
Client not reporting to the Management console

Hi All,

 

Not sure if this is the right place to post this but sure someone can advise or move it to the correct place if not.

 

At first it wasn't showing in the Management console at all.

So I went through everything I can think of and all the guides given on the Sophos community. My first check was of the ReportData.xml file in C:\ProgramData\Sophos\Remote Management System\3\Router\NetworkReport\ and I made sure the IPs were correct (which they are).

 

I then reset the Sophos Message Router service, and it then started showing in the Sophos Enterprise Console on the management server, but now it is greyed out. I did the usual and made sure it was assigned to a group, which it is, and it isn't forcing the policy on to the client. I have tried 3 administrator accounts, which are all connected through the domain the client is on.

 

I know the firewalls are all correct and everything has been set correctly; this is a new project I have recently taken on, as it has been an issue for a year. But the thing is, the Endpoint client is updating perfectly fine.

 

So I tried a reinstallation from the share folder (but I didn't use the SophosUpdateMgr account, which is set up in the SUM), because whoever set it up previously had not saved the details of this account in the register we use for this particular infrastructure. Could this be the issue? If not, what could it be? There is the error message "The installation credentials you entered in the "Protect Computers Wizard" are either incorrect or do not give administrator access to the computer over the network", which I know they do, because these are all connected to the domain.

 

So I am now at a loss as to what this can be?



  • Hello SecureIA Ltd,

    it was a simple issue until your last paragraph :-). Protect works with an account that has both administrator rights on the endpoint and at least read access to the install share (which is either the primary location or the Initial Install Share from the policy). Instead of Protect you could run the CID's setup.exe from the endpoint.

    What does (or did) the Network Report say for the actual parent?

    Updating and RMS are independent (well, the latter is needed to report the status of the former but each can work without the other).

    Christian

  • Hi QC,

     

    I did do both Protect and the CID's setup from the share folder (on the endpoint client). I don't really understand it, to be honest, because it is fully updating with every other client on the management console; it just isn't, basically, telling Sophos Enterprise Console.

     

    The senior engineers are currently rolling out a password change through SUM (because my change has stopped everything from updating now, oops), so I will see if this then changes anything.

     

    If this doesn't start it reporting it to the Sophos Console what could this then be? Would it be something to do with the RMS?

     

    Kind Regards,

    James

  • Hello James,

    reporting is (part of) RMS.

    Start with the Network Report, is it recent, does it say there is a parent, not just a bunch of parent addresses? Is there a connection to the server's port 8194?

    Christian

  • Hi QC,

     

    So in the ReportData.xml file it says for ports:

     

    </router_name>
    <IOR_port>8192</IOR_port>
    <SSLIOP_port>8194</SSLIOP_port>

     

    For the parent address it has 1 IP and the Server name twice and for actual parent it has the same IP as "Parent Addresses" - unfortunately for security reasons I can't post the IP addresses online.

     

    Kind Regards,

    James

  • Hello James,

    "for security reasons" - that's ok, it suffices that you say there is one and it's the expected one.
    If the report is recent then AFAIK this suggests that the endpoint was able to contact the server (on port 8192), obtain the IOR, and connect to 8194 (netstat on the endpoint should show this connection). If its status in the console is still "grey" (I suppose it's disconnected, red cross on the computer icon) then you're perhaps not looking at the correct computer object.

    You can check that it's indeed reporting to SEC by inspecting the Router log - starting from the top you should see the endpoint's IOR, the server's IOR and later lines that say Sent message ... to Router$<yourserver>.

    Christian

  • Hi QC,

     

    So here are today's log files, I have taken the IP addresses out but I do 

     

    29.09.2017 07:16:35 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360
    29.09.2017 08:12:58 1090 I Calling parent with heartbeat...
    29.09.2017 08:12:58 1090 I Heartbeat to parent succeeded.
    29.09.2017 08:16:35 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360
    29.09.2017 08:47:14 00FC I SSL handshake done, local IP address = 0.0.0.0
    29.09.2017 08:47:14 00FC E GetterWorker: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/OBJECT_NOT_EXIST:1.0'
    OMG minor code (2), described as '*unknown description*', completed = NO

    29.09.2017 08:47:14 00FC E Failed to get messages, logging Router$MTZ1MA01 off
    29.09.2017 08:47:44 1090 I RouterTableEntry::LogonToParentRouter() - logging on as active consumer
    29.09.2017 08:47:44 1090 I RouterTableEntry state (router, logging on): Router$MTZ1MA01 is passive consumer, passive supplier
    29.09.2017 08:47:44 1090 I Logged on to parent router as Router$CRER14A:504085
    29.09.2017 08:47:44 1090 I This computer is part of the domain CRUSO
    29.09.2017 08:47:44 079C I SSL handshake done, local IP address = 0.0.0.0
    29.09.2017 09:16:35 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360
    29.09.2017 09:55:45 00FC I SSL handshake done, local IP address = 0.0.0.0
    29.09.2017 09:55:45 00FC E GetterWorker: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/OBJECT_NOT_EXIST:1.0'
    OMG minor code (2), described as '*unknown description*', completed = NO

    29.09.2017 09:55:45 00FC E Failed to get messages, logging Router$MTZ1MA01 off
    29.09.2017 09:56:15 1090 I RouterTableEntry::LogonToParentRouter() - logging on as active consumer
    29.09.2017 09:56:16 1090 I RouterTableEntry state (router, logging on): Router$MTZ1MA01 is passive consumer, passive supplier
    29.09.2017 09:56:16 1090 I Logged on to parent router as Router$CRER14A:504085
    29.09.2017 09:56:16 1090 I This computer is part of the domain CRUSO
    29.09.2017 09:56:42 079C I SSL handshake done, local IP address = 0.0.0.0
    29.09.2017 10:16:35 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360
    29.09.2017 11:16:36 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360
    29.09.2017 12:16:36 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360
    29.09.2017 12:50:16 1090 I Calling parent with heartbeat...
    29.09.2017 12:55:17 1090 I Heartbeat to parent succeeded.
    29.09.2017 13:16:36 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360
    29.09.2017 14:16:36 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360

     

    We use Sophos Enterprise Console 5.3.1

     

    Regards,

    James

  • Hello James,

    thanks (NetBIOS names are still there), you haven't otherwise pruned the log, have you?
    The log covers 7 hours but there's no message routed or sent; I'd expect at least one AV update during this time. Please trigger an event (e.g. a "virus" detection using EICAR) that should cause a message to be sent and check in the Router log what happens to it.

    Christian
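    The log reading Christian describes above (a parent session that logs on and heartbeats, but never a "Sent message ... to Router$<server>" line) can be turned into a small triage script. This is an added example, not Sophos tooling: the line layout (dd.mm.yyyy HH:MM:SS, a four-hex-digit thread id, a level letter, then the message) and the phrases it matches are taken from the log posted in this thread; the verdict names are this example's own, and the sample log is a constructed excerpt modelled on the one posted above.

```python
"""Triage a Sophos RMS Router log: is the endpoint connected, and did it ever route a message?

Added example, not Sophos code. Line format and matched phrases follow the log posted in the
thread; verdict names ("connected_but_silent" etc.) are this example's own.
"""
import re
from datetime import datetime

# "29.09.2017 08:47:14 00FC E Failed to get messages, ..." -> timestamp, thread id, level, message
LINE_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) ([0-9A-Fa-f]{4}) ([IWE]) (.*)$")

# Substrings that identify the events worth counting when an endpoint shows as disconnected.
PATTERNS = {
    "heartbeat_ok": "Heartbeat to parent succeeded",
    "ssl_handshake": "SSL handshake done",
    "object_not_exist": "OBJECT_NOT_EXIST",
    "getter_failure": "Failed to get messages",
    "logon": "Logged on to parent router as ",
    "sent": "Sent message",            # what a successfully routed status/event looks like
}


def parse_router_log(text):
    """Split the log into entries. Lines without a leading timestamp (such as the
    'OMG minor code ...' line) are continuation lines and are folded into the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
            entries.append({"ts": ts, "thread": m.group(2), "level": m.group(3), "msg": m.group(4)})
        elif entries:
            entries[-1]["msg"] += " " + line
    return entries


def triage_router_log(text):
    """Count the interesting events, pull the parent router name from the logon lines and
    return a verdict. An endpoint that logs on to its parent but never logs 'Sent message'
    is the 'connected but nothing routed' case discussed in the thread."""
    entries = parse_router_log(text)
    counts = {name: 0 for name in PATTERNS}
    parents = set()
    for e in entries:
        for name, needle in PATTERNS.items():
            if needle in e["msg"]:
                counts[name] += 1
                if name == "logon":
                    # "Logged on to parent router as Router$HOST:504085" -> "Router$HOST"
                    parents.add(e["msg"].split(needle, 1)[1].split(":")[0])
    if not entries:
        verdict = "empty_log"
    elif counts["logon"] == 0 and counts["heartbeat_ok"] == 0:
        verdict = "no_parent_session"
    elif counts["sent"] == 0:
        verdict = "connected_but_silent"
    else:
        verdict = "routing_ok"
    span_h = (entries[-1]["ts"] - entries[0]["ts"]).total_seconds() / 3600 if entries else 0.0
    return {"entries": len(entries), "span_hours": round(span_h, 2),
            "parents": sorted(parents), "counts": counts, "verdict": verdict}


# Constructed sample modelled on the log posted above (IP addresses were already removed there).
SAMPLE_LOG = """\
29.09.2017 08:12:58 1090 I Calling parent with heartbeat...
29.09.2017 08:12:58 1090 I Heartbeat to parent succeeded.
29.09.2017 08:47:14 00FC I SSL handshake done, local IP address = 0.0.0.0
29.09.2017 08:47:14 00FC E GetterWorker: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/OBJECT_NOT_EXIST:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO
29.09.2017 08:47:14 00FC E Failed to get messages, logging Router$MTZ1MA01 off
29.09.2017 08:47:44 1090 I RouterTableEntry::LogonToParentRouter() - logging on as active consumer
29.09.2017 08:47:44 1090 I Logged on to parent router as Router$CRER14A:504085
29.09.2017 09:55:45 00FC E GetterWorker: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/OBJECT_NOT_EXIST:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO
29.09.2017 09:55:45 00FC E Failed to get messages, logging Router$MTZ1MA01 off
29.09.2017 09:56:16 1090 I Logged on to parent router as Router$CRER14A:504085
"""

if __name__ == "__main__":
    import json, sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(triage_router_log(text), indent=2))
```

    Run it against the Router log file on the endpoint; a "connected_but_silent" verdict with a non-zero getter_failure count is the pattern in the log above, and a fresh EICAR detection should flip "sent" to at least 1 if routing works.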

  • Hi QC,

     

    Just done this, took me a while because my own Sophos on my laptop kept deleting it! But I have copied the strings over to a text document, renamed it and scanned it, and it was then quarantined. I am currently waiting for the logs to update (seems to be taking a while though).

     

    In Sophos Endpoint Security and Control, the update log does say the server needs to be restarted for updates to take effect; could this possibly sort this out? I will need to organise this, as it's a live file transfer server so I can't just reboot it, although I will be checking traffic this weekend and if I don't see any I will reboot it then.

     

    Once the logs have updated though I will post them up.

     

    James

     

    EDIT: The Endpoint has never reported this to its updating log before until I started working on it!

  • Hi QC,

     

    Just a quick update from the client that isn't reporting to Sophos: I did a telnet to the management server IP on port 8192, which then stated the connection was lost.

    And for the second telnet, to port 8194, I pressed enter after waiting 15 seconds and it did close. So I am now pretty sure, or assuming, this is going to be an internal/external firewall issue, as the Windows firewall has all the ports in.

    See the guide below from the Sophos community, used in regard to finding the information out:

     

    "Please check if there are any RMS connectivity issues. On an endpoint view the Network Communications Report. Additionally  telnet server 8192 (for server use the MRParentAddress(es) from mrinit.conf) - this should for at least one address return an IOR. You can parse the IOR here. If you get no response there's likely a firewall involved. Otherwise telnet host 8194 (using host or hostname from the parser's output. You should get a connection but no output, wait some 15 seconds and press enter and the connection should close. again, if this doesn't work it suggests that something is blocking the communication."

     

    Regards,

    James
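    The quoted check (fetch the IOR from port 8192, decode it to find the host, then confirm port 8194 accepts a connection and closes it by itself) can be done without telnet or the online parser. The following is an added example and not Sophos tooling: the IOR decoder implements the CORBA stringified-IOR layout (a CDR encapsulation holding a type id and a list of tagged profiles, with host and port in the IIOP profile, tag 0), which is what any IOR parser reads. The type id, hostname and object key in the sample are constructed and carry no meaning; the two socket functions need network access to a Router and are only run when the script is invoked with a hostname.

```python
"""RMS connectivity check in code: IOR from 8192, decode it, probe the SSLIOP port.

Added example, not Sophos code. The IOR decoder follows the CORBA stringified-IOR format;
names in the sample (type id, host, object key) are constructed.
"""
import socket
import struct

TAG_INTERNET_IOP = 0              # profile tag of the IIOP profile in a CORBA IOR


def _align(off, n):
    return (off + n - 1) // n * n


class _CdrReader:
    """One CDR encapsulation: byte 0 is the byte-order flag (1 = little-endian); primitives
    are aligned on their own size, relative to the start of the encapsulation."""
    def __init__(self, data):
        self.d, self.off, self.fmt = data, 1, ("<" if data[0] == 1 else ">")

    def octet(self):
        v = self.d[self.off]; self.off += 1; return v

    def ushort(self):
        self.off = _align(self.off, 2)
        (v,) = struct.unpack_from(self.fmt + "H", self.d, self.off); self.off += 2; return v

    def ulong(self):
        self.off = _align(self.off, 4)
        (v,) = struct.unpack_from(self.fmt + "I", self.d, self.off); self.off += 4; return v

    def octets(self):                  # sequence<octet>: ulong length, then the bytes
        n = self.ulong(); v = self.d[self.off:self.off + n]; self.off += n; return bytes(v)

    def string(self):                  # CDR string: length includes the trailing NUL
        return self.octets().rstrip(b"\x00").decode("ascii")


def parse_ior(ior):
    """Return the type id and host/port/object key of every IIOP profile in a stringified IOR."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    r = _CdrReader(bytes.fromhex(ior[4:].strip()))
    type_id = r.string()
    profiles = []
    for _ in range(r.ulong()):
        tag, data = r.ulong(), r.octets()
        if tag != TAG_INTERNET_IOP:
            continue                   # other profile types are not needed for this check
        p = _CdrReader(data)
        major, minor = p.octet(), p.octet()
        profiles.append({"iiop": f"{major}.{minor}", "host": p.string(),
                         "port": p.ushort(), "object_key": p.octets()})
    return {"type_id": type_id, "profiles": profiles}


class _CdrWriter:
    """Same layout in the other direction; used to build a sample IOR for offline testing."""
    def __init__(self, little_endian=True):
        self.fmt, self.buf = ("<" if little_endian else ">"), bytearray([1 if little_endian else 0])

    def _pad(self, n):
        self.buf += b"\x00" * (_align(len(self.buf), n) - len(self.buf))

    def octet(self, v): self.buf.append(v)
    def ushort(self, v): self._pad(2); self.buf += struct.pack(self.fmt + "H", v)
    def ulong(self, v): self._pad(4); self.buf += struct.pack(self.fmt + "I", v)
    def octets(self, b): self.ulong(len(b)); self.buf += b
    def string(self, s): self.octets(s.encode("ascii") + b"\x00")


def build_ior(type_id, host, port, object_key, little_endian=True):
    prof = _CdrWriter(little_endian)
    prof.octet(1); prof.octet(0)       # IIOP 1.0 profile body: version, host, port, object key
    prof.string(host); prof.ushort(port); prof.octets(object_key)
    w = _CdrWriter(little_endian)
    w.string(type_id); w.ulong(1); w.ulong(TAG_INTERNET_IOP); w.octets(bytes(prof.buf))
    return "IOR:" + bytes(w.buf).hex()


def fetch_ior(host, port=8192, timeout=5):
    """Step 1 of the quoted check: the Router answers a plain TCP connect on 8192 with its IOR
    and then drops the connection (telnet's "Connection to host lost")."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        chunks = []
        while True:
            try:
                c = s.recv(4096)
            except socket.timeout:
                break
            if not c:
                break
            chunks.append(c)
    return b"".join(chunks).decode("ascii", "replace").strip()


def probe_ssl_port(host, port=8194, timeout=20):
    """Step 2: connect to the SSLIOP port and wait. Success is the server closing the idle
    connection itself (recv returns b''); a timeout means something merely held the port open."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(1) == b""
        except socket.timeout:
            return False


if __name__ == "__main__":
    import sys
    info = parse_ior(fetch_ior(sys.argv[1]))   # argument: an MRParentAddress from mrinit.conf
    print(info)
    for prof in info["profiles"]:
        print(prof["host"], prof["port"], "closes idle connection:", probe_ssl_port(prof["host"], prof["port"]))
```

    If fetch_ior raises a connection error or returns nothing, a firewall between endpoint and server is the first suspect, as the quoted guide says; if it returns an IOR whose host is not the management server you expected, the Router is being pointed at the wrong parent.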

  • Hello James,

    port 8194 looks ok, apparently it can be reached. If telnet 8192 returned an IOR followed by Connection to host lost this seems to be ok as well.
    The Router log you've posted previously suggests there is a connection, question is: Did it ever send the information about the EICAR detection?

    Christian

  • Hi QC,

     

    I am very sorry for such a delayed response, unfortunately the EICAR detection didn't forward to the logs. On the current machine Windows firewall is disabled, I mean would this be required to run Sophos and get it connected to the console?

     

    Regards,

     

    James

  • Hello James,

    RMS communication requires TCP remote ports 8192 and 8194 OUT to server_ip for RouterNT.exe (and ideally local port 8194 IN). If you can telnet, as you've said in a previous post, this requirement is apparently met and the endpoint should appear in the console as connected.

    Christian 

  • Understandable. I have checked both through our own external and internal firewalls, Windows and also Wireshark and can see traffic between the 2. So it is an absolute mystery why it's not reporting its status to the console.

     

    If you require any additional information, I am currently on Sophos today on another infrastructure so I can jump on to this one if required and get it. I did try the Migration tool to see if a repoint to the server would work, but we can rule that out.

     

    I do believe there is an issue with the RMS or somewhere along the communication side of things, but finding it and diagnosing it is becoming a nuisance. I am going through patching too, in regard to all the vulnerabilities from Intel etc. So I am going to follow the uninstallation guide that Sophos sent to me and do it exactly the way it says, then go through the installation process again. Hopefully I can do this by the end of the week and I will update the post as to whether it worked or not.

     

    Regards,

    James

  • Hello James,

    you have a snippet from the Router log where it says Failed to get messages and then reconnects - still the same behaviour?
    But as you're about to patch it's probably better to un- and reinstall and check if this resolves the issue.

    Christian

  • I'll take another look through the logs, as the last ones seem quite old now. I will do the EICAR thing again, as I can't remember if the logs caught that or not, and post anything I find here.

     

    Yes, that's correct. I am hopefully getting through it this week, so the plan was to throw Sophos into all this at the same time haha! One way to get around it without having to do paperwork etc.

     

    Regards,

    James