to enable retries for password resolution.

To enable retries, add the following key under appSettings node in the application serverconfiguration file:

<Install Dir>\Application Server\AppserverService.exe.config

<add key="RetryCountForCyberArkCredentialResolutionError" value="1" />

You must set the value parameter to the number of retries when any credential resolutionquery fails. To disable retries, remove the key from the application server configuration file, orset the value to 0.

Note: This error occurs intermittently due to an internal issue with the CyberArk SDK, whichis used for the CCS integration with CyberArk EPV server.

Asset Attribute Mappings tooltip displays an errorIn the Add Asset Credential wizard, if the Asset Attribute Mappings tooltip displays anerror, then youmust ensure that the following XML files are valid in case you have edited them:



Asset attributes are not used for fetching passwordfrom CyberArk EPV

If the Match CCS asset attributes with CyberArk password object attributes option isselected in the Add Asset Credential wizard, but the asset attributes are not included in thequery that is used to fetch the password from CyberArk EPV, then you must ensure that thefollowing XML files are valid in case you have edited them:



CyberArk EPV integration does not work as expectedAt times, you may encounter issues that pertain to password resolution from CyberArk EPVduring data collection. This section includes information on how to troubleshoot such issues.

62CyberArk EPV Integration TroubleshootingAsset Attribute Mappings tooltip displays an error

■ Ensure that the following configurations are done:

■ PIM Provider is installed on the Application Server computer.

■ CCS is registered as an application with the CyberArk EPV server.

■ CyberArk EPV integration settings are configured from CCS Console.You can configure the CyberArk EPV integration settings by using theGeneral Settingstab on the CCS Console.

■ Permissions have been assigned to PIM Provider on the required Safes from whichyou want to fetch passwords.

■ Permissions have been assigned to the CCS application, whose ID is specified in theCyberArk EPV integration settings on the required Safes.

■ Ensure that the following XMLs are valid, if you have edited them:



■ Check the CyberArk PIM Provider logs for more details on the issue.

63CyberArk EPV Integration TroubleshootingCyberArk EPV integration does not work as expected

symantec™ control compliance suite : troubleshooting guide

Documents