Sophos Enterprise Console - Secondary Update Server

Hi Stephen,

Is this secondary SUM newly installed?

Can you confirm that you applied the SUM to the applicable machines AutoUpdate policy?

Please see the following article on configuring policies to use a secondary update location for failover purposes, the article does specify using Sophos, but you can use which ever update location you choose: https://community.sophos.com/kb/en-us/12354

 Let me know if this helps.

Thanks,

SUM already existed 

Client machines do not see it, but the installed client on the server sees the secondary location???

All client machines have the message awaiting transfer policy

Hello Stephen,

it's not clear what you mean by machines do not see it. As you mention Awaiting policy transfer - are you perhaps talking about the Update Details view in the Console and the Secondary location is blank? If so, and if the (most, the ones that are running) endpoints show as Connected (the green icon) select them, right-click Comply with  → Group updating policy.

Christian

Hi CHristian,

All machines have a cross through them and have the Awaiting policy transfer  apart from the client software installed on the SEC server itself

Kind Regards

Stephen

Hello Stephen,

you did reprotect them and they did connect after install, i.e. the down-arrow and the hourglass disappeared from the computer icon and there are no error messages?
You can in addition check from the Computer Details view, column Last message time.

Christian

Hi Christian,

I reprotected them, got the hourglass, then they went back to a cross next to the machine

Above is what I am currently seeing

Kind Regards

Stephen

Hi Christian,

I reprotected them, got the hourglass, then they went back to a cross next to the machine

Above is what I am currently seeing

Kind Regards

Stephen

Hello Stephen,

guess the error reported are install errors, could you check the Alert and Error Details view, the Update errors column is on the far right. Or double-click a computer to view its details.

Could it be that a firewall (network or server-local, unlikely on the endpoints) is blocking the connection? Simple test is to try to telnet to port 8192 on the management server from an endpoint.

Christian

Hi Christian,

I get the following on the install error section on most of the endpoints.

Kind Regards

Stephen

There's also nothing blocking ports as far as I can see

Hello Stephen,

the could not be started can have several reasons, but it seems the install has run on those not yet managed. This usually means that the install task has been run the endpoint has not yet "called back".
Can you confirm that a telnet connection from one of these endpoints to the server's 8192 succeeds?

Christian

Hi CHristian,

I have tested this and it is not getting blocked

Kind Regards

Stephen

Hello Stephen,

so you do get back a string that starts with IOR: followed by quite a number of hex digits?

Christian

IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a4000000010102000e0000003139322e3136382e312e3134310001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f757465720000000300000000000000080000000100fc00004f415401000000180000000100fc00010001000100000001000105090101000000000014000000080000000100a60086000220

Connection to host lost.

Hello Stephen,

guess I don't disclose any secret information here. The IOR advertises 192.168.1.141 as the management server's IP, is this the correct address?
If so, and if this endpoint does not appear connected please restart the Sophos Message Router service on the endpoint and then check the latest Router-202001....log in %ProgramData%\Sophos\Remote Management System\3\Router\Logs. It should help to determine why the endpoints don't talk to the server.

Christian

16.01.2020 08:34:53 481C I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20200116-083453.log
16.01.2020 08:34:54 481C I Sophos Messaging Router 4.1.2.24 starting...
16.01.2020 08:34:54 481C I Setting ACE_FD_SETSIZE to 138
16.01.2020 08:34:54 481C I Initializing CORBA...
16.01.2020 08:34:54 481C I Connection cache limit is 10
16.01.2020 08:34:54 481C I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
16.01.2020 08:34:54 481C I Creating ORB runner with 4 threads
16.01.2020 08:34:54 481C W No public key certificate found in the store. Requesting a new certificate.
16.01.2020 08:34:54 481C I Getting parent router IOR from 192.168.1.141:8192
16.01.2020 08:34:54 481C I This computer is part of the domain CASHFACSOLUTION
16.01.2020 08:34:54 481C I Getting a new router certificate...
16.01.2020 08:34:54 481C W SSL connection alert, peer address 192.168.1.141
16.01.2020 08:34:54 481C W Cannot verify peer's SSL certificate, unknown CA
16.01.2020 08:34:54 481C E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
16.01.2020 08:34:58 481C I This computer is part of the domain CASHFACSOLUTION
16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
16.01.2020 08:34:58 481C W SSL connection alert, peer address 192.168.1.141
16.01.2020 08:34:58 481C W Cannot verify peer's SSL certificate, unknown CA
16.01.2020 08:34:58 481C E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
16.01.2020 08:34:58 481C E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

16.01.2020 08:34:58 481C W Failed to get certificate, retrying in 600 seconds

Hello Stephen,

sorry for the delay, just migrating one of my management servers [:)].

On this endpoint: Has Protect worked? A bunch of Install logs in \Windows\Temp\ would be an indicator.
It looks like an issue with the certificates. Did you import the certificates from the old server? If you didn't, Protect (i.e. a reinstall on the endpoints) or using the Migration Utility is required. If you did (correctly) endpoints won't see a change. Now apparently the endpoint contacts the correct server (or did you reuse the old's IP for the new one?) - this suggests it is using the current mrinit.conf and in turn the certificates should be correct. Only if the certificates have been imported in the new server after initial install of the management component there could be a mismatch.

I'd compare the relevant entries on the server and this endpoint, and also the server's registry entries to the values in the CID's mrinit.conf. 

Christian