
Message router generating 2 million messages

Hi

We are running SEC 5.4.1, only 5000 endpoints, and after the issues with the MS patch problems I have come back in after leave to find over 180,000 message files in the envelopes folder. I have stopped the router service and renamed the folder, hoping to pass them through again to process, as all endpoints in the console are showing as disconnected. Once I restarted the router service the envelopes folder was immediately filled with just under 2 million envelopes. As the router service cannot handle over 1.5 million, it keeps restarting, processing a few at a time. At this rate it will take months to catch up.

Any ideas why so many message files could be being generated, and how I can get them processed or deleted without them regenerating?



This thread was automatically locked due to age.
  • Hello martin welsh,

    that lot of messages suggests they are coming in from the endpoints.
    A quick test would be: Stop the Message Router, rename this Envelopes folder too, block ports 8192 and 8194 from all IPs except the local ones (including loopback). Start the service and watch the folder. 

    Christian

  • Hi Christian

    Thanks for the reply and apologies for the delay in my reply, I have been trying to resolve this with Sophos support.

    I still have the issue and can confirm the ports are open through the firewall. I can telnet to 8194, both ways, without issue and can get from the server to the client on 8192. Unfortunately 8192 is not listening on the server, so I cannot connect to the server on that port, which I am assuming is the cause of the problem.

    As for renaming the envelopes folder, I have done that when I had an initial 180,000 MSG files; the SEC was still seeing connections at this point. By the time the RMS service had calmed down there were over 2 million MSG files and the RMS service was crashing due to the number. With the number of files it took hours to move around a quarter of them just so the service wouldn't crash. Not something I want to do again till the 8192 is listening again.

    I cannot see where the 8192 port is configured outside of the parent port reg key which is pointing to the correct value.

     

    Totally stumped on this. As far as I am aware the ports are set at install and we haven't changed anything. It was working OK on the Friday as I pushed out a new policy to a test group of @40 clients. I came back into work on the Tuesday and I had no connections on my SEC.

  • Hello Martin,

    still not sorted it out?

    Dunno what Support suggested and it's not clear what the current status is. So you have left some (actually a lot of) messages in the Envelopes folder, the Router is running (and slowly processing the messages, i.e. their number decreases?) but not listening on port 8192? Which ports does it listen on?

    IMO the messages should better be discarded but renaming the Envelopes folder keeps them while permitting the Router to start. If it's running at the moment I'd stop it and do the rename. Afterwards you should be able to start it and it should listen on port 8192. It might get flooded again (but then, after 10 days the endpoints should already have a backlog that's causing troubles for them) in which case you should better stop it again.

    Did you find out what the endpoints try to tell the management server?

    Christian
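
The two checks raised in the replies above (which ports the router is listening on, and how fast the Envelopes folder fills after a restart) can be scripted. This is an added example, not part of the thread and not Sophos tooling; it assumes PowerShell 3.0 or later, `$EnvelopesPath` is a placeholder for the router's Envelopes folder, and the `*.msg` filter is inferred from the "MSG files" mentioned in the thread.

```powershell
# Added example: report router listeners and measure Envelopes inflow.
# $EnvelopesPath is a placeholder; point it at the router's Envelopes folder.
param(
    [Parameter(Mandatory = $true)][string]$EnvelopesPath,
    [int[]]$Ports = @(8192, 8194),   # ports named in the thread
    [int]$IntervalSeconds = 30,
    [int]$Samples = 10
)

function Get-EnvelopeCount {
    param([string]$Path)
    # EnumerateFiles streams directory entries, so a folder holding
    # millions of files is counted without building a huge array.
    $count = 0
    foreach ($f in [System.IO.Directory]::EnumerateFiles($Path, '*.msg')) { $count++ }
    return $count
}

function Get-ListeningState {
    param([int[]]$Ports)
    # Ask the TCP stack which local ports currently have a listener.
    $listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()
    foreach ($p in $Ports) {
        [pscustomobject]@{
            Port      = $p
            Listening = [bool]($listeners | Where-Object { $_.Port -eq $p })
        }
    }
}

# Out-Host keeps this table separate from the sample rows emitted below.
Get-ListeningState -Ports $Ports | Format-Table -AutoSize | Out-Host

$previous = Get-EnvelopeCount -Path $EnvelopesPath
for ($i = 1; $i -le $Samples; $i++) {
    Start-Sleep -Seconds $IntervalSeconds
    $current = Get-EnvelopeCount -Path $EnvelopesPath
    $delta = $current - $previous
    [pscustomobject]@{
        Time      = Get-Date -Format 'HH:mm:ss'
        Envelopes = $current
        Delta     = $delta      # negative while the router drains the backlog
        PerMinute = [math]::Round($delta * 60 / $IntervalSeconds, 1)
    }
    $previous = $current
}
```

A positive `PerMinute` while the ports are blocked to remote addresses would point at a local source for the envelopes rather than the endpoints.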
