
Remote machines not reporting back to central AV server after upgrade

OK, currently we have approx 100 remote servers all running a copy of EM library and servicing the clients on each site (v7.6/sec3). We are currently looking at consolidating these all to a central sec4 console and SAV9.5. We can do a push out (& upgrade from 7.6 to 9.5) from the central servers, but they don't appear to report back to the central servers. The console shows the machines with a little egg timer icon, the remote machines are showing as having Sophos installed and some of the settings pulled through, however it appears as if it doesn't pull all the settings/policies through until it can successfully call back (is this correct anyone?)


Any ideas anyone and thanks in advance

Phil

The message routing log on the server

22.07.2010 09:56:15 1BB4 I SOF: C:\Documents and Settings\All Users\Application Data/Sophos/Remote Management System/3/Router/Logs/Router-20100722-085615.log
22.07.2010 09:56:15 1BB4 I Sophos Messaging Router 3.2.0.2013 starting...
22.07.2010 09:56:15 1BB4 I Setting ACE_FD_SETSIZE to 20640
22.07.2010 09:56:15 1BB4 I Initializing CORBA...
22.07.2010 09:56:15 1BB4 I Setting connection cache limit to 20512
22.07.2010 09:56:15 1BB4 I Creating ORB runner with 16 threads
22.07.2010 09:56:15 1BB4 I This computer is part of the domain PRIMARIES
22.07.2010 09:56:15 1BB4 E ACE_DLL::open failed for TAO_ImR_Client: Error: check log for details.
22.07.2010 09:56:15 1BB4 E Unable to find service: ImR_Client_Adapter
22.07.2010 09:56:15 1BB4 I This router's IOR:
22.07.2010 09:56:15 1BB4 I Successfully validated this router's IOR
22.07.2010 09:56:15 1BB4 I Reading router table file
22.07.2010 09:56:15 1BB4 I Restoring logon for Router$PRI076CA113093:9005
22.07.2010 09:56:15 1BB4 I RouterTableEntry state (router, restoring): Router$PRI076CA113093:9005 is active consumer (will try to notify), active supplier
22.07.2010 09:56:15 1BB4 I Restoring logon for Router$PRI076CA113109:9003
22.07.2010 09:56:15 1BB4 I RouterTableEntry state (router, restoring): Router$PRI076CA113109:9003 is active consumer (will try to notify), active supplier
22.07.2010 09:56:15 1BB4 I Restoring logon for Router$PRI077CWL5:9045
22.07.2010 09:56:15 1BB4 I RouterTableEntry state (router, restoring): Router$PRI077CWL5:9045 is active consumer (will try to notify), active supplier

<several similar items cut>

22.07.2010 09:56:15 1BB4 I Restoring logon for Router$pri077cwl19:180024
22.07.2010 09:56:15 1BB4 I RouterTableEntry state (router, restoring): Router$pri077cwl19:180024 is active consumer (will try to notify), active supplier
22.07.2010 09:56:15 1BB4 I Host name: pri076dcfw
22.07.2010 09:56:15 1BB4 I Local IP addresses: 10.10.33.200 10.110.33.1 10.110.33.15 172.17.10.33
22.07.2010 09:56:15 1BB4 I Resolved name: pri076dcfw.primaries.bolton.sch.int
22.07.2010 09:56:15 1BB4 I Resolved alias/es:
22.07.2010 09:56:15 1BB4 I Resolved IP addresses: 10.10.33.200 10.110.33.1 10.110.33.15 172.17.10.33
22.07.2010 09:56:15 1BB4 I Resolved reverse names/aliases: pri076dcfw.primaries.bolton.sch.int
22.07.2010 09:56:15 1BB4 I Waiting for messages...
22.07.2010 09:56:15 1BB4 W RouterSystemCheck::getMaxUserPort(), value (65535) is too high, assuming 65534
22.07.2010 09:56:15 1BB4 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 89, max number of user ports 64510
22.07.2010 09:56:16 1BBC I Client::LogonPushPush() successfully called back to client
22.07.2010 09:56:16 1BBC I Logged on Agent as a client
22.07.2010 09:56:16 1C1C I Routing to Agent: id=024807B0, origin=Router$pri076dcfw, dest=Router$pri076dcfw.Agent, type=EM-ClientLogon
22.07.2010 09:56:16 1C1C I Routing to EMLib: id=044807B0, origin=Router$pri076dcfw.Agent, dest=:.EMLib, type=EM-NoOp
22.07.2010 09:56:16 1BFC I Sent message (id=024807B0) to Agent
22.07.2010 09:56:17 1BE8 I Client::LogonPushPush() successfully called back to client
22.07.2010 09:56:17 1BE8 I Logged on EM as a client
22.07.2010 09:56:17 1C1C I Routing to Agent: id=004807B1, origin=Router$pri076dcfw, dest=Router$pri076dcfw.Agent, type=EM-ClientLogon
22.07.2010 09:56:17 1C08 I Sent message (id=004807B1) to Agent
22.07.2010 09:56:17 1C1C I Received message for this router
22.07.2010 09:56:17 1C1C I EM-NotifyRouterUpdates originator Router$pri076dcfw.EM
22.07.2010 09:56:17 1C1C I Routing to EM: id=044807B1, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-NotifyRouterUpdates-Reply
22.07.2010 09:56:17 1C0C I Sent message (id=044807B1) to EM
22.07.2010 09:56:19 1BF0 I RouterTableEntry state (router, logging on): Router$pri076cl112855:9022 is active consumer (will try to notify), active supplier
22.07.2010 09:56:19 1BF0 I Logged on Router$pri076cl112855:9022 as a router
22.07.2010 09:56:19 1C1C I Routing to EM: id=004807B3, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 09:56:19 1C10 I Sent message (id=004807B3) to EM
22.07.2010 09:56:32 1BE8 I Logged on CM as a client
22.07.2010 09:56:32 1C1C I Routing to Agent: id=004807C0, origin=Router$pri076dcfw, dest=Router$pri076dcfw.Agent, type=EM-ClientLogon
22.07.2010 09:56:32 1BF8 I Sent message (id=004807C0) to Agent
22.07.2010 09:56:36 1C1C I Routing to EM: id=004807C4, origin=Router$pri076dcfw.Agent, dest=EM, type=EM-GetStatus-Reply
22.07.2010 09:56:36 1BFC I Sent message (id=004807C4) to EM
22.07.2010 09:56:49 1BF0 I RouterTableEntry state (router, logging on): Router$pri076cl112858:9032 is active consumer (will try to notify), active supplier
22.07.2010 09:56:49 1BF0 I Logged on Router$pri076cl112858:9032 as a router
22.07.2010 09:56:49 1C1C I Routing to EM: id=004807D1, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 09:56:49 1C04 I Sent message (id=004807D1) to EM
22.07.2010 09:57:07 1BF0 I Client::LogonPushPush() successfully called back to client
22.07.2010 09:57:07 1BF0 I Logged on EMLib as a client
22.07.2010 09:57:07 1C1C I Routing to Agent: id=004807E3, origin=Router$pri076dcfw, dest=Router$pri076dcfw.Agent, type=EM-ClientLogon
22.07.2010 09:57:07 1C0C I Sent message (id=044807B0) to EMLib
22.07.2010 09:57:07 1C10 I Sent message (id=004807E3) to Agent
22.07.2010 09:57:10 1C1C I Routing to EM: id=004807E5, origin=Router$pri076cl112858:9032.Agent, dest=EM, type=EM-GetStatus-Reply
22.07.2010 09:57:10 1C14 I Sent message (id=004807E5) to EM
22.07.2010 09:57:16 1C1C I Routing to EMLib: id=004807EC, origin=Router$pri076dcfw.Agent, dest=:.EMLib, type=EM-NoOp
22.07.2010 09:57:16 1BF8 I Sent message (id=004807EC) to EMLib
22.07.2010 09:57:24 1BE0 I RouterTableEntry state (router, logging on): Router$pri076cl115930:180027 is active consumer (will try to notify), active supplier
22.07.2010 09:57:24 1BE0 I Writing router table file
22.07.2010 09:57:24 1BE0 I Logged on Router$pri076cl115930:180027 as a router
22.07.2010 09:57:24 1C1C I Routing to EM: id=004807F4, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 09:57:24 1C00 I Sent message (id=004807F4) to EM
22.07.2010 09:57:29 1BE0 I RouterTableEntry state (router, logging on): Router$dell131img:9030 is active consumer (will try to notify), active supplier
22.07.2010 09:57:29 1BE0 I Logged on Router$dell131img:9030 as a router
22.07.2010 09:57:29 1C1C I Routing to EM: id=004807F9, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 09:57:29 1C04 I Sent message (id=004807F9) to EM
22.07.2010 09:57:37 1BF0 I RouterTableEntry state (router, logging on): Router$pri076cl1112865:207024 is active consumer (will try to notify), active supplier
22.07.2010 09:57:37 1C1C I Routing to EM: id=00480801, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 09:57:37 1BF0 I Logged on Router$pri076cl1112865:207024 as a router
22.07.2010 09:57:37 1C0C I Sent message (id=00480801) to EM
22.07.2010 09:57:53 1BF0 I RouterTableEntry state (router, logging on): Router$pri076cl112863:9034 is active consumer (will try to notify), active supplier
22.07.2010 09:57:53 1BF0 I Logged on Router$pri076cl112863:9034 as a router
22.07.2010 09:57:53 1C1C I Routing to EM: id=00480811, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 09:57:53 1C14 I Sent message (id=00480811) to EM
22.07.2010 09:58:13 1BE0 I RouterTableEntry state (router, logging on): Router$dell131img:9027 is active consumer (will try to notify), active supplier
22.07.2010 09:58:13 1BE0 I Logged on Router$dell131img:9027 as a router
22.07.2010 09:58:13 1C1C I Routing to EM: id=00480825, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 09:58:13 1C00 I Sent message (id=00480825) to EM
22.07.2010 09:58:15 1BF0 I RouterTableEntry state (router, logging on): Router$pri076cl113800:99012 is active consumer (will try to notify), active supplier
22.07.2010 09:58:15 1BF0 I Logged on Router$pri076cl113800:99012 as a router
22.07.2010 09:58:15 1C1C I Routing to EM: id=00480827, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 09:58:15 1C04 I Sent message (id=00480827) to EM
22.07.2010 09:58:16 1C1C I Routing to EMLib: id=00480828, origin=Router$pri076dcfw.Agent, dest=:.EMLib, type=EM-NoOp
22.07.2010 09:58:16 1C0C I Sent message (id=00480828) to EMLib
22.07.2010 09:58:27 1BE8 I RouterTableEntry state (router, logging on): Router$dell131img:9015 is active consumer (will try to notify), active supplier
22.07.2010 09:58:27 1BE8 I Writing router table file
22.07.2010 09:58:27 1BE8 I Logged on Router$dell131img:9015 as a router
22.07.2010 09:58:27 1C1C I Routing to EM: id=00480833, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 09:58:27 1C10 I Sent message (id=00480833) to EM
22.07.2010 09:58:45 1BF0 I RouterTableEntry state (router, logging on): Router$pri076cl112869:9013 is active consumer (will try to notify), active supplier
22.07.2010 09:58:45 1BF0 I Logged on Router$pri076cl112869:9013 as a router
22.07.2010 09:58:45 1C1C I Routing to EM: id=00480845, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 09:58:45 1BF8 I Sent message (id=00480845) to EM
22.07.2010 09:58:46 1BE8 I RouterTableEntry state (router, logging on): Router$pri076cl113823:45025 is active consumer (will try to notify), active supplier
22.07.2010 09:58:46 1C1C I Routing to EM: id=00480846, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 09:58:46 1BE8 I Logged on Router$pri076cl113823:45025 as a router
22.07.2010 09:58:47 1BFC I Sent message (id=00480846) to EM
22.07.2010 09:58:53 1BE8 I RouterTableEntry state (router, logging on): Router$pri076cl113820:45022 is active consumer (will try to notify), active supplier
22.07.2010 09:58:53 1BE8 I Logged on Router$pri076cl113820:45022 as a router
22.07.2010 09:58:53 1C1C I Routing to EM: id=0048084D, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 09:58:53 1C08 I Sent message (id=0048084D) to EM
22.07.2010 09:59:16 1C1C I Routing to EMLib: id=00480864, origin=Router$pri076dcfw.Agent, dest=:.EMLib, type=EM-NoOp
22.07.2010 09:59:16 1C10 I Sent message (id=00480864) to EMLib
22.07.2010 09:59:18 1BE8 I RouterTableEntry state (router, logging on): Router$dell131img:9037 is active consumer (will try to notify), active supplier
22.07.2010 09:59:18 1C1C I Routing to EM: id=00480866, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 09:59:18 1BE8 I Logged on Router$dell131img:9037 as a router
22.07.2010 09:59:18 1C14 I Sent message (id=00480866) to EM
22.07.2010 09:59:27 1BE0 I RouterTableEntry state (router, logging on): Router$pri076cl113799:45029 is active consumer (will try to notify), active supplier
22.07.2010 09:59:27 1BE0 I Writing router table file
22.07.2010 09:59:27 1BE0 I Logged on Router$pri076cl113799:45029 as a router
22.07.2010 09:59:27 1C1C I Routing to EM: id=0048086F, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 09:59:27 1C00 I Sent message (id=0048086F) to EM
22.07.2010 10:00:16 1C1C I Routing to EMLib: id=004808A0, origin=Router$pri076dcfw.Agent, dest=:.EMLib, type=EM-NoOp
22.07.2010 10:00:16 1C04 I Sent message (id=004808A0) to EMLib
22.07.2010 10:00:38 1BE0 I RouterTableEntry state (router, logging on): Router$pri076cl112844:9035 is active consumer (will try to notify), active supplier
22.07.2010 10:00:38 1BE0 I Writing router table file
22.07.2010 10:00:38 1BE0 I Logged on Router$pri076cl112844:9035 as a router
22.07.2010 10:00:38 1C1C I Routing to EM: id=004808B6, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 10:00:38 1C08 I Sent message (id=004808B6) to EM
22.07.2010 10:01:16 1C1C I Routing to EMLib: id=004808DC, origin=Router$pri076dcfw.Agent, dest=:.EMLib, type=EM-NoOp
22.07.2010 10:01:16 1C10 I Sent message (id=004808DC) to EMLib
22.07.2010 10:01:18 1BE0 I RouterTableEntry state (router, logging on): Router$pri076cl112867:9039 is active consumer (will try to notify), active supplier
22.07.2010 10:01:18 1BE0 I Logged on Router$pri076cl112867:9039 as a router
22.07.2010 10:01:18 1C1C I Routing to EM: id=004808DE, origin=Router$pri076dcfw, dest=Router$pri076dcfw.EM, type=EM-RouterLogon
22.07.2010 10:01:18 1C14 I Sent message (id=004808DE) to EM



  • Hello Phil,

    first I'd like to know if I did understand you correctly. So you have a plethora of servers running SEC3 and they all serve a certain number of clients (how many? BTW). And you want to manage all of them from a "handful" of central servers?

    Do all your servers use the same certificate? If not, the client's RMS will not connect to the new server. You should check the Network Communication Report (from the Sophos program group) for problems. What does it say?

    Christian

  • Yes, a plethora would be a good way of describing it :D We have about 11,000 clients across 100 sites all managed at each site using SEC3. This is harking back to the days when bandwidth and reliability were issues - many years ago - it's just never been addressed until now

    We have installed a new server centrally (first of a 'few') and looking to move them over gradually (and add central servers as appropriate) to SEC 4.5. However when we push out the new version it installs fine and is running on the remote servers and will get updates, just not report back.

    The network report someone mentioned doesn't really show any problems (that I can tell)

    State of name resolution (DNS)

    No problems detected.

    State of Sophos security framework

    No problems detected.

    State of incoming communications from server

    No problems detected.

    State of outgoing communications to server

    No problems detected.

    Computer details

    Report generation time ( local time ) : 22 July 2010 15:39:06
    Report generation time ( GMT ) : 22 July 2010 14:39:06
    Computer name : PRI112DCFW
    Windows domain : PRIMARIES
    RMS router name : Router$pri112dcfw
    IOR port number : 8192
    SSLIOP port number : 8194
    Parent addresses : Not available
    Current parent address : Not available
    RMS router type : server

    in this case "PRI112DCFW" is the server, and previously it would get updates from itself.

    What is the 'RMS router name' referring to and should it be the central server or is it just an identifier for itself?

    Firewalls aren't an issue as we have opened them up completely between hosts to eliminate this as a potential error

    Cheers for any help

  • This may be easier to read ;)

    State of Sophos security framework
     
    No problems detected.  
    State of incoming communications from server
     
    No problems detected.  
    State of outgoing communications to server
     
    No problems detected.  
    Computer details
     
    Report generation time ( local time ) 22 July 2010 15:39:06
    Report generation time ( GMT ) 22 July 2010 14:39:06
    Computer name : PRI112DCFW 
    Windows domain : PRIMARIES 
    RMS router name : Router$pri112dcfw 
    IOR port number : 8192
    SSLIOP port number : 8194
    Parent addresses : Not available 
    Current parent address : Not available 
    RMS router type : server 

  • RMS-Routername refers to the machine itself. By this name it's "known" to the management system. 

    RMS router type : server

    tells you that this machine is (or was) a management server, so it talks only to "itself". The correct type for a client is Endpoint, in which case Parent addresses should contain one or more of these: IPv4-address, IPv6-address, FQDN and NetBIOS name (taken from mrinit.conf in the CID). If it successfully connected to the parent the current address contains - guess - an address.

    You should check one of the clients.

    Now the problem might be that all these servers have been installed independently and thus have generated different certificates. If you look into mrinit.conf you will see among others "RouterCertIdentityKey". If it's the same for all the servers then you can "move" the clients around. If not, then it is not possible to get them to talk to a central server without uninstalling (at least RMS) on all clients.

    What to do next depends ...

    Christian

  • Please check that the ParentAddress found at HKLM\SOFTWARE\Sophos\Messaging System\Router\ in the registry of the client failing to report is pointing to the SEC server location.

    Check the mrinit.conf and cac.pem files match the CID distribution;

    C:\Program Files\Sophos\Remote Management System (local location)

    \\SECserver\SophosUpdate\CID\S000\SAVSCFXP (server location)

    From the description you have given it sounds like the remote sites will have incorrect certificate keys as there would have been lots of different sets being used as there are a number of consoles in use. Therefore it is likely you will need to uninstall the RMS component from affected machines and re-protect the machines from the console.

    If this does not work then I suggest contacting support with two SDU logs ready, the first from the SECserver and the second from a failing client.
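
The two checks suggested in the replies above (whether "RouterCertIdentityKey" is the same on every server, and whether a client's mrinit.conf and cac.pem match the CID copies) can be scripted. This is an added example, not code from any poster or from Sophos; it assumes mrinit.conf holds one `"Name"="Value"` pair per line, and the site names and key values are constructed.

```python
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# Assumed line shape: "Name"="Value" (quotes optional). Other lines are skipped.
PAIR = re.compile(r'^\s*"?([A-Za-z0-9_]+)"?\s*=\s*"?(.*?)"?\s*$')

# Constructed sample contents, standing in for mrinit.conf copied from three site servers.
SAMPLE_CONFIGS = {
    "SITE01": '[Config]\n"RouterCertIdentityKey"="CONSTRUCTED-KEY-A"\n',
    "SITE02": '[Config]\n"RouterCertIdentityKey"="CONSTRUCTED-KEY-A"\n',
    "SITE03": '[Config]\n"RouterCertIdentityKey"="CONSTRUCTED-KEY-B"\n',
}


def parse_mrinit(text):
    """Return {name: value} for every Name=Value line in mrinit.conf text."""
    values = {}
    for line in text.splitlines():
        match = PAIR.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def group_by_router_key(configs):
    """Group server names by RouterCertIdentityKey.

    Servers in the same group share a certificate identity; a server in a
    different group from the central one is a site whose clients need RMS
    reinstalled before they can report to it.
    """
    groups = defaultdict(list)
    for server, text in configs.items():
        key = parse_mrinit(text).get("RouterCertIdentityKey", "<missing>")
        groups[key].append(server)
    return {key: sorted(servers) for key, servers in groups.items()}


def compare_with_cid(local_dir, cid_dir, names=("mrinit.conf", "cac.pem")):
    """Compare a client's RMS files with the CID copies by SHA-256."""
    result = {}
    for name in names:
        local, cid = Path(local_dir) / name, Path(cid_dir) / name
        if not local.is_file():
            result[name] = "missing locally"  # e.g. no RMS folder on the client
        elif not cid.is_file():
            result[name] = "missing in CID"
        else:
            same = (hashlib.sha256(local.read_bytes()).digest()
                    == hashlib.sha256(cid.read_bytes()).digest())
            result[name] = "match" if same else "differ"
    return result


if __name__ == "__main__":
    for key, servers in group_by_router_key(SAMPLE_CONFIGS).items():
        print(key, "->", ", ".join(servers))
```

For real use, read each server's mrinit.conf into the dictionary passed to `group_by_router_key`, and pass the two folder paths named in the reply to `compare_with_cid`.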

  • Therefore it is likely you will need to uninstall the RMS component from affected machines and re-protect the machines from the console.

    What's the reason there isn't an option to "reset" RMS during re-protection?

    Christian

  • OK, the parent in HKLM\SOFTWARE\Sophos\Messaging System\Router was blank, I've added in the correct address - no change

    There is no C:\Program Files\Sophos\Remote Management System folder on the remote client to check the cac.pem or mrinit.

    I've removed the RMS component from Add/Remove programs and reinstalled however I suspect that this was only there due to the initial push? Tried to push out again from the console but see exactly the same problems.

    I can see that it is very likely they have different certificates, but with what you are saying, this would mean that we will need to visit every machine? This is something that we were categorically told would not be necessary and in our environment is totally unfeasible, and if it turns out that this is not the case then to be honest, it's not a lot of use to us.

  • Hi Phil,

    Please contact Support with the SDU logs as previously mentioned and I am sure this situation can be resolved, we need to identify what is the true cause of the failure before making assumptions about the possible fix. If you already have a case reference then please PM me and I will do what I can to help.

    AK
