Endpoints not installing updates

I have about 20 endpoints that are down and can't reach sus.sophosupd.com.

I've run a trace and it looks like it doesn't even leave the server. Windows firewall maybe?

Getting errors in the log

2022-06-01T23:01:49.7614145Z WARNING : Error from sus.sophosupd.com/.../ed611b06-0330-4643-9099-146e0c4117bd with proxy: <direct; no proxy>: WinHttpSendRequest failed: The operation timed out (12002)
2022-06-01T23:02:19.7774847Z INFO : Trying update service url sus.sophosupd.com/.../ed611b06-0330-4643-9099-146e0c4117bd with proxy: <direct; no proxy> (try 5 of 5)
2022-06-01T23:03:22.8858468Z WARNING : Error from sus.sophosupd.com/.../ed611b06-0330-4643-9099-146e0c4117bd with proxy: <direct; no proxy>: WinHttpSendRequest failed: The operation timed out (12002)
2022-06-01T23:03:22.8858468Z ERROR : Error: No reachable update service locations
2022-06-01T23:03:22.8858468Z ERROR : DownloadCommand::onRun() failed with std::exception: SDDS3 sync failed
2022-06-01T23:03:22.8858468Z INFO : Command 'Download' completed with failure with reboot code '0' and error message 'Could not download software'.
2022-06-01T23:03:22.8858468Z ERROR : Installation failed.

I have a feeling it's network related as this is only a small group, but any insight?

  • Hi James,

    Thanks for reaching out to the Sophos Community Forum. 

    The easiest way to determine if something on your network is blocking communication would be to use a mobile hotspot to connect one of the affected devices. If the updates succeed using the mobile hotspot, the white list on your firewall may need to be appended.

    It looks like the devices in your environment have been updated recently and are now using the latest updating mechanism (SDDS3). Some additions were made to the list, which can be found below:
    - Domains and ports to allow

    I was able to locate the specific changes mentioned in the article Sophos Intercept X for Windows: Product architecture changes.

    • sus.sophosupd.com
    • sdds3.sophosupd.com
    • sdds3.sophosupd.net
    Kushal Lakhan
    Global Community Support Engineer
  • The error code 12002 is returned from the WinHTTP library when making a connection to the server and means the connection timed out:

    WinHttp: 12002 ERROR_WINHTTP_TIMEOUT

    This would suggest the client can resolve sus.sophosupd.com but can't connect to it.

    If the WinHTTP library can't resolve the address being queried, you get

    WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED

    In this case, I suspect if you open Process Explorer, call update now, check the details of SophosUpdate.exe and look at the TCP/IP tab you will see it stuck in a SYN_SENT state.

    This is most likely due to a firewall. From the client, and from a PowerShell prompt, the output of 

    Test-NetConnection -Port 443 -ComputerName sus.sophosupd.com

    would be interesting. Specifically the TcpTestSucceeded value.

  • I was able to use a hotspot on one of the machines with the issue. After doing extensive digging I found that, due to a recent firewall change, Ireland was blocked, and apparently that is where it was trying to connect, or so I've been told. We poked a hole in the firewall to allow that connection. It just has me scratching my head as to why it was only 20 and why they didn't attempt to connect to another update server. Your answer was spot on as it was stuck. Is there a way to set a preferred update location? I'm sure this is an easy question, but I just inherited the responsibilities of this system without any proper training.

  • The sus address is used to obtain a token to be able to update I believe but that doesn't really matter.

    If I nslookup the address I get as follows:

    nslookup sus.sophosupd.com

    Name: dualstack.sus-i-susse-193boo3sin3bm-113647544.eu-west-1.elb.amazonaws.com
    Addresses: 52.31.79.43
    54.194.250.58
    54.246.144.84
    Aliases: sus.sophosupd.com

    I assume it round-robins the IPs, but they would still be EC2 instances in the region, in my case eu-west.

    You can use an update cache / message relays to control the connections for management and updating if needed - Sophos Central Server: Update Cache and Message Relay FAQs

    Not sure why some clients worked and others did not, though, without making a few connections when the rule was in place.
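The check suggested earlier in the thread (Test-NetConnection on TCP/443) and the nslookup above can be combined into one client-side script that separates the two WinHTTP failure modes: a name that does not resolve (the 12007 case) versus a resolved address whose TCP handshake never completes (the 12002 case, the stuck SYN_SENT seen here). This is an added example, not code from the thread or from Sophos; the host list comes from the reply above, and the 5-second timeout is an assumed value chosen for a quick check.

```powershell
# Added example (not from the thread): classify reachability of the SDDS3 update hosts
# the way WinHTTP reports it: NAME_NOT_RESOLVED (12007-style) vs TIMEOUT (12002-style) vs OK.
$UpdateHosts = @('sus.sophosupd.com', 'sdds3.sophosupd.com', 'sdds3.sophosupd.net')
$Port        = 443
$TimeoutMs   = 5000   # assumed value for a quick check; WinHTTP's own timeout is longer

function Test-UpdateHost {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    # Step 1: DNS. A failure here corresponds to ERROR_WINHTTP_NAME_NOT_RESOLVED (12007).
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    } catch { $addrs = $null }
    if (-not $addrs) {
        return [pscustomobject]@{ Host = $HostName; Address = $null; Result = 'NAME_NOT_RESOLVED' }
    }
    # Step 2: TCP connect to every resolved address with a bounded wait. A handshake that
    # never completes (SYN sent, no reply) corresponds to ERROR_WINHTTP_TIMEOUT (12002).
    foreach ($ip in $addrs) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ip, $Port, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $state = 'TIMEOUT'
            } else {
                $client.EndConnect($async)      # throws if the peer refused / reset
                $state = 'OK'
            }
        } catch {
            $state = 'REFUSED_OR_ERROR'
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Host = $HostName; Address = $ip.IPAddressToString; Result = $state }
    }
}

$report = foreach ($h in $UpdateHosts) { Test-UpdateHost -HostName $h -Port $Port -TimeoutMs $TimeoutMs }
$report | Format-Table -AutoSize

# A TIMEOUT row with a resolved address is the egress-filtering case from this thread:
# DNS works, but the SYN to that IP (an AWS eu-west-1 load balancer here) gets no answer.
$blocked = @($report | Where-Object Result -eq 'TIMEOUT')
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} address(es) time out on TCP/{1}; check outbound/geo-IP firewall rules." -f $blocked.Count, $Port)
}
```

Because every resolved address is tested rather than just the first, the output also shows whether only some of the round-robin IPs are blocked, which would explain a subset of clients failing while others update.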