
Endpoints not installing updates

I have about 20 endpoints that are down and can't reach the sus.sophosupd.com. 

I've run a trace and it looks like it doesn't even leave the server. Windows firewall maybe?

Getting errors in the log

2022-06-01T23:01:49.7614145Z WARNING : Error from sus.sophosupd.com/.../ed611b06-0330-4643-9099-146e0c4117bd with proxy: <direct; no proxy>: WinHttpSendRequest failed: The operation timed out (12002)
2022-06-01T23:02:19.7774847Z INFO : Trying update service url sus.sophosupd.com/.../ed611b06-0330-4643-9099-146e0c4117bd with proxy: <direct; no proxy> (try 5 of 5)
2022-06-01T23:03:22.8858468Z WARNING : Error from sus.sophosupd.com/.../ed611b06-0330-4643-9099-146e0c4117bd with proxy: <direct; no proxy>: WinHttpSendRequest failed: The operation timed out (12002)
2022-06-01T23:03:22.8858468Z ERROR : Error: No reachable update service locations
2022-06-01T23:03:22.8858468Z ERROR : DownloadCommand::onRun() failed with std::exception: SDDS3 sync failed
2022-06-01T23:03:22.8858468Z INFO : Command 'Download' completed with failure with reboot code '0' and error message 'Could not download software'.
2022-06-01T23:03:22.8858468Z ERROR : Installation failed.

I have a feeling it's network related as this is only a small group, but any insight?



  • The error code 12002 is returned from the WinHTTP library when making a connection to the server and means the connection timed out:

    WinHttp: 12002 ERROR_WINHTTP_TIMEOUT

    This would suggest the client can resolve sus.sophosupd.com but can't connect to it.

    If the WinHTTP library can't resolve the address being queried, you get

    WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED

    In this case, I suspect if you open Process Explorer, call update now, check the details of SophosUpdate.exe and look at the TCP/IP tab you will see it stuck in a SYN_SENT state.

    This is most likely due to a firewall. From the client, and from a PowerShell prompt, the output of 

    Test-NetConnection -Port 443 -ComputerName sus.sophosupd.com

    would be interesting. Specifically the TcpTestSucceeded value.

  • I was able to use a hotspot on one of the machines with the issue. After doing extensive digging I found that, due to a recent firewall change, Ireland was blocked, and apparently that is where it was trying to connect, or so I've been told. We poked a hole in the firewall to allow that connection. It just has me scratching my head as to why it was only 20 and why they didn't attempt to connect to another update server. Your answer was spot on as it was stuck. Is there a way to set a preferred update location? I'm sure this is an easy question, but I just inherited the responsibilities of this system without any proper training.


  • The sus address is used to obtain a token to be able to update, I believe, but that doesn't really matter.

    If I nslookup the address I get as follows:

    nslookup sus.sophosupd.com

    Name: dualstack.sus-i-susse-193boo3sin3bm-113647544.eu-west-1.elb.amazonaws.com
    Addresses: 52.31.79.43
    54.194.250.58
    54.246.144.84
    Aliases: sus.sophosupd.com

    I assume it round-robins the IPs, but they would still be EC2 instances in the region, in my case eu-west.

    You can use an update cache / message relays to control the connections for management and updating if needed - Sophos Central Server: Update Cache and Message Relay FAQs

    Not sure why some clients worked and others did not, though, without making a few connections when the rule was in place.
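Putting the two checks from the answers above into one script, as an added example that is not code from this thread or from Sophos: it counts the WinHTTP error codes (12002 timeout versus 12007 name not resolved) found in an update log, then resolves sus.sophosupd.com to every A record behind the load balancer and runs the Test-NetConnection port 443 check against each address. The log path is a placeholder to adjust on the endpoint; the cmdlets are the standard DnsClient and NetTCPIP ones. Run it from an affected client.

```powershell
# Added example (not from the thread): summarise WinHTTP errors in the update
# log, then test TCP 443 to every address sus.sophosupd.com resolves to.
param(
    [string]$UpdateHost = 'sus.sophosupd.com',
    [int]$Port = 443,
    [string]$LogPath = 'C:\PLACEHOLDER\SophosUpdate.log'   # placeholder: set to the real log path
)

# WinHTTP error codes discussed in the thread, with what each one implies.
$WinHttpCodes = @{
    12002 = 'ERROR_WINHTTP_TIMEOUT: name resolved, but connect/response timed out (firewall?)'
    12007 = 'ERROR_WINHTTP_NAME_NOT_RESOLVED: DNS lookup failed'
}

# 1. Count each WinHTTP failure code in the update log, if the log is present.
if (Test-Path $LogPath) {
    Select-String -Path $LogPath -Pattern 'WinHttpSendRequest failed: .*\((\d+)\)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Group-Object |
        ForEach-Object {
            $code = [int]$_.Name
            $meaning = if ($WinHttpCodes.ContainsKey($code)) { $WinHttpCodes[$code] } else { 'unlisted WinHTTP error' }
            '{0,4}x code {1}: {2}' -f $_.Count, $code, $meaning
        }
} else {
    "Log not found at $LogPath (skipping log summary)"
}

# 2. Resolve the update host to all A records (the ELB answers with several
#    addresses) and test TCP $Port to each one individually, so a rule that
#    blocks only some of the addresses shows up as a mix of OPEN and BLOCKED.
$records = Resolve-DnsName -Name $UpdateHost -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress }

if (-not $records) {
    "DNS resolution of $UpdateHost failed (would surface as WinHTTP 12007)"
} else {
    foreach ($r in $records) {
        $t = Test-NetConnection -ComputerName $r.IPAddress -Port $Port -WarningAction SilentlyContinue
        $state = if ($t.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED/TIMEOUT (would surface as WinHTTP 12002)' }
        '{0,-16} TCP {1}: {2}' -f $r.IPAddress, $Port, $state
    }
}
```

If only some addresses report BLOCKED, the client can still stall on one of them until the WinHTTP timeout expires, which matches the "try 5 of 5" pattern in the log above.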