
Sophos Enterprise Console - Secondary Update Server

Hi All,

 

Currently having an issue where we have the Primary and Secondary Update servers listed on the SEC.

The primary, which is our on-prem server, shows up on client machines but the secondary does not (this is linked to the account username and licensing key).

Is there a reason the secondary is not showing up?

 

All help appreciated.

 

Kind Regards

Stephen



This thread was automatically locked due to age.
  • Hello Stephen,

    the could not be started can have several reasons, but it seems the install has run on those not yet managed. This usually means that the install task has been run but the endpoint has not yet "called back".
    Can you confirm that a telnet connection from one of these endpoints to the server's 8192 succeeds?

    Christian

  • Hi Christian,

     

    I have tested this and it is not getting blocked

     

    Kind Regards

    Stephen

  • Hello Stephen,

    so you do get back a string that starts with IOR: followed by quite a number of hex digits?

    Christian

  • IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a4000000010102000e0000003139322e3136382e312e3134310001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f757465720000000300000000000000080000000100fc00004f415401000000180000000100fc00010001000100000001000105090101000000000014000000080000000100a60086000220

    Connection to host lost.

  • Hello Stephen,

    guess I don't disclose any secret information here. The IOR advertises 192.168.1.141 as the management server's IP, is this the correct address?
    If so, and if this endpoint does not appear connected please restart the Sophos Message Router service on the endpoint and then check the latest Router-202001....log in %ProgramData%\Sophos\Remote Management System\3\Router\Logs. It should help to determine why the endpoints don't talk to the server.

    Christian
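
The check made above, reading the advertised management server address out of the IOR string, as an added example (not part of the original posts and not Sophos code): a minimal Python decoder for a stringified CORBA IOR. The names `Cdr` and `decode_ior` are hypothetical; the tag values 0 (IIOP profile) and 20 (SSL component) come from the CORBA specifications.

```python
import struct

# IOR string exactly as posted in the thread (the server's answer on port 8192).
THREAD_IOR = (
    "IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e30000000"
    "0100000000000000a4000000010102000e0000003139322e3136382e312e31343100012041000000"
    "14010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e74000300000001000000"
    "4d657373616765526f757465720000000300000000000000080000000100fc00004f41540100000018000000"
    "0100fc00010001000100000001000105090101000000000014000000080000000100a60086000220"
)
TAG_INTERNET_IOP, TAG_SSL_SEC_TRANS = 0, 20   # IIOP profile tag, SSLIOP component tag

class Cdr:
    """Minimal CDR encapsulation reader; alignment is relative to its start."""
    def __init__(self, data):
        self.data, self.pos = data, 1
        self.endian = "<" if data[0] & 1 else ">"    # first octet is the byte-order flag
    def num(self, fmt, size):
        self.pos += -self.pos % size                 # pad to natural alignment
        (value,) = struct.unpack_from(self.endian + fmt, self.data, self.pos)
        self.pos += size
        return value
    def blob(self):                                  # ulong length followed by raw octets
        n = self.num("I", 4)
        if self.pos + n > len(self.data):
            raise ValueError("truncated IOR")
        self.pos += n
        return self.data[self.pos - n:self.pos]

def decode_ior(text):
    """Return type id, advertised host/port and SSL port of the first IIOP profile."""
    if not text.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    top = Cdr(bytes.fromhex(text[4:].strip()))
    info = {"type_id": top.blob().rstrip(b"\0").decode("ascii")}
    profiles = [(top.num("I", 4), top.blob()) for _ in range(top.num("I", 4))]
    prof = Cdr(next(body for tag, body in profiles if tag == TAG_INTERNET_IOP))
    version, prof.pos = (prof.data[1], prof.data[2]), 3     # IIOP major, minor
    info["host"] = prof.blob().rstrip(b"\0").decode("ascii")
    info["port"] = prof.num("H", 2)
    prof.blob()                                      # object key, not needed here
    count = prof.num("I", 4) if version >= (1, 1) else 0    # components exist since IIOP 1.1
    for ctag, cbody in [(prof.num("I", 4), prof.blob()) for _ in range(count)]:
        if ctag == TAG_SSL_SEC_TRANS:                # target_supports, target_requires, port
            ssl = Cdr(cbody)
            info["ssl_port"] = [ssl.num("H", 2) for _ in range(3)][2]
    return info

print(decode_ior(THREAD_IOR))
```

For the IOR posted above this yields host 192.168.1.141 with IIOP port 8193 and SSL port 8194, so the address can be compared directly with the one the endpoint is expected to use.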

  • 16.01.2020 08:34:53 481C I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20200116-083453.log
    16.01.2020 08:34:54 481C I Sophos Messaging Router 4.1.2.24 starting...
    16.01.2020 08:34:54 481C I Setting ACE_FD_SETSIZE to 138
    16.01.2020 08:34:54 481C I Initializing CORBA...
    16.01.2020 08:34:54 481C I Connection cache limit is 10
    16.01.2020 08:34:54 481C I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
    16.01.2020 08:34:54 481C I Creating ORB runner with 4 threads
    16.01.2020 08:34:54 481C W No public key certificate found in the store. Requesting a new certificate.
    16.01.2020 08:34:54 481C I Getting parent router IOR from 192.168.1.141:8192
    16.01.2020 08:34:54 481C I This computer is part of the domain CASHFACSOLUTION
    16.01.2020 08:34:54 481C I Getting a new router certificate...
    16.01.2020 08:34:54 481C W SSL connection alert, peer address 192.168.1.141
    16.01.2020 08:34:54 481C W Cannot verify peer's SSL certificate, unknown CA
    16.01.2020 08:34:54 481C E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
    16.01.2020 08:34:58 481C I This computer is part of the domain CASHFACSOLUTION
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
    16.01.2020 08:34:58 481C W SSL connection alert, peer address 192.168.1.141
    16.01.2020 08:34:58 481C W Cannot verify peer's SSL certificate, unknown CA
    16.01.2020 08:34:58 481C E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
    16.01.2020 08:34:58 481C E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
    OMG minor code (2), described as '*unknown description*', completed = NO

    16.01.2020 08:34:58 481C W Failed to get certificate, retrying in 600 seconds

  • Hello Stephen,

    sorry for the delay, just migrating one of my management servers :).

    On this endpoint: Has Protect worked? A bunch of Install logs in \Windows\Temp\ would be an indicator.
    It looks like an issue with the certificates. Did you import the certificates from the old server? If you didn't, Protect (i.e. a reinstall on the endpoints) or using the Migration Utility is required. If you did (correctly) endpoints won't see a change. Now apparently the endpoint contacts the correct server (or did you reuse the old's IP for the new one?) - this suggests it is using the current mrinit.conf and in turn the certificates should be correct. Only if the certificates have been imported in the new server after initial install of the management component there could be a mismatch.

    I'd compare the relevant entries on the server and this endpoint, and also the server's registry entries to the values in the CID's mrinit.conf

    Christian 
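
An added example, not part of the original posts: a Python triage of the Router log lines posted earlier in the thread, showing how the entries add up to the certificate trust failure discussed above. It assumes the packed error-code layout of OpenSSL 1.x (8-bit library, 12-bit function, 12-bit reason); `triage` and `unpack_openssl_error` are hypothetical names.

```python
import re

# Lines copied from the Router log posted in the thread (repeated entries omitted).
ROUTER_LOG = """\
16.01.2020 08:34:54 481C I Getting parent router IOR from 192.168.1.141:8192
16.01.2020 08:34:54 481C W SSL connection alert, peer address 192.168.1.141
16.01.2020 08:34:54 481C W Cannot verify peer's SSL certificate, unknown CA
16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
16.01.2020 08:34:58 481C E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO
16.01.2020 08:34:58 481C W Failed to get certificate, retrying in 600 seconds
"""

ENTRY = re.compile(r"^\d\d\.\d\d\.\d{4} \d\d:\d\d:\d\d \w+ ([IWE]) (.*)$")
SSL_ERR = re.compile(r"error code: (\d+) - error:([0-9A-Fa-f]{8}):[^:]*:[^:]*:(.*)$")

def unpack_openssl_error(code):
    """Split a packed OpenSSL 1.x error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(log_text):
    """Summarise what the router log says about the connection to its parent."""
    report = {"parent": None, "unknown_ca": 0, "verify_failed": 0,
              "retry_seconds": None, "ssl_reasons": set()}
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue                                  # wrapped continuation line
        msg = entry.group(2)
        if m := re.search(r"Getting parent router IOR from (\S+)", msg):
            report["parent"] = m.group(1)
        if m := re.search(r"retrying in (\d+) seconds", msg):
            report["retry_seconds"] = int(m.group(1))
        if "unknown CA" in msg:
            report["unknown_ca"] += 1
        if m := SSL_ERR.search(msg):
            code = int(m.group(1))
            if code != int(m.group(2), 16):           # decimal and hex must agree
                raise ValueError("inconsistent error code: " + line)
            lib, _func, reason = unpack_openssl_error(code)
            report["ssl_reasons"].add((lib, reason, m.group(3)))
            if (lib, reason) == (20, 134):            # SSL library, certificate verify failed
                report["verify_failed"] += 1
    # Both signals together: the endpoint does not trust the CA behind the parent's certificate.
    report["trust_failure"] = report["unknown_ca"] > 0 and report["verify_failed"] > 0
    return report

print(triage(ROUTER_LOG))
```

A `trust_failure` of True is the case in which comparing the certificate entries on the server and the endpoint, as suggested above, is the next step.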

  • Hi Christian,

     

    Thanks for all your help on this, looks like we may be forced to go down the Sophos Central route as we are being told our Servers OS is not supported directly by Sophos.

     

    Again thanks for all your invaluable help.

     

    Kind Regards

    Stephen

  • Hello Stephen,

    go down the Sophos Central route
    that likely takes longer than one or two days. And until then ...?

    Christian
    P.S.: our Servers OS is which one?

  • Hi Christian,

     

    Our new servers are running MS Server 2019 Standard

     

    Sophos Support have directly told us to get Sophos Central which they tell me is fully supported on our Server OS.

     

    Kind Regards

    Stephen

  • Hi  

    Would you please PM me the case number you have registered with Sophos Support so that I can take a look? 

    Shweta

    Community Support Engineer | Sophos Technical Support