
Enterprise Console reporting online machines offline and not up to date

Hi,

Apologies if I post in the wrong place, first time on the forum!

I have a strange issue occurring on my network where 4 computers have suddenly started reporting that they are not up to date.  I've been to each machine and they are definitely up to date so it must just be the communication between server + pc... However, looking at them again this afternoon, they are now reporting as completely offline - rather than just not up to date.

Has anyone seen this before or have any ideas as to what/where I should start investigating?

Thanks in advance!

David

:51028


This thread was automatically locked due to age.
  • Hello David,

    RMS communicates on ports 8192 and 8194 from endpoint to server (and ideally 8194 server to endpoint - but it wouldn't be considered offline if not available).

    Check if the Sophos Message Router service is running on the endpoint. If it is, view the Network Communications report (%ProgramData%\Sophos\Remote Management System\3\Router\NetworkReport\ReportData.xml) on the endpoint and also check the router logs in %ProgramData%\Sophos\Remote Management System\3\Router\Logs.

    Christian

    :51042
  • Hi Christian,

    Thanks for the reply and information.  I've checked the logs but nothing sticks out to say what is wrong.  Do you have any clues as to what I'm looking for?

    Cheers,

    David

    :51052
  • Hello David,

    so the Network Report doesn't indicate an error? If there are recent (not older than a few hours) Sent message (id=xxxxxxxx) to Router$yourserver lines in the Router log the problem is likely somewhere else. Please also check the \Envelopes folder - it should be empty. To force a message to be sent trigger a detection with eicar or make some change to the AV policy and check the current Router log. 

    Christian

    :51060
  • Hi Christian,

    I have checked both and it seems the cause is elsewhere.  I'm looking in the Envelopes folder but I see a few things queued up going back to the 11th of June - I guess suggesting that's when this issue started?

    I have updated the policy and some of the computers in question aren't receiving the update.  I'm going to start monitoring the network traffic in case that's where it is being blocked.

    Thanks for your advice on this so far, do you have any other pointers/KB's that I can read through to diagnose further?

    Cheers,

    David

    :51070
  • Hello David,

    from the endpoint you can use telnet to test the connection to the server. telnet SECserver 8192 should give you an IOR as response and disconnect, telnet SECserver 8194  should open the connection and close if you then enter something.

    The messages which can't be sent to the endpoint will get queued in the server's Envelopes folder. Messages eventually time out after four days or so (at least on the server) and will be removed, thus the issue might have started earlier.   

    Christian

    :51076
  • Hi Christian,

    I have followed that and I noticed an error in the logs -

    13.06.2014 14:16:34 0D6C E ACE_DLL::open failed for TAO_ImR_Client: Error: check log for details.
    13.06.2014 14:16:34 0D6C E Unable to find service: ImR_Client_Adapter

    I had a quick look on the forums and found this - /search?q= 8939 - not sure how relevant it is to my problem and it dates back to 2011...

    The telnet succeeds to 8192 & 8194 as they are printed in the logs.

    Depending on the article above, I think at this point it might be worth me trying to un-install and re-install the client - everything reports that it's up to date so I feel comfortable there isn't an infection to worry about.

    Cheers,

    David

    :51078
  • Hello David,

    no need to reinstall (yet), the error is "normal" (dunno what exactly it signifies but it's in all logs). The following lines are about the actual connection (attempt). Eventually you should see: Logged on to parent router as Router$computername:nnnn.  After that Routing, Received and Sent messages should commence.

    Christian

    :51080
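
The Router log checks discussed up to this point (parent logon, a recent Sent message, and the two errors described as present in all logs) can be scripted; the following is an added example, not part of the original thread and not Sophos code. The line layout is taken from the two log lines quoted above; the `I` level, thread ids, message id, host names and the 4-hour window for "recent" are assumptions made for the constructed sample.

```python
import re
from datetime import datetime, timedelta

# Layout from the lines quoted in the thread:
# "DD.MM.YYYY HH:MM:SS <thread> <level> <message>"
LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) (\w+) (\w) (.*)$")
# Errors the thread describes as appearing in all logs; not reported as findings.
KNOWN_BENIGN = ("ACE_DLL::open failed for TAO_ImR_Client",
                "Unable to find service: ImR_Client_Adapter")

# Constructed sample: the two E lines are quoted from the thread, the I lines
# are made up to match the message texts mentioned in the replies.
SAMPLE = """\
13.06.2014 14:16:34 0D6C E ACE_DLL::open failed for TAO_ImR_Client: Error: check log for details.
13.06.2014 14:16:34 0D6C E Unable to find service: ImR_Client_Adapter
13.06.2014 14:16:40 0D6C I Logged on to parent router as Router$PC01:1234
13.06.2014 14:17:02 0E10 I Sent message (id=0A1B2C3D) to Router$SECSERVER
""".splitlines()

def triage(lines, now, max_age=timedelta(hours=4)):
    """Summarise a Router log: parent logon, last Sent message, other errors."""
    logon = last_sent = None
    errors = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation line or unknown layout
        ts = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
        level, msg = m.group(3), m.group(4)
        if msg.startswith("Logged on to parent router as "):
            logon = ts
        elif msg.startswith("Sent message (id="):
            last_sent = ts
        elif level == "E" and not msg.startswith(KNOWN_BENIGN):
            errors.append(msg)
    fresh = last_sent is not None and now - last_sent <= max_age
    if logon is None:
        verdict = "never logged on to parent router"
    elif not fresh:
        verdict = "logged on, but no recent Sent message"
    else:
        verdict = "router is sending; look elsewhere"
    return {"logon": logon, "last_sent": last_sent,
            "errors": errors, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE, now=datetime(2014, 6, 13, 15, 0, 0)))
```
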
  • Hey,

    From what you've said, the logs show that the client and server are talking to each other correctly, however the SEC dashboard still suggests otherwise and the Envelopes folder is still building up.  Hmmm, any thoughts on where I should investigate now?

    Thanks very much,

    David

    :51082
  • Hey,

    Following on from this, the machine in question is still switched on, however SEC is now reporting the machine as offline.

    Do you have any more suggestions or should I try removing and installing again?

    Cheers,

    David

    :51084
  • Hello David,

    messages are queued on the endpoint? Logs don't lie :), if communication flows the messages shouldn't accumulate.
    On rare occasions some thread might get stuck on the management server though. Restarting the Sophos Message Router and the Management Service (on the server) usually does no harm.

    Christian
    :51086