This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Enterprise Console will not open following 5.5.2 update - "unable to log in as the specified user"

Hello

Following a recent update of our customer's Sophos 5.5.1 to 5.5.2 I am getting the following message when opening up the Enterprise Console:

unable to log in as the specified user
----- [outer exception] -----
-- error: 0x800706BE
-- facility: Win32

and

The RPC server is unavailable.

----- [outer exception] -----
-- error: 0x800706BA
-- facility: Win32

Looking at the services the Sophos Management Service, Sophos Agent and Sophos Certification Manager will not start. When starting the Sophos Management Service the following error message occurs:

---------------------------
Services
---------------------------
Windows could not start the Sophos Management Service service on Local Computer.

Error 0x80004005: Unspecified error

---------------------------
OK
---------------------------

In the event viewer 2 events get logged:

Initialization failed.

Step: Creating the messaging connection
Error: std::runtime_error
Data: Failed to connect to router. Error code: -2.

and

Faulting application name: MgntSvc.exe, version: 5.5.2.710, time stamp: 0x5e430038
Faulting module name: ucrtbase.dll, version: 10.0.14393.3659, time stamp: 0x5e914092
Exception code: 0xc0000409
Fault offset: 0x00088b2b
Faulting process id: 0x1454
Faulting application start time: 0x01d67a2c2e4d5605
Faulting application path: C:\Program Files (x86)\Sophos\Enterprise Console\MgntSvc.exe
Faulting module path: C:\Windows\System32\ucrtbase.dll
Report Id: c8659bac-7b77-4bde-b2fe-0ccb491f46b8
Faulting package full name:
Faulting package-relative application ID:

The service account been used is a member of the Sophos DB admins group and has full access to the Database, its also been given access to the local Sophos groups on the SEC server. The database connection string is fine in AD and to ensure there was no issue with the credentials of the account the installer was ran again inputting the credentials with no issues logged except for the same issue above when attempting to open the console.

Has anyone had this issue or able to offer any advise?



This thread was automatically locked due to age.
Parents
  • Hello Stephen Onyons,

    the Sophos Message Router is running but the Sophos Agent isn't? I'd check the logs for Router and Agent. What's the process that reports the first event?

    Christian

  • Checking the logs Im not seeing anything of note:

     

    20.08.2020 16:27:42 0A0C I Successfully validated this router's IOR gets logged and then a few resolved entries followed by the below and previous logs appear to be the same

    24.08.2020 09:27:10 0490 I Waiting for messages...
    24.08.2020 09:27:10 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 9, max number of user ports 15360
    24.08.2020 10:27:10 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    24.08.2020 11:27:10 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    24.08.2020 12:27:10 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    24.08.2020 13:27:10 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    24.08.2020 14:27:10 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    24.08.2020 15:27:11 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    24.08.2020 16:27:11 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    24.08.2020 17:27:11 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    24.08.2020 18:27:11 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    24.08.2020 19:27:11 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    24.08.2020 20:27:11 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    24.08.2020 21:27:11 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    24.08.2020 22:27:11 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    24.08.2020 23:27:12 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    25.08.2020 00:27:12 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    25.08.2020 01:27:12 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    25.08.2020 02:27:12 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    25.08.2020 03:27:12 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    25.08.2020 04:27:12 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    25.08.2020 05:27:13 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    25.08.2020 06:27:13 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360
    25.08.2020 07:27:13 0490 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 10, max number of user ports 15360

     

    Looking in the agent log I see the following:

    25.08.2020 08:28:51 1C20 E MSClient::InitialiseClientLibraryLocal: failed to get the port number for the local message router.
    25.08.2020 08:28:51 1C20 E Agent::Start: Caught MSClient::InitialiseClientLibraryLocal: failed to get the port number for the local message router.
     
    25.08.2020 08:28:51 1C20 I Shutting down...
    25.08.2020 08:28:51 1C20 I Stopping AdapterManager ...
    25.08.2020 08:28:55 0348 I Terminating the AdapterMonitor thread ...
    25.08.2020 08:28:55 1C20 I Unloading  adapter SDDM ...
    25.08.2020 08:28:55 1C20 I SDDMA: The socket 820 was shut down.
    25.08.2020 08:28:55 1C20 I SDDMA: The socket 820 was closed.
    25.08.2020 08:28:55 1228 I SDDMA: Socket 4294967295: receive failed with error code 10004.
    25.08.2020 08:28:55 1C20 I Restarting...

  • Hello SimpleTechie,

    I can provoke the same error messages from the Agent when I remove the value IORSenderPort from the HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\ registry key. Can't say though why it should disappear or the Agent fail to retrieve it.

    Christian

Reply
  • Hello SimpleTechie,

    I can provoke the same error messages from the Agent when I remove the value IORSenderPort from the HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\ registry key. Can't say though why it should disappear or the Agent fail to retrieve it.

    Christian

Children
  • Amazing create the IORSenderPort DWord and the services have started along with the Enterprise console now been accessible. Though comparing the  HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\ to the same location on the customer's 5.5.1 installation there is a big difference in the number of keys present.

    This does seem very odd and something I really need to get to support then I guess as I certainly cannot explain such a weird behaviour.

  • Hello SimpleTechie,

    the RMS version hasn't changed so there shouldn't be major differences. Guess ClientMRInit.exe is responsible for setting these values based on MRInit.conf. As far as I can see it hasn't been run when I upgraded 5.5.1 to 5.5.2. 

    Christian

  • Thank you again

     

    Seems like my troubles have not ended, it took a long time to get the SUM to work on the SEC Server and the secondary SUM is not working aswell. However after successfully updating the SUM with the latest av definitions and attempting to run an update on an online device I get the following. After this the console crashes:

     

    Failed to open audit event
    ----- [outer exception] -----
    -- error: 0x829E0033
    -- facility: Sophos Management Service Exception
    -- source: struct ISMT_ComputerActions

    at void __thiscall bl::UpdateAction::ApplyToComputerList(const class bl::ComputerList &)
    at void __thiscall CCompListCtrl::ApplyToSelectedItems(class bl::ActionBase &)
    at long __thiscall CCompListCtrl::OnActionForceUpdate(unsigned short,unsigned short,struct HWND__ *,int &)
    at int __cdecl Run(int,class bl::CommandLine,enum bl::ConsoleType::Type)
    at int __stdcall wWinMain(struct HINSTANCE__ *,struct HINSTANCE__ *,wchar_t *,int)

    In the event Log:

    Audit event was not created:
    Sophos.Management.Auditing.Interfaces.AuditException: Failed to open audit event ---> Sophos.Management.Dali.SPException: Stored procedure call returned error: 2
    at Sophos.Management.Data.SPErrorHandler.CheckReturnCode(SqlCommand cmd)
    at Sophos.Management.Data.GeneralCommand.ExecuteImpl()
    at Sophos.Management.Data.Utils.ExecuteAndHandleTransientErrors(ISqlConnectionContext scc, MethodThatMayThrowTransientError methodToCall)
    at Sophos.Management.Data.GeneralCommand.Execute()
    at Sophos.Management.Auditing.EventRepository.AddBeginEvent(BeginEvent beginEvent)
    at Sophos.Management.Auditing.AuditLog.BeginEvent(String sessionId, AuditAction action, AuditTargetType targetType, String targetName, AuditParameterType parameterType, String parameterValue, Int32 targetSubType, String configData)
    --- End of inner exception stack trace ---

  • Hello SimpleTechie,

    SUM shouldn't cause troubles.
    There's something not working as it should. Never seen this type of error and my interpretation is perhaps wrong. It looks like Auditing is enabled (Console ToolsManage Auditing ...) but fails. If the console also crashes (provided it can still be started) on other actions (like moving a computer to another group) with a similar error I'd try to re-run the Installer (SEC's setup.exe) though I'm not sure that it'd help.

    Was this a 5.5.1 to 5.5.2 upgrade with a local database?

    Christian

  • Yes this was an update from 5.5.1 to 5.5.2 but the database is on a remote server.

    Looking at the HKEYLM>SOFTWARE>WOW6432Node>Sophos>Messaging System>Router keys there seems to be only a few:

    Compared to the production 5.5.1 install:

     

     

    Its seeing more and more like something has not ran during the installation of settings have been removed during the update to 5.5.2

  • Hello SimpleTechie,

    I'm not aware that the upgrade removes these settings. Is there a ClientMRInit log from around the time of the upgrade somewhere (indeed I mean searching the whole C: drive)? Or is there a hint that ClientMRInit has been run in the server64 msi log? As said, as far as I can tell it hasn't been run on the two servers I've upgraded.

    Christian