
Sophos AutoUpdate failing with "URL is invalid" error

I have been unable to get Sophos AutoUpdate to work on a standalone installation on Mac OS X Mavericks.

The primary update location is set to "Sophos" but I get an on-screen message telling me the primary server cannot be contacted and the logs give just two errors:

"Failed to download packages"
"Could not contact primary server ... URL is invalid"

AutoUpdate is working on another Mac on the same network.

This is a clean install of version 9.4.3 (I was having the same problems with an earlier version which I removed in an attempt to fix the problem).

I tried setting a secondary update location and used http://dci.sophosupd.com and got the same error. Putting this URL in a browser confirmed the connection so it is not a DNS problem. The proxy setting is "Use System Proxy Settings".

Any advice on what to check next would be appreciated. Even just advice on how to set verbose logging for SAU may help.



  • Hello Lotus,

    setting an explicit URL instead of Sophos won't work anyway as Sophos is not only an alias for the URL but also implies a different mechanism. AFAIK /var/log/install.log should have some details - although they might not directly state the actual issue.

    Christian

  • Thanks Christian

    Unfortunately /var/log/install.log doesn't contain any information. Triggering an update and then viewing the log shows that nothing has been appended.

    I can have a look using Wireshark when things are a bit quieter, but not knowing what the conversation should look like I'm not convinced I'll find the answer.

     

     

  • Hello Lotus,

    the regular log doesn't have even the shortest message in addition to the URL is invalid?
    the conversation is preceded by a DNS lookup (which should return one or more IPs on a CDN). An HTTP GET is sent to port 80 either directly or via the system proxy (if it's set it's anonymous, isn't it?). Don't have a Mac to test right now but from past tests I'd assume that the conversation is rather short (if it ever commences). To infer the actual error from it might or might not be a cinch.

    Christian

  • Hello Christian

    install.log doesn't even have that error. "Sophos Anti-Virus.log" contains "Could not contact primary server" as well as the "URL is invalid".

    I've done a packet trace and compared it with a Mac which is downloading successfully.

    Working system
    9.4.3 on Snow Leopard (yes I realise it is not supported but this version appears to work and Sophos AutoUpdate downloads as expected although downloads since about the middle of last month don't install)

    1.  DNS query on dci.sophosupd.com
    3.  DNS response giving alias
    5.  DNS query on alias
    8.  DNS response giving IP address
    9.  TCP initiate conversation with remote
    10. TCP acknowledge and initiate from remote
    11. TCP acknowledge to remote
    12. HTTP Get
    13. TCP acknowledge
    14. TCP segment  

    The DNS conversation seems to be done twice in parallel, once for IPv4 and once for IPv6. This machine is using IPv4 so the results of the IPv6 conversation seem to be ignored (they are the gaps in the line numbers)

    Failing system

    9.4.3 on Mavericks

    The DNS conversation is a little longer. This machine is using IPv6 but the IPv6 requests don't seem to resolve to an IP address. However, the TCP conversation then goes ahead using the results from the IPv4 lookup.

    The conversation is almost identical (certainly in order, size of packets) but the GET command on the Mavericks machine is trying to get a dat file from a different directory "/update/3/04/" rather than "/update/2/3e/". The first major difference is the line which corresponds to the last line (14) above. It is a 404 error.
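The side-by-side comparison described in the post above can be scripted. This is an added example, not part of the original post: the frame summaries are constructed from the post's description, the frame numbers of the failing trace and the file name `PLACEHOLDER.dat` are assumptions, and only the host name, the two directories and the 404 come from the thread.

```python
import re
from itertools import zip_longest

# Constructed frame summaries ("<frame> <proto> <info>") modelled on the post.
# PLACEHOLDER.dat is a placeholder; the post does not name the file.
WORKING = """\
1 DNS query dci.sophosupd.com
3 DNS response alias
5 DNS query alias
8 DNS response address
9 TCP SYN
10 TCP SYN-ACK
11 TCP ACK
12 HTTP GET /update/2/3e/PLACEHOLDER.dat
13 TCP ACK
14 TCP segment
"""
FAILING = """\
1 DNS query dci.sophosupd.com
3 DNS response alias
5 DNS query alias
6 DNS query alias
7 DNS response address
8 DNS response no-address
9 TCP SYN
10 TCP SYN-ACK
11 TCP ACK
12 HTTP GET /update/3/04/PLACEHOLDER.dat
13 TCP ACK
14 HTTP 404
"""

def steps(summary):
    """Return (frame, step) for TCP/HTTP frames only. DNS is skipped because
    its length varies with the parallel IPv4/IPv6 lookups."""
    out = []
    for line in summary.strip().splitlines():
        frame, proto, info = line.split(None, 2)
        if proto == "DNS":
            continue
        # For a GET, compare the directory rather than the file name.
        m = re.fullmatch(r"GET (/\S*/)[^/\s]*", info)
        out.append((int(frame), f"{proto} GET {m.group(1)}" if m else f"{proto} {info}"))
    return out

def divergences(working, failing):
    """Pair the two conversations step by step and list every mismatch."""
    pairs = zip_longest(steps(working), steps(failing), fillvalue=(None, "<missing>"))
    return [(wf, ws, ff, fs) for (wf, ws), (ff, fs) in pairs if ws != fs]

if __name__ == "__main__":
    for wf, ws, ff, fs in divergences(WORKING, FAILING):
        print(f"working #{wf}: {ws!r}   failing #{ff}: {fs!r}")
```
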

  • Hello Lotus,

    "I was having the same problems with an earlier version"
    could be some leftover configuration. Dunno if the "universal removal tool" does a better job than the regular uninstaller. Did you try it?
    You have an Endpoint on-premise license but use the SA version for these Macs and let them update from Sophos? The mechanism has changed since I've last looked into it so I can't say what the /update/ subdirectories signify and why they are different. I assume you are sure the credentials are correct and guess you don't have yet another Mac for comparison. You might have to contact Support directly.

    Christian

  • I have not tried the universal removal tool. I tend to use the standard uninstaller and then do manual clean-up (it doesn't remove the logs for example).


    Unfortunately I have had to update directly from Sophos since CIDs were abandoned. I have no Windows machines (permanently) connected to the network. Credentials are of course the first thing I check when there are download failures for anything ;-)

    I decided to go through the same procedure again. Used the standard removal tool, made sure no processes were running, did the clean-up and re-installed. I must have either missed something last time or there was corruption between the installation and setting up autoupdate (probably the former) as it works as expected now.


    Thanks for your help.