This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Windows Servers: Live discover and MTR not working. MCS Client: W (async) connection timeout, W [push]: error creating async stream: 0

MTR team wrote us that some of our servers cannot be managed by them.

This maybe in relation with this thread

But here is no 503 error in MCSClient.log and the client is green for MCS communication

There has been an other thread here also with UTM / SG Firewall. Bit I do not need to add IP addresses to the firewall because the traffic is already allowed:

https://community.sophos.com/intercept-x-endpoint/f/discussions/126574/server-offline-in-live-discover

SDU of one machine:

https://sdu-feedback.sophos.com/prod/57a7459e-5056-4952-a72b-04ae84719661_2022-01-14-08-19-47.zip

Note the warnings and errors in the logfile, this is happening continously.

W (async) connection timeout, W [push]: error creating async stream:0

2022-01-14T03:27:39.645Z [ 2300: 3236] W [push]: error creating async stream: 0
2022-01-14T03:27:39.647Z [ 2300: 3236] I [push]: Dropping connection after error
2022-01-14T03:27:39.656Z [ 2300: 3236] I Establishing push connection
2022-01-14T03:27:39.658Z [ 2300: 3236] I [push]: [connect] trying server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps
2022-01-14T03:27:39.658Z [ 2300: 3236] I [push]: [connect] trying direct connection without a proxy
2022-01-14T03:27:39.658Z [ 2300: 3236] I GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps
2022-01-14T03:27:39.696Z [ 2300: 3236] I 200 OK: sent=0 rcvd=0 elapsed=37ms
2022-01-14T03:27:39.696Z [ 2300: 3236] I [push]: [connect] using server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps without a proxy (peer address 18.195.226.46)
2022-01-14T03:27:39.697Z [ 2300: 3236] I (async) GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps/push/endpoint/757a54e9-xxxx-9425-7ab2-xxxxxxxxxxxx
2022-01-14T03:28:00.771Z [ 2300: 3236] W (async) connection timeout
2022-01-14T03:28:00.773Z [ 2300: 3236] W [push]: error creating async stream: 0
2022-01-14T03:28:00.774Z [ 2300: 3236] I [push]: Dropping connection after error
2022-01-14T03:28:00.790Z [ 2300: 3236] I POST https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/v2/data_feed/device/57a7459e-xxxx-4952-a72b-xxxxxxxxxxxxx/feed_id/scheduled_query
2022-01-14T03:28:00.810Z [ 2300: 3236] I 200 : sent=5997 rcvd=0 elapsed=19ms
2022-01-14T03:28:00.810Z [ 2300: 3236] I Feed channel scheduled_query: uploading file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220114032748677.json result 0 purge false
2022-01-14T03:28:00.810Z [ 2300: 3236] I Feed channel scheduled_query: uploaded file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220114032748677.json
2022-01-14T03:28:00.812Z [ 2300: 3236] I Establishing push connection
2022-01-14T03:28:00.815Z [ 2300: 3236] I [push]: [connect] trying server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps
2022-01-14T03:28:00.815Z [ 2300: 3236] I [push]: [connect] trying direct connection without a proxy
2022-01-14T03:28:00.815Z [ 2300: 3236] I GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps
2022-01-14T03:28:00.847Z [ 2300: 3236] I 200 OK: sent=0 rcvd=0 elapsed=32ms
2022-01-14T03:28:00.848Z [ 2300: 3236] I [push]: [connect] using server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps without a proxy (peer address 54.93.214.175)
2022-01-14T03:28:00.848Z [ 2300: 3236] I (async) GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps/push/endpoint/757a54e9-xxxx-9425-7ab2-xxxxxxxxxxxx
2022-01-14T03:28:21.899Z [ 2300: 3236] W (async) connection timeout
2022-01-14T03:28:21.901Z [ 2300: 3236] W [push]: error creating async stream: 0
2022-01-14T03:28:21.902Z [ 2300: 3236] I [push]: Dropping connection after error
2022-01-14T03:28:21.913Z [ 2300: 3236] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/commands/applications/ALC;CORC;CORE;EFW;FIM;HBT;HMPA;LiveQuery;LiveTerminal;MCS;MDR;NTP;SAV;SDU;SHS;SWC;UI;APPSPROXY/endpoint/757a54e9-xxxx-9425-7ab2-xxxxxxxxxxxx
2022-01-14T03:28:21.928Z [ 2300: 3236] I 200 : sent=0 rcvd=140 elapsed=14ms
2022-01-14T03:28:21.928Z [ 2300: 3236] I Establishing push connection
2022-01-14T03:28:21.931Z [ 2300: 3236] I [push]: [connect] trying server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps
2022-01-14T03:28:21.931Z [ 2300: 3236] I [push]: [connect] trying direct connection without a proxy
2022-01-14T03:28:21.931Z [ 2300: 3236] I GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps
2022-01-14T03:28:21.965Z [ 2300: 3236] I 200 OK: sent=0 rcvd=0 elapsed=33ms
2022-01-14T03:28:21.965Z [ 2300: 3236] I [push]: [connect] using server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps without a proxy (peer address 52.57.196.83)
2022-01-14T03:28:21.966Z [ 2300: 3236] I (async) GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps/push/endpoint/757a54e9-xxxx-9425-7ab2-xxxxxxxxxxxx
2022-01-14T03:28:43.027Z [ 2300: 3236] W (async) connection timeout
2022-01-14T03:28:43.028Z [ 2300: 3236] W [push]: error creating async stream: 0
2022-01-14T03:28:43.029Z [ 2300: 3236] I [push]: Dropping connection after error
2022-01-14T03:28:43.040Z [ 2300: 3236] I POST https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/v2/data_feed/device/57a7459e-xxxx-4952-a72b-xxxxxxxxxxxxx/feed_id/scheduled_query
2022-01-14T03:28:43.058Z [ 2300: 3236] I 200 : sent=781 rcvd=0 elapsed=17ms
2022-01-14T03:28:43.058Z [ 2300: 3236] I Feed channel scheduled_query: uploading file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220114032821815.json result 0 purge false
2022-01-14T03:28:43.058Z [ 2300: 3236] I Feed channel scheduled_query: uploaded file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220114032821815.json
2022-01-14T03:28:43.059Z [ 2300: 3236] I Establishing push connection
2022-01-14T03:28:43.061Z [ 2300: 3236] I [push]: [connect] trying server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps
2022-01-14T03:28:43.061Z [ 2300: 3236] I [push]: [connect] trying direct connection without a proxy
2022-01-14T03:28:43.061Z [ 2300: 3236] I GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps
2022-01-14T03:28:43.095Z [ 2300: 3236] I 200 OK: sent=0 rcvd=0 elapsed=34ms
2022-01-14T03:28:43.096Z [ 2300: 3236] I [push]: [connect] using server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps without a proxy (peer address 52.57.196.83)
2022-01-14T03:28:43.096Z [ 2300: 3236] I (async) GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps/push/endpoint/757a54e9-xxxx-9425-7ab2-xxxxxxxxxxxx
2022-01-14T03:29:04.156Z [ 2300: 3236] W (async) connection timeout
2022-01-14T03:29:04.157Z [ 2300: 3236] W [push]: error creating async stream: 0
2022-01-14T03:29:04.158Z [ 2300: 3236] I [push]: Dropping connection after error

mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps without a proxy (peer address 54.93.214.175

There is no Web Proxy between the Server and Central, only normal firewall rules (Sophos SG).

The IP Address from the Firewall log: 54.93.214.175

This is the list of Central Servers we're allowing traffic to on the SF Firewall:

mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
mcs-cloudstation-eu-central-1.prod.hydra.sophos.com
tf-edr-message-upload-us-west-2-prod-bucket.s3.amazonaws.com
tf-edr-message-upload-us-east-2-prod-bucket.s3.amazonaws.com
tf-edr-message-upload-eu-west-1-prod-bucket.s3.amazonaws.com
tf-edr-message-upload-eu-central-1-prod-bucket.s3.amazonaws.com
t1.sophosupd.com
sus.sophosupd.com
sophosxl.net
sophos.com
sdu-feedback.sophos.com
sdds3.sophosupd.net
sdds3.sophosupd.com
samples.sophosxl.net
prod.endpointintel.darkbytes.io
ocsp2.globalsign.com
ocsp.globalsign.com
mcs-push-server-us-west-2.prod.hydra.sophos.com
mcs-push-server-us-east-2.prod.hydra.sophos.com
mcs-push-server-eu-west-1.prod.hydra.sophos.com
mcs-push-server-eu-central-1.prod.hydra.sophos.com
live-terminal-us-west-2.prod.hydra.sophos.com
live-terminal-us-east-2.prod.hydra.sophos.com
live-terminal-eu-west-1.prod.hydra.sophos.com
live-terminal-eu-central-1.prod.hydra.sophos.com
kinesis.us-west-2.amazonaws.com
id.sophos.com
hydra.sophos.com
downloads.sophos.com
dci.sophosupd.net
dci.sophosupd.com
d3.sophosupd.net
d3.sophosupd.com
d2.sophosupd.net
d2.sophosupd.com
d1.sophosupd.net
d1.sophosupd.com
crl4.digicert.com
crl3.digicert.com
crl.globalsign.net
crl.globalsign.com
cloud.sophos.com
cloud-assets.sophos.com
central.sophos.com
az416426.vo.msecnd.net
api-cloudstation-eu-central-1.prod.hydra.sophos.com
4.sophosxl.net

You can see the host from the logfile is listed there already.

We're having so much trouble with Central communication and paying so much for all our Sophos services... no good combination

Asking for some help.



This thread was automatically locked due to age.
Parents Reply Children
  • seems to be caused  the lack of feature of the UTM to handle Wildcard *FQDN

    The machines are trying to talk to

    su-8061a3085361.mcs-push-server-eu-central-1.prod.hydra.sophos.com

    and you can only see that in tcpdump / DNS resolution requests because it's not even logged in MCSClient.log when in debug mode.

    The Servername in bold letters changes, of course.

    And it's written there in the KB about Central Domains clearly and so our Sophos UTM firewall does not support Sophos Advanced XDR

    On our XG there are 165 hostservers listed as resolved for *.mcs-push-server-eu-central-1.prod.hydra.sophos.com