
Cause with protecting clients in SEC

Hello,

 

I have a cause with protecting clients in our network. The employees work from home and are connected via VPN.

In the Enterprise Console I click on Protect, but nothing happens.

How can I protect these laptops?


Primary Server is my Server and secondary is Sophos.



This thread was automatically locked due to age.
  • Hello Marvin,

    the screenshot can't be from shortly after Protect as it is apparently already installed. Did you try to Protect a computer where Sophos is already installed?
    Strange that it shows failed downloads RMSNT, SAVXP, AutoUpdate, and SSP due to error 86 (password incorrect) - the latter three are then downloaded from Sophos - but succeeds with NTP and SED. The credentials should be the same so why do they suddenly work? Is this a domain account?

    As to the errors: The second says that the install task couldn't be created or started, the first tells that it was started but RMS failed to report back (either it's not running on the endpoint or it could not reach port 8192 or 8194 on the server).

    Christian

  • Hello Christian,

    Yes, I tried to protect the computer where Sophos AutoUpdate is installed.

    0Sophos is my account like "SophosUpdateMgr".

     

    After uninstalling AutoUpdate and protecting the computer again I have this error:

     

    If I make telnet connections from client to server, I see these:

    Telnet to Server on Port 8192

    Telnet to Server on Port 8194

    I see the Cursor flicker

     

    Marvin

     

     

  • Hello Marvin,

    so the install has succeeded. The server answers on port 8192 - is 192.168.158.139 the IP you have used for telnet? - and the response on 8194 is the expected one. If so, please check the Router log in %ProgramData%\Sophos\Remote Management System\3\Router\Logs\. This should tell why the endpoint can't communicate with the server.

    Christian

  • Hello Christian,

     

    09.03.2018 10:48:27 1C8C I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20180309-094827.log
    09.03.2018 10:48:27 1C8C I Sophos Messaging Router 4.1.1.127 starting...
    09.03.2018 10:48:27 1C8C I Setting ACE_FD_SETSIZE to 138
    09.03.2018 10:48:27 1C8C I Initializing CORBA...
    09.03.2018 10:48:27 1C8C I Connection cache limit is 10
    09.03.2018 10:48:28 1C8C I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
    09.03.2018 10:48:28 1C8C I Creating ORB runner with 4 threads
    09.03.2018 10:48:28 1C8C W No public key certificate found in the store. Requesting a new certificate.
    09.03.2018 10:48:28 1C8C I Getting parent router IOR from 192.168.158.139:8192
    09.03.2018 10:48:28 1C8C I This computer is part of the domain PARADOX
    09.03.2018 10:48:49 1C8C I This computer is part of the domain PARADOX
    09.03.2018 10:48:49 1C8C I Getting parent router IOR from fe80::bc28:431e:a704:4f2:8192
    09.03.2018 10:48:49 1C8C E ACE_INET_Addr::ACE_INET_Addr: fe80::bc28:431e:a704:4f2: Authoritive: Host not found
    09.03.2018 10:48:49 1C8C W Parent address unknown: Authoritive: Host not found (11001)
    09.03.2018 10:48:49 1C8C I Getting parent router IOR from PXNPAPP07.paradox.local:8192
    09.03.2018 10:49:10 1C8C I Getting parent router IOR from PXNPAPP07:8192
    09.03.2018 10:49:32 1C8C I This computer is part of the domain PARADOX
    09.03.2018 10:49:32 1C8C E Failed to get parent router IOR
    09.03.2018 10:49:32 1C8C W Failed to get certificate, retrying in 600 seconds
    09.03.2018 10:59:33 1C8C I Getting parent router IOR from 192.168.158.139:8192
    09.03.2018 10:59:54 1C8C I Getting parent router IOR from fe80::bc28:431e:a704:4f2:8192
    09.03.2018 10:59:54 1C8C E ACE_INET_Addr::ACE_INET_Addr: fe80::bc28:431e:a704:4f2: Authoritive: Host not found
    09.03.2018 10:59:54 1C8C W Parent address unknown: Authoritive: Host not found (11001)
    09.03.2018 10:59:54 1C8C I Getting parent router IOR from PXNPAPP07.paradox.local:8192
    09.03.2018 11:00:15 1C8C I Getting parent router IOR from PXNPAPP07:8192
    09.03.2018 11:00:36 1C8C E Failed to get parent router IOR
    09.03.2018 11:00:36 1C8C W Failed to get certificate, retrying in 600 seconds
    09.03.2018 11:08:32 1C8C E Router::Start: Caught Router stopped before certificate obtained

     

    This is the log file... The only entry is from 09.03?

    Do you have an idea? I am so desperate....

    Marvin

  • This log file is from the endpoint, or do you need the log from the server?

  • Hello Marvin,

    the logs are removed upon a reinstall.
    Now you showed that telnet 192.168.158.139 responds with the expected IOR, the logs indicate that RMS' connection attempt to the IPv6 address immediately fails, the requests with the IP and the names time out though (you see the 20+ seconds gap in the timestamps). Question is, why does RouterNT.exe not get a response but telnet does?

    Christian
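
Added example (not part of the original thread and not Sophos code): a Python script that reads Router log lines in the format posted above and labels each "Getting parent router IOR" attempt as a timeout or an immediate address error, based on the gap to the next step. The function name and the 20-second threshold are assumptions; the sample lines are copied from the log in this thread.

```python
import re
from datetime import datetime

# Sample input: lines copied from the Router log posted in this thread.
SAMPLE_LOG = """\
09.03.2018 10:48:28 1C8C I Getting parent router IOR from 192.168.158.139:8192
09.03.2018 10:48:28 1C8C I This computer is part of the domain PARADOX
09.03.2018 10:48:49 1C8C I This computer is part of the domain PARADOX
09.03.2018 10:48:49 1C8C I Getting parent router IOR from fe80::bc28:431e:a704:4f2:8192
09.03.2018 10:48:49 1C8C E ACE_INET_Addr::ACE_INET_Addr: fe80::bc28:431e:a704:4f2: Authoritive: Host not found
09.03.2018 10:48:49 1C8C W Parent address unknown: Authoritive: Host not found (11001)
09.03.2018 10:48:49 1C8C I Getting parent router IOR from PXNPAPP07.paradox.local:8192
09.03.2018 10:49:10 1C8C I Getting parent router IOR from PXNPAPP07:8192
09.03.2018 10:49:32 1C8C I This computer is part of the domain PARADOX
09.03.2018 10:49:32 1C8C E Failed to get parent router IOR
"""

LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) \w+ ([IWE]) (.*)$")
ATTEMPT = re.compile(r"Getting parent router IOR from (.+):(\d+)$")
TIMEOUT_SECS = 20  # assumption: a gap of 20+ seconds means the request timed out


def classify_attempts(log_text):
    """Return (target, seconds_to_next_step, verdict) for every IOR attempt."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    results = []
    for i, (ts, _, msg) in enumerate(events):
        attempt = ATTEMPT.search(msg)
        if not attempt:
            continue
        end, errored = ts, False
        # An attempt ends at the next attempt or at the final failure line.
        for ts2, level2, msg2 in events[i + 1:]:
            if ATTEMPT.search(msg2) or msg2.startswith("Failed to get parent"):
                end = ts2
                break
            errored = errored or level2 == "E"
        gap = int((end - ts).total_seconds())
        verdict = ("timeout" if gap >= TIMEOUT_SECS
                   else "address error" if errored else "no delay")
        results.append((attempt.group(1), gap, verdict))
    return results


if __name__ == "__main__":
    for target, gap, verdict in classify_attempts(SAMPLE_LOG):
        print(f"{target:30} {gap:3d}s  {verdict}")
```
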

  • Hello Christian,

    Ah okay. Do you have an idea? Sorry but I am a total beginner with Sophos...

    I would not even know how to continue to apply the topic..

     

    Marvin

  • Hello Marvin,

    does the firewall generally permit outbound connections? Or did you have to explicitly allow telnet? If not then that one process gets a response and another not would be surprising - but anyway it suggests some local problem.
    My preferred approach is to run Wireshark to see what goes out and comes or doesn't come in.

    Christian

  • Hello Christian,

    I could not see anything in Wireshark, at least not with the ports.

    This cannot be true...

     

    Marvin

  • Hello Marvin,

    using just port 8192 or port 8194 as capture filter you should see at least something (i.e. the SYNs) when you (re-)start the Sophos Message Router service. To make sure Wireshark works as it should also telnet to port 8192.

    Christian