
RMS issue - clients update just fine but do not report to SEC

All,

It appears that after a recent update on 4/21/15 for the Sophos Update Manager on our message relay server, external clients are no longer reporting in SEC.  They are able to update as usual, but nothing reports to SEC.

After doing some digging, looking at the MRInit.conf files, policies, tearing my hair out, etc.....I think I see the issue - just not sure how to resolve it.

In the SEC application, I can see the primary server and the message relay both have the latest Update Manager version > 1.5.6.13.

However, looking at the Programs installed on the message relay server through control panel, it is not showing the proper version installed.  It shows 1.5.2.1060, whereas the primary server shows the proper 1.5.6.13 version.

I tried to run a repair on the Sophos Update Manager application on the message relay server via control panel, but that didn't change the version.  When I force an update through SEC, it downloads the binaries and appears like it's still at the latest version...

Also, using 5.2.2 on server 2008 R2.

Any help is appreciated.

:57312


  • Hello asester,

    [version of SUM in] Programs installed on the message relay server

    this could be a glitch and it might or might not bite you in the future (I assume the latter) but I think it's not the cause of the communication issue.

    Please see Additional SUM as message relay and 10.3.13 first. To add some detail: Check if your SUM server considers itself a relay or not. Go to %ProgramData%\Sophos\Remote Management System\3\Router\NetworkReport and open ReportData.xml. If the RMS router type says endpoint the server has un-relayed itself, this would explain that no messages are received from the downstream endpoints. If so see my second post in that thread for the next steps.

    Christian

    :57321
  • Thanks for the reply Christian. 

    You were correct that the SUM server considered itself as an endpoint.  I looked at the link you provided....I didn't see a note on which registry keys you changed to resolve your issue.  I did, however, re-install the SUM following these instructions: https://www.sophos.com/en-us/support/knowledgebase/111484.aspx, and after doing that the versions are at least matching.  I'm still not seeing my remote clients relay yet though....any other suggestions?

    Adam

    :57325
  • Hello Adam,

    please look here: https://www.sophos.com/en-us/support/knowledgebase/14635.aspx ... near the end, guess you can figure out what to do.

    Christian
    :57327
  • Thanks for the article link Christian.  I compared the registry entries and they match.  I went ahead and ran configcid.exe again, and it ran successfully, but still not relaying messages.

    I should state this caveat - if the remote client hits our VPN, it appears it is then able to relay and shows up in SEC.

    More background on my setup:

    Primary SEC (internal DMZ 10.x.x.x)

    Message Relay Server (internal DMZ 192.x.x.x, NAT'd out for remote updating)

    It has been working fine for about 2 years.  I manage the firewall as well, so I can tell you the proper ports are for sure open.

    So, after seeing that the external clients that come in through our VPN end up communicating with the Message Relay Server, that led me to look at the netstat and local firewall logs.  In the local machine's firewall logs, I can see the communication happening to the proper NAT'd IP address, but what's interesting is when I run a netstat, it shows the 8194 port connection attempt to the internal 192.x.x.x IP, not the NAT'd IP.  Obviously it cannot hit that IP from where it's at, so why is it displaying that?  Is there some sort of NAT translation happening and that's a normal occurrence?  I would think it would be trying to establish the 8194 communication through the external NAT...

    I confirmed the MRINIT.conf file is set to the proper parent and MRparent addresses.

    Looking at the message router log on the client, I noticed this:

    While not on the VPN:

    -RMS router name:  Router$(PC name):279132

    -IOR port number: 8192

    -SSLIOP port number: 8194

    -Parent addresses: x.x.x.x (NAT'd IP), FQDN, Server name (this is all correct)

    -Current parent address:  Not available

    -RMS router type:  endpoint

    While on the VPN:

    -RMS router name:  Router$(PC name):279132

    -IOR port number: 8192

    -SSLIOP port number: 8194

    -Parent addresses: x.x.x.x (NAT'd IP), FQDN, Server name (this is all correct)

    -Current parent address:  x.x.x.x (NAT'd IP)

    -RMS router type:  endpoint

    While on the VPN it fills out the current parent address field in the report, but while off the VPN it is unknown.  Not sure if this is relevant, but I figured I'd throw it out there.

    Thanks again for the assistance.

    Adam

    :57330
  • Hello Adam,

    strange that the endpoint doesn't connect to the NAT'd address when not on the VPN. Wait - before connecting to 8194 the endpoints try to obtain the IOR on port 8192 ... what do the Router logs on the endpoint say, what's different on and off VPN?

    Christian
    :57331
  • Here are the logs (minus the real IPs and domains/names):

    Not connected to VPN:

    20.05.2015 13:53:25 1528 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20150520-185325.log
    20.05.2015 13:53:25 1528 I Sophos Messaging Router 4.0.2.21 starting...
    20.05.2015 13:53:25 1528 I Setting ACE_FD_SETSIZE to 138
    20.05.2015 13:53:25 1528 I Initializing CORBA...
    20.05.2015 13:53:25 1528 I Connection cache limit is 10
    20.05.2015 13:53:26 1528 I Creating ORB runner with 4 threads
    20.05.2015 13:53:26 1528 I Compliant certificate hashing algorithm.
    20.05.2015 13:53:26 1528 I This computer is part of the domain acme
    20.05.2015 13:53:26 1528 I This router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a4000000010102000c0000003139322e3136382e312e3400012000004100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001003d00004f4154010000001800000001003d00010001000100000001000105090101000000000014000000080000000100a60086000220
    20.05.2015 13:53:26 1528 I Successfully validated this router's IOR
    20.05.2015 13:53:26 1528 I Reading router table file
    20.05.2015 13:53:26 1528 I Host name: clientname
    20.05.2015 13:53:26 1528 I Local IP addresses: 192.168.1.4
    20.05.2015 13:53:26 1528 I Resolved name: clientname.acme
    20.05.2015 13:53:26 1528 I Resolved alias/es:
    20.05.2015 13:53:26 1528 I Resolved IP addresses: 192.168.1.4
    20.05.2015 13:53:26 1528 I Resolved reverse names/aliases: clientname.acme
    20.05.2015 13:53:26 0CCC I Routing to parent: id=015CA782, origin=Router$clientname:279132.Agent, dest=EM, type=EM-GetStatus-Reply
    20.05.2015 13:53:26 0CCC I Routing to parent: id=015CA8B5, origin=Router$clientname:279132.Agent, dest=EM, type=EM-GetStatus-Reply
    20.05.2015 13:53:26 0CCC I Routing to parent: id=015CA9CE, origin=Router$clientname:279132.Agent, dest=EM, type=EM-EntityEvent
    20.05.2015 13:53:26 0CCC I Routing to parent: id=035CB780, origin=Router$clientname:279132.Agent, dest=EM, type=EM-EntityEvent
    20.05.2015 13:53:26 1528 I Waiting for messages...
    20.05.2015 13:53:26 0CCC I Routing to parent: id=015CB793, origin=Router$clientname:279132.Agent, dest=EM, type=EM-GetStatus-Reply
    20.05.2015 13:53:26 0CCC I Routing to parent: id=015CB81A, origin=Router$clientname:279132.Agent, dest=EM, type=EM-GetStatus-Reply
    20.05.2015 13:53:26 0CCC I Routing to parent: id=015CB932, origin=Router$clientname:279132.Agent, dest=EM, type=EM-EntityEvent
    20.05.2015 13:53:26 0CCC I Routing to parent: id=015CCD32, origin=Router$clientname:279132.Agent, dest=EM, type=EM-GetStatus-Reply
    20.05.2015 13:53:26 1528 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 5, max number of user ports 15360
    20.05.2015 13:53:26 1690 I Getting parent router IOR from x.x.x.x (correct NAT'd IP):8192
    20.05.2015 13:53:26 1690 I Received parent router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a4000000010102000e0000003139322e3136382e362e3135300001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001002c00004f4154010000001800000001002c00010001000100000001000105090101000000000014000000080000000100a60086000220
    20.05.2015 13:53:26 1690 I Successfully validated parent router's IOR
    20.05.2015 13:53:26 1690 I Accessing parent
    20.05.2015 13:56:22 15EC I Client::LogonPushPush() successfully called back to client
    20.05.2015 13:56:22 15EC I Writing router table file
    20.05.2015 13:56:22 15EC I Logged on Agent as a client
    20.05.2015 13:56:22 0CCC I Routing to Agent: id=035CD8D6, origin=Router$clientname:279132, dest=Router$clientname:279132.Agent, type=EM-ClientLogon
    20.05.2015 13:56:22 172C I Sent message (id=035CD8D6) to Agent
    20.05.2015 13:56:43 0CCC I Routing to parent: id=015CD8EB, origin=Router$clientname:279132.Agent, dest=EM, type=EM-GetStatus-Reply
    20.05.2015 14:04:07 1690 E ParentLogon::RegisterParent: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
    OMG minor code (2), described as '*unknown description*', completed = NO
     
    20.05.2015 14:04:37 1690 I Getting parent router IOR from x.x.x.x (correct NAT'd IP):8192
    20.05.2015 14:04:37 1690 I Received parent router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a4000000010102000e0000003139322e3136382e362e3135300001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001002c00004f4154010000001800000001002c00010001000100000001000105090101000000000014000000080000000100a60086000220
    20.05.2015 14:04:37 1690 I Successfully validated parent router's IOR
    20.05.2015 14:04:37 1690 I Accessing parent
    20.05.2015 14:15:18 1690 E ParentLogon::RegisterParent: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
    OMG minor code (2), described as '*unknown description*', completed = NO

    end of log

    While connected to the VPN:

    20.05.2015 14:16:34 0AC4 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20150520-191634.log
    20.05.2015 14:16:34 0AC4 I Sophos Messaging Router 4.0.2.21 starting...
    20.05.2015 14:16:34 0AC4 I Setting ACE_FD_SETSIZE to 138
    20.05.2015 14:16:34 0AC4 I Initializing CORBA...
    20.05.2015 14:16:34 0AC4 I Connection cache limit is 10
    20.05.2015 14:16:34 0AC4 I Creating ORB runner with 4 threads
    20.05.2015 14:16:34 0AC4 I Compliant certificate hashing algorithm.
    20.05.2015 14:16:34 0AC4 I This computer is part of the domain  acme
    20.05.2015 14:16:34 0AC4 I This router's IOR:
    IOR: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
    20.05.2015 14:16:34 0AC4 I Successfully validated this router's IOR
    20.05.2015 14:16:34 0AC4 I Reading router table file
    20.05.2015 14:16:34 0AC4 I Host name: clientname.acme
    20.05.2015 14:16:34 0AC4 I Local IP addresses: 10.x.x.x 192.168.1.4
    20.05.2015 14:16:34 0AC4 I Resolved name: clientname.acme
    20.05.2015 14:16:34 0AC4 I Resolved alias/es:
    20.05.2015 14:16:34 0AC4 I Resolved IP addresses: 10.x.x.x 192.168.1.4
    20.05.2015 14:16:34 0AC4 I Resolved reverse names/aliases: clientname.acme
    20.05.2015 14:16:34 0E90 I Routing to parent: id=015CA782, origin=Router$clientname:279132.Agent, dest=EM, type=EM-GetStatus-Reply
    20.05.2015 14:16:34 0E90 I Routing to parent: id=015CA8B5, origin=Router$clientname:279132.Agent, dest=EM, type=EM-GetStatus-Reply
    20.05.2015 14:16:34 0E90 I Routing to parent: id=015CA9CE, origin=Router$clientname:279132.Agent, dest=EM, type=EM-EntityEvent
    20.05.2015 14:16:34 0E90 I Routing to parent: id=035CB780, origin=Router$clientname:279132.Agent, dest=EM, type=EM-EntityEvent
    20.05.2015 14:16:34 0AC4 I Waiting for messages...
    20.05.2015 14:16:34 0E90 I Routing to parent: id=015CB793, origin=Router$clientname:279132.Agent, dest=EM, type=EM-GetStatus-Reply
    20.05.2015 14:16:34 0E90 I Routing to parent: id=015CB81A, origin=Router$clientname:279132.Agent, dest=EM, type=EM-GetStatus-Reply
    20.05.2015 14:16:34 147C I Getting parent router IOR from x.x.x.x (correct NAT'd IP):8192
    20.05.2015 14:16:34 0AC4 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 5, max number of user ports 15360
    20.05.2015 14:16:34 0E90 I Routing to parent: id=015CB932, origin=Router$clientname:279132.Agent, dest=EM, type=EM-EntityEvent
    20.05.2015 14:16:34 0E90 I Routing to parent: id=015CCD32, origin=Router$clientname:279132.Agent, dest=EM, type=EM-GetStatus-Reply
    20.05.2015 14:16:34 0E90 I Routing to parent: id=015CD8EB, origin=Router$clientname:279132.Agent, dest=EM, type=EM-GetStatus-Reply
    20.05.2015 14:16:35 147C I Received parent router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a4000000010102000e0000003139322e3136382e362e3135300001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001002c00004f4154010000001800000001002c00010001000100000001000105090101000000000014000000080000000100a60086000220
    20.05.2015 14:16:35 147C I Successfully validated parent router's IOR
    20.05.2015 14:16:35 147C I Accessing parent
    20.05.2015 14:16:35 147C I Parent is Router$messagerelay servername:279129
    20.05.2015 14:16:35 147C I RouterTableEntry::LogonToParentRouter() - logging on as active consumer
    20.05.2015 14:16:35 147C I RouterTableEntry state (router, logging on): Router$messagerelay servername:279129 is passive consumer, passive supplier
    20.05.2015 14:16:35 147C I Logged on to parent router as Router$clientname:279132
    20.05.2015 14:16:35 147C I This computer is part of the domain acme
    20.05.2015 14:16:35 0E90 I Routing to Agent: id=055CB40D, origin=Router$messagerelay servername:279129.Router$primary servername.EM, dest=Router$messagerelay servername:279129.Router$clientname:279132.Agent, type=EM-SetConfiguration
    20.05.2015 14:16:35 142C I Sent message (id=015CA782) to Router$messagerelay servername:279129
    20.05.2015 14:16:36 142C I Sent message (id=015CA8B5) to Router$messagerelay servername:279129
    20.05.2015 14:16:36 142C I Sent message (id=015CA9CE) to Router$messagerelay servername:279129
    20.05.2015 14:16:36 142C I Sent message (id=035CB780) to Router$messagerelay servername:279129
    20.05.2015 14:16:36 142C I Sent message (id=015CB793) to Router$messagerelay servername:279129
    20.05.2015 14:16:36 142C I Sent message (id=015CB81A) to Router$messagerelay servername:279129
    20.05.2015 14:16:36 142C I Sent message (id=015CB932) to Router$messagerelay servername:279129
    20.05.2015 14:16:36 142C I Sent message (id=015CCD32) to Router$messagerelay servername:279129
    20.05.2015 14:16:36 142C I Sent message (id=015CD8EB) to Router$messagerelay servername:279129
    20.05.2015 14:16:45 09A8 I SSL handshake done, local IP address = 10.x.x.x
    20.05.2015 14:16:51 09A8 I Client::LogonPushPush() successfully called back to client
    20.05.2015 14:16:51 09A8 I Logged on Agent as a client
    20.05.2015 14:16:51 08E0 I Sent message (id=055CB40D) to Agent
    20.05.2015 14:16:51 0E90 I Routing to Agent: id=035CDDA3, origin=Router$clientname:279132, dest=Router$clientname:279132.Agent, type=EM-ClientLogon
    20.05.2015 14:16:51 0EF8 I Sent message (id=035CDDA3) to Agent
    20.05.2015 14:17:12 0E90 I Routing to parent: id=015CDDB8, origin=Router$clientname:279132.Agent, dest=EM, type=EM-GetStatus-Reply
    20.05.2015 14:17:13 142C I Sent message (id=015CDDB8) to Router$messagerelay servername:279129

    End of log.

    I see the client in SEC within 20 seconds of restarting the Message Router service while on the VPN.

    :57332
  • Well, after scratching my head enough, and seeing the error: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0.........I knew it sounded all too familiar!!!

    I went through my old posts and found this gem:  /search?q= 41705

    Voilà !!!!!  My own post to the rescue!!!!! LOL!  It appears as though for some reason after getting a major update, the versions not matching, and re-installing the SUM, the registry keys for ServiceArg and ImagePath were reset to their default values.

    https://www.sophos.com/en-us/support/knowledgebase/50832.aspx

    >>

    • Replace all example values, with values that reflect your organization.
    1. To immediately affect the service:
      1. Modify the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Message Router\ImagePath
        to the following (all one line):

        "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBDottedDecimalAddresses 0 -ORBListenEndpoints iiop://:8193/ssl_port=8194&hostname_in_ior=MR.domain.com
      2. Restart the Message Router service on the message relay.

    2. To make the change persistent when an RMS update/reinstall occurs:
      • Modify the key HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Messaging System\Router\ServiceArgs to the following (all one line):
        -ORBDottedDecimalAddresses 0 -ORBListenEndpoints iiop://:8193/ssl_port=8194&hostname_in_ior=MR.domain.com

    I made the change to both registry keys, but it appears those changes reset when you have to re-install from the primary server's SUM share.

    Either way - clients are updating again.  The world is right again.

    Thanks Christian (and Jak, from my old post!)

    -Adam

    :57333
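
Added example, not part of the original thread and not Sophos code: a small Python decoder for the stringified CORBA IOR that the client logs after "Received parent router's IOR". Run over the parent IOR from the off-VPN log, it shows which host and ports the relay advertises, which is the value the `hostname_in_ior` setting in the KB steps replaces. The function names `parse_ior` and `advertises_private_address` are made up for this illustration.

```python
import ipaddress
import struct

PARENT_IOR = ("IOR:"  # parent router IOR copied from the off-VPN log in this thread
    "010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465"
    "723a312e300000000100000000000000a4000000010102000e0000003139322e3136382e362e3135"
    "300001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f757465"
    "7250657273697374656e740003000000010000004d657373616765526f7574657200000003000000"
    "000000000800000001002c00004f4154010000001800000001002c00010001000100000001000105"
    "090101000000000014000000080000000100a60086000220")

class Cdr:
    """Minimal CDR reader for one encapsulation; octet 0 is the byte-order flag."""
    def __init__(self, data, pos=1):
        self.d, self.pos = data, pos
        self.order = "<" if data[0] else ">"

    def num(self, fmt="I"):                  # "I" = ulong, "H" = ushort
        size = struct.calcsize("<" + fmt)
        self.pos += -self.pos % size         # CDR aligns primitives to their size
        (val,) = struct.unpack_from(self.order + fmt, self.d, self.pos)
        self.pos += size
        return val

    def octets(self):                        # sequence<octet>: ulong length, then bytes
        n = self.num()
        self.pos += n
        return self.d[self.pos - n:self.pos]
    def string(self):                        # CDR string length includes the NUL
        return self.octets()[:-1].decode("ascii")

def parse_ior(text):
    """Return the type id, IIOP host/port and SSL port a stringified IOR advertises."""
    top = Cdr(bytes.fromhex(text.strip()[4:]))
    info = {"type_id": top.string()}
    for _ in range(top.num()):
        tag, body = top.num(), top.octets()
        if tag == 0:                         # TAG_INTERNET_IOP profile
            p = Cdr(body, 3)                 # skip byte order + IIOP version octets
            info["host"], info["port"] = p.string(), p.num("H")
            p.octets()                       # object key, not needed here
            if (body[1], body[2]) >= (1, 1): # tagged components exist from IIOP 1.1
                for _ in range(p.num()):
                    ctag, cbody = p.num(), p.octets()
                    if ctag == 20:           # TAG_SSL_SEC_TRANS: supports, requires, port
                        *_, info["ssl_port"] = map(Cdr(cbody).num, "HHH")
    return info

def advertises_private_address(info):
    """True if clients are told to connect to a private (RFC 1918) address."""
    try:
        return ipaddress.ip_address(info["host"]).is_private
    except ValueError:                       # a hostname, e.g. via hostname_in_ior
        return False
```

For the logged IOR, `parse_ior(PARENT_IOR)` returns host `192.168.6.150`, port 8193 and SSL port 8194, so a client outside the VPN is pointed at the relay's internal address, consistent with the netstat observation earlier in the thread.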