This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Enterprise Console - Secondary Update Server

Hi All,

 

Currently having an issue where we have the Primary and Secondary Update servers listed on the SEC.

The primary, which is our on-prem server shows up on client machines but the secondary does not (this is linked to the account username and licencing key).

Is there a reason the secondary is not showing up?

 

All help appreciated.

 

Kind Regards

Stephen



This thread was automatically locked due to age.
Parents
  • Hi Stephen,

     

    Is this secondary SUM newly installed?

    Can you confirm that you applied the SUM to the applicable machines AutoUpdate policy?

    Please see the following article on configuring policies to use a secondary update location for failover purposes, the article does specify using Sophos, but you can use which ever update location you choose: https://community.sophos.com/kb/en-us/12354

     Let me know if this helps.

    Thanks,

    ZGV
    Community Support Engineer | Sophos Technical Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link
  • SUM already existed 

     

    Client machines do not see it, but the installed client on the server sees the secondary location???

    All client machines have the message awaiting transfer policy

  • Hi CHristian,

     

    All machines have a cross through them and have the Awaiting policy transfer  apart from the client software installed on the SEC server itself

     

    Kind Regards

    Stephen

  • Hello Stephen,

    you did reprotect them and they did connect after install, i.e. the down-arrow and the hourglass disappeared from the computer icon and there are no error messages?
    You can in addition check from the Computer Details view, column Last message time.

    Christian

  • Hi Christian,

    I reprotected them, got the hourglass, then they went back to a cross next to the machine

     

     

    Above is what I am currently seeing

     

    Kind Regards

    Stephen

  • Hello Stephen,

    guess the error reported are install errors, could you check the Alert and Error Details view, the Update errors column is on the far right. Or double-click a computer to view its details.

    Could it be that a firewall (network or server-local, unlikely on the endpoints) is blocking the connection? Simple test is to try to telnet to port 8192 on the management server from an endpoint.

    Christian

  • Hi Christian,

     

    I get the following on the install error section on most of the endpoints.

     

    Kind Regards

    Stephen

  • There's also nothing blocking ports as far as I can see

  • Hello Stephen,

    the could not be started can have several reasons, but it seems the install has run on those not yet managed. This usually means that the install task has been run the endpoint has not yet "called back".
    Can you confirm that a telnet connection from one of these endpoints to the server's 8192 succeeds?

    Christian

  • Hi CHristian,

     

    I have tested this and it is not getting blocked

     

    Kind Regards

    Stephen

  • Hello Stephen,

    so you do get back a string that starts with IOR: followed by quite a number of hex digits?

    Christian

  • IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a4000000010102000e0000003139322e3136382e312e3134310001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f757465720000000300000000000000080000000100fc00004f415401000000180000000100fc00010001000100000001000105090101000000000014000000080000000100a60086000220

    Connection to host lost.

Reply
  • IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a4000000010102000e0000003139322e3136382e312e3134310001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f757465720000000300000000000000080000000100fc00004f415401000000180000000100fc00010001000100000001000105090101000000000014000000080000000100a60086000220

    Connection to host lost.

Children
  • Hello Stephen,

    guess I don't disclose any secret information here. The IOR advertises 192.168.1.141 as the management server's IP, is this the correct address?
    If so, and if this endpoint does not appear connected please restart the Sophos Message Router service on the endpoint and then check the latest Router-202001....log in %ProgramData%\Sophos\Remote Management System\3\Router\Logs. It should help to determine why the endpoints don't talk to the server.

    Christian

  • 16.01.2020 08:34:53 481C I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20200116-083453.log
    16.01.2020 08:34:54 481C I Sophos Messaging Router 4.1.2.24 starting...
    16.01.2020 08:34:54 481C I Setting ACE_FD_SETSIZE to 138
    16.01.2020 08:34:54 481C I Initializing CORBA...
    16.01.2020 08:34:54 481C I Connection cache limit is 10
    16.01.2020 08:34:54 481C I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
    16.01.2020 08:34:54 481C I Creating ORB runner with 4 threads
    16.01.2020 08:34:54 481C W No public key certificate found in the store. Requesting a new certificate.
    16.01.2020 08:34:54 481C I Getting parent router IOR from 192.168.1.141:8192
    16.01.2020 08:34:54 481C I This computer is part of the domain CASHFACSOLUTION
    16.01.2020 08:34:54 481C I Getting a new router certificate...
    16.01.2020 08:34:54 481C W SSL connection alert, peer address 192.168.1.141
    16.01.2020 08:34:54 481C W Cannot verify peer's SSL certificate, unknown CA
    16.01.2020 08:34:54 481C E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
    16.01.2020 08:34:58 481C I This computer is part of the domain CASHFACSOLUTION
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
    16.01.2020 08:34:58 481C W SSL connection alert, peer address 192.168.1.141
    16.01.2020 08:34:58 481C W Cannot verify peer's SSL certificate, unknown CA
    16.01.2020 08:34:58 481C E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
    16.01.2020 08:34:58 481C E ACE_SSL (24552|18460) error code: 336462231 - error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
    16.01.2020 08:34:58 481C E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
    OMG minor code (2), described as '*unknown description*', completed = NO

    16.01.2020 08:34:58 481C W Failed to get certificate, retrying in 600 seconds

  • Hello Stephen,

    sorry for the delay, just migrating one of my management servers [:)].

    On this endpoint: Has Protect worked? A bunch of Install logs in \Windows\Temp\ would be an indicator.
    It looks like an issue with the certificates. Did you import the certificates from the old server? If you didn't, Protect (i.e. a reinstall on the endpoints) or using the Migration Utility is required. If you did (correctly) endpoints won't see a change. Now apparently the endpoint contacts the correct server (or did you reuse the old's IP for the new one?) - this suggests it is using the current mrinit.conf and in turn the certificates should be correct. Only if the certificates have been imported in the new server after initial install of the management component there could be a mismatch.

    I'd compare the relevant entries on the server and this endpoint, and also the server's registry entries to the values in the CID's mrinit.conf

    Christian 

  • Hi Christian,

     

    Thanks for all your help on this, looks like we may be forced to go down the Sophos Central route as we are being told our Servers OS is not supported directly by Sophos.

     

    Again thanks for all your invaluable help.

     

    Kind Regards

    Stephen

  • Hello Stephen,

    go down the Sophos Central route
    that likely takes longer than one or two days. And until then ...?

    Christian
    P.S.: our Servers OS is which one?

  • Hi Christian,

     

    Our new servers are running MS Server 2019 Standard

     

    Sophos Support have directly told us to get Sophos Central which they tell me is fully supported on our Server OS.

     

    Kind Regards

    Stephen

  • Hi  

    Would you please PM me the case number you have registered with Sophos Support so that I can take a look? 

    Shweta

    Community Support Engineer | Sophos Technical Support
    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.