Sophos Enterprise Console dashboard is not functioning properly

Hi,
We are using Sophos Enterprise Console 4.5 and End point Security 9.5.
Last few days we are facing problem with the Sophos Console.
1. PC shows cross though we can ping the PC from both end and PC AV update is working properly
2. Can't find the PC using find new computers tab
3. Newly installed PCs and SUM are not responding to the server (can't find the IP)
4. Can't update SUM through Update Manager
Work Done:
1. Restart both the servers (application and Database) several times
2. Scan both servers
3. Restart the SOPHOS services several times
4. Deleted Envelopes, table_router.txt and working folders files (please note enterprise console servers Envelopes files was edited automatically but database server Envelopes is not updated properly.)
Server Part Changes:
1. Changed the IP address of both application and database server.
2. Changed mrinit.conf file with the New server IP address


Please help.

Thanks & Regards,

Shariar

:12357


  • Hello Shariar,

    that's quite a lot for one post (and I must admit it makes my head spin).

    When (and why) have the IP addresses been changed? Is it since then that you have these problems? On the management server, what's the value of ParentAddress in HKLM\Software[\Wow6432Node]\Sophos\Messaging System\Router?

    Christian

    :12359
  • Hello Christian,

    1. Our datacenter has been shifted from one location to another, that's why we changed the IP address dated 07-04-2011.
    2. No, from 11-04-2011 we have faced these problems
    3. The value of ParentAddress in HKLM\Software\Sophos\Messaging System\Router is the new IP address of the server

    Thanks & Regards,

    :12419
  • Hello Shariar,

    it's still not clear to me what is working and what is not. So please excuse me if I suggest something you've already tried.

    I'd start with the Update managers view (do you have more than one update manager?). Does the dashboard show green for the updates and are software and threat detection data current? If not, are there any errors in the details view?

    Switching to the Endpoints view - the management server's computer details (does it appear with or without the red x?): Is the Last message received current and does it report the correct status and number of IDEs?

    I assume that most clients show the red x. What's the Last message received timestamp (give or take a few hours) - April 11th or earlier? Are any clients reporting (I understand that you have verified that they are successfully updating)?

    Last question (or perhaps it should be the first): Where is the mrinit.conf you modified located? Note that it exists in several locations (please see here and don't worry about the subject of the article) - please verify that all of them are correct.

    Christian

    :12421
  • Hello Christian,

    1.I'd start with the Update managers view (do you have more than one update manager?).

    We have almost 150 update manager (most of them are in remote branches 148 + Sophos Application Server + Sophos Database Server)

    Does the dashboard show green for the updates and are software and threat detection data current? If not, are there any errors in the details view?

    Dashboard does not show green for the updates. Software and threat detection data currently

    2. Switching to the Endpoints view - the management server's computer details (does it appear with or without the red x?):

    Yes. For some PC we can ping them but in dashboard it shows Red x.
    Is the Last message received current and does it report the correct status and number of IDEs?
    Last message received is not correct in dashboard but PC shows updated successfully.

    3.I assume that most clients show the red x. What's the Last message received timestamp (give or take a few hours) - April 11th or earlier? Are any clients reporting (I understand that you have verified that they are successfully updating)?

    In dashboard Last message received shows 04/28/2011.

    For new PC it's not discovered.

    4. Last question (or perhaps it should be the first): Where is the mrinit.conf you modified located? Note that it exists in several locations (please see here and don't worry about the subject of the article) - please verify that all of them are correct.

    Yes all of them are correct. Even I check some of the red x PC it's also changed with the new IP mrinit.conf

    Thanks & Regards,

    Shariar

    :12423
  • Hello Shariar,

    quite a lot of SUMs. And all of them listed in the Update managers view (just curious)? If you sort the Last updated column - is the current date only shown for your main server and all other SUMs have some date in the past?

    2.Switching to the Endpoints view - the management server's computer details

    I should have expressed myself more clearly: Locate your main server and double click to view its details. But from what you said I glean it's current - so it's talking to itself.

    I see at least two different issues (which might or might not be related):

    1. Some (many, all? - I did not understand this part yet) clients appear as disconnected (the x) but they do update from their respective CIDs
    2. You are no longer able to find new computers - is this correct? Which method do you use - on the network or by IP (I assume you're not using with AD)

    For 1. you should check a client's router logs (([...All Users\Application Data|ProgramData]\Sophos\Remote Management System\3\Router\Logs). They likely can give a hint why the communication is not working. BTW - do you also use the SUMs as message relays?

    Problem 2. is likely something different. As in two recent "cases" firewall settings were the culprit I'll just want to mention them here. If you can't browse from the server to an undetected PC C$ share it might not be found. Also try to telnet from the server to the client's 8194 port and from the client to the server's 8192.

    Christian

    :12429
  • Hi Christian

    -          If you sort the Last updated column - is the current date only shown for your main server and all other SUMs have some date in the past?

    No, varies,

    May 4, 2011 – 39 Unit – Including Servers which takes update from Sophos

    May 3, 2011 – 63

    May 2, 2011 – 08

    April 28 to April 20, 2011 – 19

    Older than April 19, 2011 – 10

    -          Some (many, all? - I did not understand this part yet) clients appear as disconnected (the x) but they do update from their respective CIDs

    Many clients appear as disconnected (the x) but they do update from their respective CIDs

    -          You are no longer able to find new computers - is this correct? Which method do you use - on the network or by IP (I assume you're not using with AD)

    I use “find by IP address”, I am able to find new computers but it sometimes shows the following error message “Search for computers by IP address has failed”

    Last few lines of Log (from a Client including SUM) :

    04.05.2011 12:31:51 0230 I Getting parent router IOR from 10.20.0.57:8192

    04.05.2011 12:37:12 0230 I This computer is part of the domain BD-BRACBANK

    04.05.2011 12:37:12 0230 I Getting parent router IOR from sophossrv.bd.bracbank.com:8192

    04.05.2011 12:37:12 0230 I This computer is part of the domain BD-BRACBANK

    04.05.2011 12:37:12 0230 I Received parent router's IOR:

    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000b00000031302e352e31342e31310000012000004100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001a4a200004f4154010000001400000001a4a20001000100000000000901010000000000140000000800000001a4a60086000220

    04.05.2011 12:37:12 0230 I Successfully validated parent router's IOR

    04.05.2011 12:37:12 0230 I Accessing parent

    04.05.2011 12:37:12 0230 E ParentLogon::RegisterParent: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'

    OMG minor code (2), described as '*unknown description*', completed = NO

     04.05.2011 12:37:42 0230 I Getting parent router IOR from 10.20.0.57:8192

    ** Please note that 10.20.0.57 is OLD IP address, new IP address is 10.5.14.11

    We have checked the mrinit.conf file in client and found new IP address 10.5.14.11

    Last few lines of Log file From Server:

    04.05.2011 11:38:30 0CFC I Routing to EM:, origin=Router$W-1549-010:1630333.Agent, dest=EM,-GetStatus-Reply

    04.05.2011 11:38:30 0CC0 I Sent message (id=01C0D677) to EM

    04.05.2011 11:38:34 0CFC I Routing to EM:, origin=Router$W-4901-001:1360318.Agent, dest=EM,-GetStatus-Reply

    04.05.2011 11:38:34 0CF4 I Sent message (id=01C0E656) to EM

    04.05.2011 11:38:34 0A24 I RouterTableEntry state (router, logging on): Router$W-1512-021:1297334 is active consumer (will try to notify), active supplier

    04.05.2011 11:38:34 0A24 I Logged on Router$W-1512-021:1297334 as a router

    04.05.2011 11:38:34 0CFC I Routing to EM:, origin=Router$sophossrv, dest=Router$sophossrv.EM,-RouterLogon

    04.05.2011 11:38:34 0BE4 I Sent message (id=01C0E65A) to EM

    04.05.2011 11:38:34 0CFC I Routing to EM:, origin=Router$W-1512-021:1297334.Agent, dest=EM,-EntityEvent

    04.05.2011 11:38:34 0C8C I Sent message (id=01BFFBB1) to EM

    04.05.2011 11:38:34 0CFC I Routing to EM:, origin=Router$W-1512-021:1297334.Agent, dest=EM,-GetStatus-Reply

    04.05.2011 11:38:34 0CBC I Sent message (id=01C0CB5E) to EM

    04.05.2011 11:38:34 0CFC I Routing to EM:, origin=Router$W-1512-021:1297334.Agent, dest=EM,-EntityEvent

    04.05.2011 11:38:34 0C90 I Sent message (id=01C0CC8A) to EM

    04.05.2011 11:38:34 098C I Communications timeout, logging Router$W-6304-004:1262043 off

    04.05.2011 11:38:34 0CFC I Routing to EM:, origin=Router$sophossrv, dest=Router$sophossrv.EM,-RouterLogoff

    04.05.2011 11:38:34 0CC4 I Sent message (id=03C0E65A) to EM

    04.05.2011 11:38:34 0CFC I Routing to EM:, origin=Router$W-1512-021:1297334.Agent, dest=EM,-GetStatus-Reply

    04.05.2011 11:38:34 0CC0 I Sent message (id=01C0CCA3) to EM

    04.05.2011 11:38:34 0CFC I Routing to EM:, origin=Router$W-1512-021:1297334.Agent, dest=EM,-GetStatus-Reply

    04.05.2011 11:38:34 0CF4 I Sent message (id=01C0DA9D) to EM

    -          Problem 2. is likely something different. As in two recent "cases" firewall settings were the culprit I'll just want to mention them here. If you can't browse from the server to an undetected PC C$ share it might not be found. Also try to telnet from the server to the client's 8194 port and from the client to the server's 8192.

    Yes we can access C$, can telnet client's 8194 port from Server, can telnet server's 8192 from Client

    Thanks

    Shariar

    :12535
  • Hi,

    I'd just like to say that mrinit.conf is only used as a mechanism to get the config to the machines, during the installation of the RMS package, the values are transferred from mrinit.conf (and cac.pem for that matter) into the registry. Cac.pem and Mrinit.conf are then not touched again unless you re-protect the machine at which point they are re-copied down by setup.exe to the client.

    So the logs suggest that the machine: 10.20.0.57 still has a message router on it as the SUM client managed to obtain an IOR. However you're saying that the SUM machine should be pointing to: 10.5.14.11 which is where the updated Mrinit.conf is pointing.

    I hope that the new location has the right certificates but as a quick test, if you stop the Sophos Message Router Service on the SUM machine and then in the registry edit:
    hklm\software\[wow6432node\]sophos\messaging system\router
    ParentAddress to be your expected location and then start the router service. Does this machine then appear correctly in SEC after a minute?

    If so we can fix it quite easily.

    Regards,
    Jak

    :12537
  • Hello Shariar,

    Received parent router's IOR

    the IOR contains the correct IP (31302e352e31342e3131 -> 10.5.14.11). The preceding Getting parent router IOR from 10.20.0.57:8192 suggests though that HKLM\SOFTWARE\Sophos\Messaging System\Router\\ParentAddress still contains the old value.

    @Jak - from the timestamps I conclude that it unsuccessfully tries the old IP and after 20+300 (TotalConnectRetryTimeSecs) seconds attempts the FQDN, succeeds and receives a valid IOR. Can't say why the ParentLogon immediately fails though (AFAIR an incorrect certificate will give a specific error message).

    can telnet server's 8192 from Client

    I assume you've also checked 8194?

    Christian

    :12543
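
Added example (not part of the thread and not Sophos code): a small Python decoder for the stringified IOR quoted in the client router log, extracting the host that Christian reads out of the hex (31302e352e31342e3131) together with the ports the IOR advertises. It assumes standard CORBA CDR/IIOP encoding; `CDR` and `parse_ior` are names chosen here.

```python
import struct

SAMPLE_IOR = (  # copied from the client router log quoted in this thread
    "IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e3000000001000000" "00000000a0000000"
    "010102000b00000031302e352e31342e3131000001200000" "41000000"
    "14010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e7400" "03000000010000004d657373616765526f75746572000000"
    "030000000000000008000000" "01a4a200004f4154" "0100000014000000" "01a4a20001000100000000000901010000000000" "1400000008000000" "01a4a60086000220")

class CDR:  # minimal CDR reader; alignment is relative to the encapsulation start
    def __init__(self, data, pos=1):
        self.buf, self.pos = data, pos
        self.end = "<" if data[0] & 1 else ">"  # first octet: 1 = little-endian
    def _read(self, fmt, size):
        self.pos += -self.pos % size            # primitives align to their own size
        (val,) = struct.unpack_from(self.end + fmt, self.buf, self.pos)
        self.pos += size
        return val
    def ulong(self): return self._read("I", 4)
    def ushort(self): return self._read("H", 2)
    def octets(self):
        n = self.ulong()
        if self.pos + n > len(self.buf):
            raise ValueError("truncated IOR")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def string(self):
        return self.octets().rstrip(b"\0").decode("ascii")

def parse_ior(text):
    """Return the type id, host and ports a stringified IOR advertises."""
    if not text.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    outer = CDR(bytes.fromhex(text[4:]))
    info = {"type_id": outer.string(), "host": None, "port": None, "ssl_port": None}
    for _ in range(outer.ulong()):              # tagged profiles
        tag, body = outer.ulong(), outer.octets()
        if tag != 0:                            # 0 = TAG_INTERNET_IOP
            continue
        prof = CDR(body, 3)                     # skip the IIOP version octets
        info["host"], info["port"] = prof.string(), prof.ushort()
        prof.octets()                           # object key, not needed here
        if (body[1], body[2]) >= (1, 1):        # components exist from IIOP 1.1
            for _ in range(prof.ulong()):
                ctag, cbody = prof.ulong(), prof.octets()
                if ctag == 20:                  # 20 = TAG_SSL_SEC_TRANS
                    ssl = CDR(cbody)
                    ssl.ushort(), ssl.ushort()  # target_supports, target_requires
                    info["ssl_port"] = ssl.ushort()
    return info
```

Comparing the decoded `host` with the address in the preceding "Getting parent router IOR from" log line shows which side still carries the old IP.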
  • Hi,

    Will there be any problem if we reinstall only the application server (console only) from 4.7 (3, 4, 4.5 and then 4.7) without any change at the database server (4.7) end? Because we are still suffering with the dashboard.

    Thanks,

    Shariar

    :12863
  • Hello Shariar,

    so your main server is now 4.7 and you want to uninstall SEC and reinstall 4.7? Just in case you should take a backup of the database after stopping the Management service. Save the "private store information" using ExportPrivateStore.exe and the Certification Manager keys. There shouldn't be a problem as far as I know. Although I've never done it with a remote database I've recently uninstalled the database component (which leaves the database itself intact and running), did a custom reinstall w/o the database and subsequently re-connected the local database (don't ask why, I've just too much time on my hands :smileywink:).

    I can't say if this will solve all your problems though (like the client with the SUM first trying the server's old IP for RMS).

    Christian

    :12869