
Move clients to new Sophos Enterprise Console

Our old Sophos Enterprise Console crashed (got infected by a ransomware/cryptolocker variation).

We installed SEC on a new device (which has the same IP as the old one), but we can't manage to migrate computers from the existing old SEC to the new one.

We have followed the instructions stated here:

https://www.sophos.com/en-us/support/knowledgebase/116737.aspx

We created the SophosReinit.vbs and ran it on a couple of computers (running Windows 7), but although the script runs without errors (as we see in the logfile), the computer isn't changing to the new management server.



  • Hello Hmantech,

    could you post the start of the Router log, say 30-40 lines? It contains host names and IPs so be careful to not disclose sensitive information.

    Christian

  • This is the start of the router log:

    08.04.2016 08:25:01 0D78 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20160408-052501.log
    08.04.2016 08:25:01 0D78 I Sophos Messaging Router 4.0.2.21 starting...
    08.04.2016 08:25:01 0D78 I Setting ACE_FD_SETSIZE to 138
    08.04.2016 08:25:01 0D78 I Initializing CORBA...
    08.04.2016 08:25:01 0D78 I Connection cache limit is 10
    08.04.2016 08:25:05 0D78 I Creating ORB runner with 4 threads
    08.04.2016 08:25:05 0D78 I Non-compliant certificate hashing algorithm.
    08.04.2016 08:25:05 0D78 I This computer is part of the workgroup WORKGROUPNAME
    08.04.2016 08:25:05 0D78 I This router's IOR:
    IOR:
    08.04.2016 08:25:05 0D78 I Successfully validated this router's IOR
    08.04.2016 08:25:05 0D78 I Reading router table file
    08.04.2016 08:25:09 0D78 I Host name: COMPUTERNAME
    08.04.2016 08:25:09 0D78 I Local IP addresses: 1.0.0.xx 10.0.0.xx 192.168.1.xx
    08.04.2016 08:25:09 0D78 I Resolved name: COMPUTERNAME
    08.04.2016 08:25:09 0D78 I Resolved alias/es:
    08.04.2016 08:25:09 0D78 I Resolved IP addresses: 1.0.0.xx 10.0.0.xx 192.168.1.xx
    08.04.2016 08:25:09 0D78 I Resolved reverse names/aliases: COMPUTERNAME
    08.04.2016 08:25:09 104C I Routing to parent: id=00FBE652, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 104C I Routing to parent: id=00FCB6E0, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 104C I Routing to parent: id=00FCB8AE, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 104C I Routing to parent: id=00FCDEDD, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 104C I Routing to parent: id=00FCDFBD, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 0D78 I Waiting for messages...
    08.04.2016 08:25:09 104C I Routing to parent: id=00FCDFFF, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 104C I Routing to parent: id=00FE0915, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 104C I Routing to parent: id=00FE3F0E, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 104C I Routing to parent: id=0101FB94, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 104C I Routing to parent: id=010207AE, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 104C I Routing to parent: id=010209A1, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 104C I Routing to parent: id=01033743, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 104C I Routing to parent: id=01034E18, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 104C I Routing to parent: id=010351A9, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 104C I Routing to parent: id=01049F55, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 104C I Routing to parent: id=0105F074, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-GetStatus-Reply
    08.04.2016 08:25:09 104C I Routing to parent: id=0105F1DF, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-EntityEvent
    08.04.2016 08:25:09 0D78 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 4, max number of user ports 15360
    08.04.2016 08:25:09 105C I Getting parent router IOR from 169.254.73.250:8192
    08.04.2016 08:25:09 104C I Routing to parent: id=0105F1EC, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-GetStatus-Reply
    08.04.2016 08:25:09 104C I Routing to parent: id=0106462B, origin=Router$COMPUTERNAME:234027.Agent, dest=EM, type=EM-GetStatus-Reply
    08.04.2016 08:25:09 104C I Routing to Agent: id=01065F86, origin=Router$COMPUTERNAME:234027, dest=Router$COMPUTERNAME:234027.Agent, type=EM-ClientLogoff
    08.04.2016 08:25:09 106C W Delivery failed(Timeout) for message type EM-GetStatus-Reply, originator Router$COMPUTERNAME:234027.Agent
    08.04.2016 08:25:09 106C W Delivery failed(Timeout) for message type EM-GetStatus-Reply, originator Router$COMPUTERNAME:234027.Agent
    08.04.2016 08:25:09 106C W Delivery failed(Timeout) for message type EM-GetStatus-Reply, originator Router$COMPUTERNAME:234027.Agent
    08.04.2016 08:26:19 106C W Delivery failed(Timeout) for message type EM-ClientLogoff, originator Router$COMPUTERNAME:234027
    08.04.2016 08:30:29 105C I This computer is part of the workgroup WORKGROUPNAME
    08.04.2016 08:30:29 105C I Getting parent router IOR from 1.0.0.xx:8192
    08.04.2016 08:30:29 105C I This computer is part of the workgroup WORKGROUPNAME
    08.04.2016 08:30:29 105C I Received parent router's IOR:

  • Hello Hmantech,

    thanks, unfortunately the snippet stops where it gets interesting. Normally this number of lines would suffice but this is a rather uncommon scenario. It looks like the endpoint has 3 (three) addresses and the server at least two. The endpoint fails to obtain an IOR from the first address it tries (Getting parent router IOR from 169.254.73.250:8192) but then seems to succeed with Getting parent router IOR from 1.0.0.xx:8192.

    So - what's in the following lines?

    Christian

  • These are the following lines:

    08.04.2016 08:30:29 105C I Received parent router's IOR:
    IOR:
    08.04.2016 08:30:29 105C I Successfully validated parent router's IOR
    08.04.2016 08:30:29 105C I Accessing parent
    08.04.2016 08:46:30 105C W SSL connection alert, peer address 1.0.0.xx
    08.04.2016 08:46:30 105C W Cannot verify peer's SSL certificate, unknown CA
    08.04.2016 08:46:30 105C E ACE_SSL (2556|4188) error code: 336134278 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    08.04.2016 09:02:31 105C W SSL connection alert, peer address 1.0.0.xx
    08.04.2016 09:02:31 105C W Cannot verify peer's SSL certificate, unknown CA
    08.04.2016 09:02:31 105C E ACE_SSL (2556|4188) error code: 336134278 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    08.04.2016 09:02:31 105C E ParentLogon::RegisterParent: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
    OMG minor code (2), described as '*unknown description*', completed = NO
     
    08.04.2016 09:03:01 105C I Getting parent router IOR from 169.254.73.250:8192
    08.04.2016 09:08:21 105C I This computer is part of the workgroup WORKGROUPNAME
    08.04.2016 09:08:21 105C I Getting parent router IOR from 1.0.0.xx:8192
    08.04.2016 09:08:21 105C I This computer is part of the workgroup WORKGROUPNAME
    08.04.2016 09:08:21 105C I Received parent router's IOR:
    IOR:
    08.04.2016 09:08:21 105C I Successfully validated parent router's IOR
    08.04.2016 09:08:21 105C I Accessing parent
    08.04.2016 09:24:23 105C W SSL connection alert, peer address 1.0.0.xx
    08.04.2016 09:24:23 105C W Cannot verify peer's SSL certificate, unknown CA
    08.04.2016 09:24:23 105C E ACE_SSL (2556|4188) error code: 336134278 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    08.04.2016 09:25:09 0D78 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 7, max number of user ports 15360
    08.04.2016 09:40:24 105C W SSL connection alert, peer address 1.0.0.xx
    08.04.2016 09:40:24 105C W Cannot verify peer's SSL certificate, unknown CA
    08.04.2016 09:40:24 105C E ACE_SSL (2556|4188) error code: 336134278 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    08.04.2016 09:40:24 105C E ParentLogon::RegisterParent: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
    OMG minor code (2), described as '*unknown description*', completed = NO
     
    08.04.2016 09:40:54 105C I Getting parent router IOR from 169.254.73.250:8192
    08.04.2016 09:46:15 105C I This computer is part of the workgroup WORKGROUPNAME
    08.04.2016 09:46:15 105C I Getting parent router IOR from 1.0.0.xx:8192
    08.04.2016 09:46:15 105C I This computer is part of the workgroup WORKGROUPNAME
    08.04.2016 09:46:15 105C I Received parent router's IOR:
    IOR:
    08.04.2016 09:46:15 105C I Successfully validated parent router's IOR
    08.04.2016 09:46:15 105C I Accessing parent
    08.04.2016 10:02:16 105C W SSL connection alert, peer address 1.0.0.xx
    08.04.2016 10:02:16 105C W Cannot verify peer's SSL certificate, unknown CA
    08.04.2016 10:02:16 105C E ACE_SSL (2556|4188) error code: 336134278 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    08.04.2016 10:18:17 105C W SSL connection alert, peer address 1.0.0.xx
    08.04.2016 10:18:17 105C W Cannot verify peer's SSL certificate, unknown CA
    08.04.2016 10:18:17 105C E The certificate of this router is incompatible with the server, please reinstall RMS
    08.04.2016 10:18:19 105C I This computer is part of the workgroup WORKGROUPNAME
    08.04.2016 10:25:09 0D78 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 7, max number of user ports 15360
    08.04.2016 11:25:09 0D78 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 7, max number of user ports 15360
    08.04.2016 12:25:09 0D78 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 7, max number of user ports 15360
    08.04.2016 13:25:09 0D78 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 7, max number of user ports 15360
    08.04.2016 14:25:09 0D78 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 7, max number of user ports 15360
    08.04.2016 15:25:09 0D78 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 7, max number of user ports 15360
    08.04.2016 16:25:09 0D78 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 7, max number of user ports 15360
    08.04.2016 17:25:09 0D78 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 7, max number of user ports 15360

  • Hello Hmantech,

    thanks. Now, the server advertises four addresses (three 192.168.x.x and one 1.0.0.x) in the IOR; connection to the latter fails due to a certificate mismatch.

    Did you use the correct cac.pem and mrinit.conf? Apart from the certificate mismatch I'm surprised about the 169.254.x.x address which seems to be in the mrinit.conf used by the endpoint, but apparently the server doesn't listen on it.
    Please check if the SophosReinit.txt and ClientMRInit logs show indeed no errors and list the correct addresses.

    NB: You should perhaps reassess the use of the multiple IPs.

    Christian
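
The manual reading of the Router log done in this thread (which parent address was tried, whether an IOR came back, and where the TLS handshake was rejected) can be scripted. The following is an added example, not part of any post above and not Sophos code; the `triage` function is hypothetical and the sample lines are constructed from the log format quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Router log quoted in the thread.
SAMPLE_LOG = """\
08.04.2016 08:25:09 105C I Getting parent router IOR from 169.254.73.250:8192
08.04.2016 08:30:29 105C I Getting parent router IOR from 1.0.0.xx:8192
08.04.2016 08:30:29 105C I Received parent router's IOR:
08.04.2016 08:30:29 105C I Accessing parent
08.04.2016 08:46:30 105C W SSL connection alert, peer address 1.0.0.xx
08.04.2016 08:46:30 105C W Cannot verify peer's SSL certificate, unknown CA
08.04.2016 08:46:30 105C E ACE_SSL (2556|4188) error code: 336134278 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
08.04.2016 10:18:17 105C W SSL connection alert, peer address 1.0.0.xx
08.04.2016 10:18:17 105C W Cannot verify peer's SSL certificate, unknown CA
08.04.2016 10:18:17 105C E The certificate of this router is incompatible with the server, please reinstall RMS
"""

# date time, 4-char thread id, level (I/W/E), message
LINE = re.compile(r"^(\d\d\.\d\d\.\d{4} \d\d:\d\d:\d\d) (\w{4}) ([IWE]) (.*)$")
FETCH = re.compile(r"Getting parent router IOR from (\S+):(\d+)")
ALERT = re.compile(r"SSL connection alert, peer address (\S+)")

def triage(text):
    """Return ({address: counters}, [findings]) for one Router log."""
    stats = defaultdict(lambda: {"ior_requests": 0, "ior_received": 0, "unknown_ca": 0})
    findings, pending, peer = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines (IOR blob, CORBA minor code)
        msg = m.group(4)
        if f := FETCH.search(msg):
            pending = f.group(1)          # address the next IOR reply belongs to
            stats[pending]["ior_requests"] += 1
        elif msg.startswith("Received parent router's IOR") and pending:
            stats[pending]["ior_received"] += 1
        elif a := ALERT.search(msg):
            peer = a.group(1)             # address the following TLS error refers to
        elif "unknown CA" in msg and peer:
            stats[peer]["unknown_ca"] += 1
        elif "incompatible with the server" in msg:
            findings.append("router certificate incompatible with server (log advises reinstalling RMS)")
    for addr, s in stats.items():
        if s["ior_requests"] and not s["ior_received"]:
            findings.append(f"{addr}: no IOR received")
        if s["unknown_ca"]:
            findings.append(f"{addr}: peer certificate not trusted ({s['unknown_ca']}x unknown CA)")
    return dict(stats), findings
```

Run over a full log with `triage(open(path).read())`; an address with requests but no IOR and an address with repeated unknown-CA alerts are the two conditions discussed in the replies above.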