Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 15 subscribers
  • Views 10229 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Endpoints not installing updates

James Kimble

I have about 20 endpoints that are down and can't reach the sus.sophosupd.com. 

I've ran a trace and it looks like it doesn't even leave the server. Windows firewall maybe?

Getting errors in the log

2022-06-01T23:01:49.7614145Z WARNING : Error from sus.sophosupd.com/.../ed611b06-0330-4643-9099-146e0c4117bd with proxy: <direct; no proxy>: WinHttpSendRequest failed: The operation timed out (12002)
2022-06-01T23:02:19.7774847Z INFO : Trying update service url sus.sophosupd.com/.../ed611b06-0330-4643-9099-146e0c4117bd with proxy: <direct; no proxy> (try 5 of 5)
2022-06-01T23:03:22.8858468Z WARNING : Error from sus.sophosupd.com/.../ed611b06-0330-4643-9099-146e0c4117bd with proxy: <direct; no proxy>: WinHttpSendRequest failed: The operation timed out (12002)
2022-06-01T23:03:22.8858468Z ERROR : Error: No reachable update service locations
2022-06-01T23:03:22.8858468Z ERROR : DownloadCommand::onRun() failed with std::exception: SDDS3 sync failed
2022-06-01T23:03:22.8858468Z INFO : Command 'Download' completed with failure with reboot code '0' and error message 'Could not download software'.
2022-06-01T23:03:22.8858468Z ERROR : Installation failed.

I have a feeling its network related as this is only a small group but any insight?



This thread was automatically locked due to age.
  • 0

    Hi James,

    Thanks for reaching out to the Sophos Community Forum. 

    The easiest way to determine if something on your network is blocking communication would be to use a mobile hot-spot to connect one of the affected devices. If the updates succeed using the mobile hotspot, the white list on your firewall may need to be appended. 

    It looks like the devices in your environment have been updated recently and are now using the latest updating mechanism (SDDS3). Some additions were made to the list, the list can be found below. 
    - Domains and ports to allow

    I was able to locate the specific changes mentioned in the article Sophos Intercept X for Windows: Product architecture changes.

    • sus.sophosupd.com
    • sdds3.sophosupd.com
    • sdds3.sophosupd.net
    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • +1

    The error code 12002 is returned from the WinHTTP library when making a connection to the server and means the connection timed out:

    WinHttp: 12002 ERROR_WINHTTP_TIMEOUT

    This would suggest the client can resolve sus.sophosupd.com but can't connect to it.

    If the WinHTTP library can't resolve the address being queried for you get 

    WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED

    In this case, I suspect if you open Process Explorer, call update now, check the details of SophosUpdate.exe and look at the TCP/IP tab you will see it stuck in a SYN_SENT state.

    This is most likely due to a firewall. From the client, and from a PowerShell prompt, the output of 

    Test-NetConnection -Port 443 -ComputerName sus.sophosupd.com

    would be interesting. Specifically the TcpTestSucceeded value.

  • 0 in reply to Sophos User930

    I was able to use a hotspot on one of the machines with the issue. After doing extensive digging I found that due to a recent firewall change that Ireland was blocked and apparently that is where it was trying to connect or so I've been told. We poked a hole in the firewall to allow that connection. It's just has me scratching my head as to why it was only 20 and why they didn't attempt to connect to another update server. Your answer was spot on as it was stuck. Is there a way to set prefer update location, I'm sure this is an easy question but I just inherited the responsibilities of this system without any proper training.

  • 0 in reply to James Kimble

    The sus address is used to obtain a token to be able to update I believe but that doesn't really matter.

    If I nslookup the address I get as follows:

    nslookup sus.sophosupd.com

    Name: dualstack.sus-i-susse-193boo3sin3bm-113647544.eu-west-1.elb.amazonaws.com
    Addresses: 52.31.79.43
    54.194.250.58
    54.246.144.84
    Aliases: sus.sophosupd.com

    I assume it round robins the IPs but they would still be ec2 instances in the region in my case eu-west

    You can use an update cache / message relays to control the connections for management and updating if needed - Sophos Central Server: Update Cache and Message Relay FAQs

    Not sure why some clients worked and others did not though without making a few connections when the rule was in place.

Unfiltered HTML