Parent SUM not updating child SUMs

Hello - 

We have four Sophos servers on prem.  One parent SEC and three child SUMs.  The parent SEC gets updates from Sophos and the child SUMs update from the parent.  The SEC and SUMs are configured to use WebCIDs for updating.  This has been the configuration for our Sophos environment for the last 10 years.  All of the necessary ports on the SEC's firewall have been configured correctly.  On August 24, 2021, the child SUMs stopped getting updates from the parent SEC.

If I turn off the host firewall on our SEC, the child SUMs update successfully.  When the host firewall on SEC is on, the child SUMs can no longer receive updates from the SEC.  AFAIK, no changes have been made on the SEC or SUMs.  Most of the firewall exceptions have been pushed to the SEC and SUMs via group policy. 

I have an open support request with Sophos and we are unable to solve the issue after a couple of Zoom sessions.

I guess the workaround will have to do for now, which is turning off the firewall on the SEC.

  • What are the inbound ports allowed in the firewall config?

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support

  • Hello dluneau,

    there has been a change, I'm pretty sure that SUM has updated to 1.7.2 that day. The article makes no mention of significant changes in the updating mechanism.
    You publish the WebCID over HTTPS using IIS? Firewall logs would be the first place to look but with the on-board firewall it's not a, hm, gratifying exercise. Perhaps the SUMTrace log (on the children) has some useful information.

    Christian

  • Sophos RMS: 8192-8194

    HTTP: 80

    HTTPS: 443

    File and Print Sharing: 137, 138, 139, 445

  • Hi QC,

    Yes.  SUM 1.7.2 is the current version installed.  I publish the WebCID over HTTP using IIS.  I will grab the SUMTrace log from one of the child SUMs.  Perhaps there would be a particular section of the log that would be helpful?

    Thank you

  • Is the HTTPS certificate self-signed? Signed by your internal CA? What happens if you nav to the WebCID from one of the child SUMs? Do you see a cert warning pop-up in the browser?

    RichardP


  • Not using HTTPS.  Only HTTP

  • Hello dluneau,

    similar setup here, using HTTP only. Didn't encounter any problem after the upgrade. And anyway I can't see how or why the firewall (on the SEC server) should come into play. Nevertheless you should check whether you can browse to /warehouse/catalogue/sumcf.dat on the share when the firewall is on.

    I assume that the download fails early so search for the string "Started dispatcher with ID" and scroll down. If you don't see "Successfully downloaded remote customer file content from http://...." after 20 lines or so there's likely a message indicating the error.

    Christian

  • Hey QC,

    Here are some lines from the SUMTrace log from one of the child SUMs

    2021-09-23 05:57:58 : Cmd-ALL << [I1018][DispatcherPrograms-2021-09-23T10-57-58-56][2] Started dispatcher with ID 'DispatcherPrograms-2021-09-23T10-57-58-56'. It will run 2 events.
    2021-09-23 05:57:58 : Cmd-ALL << [I1025][0] Performing action with ConnectionMode '0'.
    2021-09-23 05:57:58 : Cmd-ALL << [I1021][ActionUpdateMetadata][DispatcherPrograms-2021-09-23T10-57-58-56] Action 'ActionUpdateMetadata' with caller 'DispatcherPrograms-2021-09-23T10-57-58-56' started...
    2021-09-23 05:57:59 : Thu Sep 23 05:57:59 2021 - __MAINTENANCE_DISPATCHER__ No action
    2021-09-23 05:57:59 : Thu Sep 23 05:57:59 2021 - DispatcherSupplements No action
    2021-09-23 05:58:00 : <ERROR> WarehouseListData: Failed to load valid customer file content. Error: Cannot locate server for sophosparent/.../sumcf.dat
    2021-09-23 05:58:00 : <Info> WarehouseListData: Failure loading customer file content. Attempting to read backed up customer file...
    2021-09-23 05:58:02 : <ERROR> WarehouseListData: Failed to load valid backup customer file content. Error: Cannot locate server for sophosparent/.../sumcf.bk
    2021-09-23 05:58:02 : <ERROR> Warehouse status operation failed: WarehouseListData: Failed to read customer file content.
    2021-09-23 05:58:02 : Cmd-ALL << [E400D][ActionUpdateMetadata][DispatcherPrograms-2021-09-23T10-57-58-56] Action 'ActionUpdateMetadata' with caller 'DispatcherPrograms-2021-09-23T10-57-58-56' failed!
    2021-09-23 05:58:02 : Cmd-ALL << [W4045] There was an error during HTTPS (secure) synchronization. The problem was related to the usage of HTTPS.
    2021-09-23 05:58:03 : Cmd-ALL << [W4042] The connection is falling back to HTTP.
    2021-09-23 05:58:03 : Cmd-ALL << [I1021][ActionUpdateMetadata][DispatcherPrograms-2021-09-23T10-57-58-56] Action 'ActionUpdateMetadata' with caller 'DispatcherPrograms-2021-09-23T10-57-58-56' started...
    2021-09-23 05:58:03 : <Info> WarehouseStatusOperation was successful.
    2021-09-23 05:58:03 : Cmd-ALL << [I000F][0][<signatures><contents>4a61809836b6c1d4ae643d7735174a32:9c13615b7a93cb062c42c2d79c002842</contents><dictionary>81d1e064aedadedff14631a4c56b283f</dictionary><published_time>2021-08-12T07:41:46</published_time></signatures>][Endpoint Protection Advanced and Server Protection][] Successfully checked warehouse status.
    2021-09-23 05:58:03 : Cmd-ALL << [I0009][ActionUpdateMetadata][DispatcherPrograms-2021-09-23T10-57-58-56] Action 'ActionUpdateMetadata' with caller 'DispatcherPrograms-2021-09-23T10-57-58-56' succeeded!
    2021-09-23 05:58:03 : Cmd-ALL << [S0012][DispatcherPrograms-2021-09-23T10-57-58-56] Event with dispatcher ID 'DispatcherPrograms-2021-09-23T10-57-58-56' completed successfully.
    2021-09-23 05:58:03 : Cmd-ALL << [I1025][0] Performing action with ConnectionMode '0'.
    2021-09-23 05:58:03 : Cmd-ALL << [I1021][ActionUpdateLogViewerDictionaries][DispatcherPrograms-2021-09-23T10-57-58-56] Action 'ActionUpdateLogViewerDictionaries' with caller 'DispatcherPrograms-2021-09-23T10-57-58-56' started...
    2021-09-23 05:58:03 : Cmd-Sock-952 >> DeleteObject WHStatusAction-0
    2021-09-23 05:58:03 : Cmd-Sock-952 << [R4000] Could not find object named WHStatusAction-0

    Let me know your thoughts when you have time.  Thanks

  • I received an update from Sophos Support.  Changing the registry values below on the child SUMs solved the problem.  I did come across the article talking about this but I didn't think it applied to us because we were using HTTP and not HTTPS.

    "HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\UpdateManager\Security"

    <Value Name="ConnectionMode" Data="0" Type="REG_DWORD"/> This value should be "0" as default, but please change it to "1".
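
Added example, not part of the thread and not Sophos tooling: a Python sketch of the SUMTrace triage Christian describes (find each "Started dispatcher with ID" line, then inspect the next 20 lines). It also reports the ConnectionMode value the log records and the W4045/W4042 HTTPS-fallback pair visible in the posted excerpt. The function name `triage`, the result keys and the sample are assumptions for illustration; the sample lines are copied or shortened from the log posted above.

```python
import re

# Constructed sample: lines copied or shortened from the SUMTrace excerpt posted in the thread.
SAMPLE = """\
2021-09-23 05:57:58 : Cmd-ALL << [I1018][DispatcherPrograms-2021-09-23T10-57-58-56][2] Started dispatcher with ID 'DispatcherPrograms-2021-09-23T10-57-58-56'. It will run 2 events.
2021-09-23 05:57:58 : Cmd-ALL << [I1025][0] Performing action with ConnectionMode '0'.
2021-09-23 05:58:00 : <ERROR> WarehouseListData: Failed to load valid customer file content. Error: Cannot locate server for sophosparent/.../sumcf.dat
2021-09-23 05:58:02 : Cmd-ALL << [E400D][ActionUpdateMetadata][DispatcherPrograms-2021-09-23T10-57-58-56] Action 'ActionUpdateMetadata' failed!
2021-09-23 05:58:02 : Cmd-ALL << [W4045] There was an error during HTTPS (secure) synchronization. The problem was related to the usage of HTTPS.
2021-09-23 05:58:03 : Cmd-ALL << [W4042] The connection is falling back to HTTP.
"""

START = re.compile(r"Started dispatcher with ID '([^']+)'")
MODE = re.compile(r"ConnectionMode '(\d+)'")
CODE = re.compile(r"<< \[([EW][0-9A-F]{4})\]")  # warning/error codes only
DOWNLOADED = "Successfully downloaded remote customer file content from"


def triage(text, window=20):
    """Summarise each dispatcher run from the first `window` lines after its start line."""
    runs, cur, seen = [], None, 0
    for line in text.splitlines():
        started = START.search(line)
        if started:
            cur = {"id": started.group(1), "modes": set(), "downloaded": False, "errors": [], "codes": []}
            runs.append(cur)
            seen = 0
            continue
        if cur is None or seen >= window:
            continue
        seen += 1
        mode = MODE.search(line)
        if mode:
            cur["modes"].add(mode.group(1))
        if DOWNLOADED in line:
            cur["downloaded"] = True
        if "<ERROR>" in line:
            cur["errors"].append(line.split("<ERROR>", 1)[1].strip())
        code = CODE.search(line)
        if code:
            cur["codes"].append(code.group(1))
    for run in runs:
        # W4045 plus W4042 is the pair the posted log shows when HTTPS fails and HTTP takes over.
        run["https_fallback"] = {"W4045", "W4042"} <= set(run["codes"])
    return runs


if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Run it against a child SUM's trace by passing the file's text to `triage`; a run with `downloaded` false, a "Cannot locate server" error and `https_fallback` true matches the pattern in this thread.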