MTR team wrote us that some of our servers cannot be managed by them.
This may be in relation to this thread
But here there is no 503 error in MCSClient.log and the client is green for MCS communication.
There has been another thread here also with UTM / SG Firewall. But I do not need to add IP addresses to the firewall because the traffic is already allowed:
SDU of one machine:
https://sdu-feedback.sophos.com/prod/57a7459e-5056-4952-a72b-04ae84719661_2022-01-14-08-19-47.zip
Note the warnings and errors in the logfile; this is happening continuously.
W (async) connection timeout, W [push]: error creating async stream:0
2022-01-14T03:27:39.645Z [ 2300: 3236] W [push]: error creating async stream: 0
2022-01-14T03:27:39.647Z [ 2300: 3236] I [push]: Dropping connection after error
2022-01-14T03:27:39.656Z [ 2300: 3236] I Establishing push connection
2022-01-14T03:27:39.658Z [ 2300: 3236] I [push]: [connect] trying server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps
2022-01-14T03:27:39.658Z [ 2300: 3236] I [push]: [connect] trying direct connection without a proxy
2022-01-14T03:27:39.658Z [ 2300: 3236] I GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps
2022-01-14T03:27:39.696Z [ 2300: 3236] I 200 OK: sent=0 rcvd=0 elapsed=37ms
2022-01-14T03:27:39.696Z [ 2300: 3236] I [push]: [connect] using server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps without a proxy (peer address 18.195.226.46)
2022-01-14T03:27:39.697Z [ 2300: 3236] I (async) GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps/push/endpoint/757a54e9-xxxx-9425-7ab2-xxxxxxxxxxxx
2022-01-14T03:28:00.771Z [ 2300: 3236] W (async) connection timeout
2022-01-14T03:28:00.773Z [ 2300: 3236] W [push]: error creating async stream: 0
2022-01-14T03:28:00.774Z [ 2300: 3236] I [push]: Dropping connection after error
2022-01-14T03:28:00.790Z [ 2300: 3236] I POST https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/v2/data_feed/device/57a7459e-xxxx-4952-a72b-xxxxxxxxxxxxx/feed_id/scheduled_query
2022-01-14T03:28:00.810Z [ 2300: 3236] I 200 : sent=5997 rcvd=0 elapsed=19ms
2022-01-14T03:28:00.810Z [ 2300: 3236] I Feed channel scheduled_query: uploading file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220114032748677.json result 0 purge false
2022-01-14T03:28:00.810Z [ 2300: 3236] I Feed channel scheduled_query: uploaded file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220114032748677.json
2022-01-14T03:28:00.812Z [ 2300: 3236] I Establishing push connection
2022-01-14T03:28:00.815Z [ 2300: 3236] I [push]: [connect] trying server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps
2022-01-14T03:28:00.815Z [ 2300: 3236] I [push]: [connect] trying direct connection without a proxy
2022-01-14T03:28:00.815Z [ 2300: 3236] I GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps
2022-01-14T03:28:00.847Z [ 2300: 3236] I 200 OK: sent=0 rcvd=0 elapsed=32ms
2022-01-14T03:28:00.848Z [ 2300: 3236] I [push]: [connect] using server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps without a proxy (peer address 54.93.214.175)
2022-01-14T03:28:00.848Z [ 2300: 3236] I (async) GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps/push/endpoint/757a54e9-xxxx-9425-7ab2-xxxxxxxxxxxx
2022-01-14T03:28:21.899Z [ 2300: 3236] W (async) connection timeout
2022-01-14T03:28:21.901Z [ 2300: 3236] W [push]: error creating async stream: 0
2022-01-14T03:28:21.902Z [ 2300: 3236] I [push]: Dropping connection after error
2022-01-14T03:28:21.913Z [ 2300: 3236] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/commands/applications/ALC;CORC;CORE;EFW;FIM;HBT;HMPA;LiveQuery;LiveTerminal;MCS;MDR;NTP;SAV;SDU;SHS;SWC;UI;APPSPROXY/endpoint/757a54e9-xxxx-9425-7ab2-xxxxxxxxxxxx
2022-01-14T03:28:21.928Z [ 2300: 3236] I 200 : sent=0 rcvd=140 elapsed=14ms
2022-01-14T03:28:21.928Z [ 2300: 3236] I Establishing push connection
2022-01-14T03:28:21.931Z [ 2300: 3236] I [push]: [connect] trying server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps
2022-01-14T03:28:21.931Z [ 2300: 3236] I [push]: [connect] trying direct connection without a proxy
2022-01-14T03:28:21.931Z [ 2300: 3236] I GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps
2022-01-14T03:28:21.965Z [ 2300: 3236] I 200 OK: sent=0 rcvd=0 elapsed=33ms
2022-01-14T03:28:21.965Z [ 2300: 3236] I [push]: [connect] using server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps without a proxy (peer address 52.57.196.83)
2022-01-14T03:28:21.966Z [ 2300: 3236] I (async) GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps/push/endpoint/757a54e9-xxxx-9425-7ab2-xxxxxxxxxxxx
2022-01-14T03:28:43.027Z [ 2300: 3236] W (async) connection timeout
2022-01-14T03:28:43.028Z [ 2300: 3236] W [push]: error creating async stream: 0
2022-01-14T03:28:43.029Z [ 2300: 3236] I [push]: Dropping connection after error
2022-01-14T03:28:43.040Z [ 2300: 3236] I POST https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/v2/data_feed/device/57a7459e-xxxx-4952-a72b-xxxxxxxxxxxxx/feed_id/scheduled_query
2022-01-14T03:28:43.058Z [ 2300: 3236] I 200 : sent=781 rcvd=0 elapsed=17ms
2022-01-14T03:28:43.058Z [ 2300: 3236] I Feed channel scheduled_query: uploading file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220114032821815.json result 0 purge false
2022-01-14T03:28:43.058Z [ 2300: 3236] I Feed channel scheduled_query: uploaded file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220114032821815.json
2022-01-14T03:28:43.059Z [ 2300: 3236] I Establishing push connection
2022-01-14T03:28:43.061Z [ 2300: 3236] I [push]: [connect] trying server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps
2022-01-14T03:28:43.061Z [ 2300: 3236] I [push]: [connect] trying direct connection without a proxy
2022-01-14T03:28:43.061Z [ 2300: 3236] I GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps
2022-01-14T03:28:43.095Z [ 2300: 3236] I 200 OK: sent=0 rcvd=0 elapsed=34ms
2022-01-14T03:28:43.096Z [ 2300: 3236] I [push]: [connect] using server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps without a proxy (peer address 52.57.196.83)
2022-01-14T03:28:43.096Z [ 2300: 3236] I (async) GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps/push/endpoint/757a54e9-xxxx-9425-7ab2-xxxxxxxxxxxx
2022-01-14T03:29:04.156Z [ 2300: 3236] W (async) connection timeout
2022-01-14T03:29:04.157Z [ 2300: 3236] W [push]: error creating async stream: 0
2022-01-14T03:29:04.158Z [ 2300: 3236] I [push]: Dropping connection after error
mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps without a proxy (peer address 54.93.214.175
There is no Web Proxy between the Server and Central, only normal firewall rules (Sophos SG).
The IP Address from the Firewall log: 54.93.214.175
This is the list of Central Servers we're allowing traffic to on the SF Firewall:
mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
mcs-cloudstation-eu-central-1.prod.hydra.sophos.com
tf-edr-message-upload-us-west-2-prod-bucket.s3.amazonaws.com
tf-edr-message-upload-us-east-2-prod-bucket.s3.amazonaws.com
tf-edr-message-upload-eu-west-1-prod-bucket.s3.amazonaws.com
tf-edr-message-upload-eu-central-1-prod-bucket.s3.amazonaws.com
t1.sophosupd.com
sus.sophosupd.com
sophosxl.net
sophos.com
sdu-feedback.sophos.com
sdds3.sophosupd.net
sdds3.sophosupd.com
samples.sophosxl.net
prod.endpointintel.darkbytes.io
ocsp2.globalsign.com
ocsp.globalsign.com
mcs-push-server-us-west-2.prod.hydra.sophos.com
mcs-push-server-us-east-2.prod.hydra.sophos.com
mcs-push-server-eu-west-1.prod.hydra.sophos.com
mcs-push-server-eu-central-1.prod.hydra.sophos.com
live-terminal-us-west-2.prod.hydra.sophos.com
live-terminal-us-east-2.prod.hydra.sophos.com
live-terminal-eu-west-1.prod.hydra.sophos.com
live-terminal-eu-central-1.prod.hydra.sophos.com
kinesis.us-west-2.amazonaws.com
id.sophos.com
hydra.sophos.com
downloads.sophos.com
dci.sophosupd.net
dci.sophosupd.com
d3.sophosupd.net
d3.sophosupd.com
d2.sophosupd.net
d2.sophosupd.com
d1.sophosupd.net
d1.sophosupd.com
crl4.digicert.com
crl3.digicert.com
crl.globalsign.net
crl.globalsign.com
cloud.sophos.com
cloud-assets.sophos.com
central.sophos.com
az416426.vo.msecnd.net
api-cloudstation-eu-central-1.prod.hydra.sophos.com
4.sophosxl.net
You can see the host from the logfile is listed there already.
We're having so much trouble with Central communication and paying so much for all our Sophos services... no good combination
Asking for some help.
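An added example, not part of the original post: one way to summarize the MCSClient.log excerpt above is to pair each "[connect] using server ... (peer address ...)" entry with the "(async) connection timeout" that follows it, and report the delay per peer IP for comparison with the firewall log. The function names are illustrative, and the sample is built from entries in the post.

```python
import re
from datetime import datetime

STAMP = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}Z(?= \[)")
HEADER = re.compile(r"^\[\s*\d+:\s*\d+\]\s*")        # "[ pid: tid]" prefix
PEER = re.compile(r"\(peer address ([0-9.]+)\)")
HOST = "https://mcs-push-server-eu-central-1.prod.hydra.sophos.com"

# Sample input: entries taken from the log in the post, joined by spaces the
# way a pasted log can run several entries together on one line.
SAMPLE = " ".join([
    "2022-01-14T03:27:39.696Z [ 2300: 3236] I 200 OK: sent=0 rcvd=0 elapsed=37ms",
    f"2022-01-14T03:27:39.696Z [ 2300: 3236] I [push]: [connect] using server {HOST}/ps without a proxy (peer address 18.195.226.46)",
    "2022-01-14T03:28:00.771Z [ 2300: 3236] W (async) connection timeout",
    f"2022-01-14T03:28:00.848Z [ 2300: 3236] I [push]: [connect] using server {HOST}/ps without a proxy (peer address 54.93.214.175)",
    "2022-01-14T03:28:21.899Z [ 2300: 3236] W (async) connection timeout",
])

def entries(text):
    """Yield (timestamp, level, message); works on run-together or per-line logs."""
    starts = [m.start() for m in STAMP.finditer(text)] + [len(text)]
    for a, b in zip(starts, starts[1:]):
        ts, _, rest = text[a:b].partition(" ")
        level, _, msg = HEADER.sub("", rest, count=1).strip().partition(" ")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ"), level, msg

def push_attempts(text):
    """One dict per push attempt: peer IP, outcome, seconds until the timeout."""
    attempts, current = [], None
    for ts, level, msg in entries(text):
        peer = PEER.search(msg)
        if "[connect] using server" in msg and peer:
            current = {"peer": peer.group(1), "start": ts, "outcome": "open", "seconds": None}
            attempts.append(current)
        elif current and current["outcome"] == "open" and msg == "(async) connection timeout":
            current["outcome"] = "timeout"
            current["seconds"] = round((ts - current["start"]).total_seconds(), 1)
    return attempts

def summarize(attempts):
    """Count attempts and timeouts per peer address."""
    summary = {}
    for a in attempts:
        s = summary.setdefault(a["peer"], {"attempts": 0, "timeouts": 0})
        s["attempts"] += 1
        s["timeouts"] += a["outcome"] == "timeout"
    return summary

if __name__ == "__main__":
    for a in push_attempts(SAMPLE):
        print(a["peer"], a["outcome"], a["seconds"])
```

On the sample, the connect request to each peer returns 200 OK within milliseconds, while the async stream to the same peer times out about 21 seconds later.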