
Enterprise console not updating

Hi Guys,

Since rebooting the server that hosts Sophos last night, the enterprise console appears to have stopped updating. It's showing computers disconnected that I know are on and active, it's not reporting new Device control events or virus events (ran the eicar test virus on a few machines)

Nor can I force the update manager to run an update. It just seems totally frozen :s I've rebooted again since and it stays the same.

Looking at the network communication report shows no problems so I'm a bit lost as to what's going on. Are there any logs I can look at that might help?

I'm running 4.5


  • Same here.  Just spent 2 hours on the phone with tech support with no help.  Mine started on the 26th.

  • Hi,

    I assume that all the Sophos services on the management server came up on restart?  The main ones of interest for the problem as you describe here being the "Sophos Management Service" and "Sophos Message Router".  Are these OK?
    Restart without problems?

    To trace what's happening in the logs.  I would start with the router logs. I.e. "\ProgramData\Sophos\Remote Management System\3\Router\Logs\Router-[Timestamp].log"

    You should see lines such as:

    I Routing to EM: id=0148571F, origin=Router$[ClientName].Agent, dest=EM, type=EM-GetStatus-Reply

    This is an incoming status message from an endpoint.

    Messages such as this will be stored by the router in:
    "\ProgramData\Sophos\Remote Management System\3\Router\Envelopes\" as .msg files until they are sent to their intended destination.

    In the case of the Sophos Message Router handing off messages to the Sophos Management Service for processing into the database, following the above line in the Router logs you should see the associated line:

    01.02.2011 18:55:27 0B54 I Sent message (id=0148571F) to EM


    Here we can see that the status message (0148571F) was "Sent" to the management service, so the Router has performed its function.  The next place to look in the logging would be:

    "\ProgramData\Sophos\Sophos Endpoint Management\4.5\log\sophos-management-services.log"

    You should see lines like:

    "Received status from Router$[ClientName]"

    The other log of interest is:

    "\ProgramData\Sophos\Sophos Endpoint Management\4.5\log\Msgn-[timestamp].log"

    Which is the logging of the messaging component in the management service.  

    It's really tracing the messages up to see how far they are getting.  

    Also of interest is ensuring that the management service is logging on to the router in the first place.  In the router log you should see the line:

    "I Logged on EM as a client"

    Where "EM" is the internal name for the Sophos Management Service; without this happening the management service will not be able to send or receive messages.  Other "clients" that log on to the router are the Certification Manager and Management Agent; the act of those logging on to the router shows up as:

    "I Logged on CM as a client"
    "I Logged on Agent as a client"

    Regards,

    Jak

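The trace Jak describes above, collected into one diagnostic script. This is an added example, not code from the thread or from Sophos: it checks the three services named in the post, counts the .msg envelopes queued for the router, confirms that EM, CM and the Agent logged on to the router, and matches every "Routing to EM" id against a later "Sent message (id=...) to EM" line so that messages the router accepted but never handed to the management service stand out. Paths are the SEC 4.5 / RMS 3 defaults quoted in the post; reading only the newest Router-*.log is an assumption (earlier files are treated as rotated history). Run it from an elevated PowerShell prompt on the management server.

```powershell
# Added diagnostic script (not from the thread or Sophos). It follows the trace Jak
# describes: service state, envelope backlog, router logons, and matching
# "Routing to EM" ids against "Sent message ... to EM" ids. Paths are the SEC 4.5 /
# RMS 3 defaults quoted above; run as administrator on the management server.
$routerLogDir = 'C:\ProgramData\Sophos\Remote Management System\3\Router\Logs'
$envelopeDir  = 'C:\ProgramData\Sophos\Remote Management System\3\Router\Envelopes'
$mgmtLog      = 'C:\ProgramData\Sophos\Sophos Endpoint Management\4.5\log\sophos-management-services.log'

# 1. Are the services named in the post running?
foreach ($name in 'Sophos Management Service', 'Sophos Message Router', 'Sophos Certification Manager') {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    '{0,-32} {1}' -f $name, $(if ($svc) { $svc.Status } else { 'NOT FOUND' })
}

# 2. How many .msg envelopes are queued? (Later posts identify this backlog as the cause.)
$backlog = @(Get-ChildItem -Path $envelopeDir -Filter '*.msg' -ErrorAction SilentlyContinue)
'Envelope backlog: {0} .msg files' -f $backlog.Count

# 3. Newest router log only (assumption: earlier Router-*.log files are rotated history).
$log = Get-ChildItem -Path $routerLogDir -Filter 'Router-*.log' -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $log) { Write-Warning "No Router-*.log under $routerLogDir"; return }
$lines = @(Get-Content -Path $log.FullName)
"Router log: $($log.Name) ($($lines.Count) lines)"

# 3a. Did EM, CM and the Agent log on to the router at all?
foreach ($client in 'EM', 'CM', 'Agent') {
    $ok = [bool]($lines -match "Logged on $client as a client")
    '{0,-6} logged on as a client: {1}' -f $client, $ok
}

# 3b. Correlate routed ids with sent ids; anything routed but never sent is stuck
#     between the Message Router and the Management Service.
$routed = @{}   # id -> origin (e.g. Router$HOST.Agent)
$sent   = @{}
foreach ($line in $lines) {
    if ($line -match 'Routing to EM: id=([0-9A-Fa-f]+), origin=([^,]+)') {
        $routed[$Matches[1]] = $Matches[2]
    } elseif ($line -match 'Sent message \(id=([0-9A-Fa-f]+)\) to EM') {
        $sent[$Matches[1]] = $true
    }
}
$stuck = @($routed.Keys | Where-Object { -not $sent.ContainsKey($_) })
'Routed to EM: {0}  sent to EM: {1}  routed but never sent: {2}' -f $routed.Count, $sent.Count, $stuck.Count
$stuck | Select-Object -First 10 | ForEach-Object { '  stuck id={0} origin={1}' -f $_, $routed[$_] }

# 4. Did the Management Service record the statuses on its side?
if (Test-Path $mgmtLog) {
    $received = @(Select-String -Path $mgmtLog -Pattern 'Received status from Router\$')
    'Management service "Received status" lines: {0}' -f $received.Count
} else {
    Write-Warning "Management service log not found: $mgmtLog"
}
```

If step 3a shows EM never logged on, or step 3b shows many ids routed but never sent while the envelope count keeps climbing, the problem sits between the Message Router and the Management Service rather than on the endpoints, which is exactly the case the later posts in this thread describe.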
  • My issue was resolved by changing the parent address in the registry of my relay server, HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Messaging System\Router to reflect my primary enterprise console server. 

  • I guess that was presenting slightly different symptoms as having a relay pointing to anywhere other than the management server or upstream relay would only affect the status of the relay and any clients managed by it.  I would imagine that other clients including the server were reporting in fine.

    I suppose you might get unknown for up to date state in SEC if the "Authoritative" SUM was configured to be a SUM server being served by the relay or the broken relay itself.

    Jak

  • Yeah, all my clients were pointing to the relay server and it broke communication between the console and the relay server.  The weird thing that is concerning me is that this happened after I pushed the new 9.5 client to the relay server; obviously the policy I pushed to it updated the key to point to itself since all other machines point to it.  I'm guessing that server should have its own separate policy?

  • Hi,

    It depends how it was set up initially.  To configure a machine to be a message relay you should configure a CID/Distribution point with a custom mrinit.conf file in the rms sub-directory.  As per:

    http://www.sophos.com/support/knowledgebase/article/14635.html

    This custom mrinit.conf file defines which machine is the relay such that when AutoUpdate finds this file in the CID it is pulled down, the RMS package performs an update, which in turn runs the command line exe:

    "\Program Files (x86)\Sophos\Remote Management System\ClientMRInit.exe"

    This reads in this custom mrinit.conf file and parses through it, when it reads in:

    ParentRouterAddress

    It checks to see if this is the local machine, and if it is, it knows to make the machine a relay.  The clients that download and perform the same steps are configured to point at it.  So this essentially just changes their "ParentAddress" registry key to point to the relay.

    So as the RMS software is the same be it a server or client, the act of making it a relay is just to change the configuration options in terms of thread counts, connection cache, etc.  Essentially all the values at the end of the article:

    http://www.sophos.com/support/knowledgebase/article/14635.html.  They should have the same values as the management server, as this is a "server" class RMS install.

    So you can manually adjust the keys mentioned in the article to make it a relay and point your clients at the relay manually by adjusting the ParentAddress string but if RMS updates, these values will be reverted.  They can of course be manually reset but the only way to prevent an update to RMS reverting the settings that make it a relay is to configure it from the CID/Distribution point.

    Regards,

    Jak

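A quick check for the relay misconfiguration discussed in the posts above: the relay's own "ParentAddress" registry value ending up pointing at the relay itself, so that nothing it forwards ever reaches the console. This is an added example, not code from the thread or from Sophos. It reads the key quoted above, compares ParentAddress with every name and address the local host answers to, and reports whether the router points upstream or back at itself. It is meant to be run on the relay or on a client, not on the management server. Assumptions: the Wow6432Node fallback path is a guess for a 32-bit RMS install on 64-bit Windows, and ParentAddress is split on commas in case more than one address is listed.

```powershell
# Added example (not from the thread): read the RMS router's ParentAddress and
# report whether it points upstream or back at this host. Run it on the relay or a
# client, not the management server. Registry path as quoted in the posts above;
# the Wow6432Node fallback is an assumption for 32-bit RMS on 64-bit Windows, and
# splitting ParentAddress on commas assumes it may list more than one address.
$candidates = 'HKLM:\SOFTWARE\Sophos\Messaging System\Router',
              'HKLM:\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router'
$key = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $key) { Write-Warning 'RMS router registry key not found'; return }

$props  = Get-ItemProperty -Path $key
$parent = [string]$props.ParentAddress
"Key:           $key"
"ParentAddress: '$parent'"
if (-not $parent.Trim()) { Write-Warning 'ParentAddress is empty; nothing to compare'; return }

# Every name and address this host answers to, lower-cased for comparison
$hostName = [System.Net.Dns]::GetHostName()
try   { $fqdn = [System.Net.Dns]::GetHostEntry($hostName).HostName } catch { $fqdn = $hostName }
$local = @($env:COMPUTERNAME, $hostName, $fqdn) +
         @([System.Net.Dns]::GetHostAddresses($hostName) | ForEach-Object { $_.ToString() })
$local = $local | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique

$targets  = @($parent -split ',' | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ })
$selfRefs = @($targets | Where-Object { $local -contains $_ })

if ($selfRefs.Count -gt 0) {
    "PROBLEM: ParentAddress names this host ($($selfRefs -join ', ')); the router is its own parent, " +
    'so nothing it relays can reach the console. Point it at the management server (or upstream relay), ' +
    'preferably via the CID mrinit.conf so an RMS update does not revert the setting.'
} else {
    "OK: ParentAddress points upstream at $($targets -join ', ')"
}
```

As Jak notes, editing ParentAddress by hand is only a stop-gap: an RMS update re-applies whatever the CID's mrinit.conf says, so the durable fix is to correct the custom mrinit.conf on the distribution point and let the relay and its clients pick it up.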
  • Hi Folks,

    I raised a support call with Sophos when I posted this and they responded yesterday morning with

    "
    Stop the "Sophos Certification Manager" service
    Stop the "Sophos Message Router" service

    Browse to the following locations

    C:\ProgramData\Sophos\Remote Management System\3\Router\Envelopes
    Delete all msg files present

    C:\ProgramData\Sophos\Remote Management System\3\Router
    Delete 'table_router.txt'

    Start the "Sophos Certification Manager" service
    Start the "Sophos Message Router" service

    (this may take 30-60 mins to take effect)
    "

    This worked for me, although as mentioned in the reply it did take around an hour for it to start reporting correctly again.

    Thank you for your posts above as well, may come in handy if someone else has the same problem (I really hate googling for a solution to a problem and finding unanswered threads :P )

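The support steps quoted in the post above, as a script. This is an added example, not Sophos tooling and not something the poster ran: it stops the two services in the order given, clears the Envelopes queue and table_router.txt, and starts the services again in the same order, reporting the backlog size and each service's state along the way. Paths are the SEC 4.5 / RMS 3 defaults quoted above and it needs an elevated prompt on the management server. One deliberate deviation, added here as a precaution: the .msg files and table_router.txt are moved to a timestamped folder under %TEMP% rather than deleted, so the backlog can still be inspected afterwards; from the router's point of view the folder is empty either way.

```powershell
# Added example implementing the support steps quoted above, in the order given;
# not Sophos tooling. Assumes the SEC 4.5 / RMS 3 paths quoted and an elevated
# prompt on the management server. Deviation (assumption/precaution): the .msg files
# and table_router.txt are moved to a timestamped folder rather than deleted.
$routerDir   = 'C:\ProgramData\Sophos\Remote Management System\3\Router'
$envelopeDir = Join-Path $routerDir 'Envelopes'
$tableFile   = Join-Path $routerDir 'table_router.txt'
$backupDir   = Join-Path $env:TEMP ('rms-envelopes-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
$services    = 'Sophos Certification Manager', 'Sophos Message Router'   # stop/start order from the reply

$backlog = @(Get-ChildItem -Path $envelopeDir -Filter '*.msg' -ErrorAction SilentlyContinue)
"Envelope backlog before reset: $($backlog.Count) .msg files"
if ($backlog.Count -eq 0) { 'No envelope backlog; nothing to clear.'; return }

# Stop both services and wait until each reports Stopped before touching files
foreach ($name in $services) {
    $svc = Get-Service -DisplayName $name
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    }
    '{0,-30} {1}' -f $name, (Get-Service -DisplayName $name).Status
}

# Clear the queue and the routing table (moved aside instead of deleted)
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backlog | Move-Item -Destination $backupDir -Force
if (Test-Path $tableFile) { Move-Item -Path $tableFile -Destination $backupDir -Force }
"Moved $($backlog.Count) envelopes (and table_router.txt if present) to $backupDir"
"Envelopes left in queue: $(@(Get-ChildItem -Path $envelopeDir -Filter '*.msg' -ErrorAction SilentlyContinue).Count)"

# Start in the same order and confirm each is Running
foreach ($name in $services) {
    Start-Service -DisplayName $name
    (Get-Service -DisplayName $name).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    '{0,-30} {1}' -f $name, (Get-Service -DisplayName $name).Status
}
'Done. The reply above notes it can take 30-60 minutes before the console reports correctly again.'
```

The backlog count printed first is worth keeping: the later replies report 12,000 and 180,000 queued .msg files, so a large number here is a strong sign that this procedure, rather than a firewall or endpoint problem, is what is needed.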
  • we had the same issue.

    we had 12,000 messages in 5 days, which then stopped the updating.

    we thought it was our firewall, but tried what you put and worked great!!

    sophos have said that when updating, the messages get read, and due to the amount of them we had, they were not being read into the system.

    by doing the fix above, you delete the messages (envelope folder), and the route table file, which then allows the update manager to run without the backlog of messages to read and process first.

    Thanks DrCheese for posting your results!!! i totally agree about googling for solutions to find it has been unanswered when fixed.

  • Hi,

    many thanks for your post, we had about 180,000 messages in the directory. After I followed your recommendation, all clients came up again.

    So I could solve the problem faster than the support team.

    Thanks again.

    Thomas
