
Sophos Enterprise Console V5.5

Hi

I have an issue with a Sophos Enterprise Console running on a Windows 2008 server. The issue is that the console opens but then shows that it hasn't updated definitions from Sophos, and none of the clients are talking to the server. I know that the server is getting the updates, and I can see the warehouse files updating when it is run. Even the clients are updating from the server and say they are up to date.

Any help would be most appreciated



  • Hello Lee Calvert,

    Looks like communication is stuck.
    If you view the management server in the Endpoints view, tab Computer Details, what is the Last message time? On the dashboard - what are the numbers for Managed and Connected Computers? I assume Connected is much less than you expect. If you didn't reboot the server recently please restart the Sophos Message Router service.

    Christian

  • Hi Christian

    Thanks for the reply. The server has been restarted many times; the console says 130 managed, connected 0.

    Below is the log from the updating log for the server client, which also isn't reporting to itself. Last update time is 23/02/2018 09:19:20.

  • Hello Lee Calvert,

    connected 0 is a communication problem.
    Please restart the mentioned service on the management server, and after a minute or so check the latest Router- log (%ProgramData%\Sophos\Remote Management System\3\Router\Logs\).

    Christian

  • Hi Christian

     

    I have restarted the service and have got the agent log file from the server. I'm doing this remotely at present, so sorry for the slow response, working on a different site.

    I also have the router log if you need that as well

     

    lee

    Agent-20180223-141233.log

  • Router-20180223-150055.log

    Hi Christian

     

    here is the router log for the server client

     

    tks

  • Hello Lee,

    yes, it's the Router log that should have some more information, SUM seems to be running fine and also talks to the Agent.

    Christian

  • Based on the IOR of the server router:

    Which equates to the 3 IPs:

    Profiles:
    1. IIOP 1.2 169.254.240.94 8193 "....NUP...!........RootPOA.RouterPersistent.........MessageRouter"
                TAG_ORB_TYPE 0x54414f00
                TAG_CODE_SETS char native code set: ISO-8859-1
                              char conversion code set: UTF-8
                              wchar native code set: UTF-16
                              wchar conversion code set: 
                
                TAG_SSL_SEC_TRANS port = 8194 supports = 166 requires = 134
    
    2. IIOP 1.2 10.21.27.253 8193 "....NUP...!........RootPOA.RouterPersistent.........MessageRouter"
                TAG_ORB_TYPE 0x54414f00
                TAG_CODE_SETS char native code set: ISO-8859-1
                              char conversion code set: UTF-8
                              wchar native code set: UTF-16
                              wchar conversion code set: 
                
                TAG_SSL_SEC_TRANS port = 8194 supports = 166 requires = 134
    
    3. IIOP 1.2 169.254.192.196 8193 "....NUP...!........RootPOA.RouterPersistent.........MessageRouter"
                TAG_ORB_TYPE 0x54414f00
                TAG_CODE_SETS char native code set: ISO-8859-1
                              char conversion code set: UTF-8
                              wchar native code set: UTF-16
                              wchar conversion code set: 
                
                TAG_SSL_SEC_TRANS port = 8194 supports = 166 requires = 134

    I assume that the clients that connect to this server all reference it on the 10.21.27.253 interface.

    As a result, I would suggest editing:
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Message Router"
    changing the value for ImagePath from:

    "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194
    to
    "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://10.21.27.253:8193/ssl_port=8194

    Then edit: 
    "HKEY_LOCAL_MACHINE\SOFTWARE\sophos\Messaging System\Router"(32bit) or "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\sophos\Messaging System\Router"(64bit)
    changing the value for ServiceArgs from:

    "-ORBListenEndpoints iiop://:8193/ssl_port=8194"
    to
    "-ORBListenEndpoints iiop://10.21.27.253:8193/ssl_port=8194"

    Restart the Sophos Message Router Service and then restart the Sophos Agent service.

    If this still fails, can you provide the new Sophos Message Router and Sophos Agent log files?

    Regards,

    Jak

  • Hello Lee,

    in addition to Jak's suggestion:

    1. please check when this issue started - most endpoints (including the server itself) should show approximately the same Last message time in the Computer Details view. This is "when it happened" and maybe it gives a hint what else could have happened then
    2. is RouterNT.exe listening on ports 8192-8194?
    3. in another post Jak showed how to turn on more logging, perhaps it's a good idea to turn it on if setting an explicit address doesn't help

    Christian

  • Hi Christian / Jak 

     

    What I have now found out going through the event logs is that it seems there is more than one database available and syncing; I think I had 4 mentioned in the event logs. So it could be possible that this has been an upgrade error from a previous engineer not upgrading the database correctly.

    So I'm going to look at stripping this all off and starting from scratch with a clean install, unless you have any other suggestions.

    But thanks for your help in the meantime.

  • Hello Lee,

    "more than one database available and syncing"
    Not sure what you mean by this, could you perhaps post the details? And I don't think it is the database as both the Agent and Router logs show that the server isn't able to "talk to itself". But do the last message times and the date of the upgrade from the previous version coincide?

    Christian

  • Hi

     

    Below is a picture of the SQL databases, and it shows them all syncing, which is what I meant.

     

  • Hello Lee,

    I see. This is normal, the Last modified date doesn't indicate that SEC actually works with (i.e. selects from or stores into) the databases. As long as they are not taken offline the SQL server will occasionally "touch" them, also SEC will enumerate them at start-up. As said, your problem is likely not related to the database(s).

    Christian 

  • Hi Christian

     

    Since I did what Jak said I now get the error that the Sophos Message Router won't start as the file can't be found. Any ideas where to go with this?

     

    lee

  • Hello Lee,

    I see that Jak didn't explicitly state that you amend just the -ORBListenEndpoints parameter but leave the path as it is. He referred to bitness in the second part though. I assume you have a 64bit system so it's C:\Program Files (x86)\Sophos\Enterprise Console\Remote Management System\RouterNT.exe.

    Christian
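
The following PowerShell is an added example, not code from any poster in this thread or from Sophos. It applies Jak's change by rewriting only the -ORBListenEndpoints token in the existing ImagePath and ServiceArgs values, so the installed executable path is never retyped, and then runs the port check Christian asked about. Assumptions: the bind address 10.21.27.253 from the thread, the service display names "Sophos Message Router" and "Sophos Agent", and the hypothetical helper name Set-ListenEndpoint.

```powershell
# Added example: change only the -ORBListenEndpoints token; the executable
# path already stored in the registry is read back and left untouched.
$BindAddress = '10.21.27.253'   # address used in the thread; substitute your own
$Endpoint    = "iiop://${BindAddress}:8193/ssl_port=8194"

function Set-ListenEndpoint([string]$CommandLine, [string]$NewEndpoint) {
    # Match just the iiop:// token after the switch, stopping at a space or quote.
    $pattern = '(?<=-ORBListenEndpoints\s+)iiop://[^\s"]*'
    if ($CommandLine -notmatch $pattern) {
        throw "No -ORBListenEndpoints argument in: $CommandLine"
    }
    [regex]::Replace($CommandLine, $pattern, $NewEndpoint)
}

$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Message Router'
$routerKeys = 'HKLM:\SOFTWARE\sophos\Messaging System\Router',
              'HKLM:\SOFTWARE\Wow6432Node\sophos\Messaging System\Router'

$old = (Get-ItemProperty -Path $serviceKey -Name ImagePath).ImagePath
$new = Set-ListenEndpoint $old $Endpoint

# Refuse to write an ImagePath whose executable does not exist (the
# "file can't be found" failure reported at the end of the thread).
if ($new -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
else { $exe = ($new -split '\s+-')[0].Trim() }
if (-not (Test-Path -LiteralPath $exe)) { throw "Executable not found: $exe" }

Write-Host "Previous ImagePath: $old"   # keep this line for rollback
Set-ItemProperty -Path $serviceKey -Name ImagePath -Value $new

# Update ServiceArgs under whichever of the 32-bit / 64-bit keys exists.
foreach ($key in $routerKeys) {
    if (-not (Test-Path $key)) { continue }
    $current = (Get-ItemProperty -Path $key).ServiceArgs
    if ($current) {
        Set-ItemProperty -Path $key -Name ServiceArgs -Value (Set-ListenEndpoint $current $Endpoint)
    }
}

# Restart order from the thread: router first, then agent.
Restart-Service -DisplayName 'Sophos Message Router' -Force
Start-Sleep -Seconds 5
Restart-Service -DisplayName 'Sophos Agent'

# Confirm RouterNT.exe is listening on ports 8192-8194.
netstat -ano | Select-String ':819[2-4]\s.*LISTENING'
```

Run it from an elevated prompt on the management server; the last column of the netstat output is the PID to match against RouterNT.exe.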