Upgrade to Sec5.5 half successful. Patch Service Issues - stuck in starting state

Hi Guys, 

So I'm stuck in quite a strange problem. I will try to explain as best as I can below and will also lay out some background info:

3 days ago:

So we were happily running Sec5.4.1 on a Windows 2008 R2 Standard and then we decided to upgrade the console to 5.5.

However, we did not have the SUM password or the SophosManagement database access account password. So we reset the passwords in AD and re-ran the Sec5.4.1 installer to reset the passwords. If I remember correctly that went fine.

Then we ran the Sec5.5 installer to update it. Initially it failed because of a cached password policy we had. So I removed the policy and re-ran it. This time the installation completed, but when I restarted the server, Enterprise Console failed to open. I think the database upgrade from 540 to 550 failed. So I dropped the Sophos550 database and recreated it manually using the UpgradeDB utility. Now the Sophos console would open, but I had lost all my policies and computers. So I contacted Sophos support and they issued the following commands:

sqlcmd -E -S .\SOPHOS -d SOPHOS550 -q "Update Upgrade Set UpgradeStatus=1" 
sqlcmd -E -S .\SOPHOS -d SOPHOS550 -q "From540" 
sqlcmd -E -S .\SOPHOS -d SOPHOS550 -q "Update Upgrade Set UpgradeStatus=2" 

So after this everything seemed to work. I had all my policies and computers back. The clients were updating fine and the console was updating fine, and I could change policies and protect clients from the console all fine.

 

Today:

So we come in today with a plan to migrate the console to another machine. So I go into Services to stop them and I find:

  1. The three Sophos Patch Services are stuck on starting – 
  2. I am getting this log in the Event Viewer: Event 0, PatchFeedProcessor, Processing stopped (handled error):'Failed to check upgrade complete status'
  3. Also I’m getting the following log in the Windows event log about every 30 seconds: Event 18456, MSSQL$SOPHOS, Login failed for user 'DOMAIN\SophosManagement'. Reason: Failed to open the explicitly specified database. [CLIENT: <local machine>]

So I verified with the following:

SQLCMD -E -S SQLSERVER\SOPHOS

1> SELECT * FROM SYSDATABASES WHERE NAME LIKE "%PATCH%"
2> GO

This showed that SophosPatch52 is the database name which is correct. 

Then I went into SQL Server Management Studio and checked the properties of the SophosPatch52 database. It had no users/groups in the permissions tab. So I manually added the Sophos DB Admins group to it and gave it connect permissions (same as the other databases) - (THIS STEP CLEARED THE WINDOWS MSSQL$SOPHOS LOGIN FAILED ERROR)

But the services still did not start after taskkilling them and retrying.

Then I tried this:

 

1> USE SOPHOSPATCH52
2> UPDATE Upgrade
3> SET UpgradeStatus=2 WHERE ID=1
4> GO

It seemed to do something but still the patch services did not start.

 

I have also tried running updatepatchDB.bat Domain\SOPHOS NetbiosDomain SOPHOSpatch52 Sophos_updatepatchDB.log. It seems to do something but nothing changes.

 

So I spoke to Sophos Support and they said I should go ahead with the migration, which might fix the issue.

So I did back up the old server and then I restored them to the new server. However, when I tried to install Enterprise Console on the new server it failed. I checked the services and the patch services were stuck in starting state.

I don't know where to go from here..

Does anyone have any advice or suggestions, please?

 

Cheers, 



This thread was automatically locked due to age.
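
The check described in the first post (SophosPatch52 had no users or groups on its permissions tab while the other databases did) can be run across all the Sophos databases at once. This is an added example, not part of the thread or Sophos's own tooling; the login name `DOMAIN\Sophos DB Admins` and the `Sophos%` name filter are assumptions to adjust.

```sql
-- Added example: for each online database named Sophos%, report whether the
-- group is mapped as a database user and has been granted CONNECT.
SET NOCOUNT ON;
DECLARE @grp sysname = N'DOMAIN\Sophos DB Admins';  -- assumption: your group's login name
DECLARE @sid varbinary(85) =
    (SELECT sid FROM sys.server_principals WHERE name = @grp);
DECLARE @db sysname, @sql nvarchar(max);

CREATE TABLE #result (database_name sysname, user_present bit, has_connect bit);

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE UPPER(name) LIKE N'SOPHOS%' AND state_desc = N'ONLINE';
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- The database name is injected with QUOTENAME; the SID is a parameter.
    SET @sql = N'
      INSERT INTO #result
      SELECT @db,
             CASE WHEN dp.principal_id IS NULL THEN 0 ELSE 1 END,
             CASE WHEN EXISTS (
                    SELECT 1
                    FROM ' + QUOTENAME(@db) + N'.sys.database_permissions AS p
                    WHERE p.grantee_principal_id = dp.principal_id
                      AND p.class = 0
                      AND p.permission_name = N''CONNECT''
                      AND p.state IN (''G'', ''W''))
                  THEN 1 ELSE 0 END
      FROM (SELECT 1 AS one) AS anchor
      LEFT JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS dp
             ON dp.sid = @sid;';
    EXEC sp_executesql @sql,
         N'@db sysname, @sid varbinary(85)', @db = @db, @sid = @sid;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur;
DEALLOCATE db_cur;

-- Rows with user_present = 0 or has_connect = 0 are the ones to compare
-- against a database that works.
SELECT database_name, user_present, has_connect
FROM #result
ORDER BY has_connect, database_name;
DROP TABLE #result;
```

Save it to a file and run it with `sqlcmd -E -S .\SOPHOS -i <file>` or paste it into Management Studio. If every row shows `user_present = 0`, the login name in `@grp` did not match a server login.
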
  • Hello Redfern,

    is Protect supposed to work i.e. you've used it before? How did it not work - what's the error shown in the console? There's an article that describes how Protect works.

    Indeed Protect is the recommended method to redirect the endpoints. You did export and import the RMS certificates during migration, didn't you? I assume the new server has a different name and IP. Using an alias can work - it depends on your mrinit.conf - usually it contains not just an IP but the server's NetBIOS and FQDN. You'd have to turn off old, add old's name (preferably a DNS FQDN) as an alias for new - the endpoints should then find new. 

    Christian

  • Well, Protect worked on the old console just fine. It's how we always deployed Sophos. We never had to manually run setup.exe or use any scripts etc. The migration guide I was following instructed to do a backup. I can see in the saved backup from the old server that the certificationmanager REG entry is backed up along with 5 other reg files. I also restored these to the new server as part of the migration guide.

    Yes, the server has a different name and IP, but the old server cannot be turned off as it is a DC and holds other critical services (one of the reasons why we are migrating the Sophos Console).

    The errors I am getting are generic-ish - it will say things like:

    Install failed. computer may need additional config. - awaiting response from computer

    If I check the Sophos communication report it says:

    There is a problem communicating with the server. - DNS issues

    State of outgoing communications to server - communication failure

     

    What's strange is that when I try to push Protect from the console, the client PC received the task in Task Scheduler but then it doesn't run. One of the clients said that there was already an instance of the task running.

     

    I'm sure I have my DNS fine, firewall rules are fine, shares and security are fine. It's just so strange that it still won't work. :-(

     

  • Hello Redfern,

    I'll have to think about it, it's almost 6pm (and I'm anyway not Sophos). Should be possible to make it work again if it worked before.
    Is your old SEC still alive and do the endpoints communicate?

    Christian

  • Hi Christian, I know you are not Sophos. I've been following your advice for other issues for well over a year now (worked as tech support for an IT company, managing schools' ICT, who all used Sophos) and I thank you for helping me and responding to my messages.

    Yes the old SEC is still alive and communicating fine. 

    I think I'm going to have to revisit the Sonicwall and Windows firewalls...

    Cheers. 

  • Hello Redfern,

    it might be a firewall preventing successful use of Protect.

    "if i check the Sophos communication report"
    The one on an endpoint you attempted to re-protect? First thing to check is whether the Parent addresses: are those for the new server. If they are then the install has principally succeeded. There shouldn't be DNS issues - but if there are they must have been present before. Can't say what they could be or whether they'd prevent communication in all cases.

    Christian

  • Hi Christian, 

     

    It was a firewall issue. Windows firewall had the old IP in the scope, which needed changing. This allowed the clients to communicate with the server properly. We did still have an issue where we couldn't re-protect over half the clients. However, we solved that by using the script you referenced in another post! Thanks :-)

     

    So now that that's done, we will look at upgrading to 5.5.1 (fingers crossed it goes smoothly) and deploying a child Enterprise Console as well.

    Cheers

    Thanks again.