
PCs migrated to Win10 not reporting with Sophos server

Hey Sophos Community.  We have a mix of Windows 7 and Windows 10 clients that report into a Windows 2016 server that has the SEC running on it.  The Windows 7 clients are reporting into the SEC server but the Windows 10 clients are not.  Both batches of clients are getting their updates and all are up to date but the Win 10 clients won't report in.

I've done the normal trouble-shooting process and verified that the ports (8192 and 8194) are not being blocked by the Win firewall by checking the netstat -a on the clients and server.  Reviewing the ReportData from a couple of Win 10 PCs:

01.12.2019 13:21:15 1564 I SAUAdapter - SAU ReportStatus::FinishedUpdate: Failed to read UpdateSource value in the UpdateStatus registry key.

That error is the one common item in the log files.  The SEC shows:

12/5/2019 1:46:26 PM fffffffd This computer is not yet managed. It is protected but has not yet reported back its status.

From the log file in the RMS\3\Agent\Logs dir of a Win 10 PC that isn't reporting in:

01.12.2019 13:11:15 1564 I SAUAdapter - SAU StartingUpdate has been set
01.12.2019 13:11:15 1564 I SAUAdapter - SAU IPCListener::Wait Waiting for more messages
01.12.2019 13:11:15 1564 I SAUAdapter - SAU IPCListener::Wait received message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate" />
01.12.2019 13:11:15 1564 I SAUAdapter - SAU FinishedUpdate has been set
01.12.2019 13:11:15 1564 I SAUAdapter - SAU ReportStatus::FinishedUpdate: Failed to read UpdateSource value in the UpdateStatus registry key.
01.12.2019 13:11:15 1564 I SAUAdapter - SAU Update status information saved to C:\ProgramData\Sophos\AutoUpdate\data\status\AUAdapter.xml
01.12.2019 13:11:15 1564 I SAUAdapter - SAU IPCListener::Wait Waiting for more messages

I'm at a loss as to what is the problem(s) and how to trouble-shoot it going further.  Any assistance would be appreciated.

*Edit*

This is the entry I have in the Win FW group policy as an exception for port 8192 and 8194->

8192:TCP:localsubnet:enabled:sophos  
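
Added example, not part of the original post and not Sophos code: a check that a set of Windows Firewall GPO port-exception entries opens both RMS ports named above. It assumes the `port:transport:scope:status:name` layout of the "Define inbound port exceptions" policy; the function names and the entries marked constructed are hypothetical.

```python
# Added example: audit legacy Windows Firewall GPO port-exception entries.
# Entry format: <port>:<TCP|UDP>:<scope>:<enabled|disabled>:<name>
REQUIRED_PORTS = {8192, 8194}  # RMS ports named in the post


def parse_entry(entry):
    """Split one exception string into its five fields, validating each."""
    parts = entry.strip().split(":")
    if len(parts) < 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {entry!r}")
    # Take fields from both ends so a scope containing ':' stays intact.
    port, proto = parts[0], parts[1].upper()
    status, name = parts[-2].lower(), parts[-1]
    scope = ":".join(parts[2:-2])
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port in {entry!r}")
    if proto not in ("TCP", "UDP"):
        raise ValueError(f"bad transport in {entry!r}")
    if status not in ("enabled", "disabled"):
        raise ValueError(f"bad status in {entry!r}")
    return {"port": int(port), "proto": proto, "scope": scope,
            "enabled": status == "enabled", "name": name}


def missing_ports(entries, required=REQUIRED_PORTS):
    """Return required TCP ports that no enabled entry opens, sorted."""
    opened = set()
    for entry in entries:
        rule = parse_entry(entry)
        if rule["proto"] == "TCP" and rule["enabled"]:
            opened.add(rule["port"])
    return sorted(set(required) - opened)


# The single entry quoted in the post, then constructed variants.
FROM_POST = ["8192:TCP:localsubnet:enabled:sophos"]
BOTH_PORTS = FROM_POST + ["8194:TCP:localsubnet:enabled:sophos"]  # constructed
ONE_DISABLED = FROM_POST + ["8194:TCP:*:disabled:sophos"]         # constructed

if __name__ == "__main__":
    for label, policy in [("from post", FROM_POST), ("both", BOTH_PORTS),
                          ("8194 disabled", ONE_DISABLED)]:
        print(f"{label}: missing {missing_ports(policy)}")
```

Run against the one entry quoted in the post, the check reports 8194 as not covered; a disabled entry does not count as opening its port.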



  • Hi  

    Would you please confirm the Endpoint version on the machine which is not reporting?

    If Sophos Endpoint Security and Control has v10.8.4.4 and Sophos Anti-Virus has v10.8.4.227, I'd request you to open a case here

    Once the case has been created, please PM me the case number.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • My apologies for not including the version info.  The SEC server has 10.8.4.227 as do the Win 10 clients.  I'll submit a case now and report back accordingly.

  • Can you restart the Sophos Message Router service on problematic client, wait 2 minutes and then attach the newly created router log here?

    \programdata\sophos\remote management system\3\router\logs\

    Regards,

    Jak

  • Hi  

    This error is usually seen due to the Remote Management System component not being installed correctly or a firewall conflict. Kindly check this article and see if it helps.

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Thanks for that info.  I can tell you that I spent a couple hours using Google and reading Sophos KB articles before I posted the question and the article you suggested was one that I went through.  I always like to do my homework before submitting a question.  With that stated, I've checked the FW settings to match what Sophos recommends and I guess what I'm saying is that, at this point, I'm not sure how to trouble-shoot beyond the KB article.

    If it's a FW issue, should the ports be in listening mode and the ports show as established on the server?  Should the clients be able to access the in-house Sophos server for updates?

    I'm going to check into wireshark next and see what comes from that.

    Again, thank you for your time and suggestion.  Hopefully I did a better job of providing/expanding on the details in this scenario.

  • jak said:

    Can you restart the Sophos Message Router service on problematic client, wait 2 minutes and then attach the newly created router log here?

    \programdata\sophos\remote management system\3\router\logs\

    Regards,

    Jak

     

    Here is an odd situation.  Logged in as the local admin, I am unable to stop/start the Sophos services manually (through the Windows GUI or cmd line).  I used the "Authenticate User" option under the tamper protection and still was unable to stop/start Sophos services.  Is this another symptom of the underlying problem (agents not updating the server) or is this something different (even expected behavior)?
  • Running Wireshark on a test PC and our SEC server.  On the SEC server, I see a lot of port 8194 traffic but port 8192 doesn't seem to be flowing (port 8192 has a lot of re-transmission requests).  Nothing on either port on the test PC.  

    I see that source ports 50630-50634 (on the test PC) are not making it through.  Checking into that and will update accordingly.

    *updated*

    I forced an update and the packets are making it to the server and getting them back.  Digging deeper.

  • **UPDATE**

    After monitoring Wireshark and tweaking group policies with firewall settings, I went at it from a different direction.

    The issue comes down to the RMS client.  Once I uninstalled the RMS client, restarted and then "protected the computer" from the SEC server, the test PC checks-in.

    Here's my question.

    How can I uninstall the RMS client if there is a tamper protection setting on the clients?  I have the msi script done and ready to roll but I don't know how to disable the tamper protection.  Need your help with this portion.  

  • Hi PC_Junkie,

     

    You can disable tamper protection by following the link here.

    SAJ
    Community Support Engineer | Sophos Technical Support