
Computer Details - IP address - RMS

Not exactly a can of worms but ...

In case you wonder about the problems mentioned here: I'm in an "academic environment" and only a part of the computers is under our control.

  • Sometimes the Computer Details - IP Address field is empty even though Sophos is successfully installed. Why is it missing?
  • Sometimes a private or APIPA address is reported. I assume that these machines have a second adapter (I have one client which reports 5.5.5.5 and this is indeed the address configured on the second NI). How does Sophos select the address/NI it reports? 
  • Last question (in this post): I see two-way connections (again using TcpView) with some clients but they don't show in the Console (I'm pretty sure they are not among those without a reported address - but who knows). The security log suggests they are connecting to the CID. The router logs don't contain addresses, just names, and the ones I'd expect can't be found.

All thoughts are welcome

Christian  



This thread was automatically locked due to age.
  • Hi,

    The IP address shown in Enterprise Console is updated if there is a change in the IP address when the client sends back a status message.  A client will send a status message back to the management server when it does an update and when the Sophos Agent service starts up (or 20 seconds after startup of the service) which would be at machine start-up.

    I suspect some sort of timing issue of events; the machine is perhaps creating a status message which is destined to the management server at system start-up when the client perhaps hasn't got an IP address yet. Do these machines use some third-party wireless manager software or in some way are delayed in getting an IP address? Once the connection is established to the server, the client is then able to send this queued status message.  I suspect on next ide or full update the IP address is sent correctly?

    In order for a client to be managed in Enterprise Console, the client is required to be able to access ports 8192 (TCP) and 8194 (TCP) of the server.  It also helps with speed of downstream messages (Enterprise Console to client) if the parent message router to the client can connect to the client on port 8194 (TCP) although not essential as the client will eventually get the messages destined for it as it polls the server for outstanding messages (15 minute loop by default).

    The following article should be helpful:
    http://www.sophos.com/support/knowledgebase/article/38439.html
    in understanding why the machines are perhaps showing as unmanaged.

    Thanks.


  • Elmo wrote:

    I suspect on next ide or full update the IP address is sent correctly?


    Yes and no.

    Yes - an empty address is a "known transient condition", this doesn't worry me.

    No - a number of clients report an up-to-date status, but the "wrong" address stays.

    So far I identified the following cases (for currently active and managed clients):

    1. There is only a one-way connection Client->Server (sometimes more than one). These clients report no, a 10.0.n.n, a 172.16.n.n or a 192.168.n.n address. One reports 169.254.32.2.
    2. There is a two-way connection but another NI is reported (the 5.5.5.5 case for example).
    3. There is a two-way connection but 10.37.129.2 is reported (Macbooks)

    Only a few dozen out of some 2000 clients show this behaviour - not a big problem, but I aim for 100%. And there's still a number of clients which update and have at least a one-way connection but don't show in the console.

    I can't tell whether these are all symptoms of the same underlying error (that the problematic clients are partially "clustered", i.e. located at the same sub-department suggests some incorrect client-side setting) or some minor "misbehaviour" of RMS is also triggered.

    Regards

    Christian

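The address cases listed in this thread (empty, APIPA, private, and an address from a second adapter) can be sorted mechanically. The following is an added example, not part of the original posts and not Sophos code; it assumes the reported addresses are available as (computer name, IP) pairs, and `SITE_NETWORKS`, the host names and the sample rows are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Assumption: the prefixes managed clients are expected to report from.
# 192.0.2.0/24 is a documentation range used here as a stand-in.
SITE_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")


def classify(reported):
    """Return the triage bucket for one reported address string."""
    text = (reported or "").strip()
    if not text:
        return "empty"            # no address reported yet
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "unparseable"      # garbled field, e.g. an embedded space
    # Check the site prefixes first so a campus that itself uses
    # private space is not flagged.
    if any(addr in net for net in SITE_NETWORKS):
        return "expected"
    if addr in APIPA:
        return "apipa"            # adapter never obtained a DHCP lease
    if any(addr in net for net in RFC1918):
        return "rfc1918"          # NAT, virtual or host-only adapter
    return "off-site"             # routable but not ours: likely a second NI


def triage(rows):
    """Group computer names by bucket; rows are (name, reported_ip) pairs."""
    buckets = defaultdict(list)
    for name, reported in rows:
        buckets[classify(reported)].append(name)
    return dict(buckets)


# Constructed sample rows using the addresses mentioned in the thread.
SAMPLE = [
    ("PC-A", ""), ("PC-B", "169.254.32.2"), ("PC-C", "5.5.5.5"),
    ("MAC-D", "10.37.129.2"), ("PC-E", "192.0.2.17"),
]

if __name__ == "__main__":
    for bucket, names in sorted(triage(SAMPLE).items()):
        print(f"{bucket:12} {', '.join(names)}")
```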