
Replacing SUM server in SEC

 Hi. Would appreciate any advice on the following.

We have a setup with a SEC server and approx 6 remote SUM servers. As one of these SUM servers was a 2008 server and we are migrating to 2012 we decided to replace it. This was done by creating a new 2012 server and giving it a temp name and IP. We then renamed and re-IP'd the old 2008 server and gave the original name and IP to the new 2012 server. This seems to have worked OK and the clients seem to be taking their updates OK from the new 2012 server.

However I think I still have an issue with the messaging service. I have noticed a large build up of messages in the envelopes folder on the SEC. Messages still seem to be moving through the folder (possibly from the existing SUM servers) but there is still an increase in size. I think a lot of these could be messages for either the old 2008 physical box or the new 2012 server temporary name, neither of which exists anymore (if this makes sense!).

I have tried rebooting both the SEC and the SUM with no effect. I have also tried stopping and starting the Update Manager service on the SEC as well as the Message Router service with no effect. Finally I have tried renaming the Envelopes folder but the size builds up again. I was going to delete the servers from the SEC and add in the correct one again but having read other posts on this forum have held off from doing this. I am confident this is not an actual updating issue and more of a messaging issue. Grateful if you could confirm I am right in my assumptions and also of a course of action.



This thread was automatically locked due to age.
  • Hello Ian Withers,

    do I understand correctly that your SUMs are also Message Relays?
    Please take one of the "stuck" messages (it should have [Originator] Router$yourSECserver.EM in it) and check the [Destination], a relayed message looks like this: Router$relay:number1.Router$endpoint:number2.Agent. Guess it's obvious what relay should be. The next steps depend on what you find.

    Christian

  • Hi Christian.

    You are indeed right in that the SUM servers are also message relay servers. I have checked the config on the new SUM server and it shows as a Message Relay OK. In the stuck message on the SEC server I can see in the [Destination] Router$<servername>:123456.Router$<clientname>:123456.Agent.

    I notice when checking the Sophos Network Communications reports on the SUM server it gives the new server name but the RMS Router name is the temporary one we 'christened' the server with originally. I read in one of your other articles that this probably is not an issue but I can't help wondering if the messaging system is confused. The RMS>3>Router>message logs on the SEC all show messages going to all the SUM servers and in the case of this particular SUM server the name is the old original one it was created with and not the current name.

     

    Thanks again for your help.

    With best wishes,

    Ian

  • Hello Ian,

    "show messages going to all the SUM servers"
    you mean the Routing to Router$<servername>:123456, id=0123ABCD, ...., dest=Router$<servername>:123456.Router$<clientname>:987654.Agent? Please note that only a subsequent Supplying message (id=0123ABCD) to Router$<servername>:123456 indicates that the message has been sent, otherwise you'll find the corresponding .msg in the \Envelopes folder (in it the MessageID is the decimal representation of the id=).

    "the RMS Router name is the temporary one"
    correct, it shouldn't matter.
    When an endpoint (I prefer the term endpoint to client) logs on to the management server (EM) through a relay, the relay prepends its router name to the endpoint's address; subsequently, when EM sends a message to the endpoint, it uses the prepended name to choose the appropriate relay.
    You say that messages build up. Normally EM doesn't send many messages to, especially disconnected, endpoints unless you perform some action (e.g. updating/assigning policies, requesting a scan) in the console. Are the destinations in the messages endpoints (specifically endpoints behind this MR), is the relay address the new SUM/MR, and what's the [Type] of these messages? What's the Policy compliance and Up to date status of these endpoints?
    Even if the old server is still online, configured as an MR, and chosen by some endpoints this shouldn't cause problems as the path is updated when the connection is initiated by the endpoints and the backward path should subsequently be available. Only when EM sends a message to a disconnected endpoint (see above) it uses the last-known path which might not be available when the endpoint later connects again.

    Christian   
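The log check described in the post above, as an added example that is not part of the thread or of Sophos tooling: it pairs each "Routing to" entry with a later "Supplying message" entry by id, and for the unpaired ones reports the decimal MessageID to look for in the .msg files and the relay hop taken from dest=. The log lines are constructed from the shapes quoted in the post; the function names and the reduced line layout are assumptions.

```python
import re
from collections import Counter

# Constructed sample shaped like the Router log entries quoted in the post;
# names, ports and ids are made up, and real lines carry more fields.
SAMPLE_LOG = """\
Routing to Router$SUM01:123456, id=0123ABCD, dest=Router$SUM01:123456.Router$PC-A:987654.Agent
Supplying message (id=0123ABCD) to Router$SUM01:123456
Routing to Router$SUM02:222222, id=0000BEEF, dest=Router$SUM02:222222.Router$PC-B:333333.Agent
Routing to Router$SUM02:222222, id=0000C0DE, dest=Router$SUM02:222222.Router$PC-C:444444.Agent
Routing to Router$PC-E:666666, id=000000FF, dest=Router$PC-E:666666.Agent
"""

ROUTING = re.compile(r"Routing to (Router\$[^,\s]+), id=([0-9A-Fa-f]+),.*?dest=(\S+)")
SUPPLYING = re.compile(r"Supplying message \(id=([0-9A-Fa-f]+)\)")
HOP = re.compile(r"Router\$[^:]+:\d+")


def unsent_messages(log_text):
    """Messages with a 'Routing to' entry but no later 'Supplying message'."""
    pending = {}
    for line in log_text.splitlines():
        routed = ROUTING.search(line)
        if routed:
            _next_hop, msg_id, dest = routed.groups()
            pending[msg_id.upper()] = dest
            continue
        supplied = SUPPLYING.search(line)
        if supplied:
            # Only a Supplying entry that follows the Routing entry counts as sent.
            pending.pop(supplied.group(1).upper(), None)
    result = []
    for msg_id, dest in pending.items():
        hops = HOP.findall(dest)
        result.append({
            "id": msg_id,
            "message_id": int(msg_id, 16),  # decimal MessageID inside the .msg
            "relay": hops[0] if len(hops) > 1 else None,  # None = direct
            "endpoint": hops[-1] if hops else None,
        })
    return result


def backlog_by_relay(messages):
    """Count unsent messages per first relay hop."""
    return Counter(m["relay"] or "direct" for m in messages)


if __name__ == "__main__":
    stuck = unsent_messages(SAMPLE_LOG)
    for m in stuck:
        print(m)
    print(backlog_by_relay(stuck))
```
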

  • Hi Christian,

    Thanks for this. Sorry about the delay but we had a separate issue last night with messages sending which gave us a big backlog of messages to send. This appears to be resolved now so I have been able to look at your latest.

    Most of the stuck messages are endpoints behind the SUM in question but there are a minority which are direct to endpoints. Some messages are to an endpoint behind two SUMs i.e. <SUM1>:123456>SUM2>.123456<RouterENDPOINT>.Agent. The type of message is EM-SetConfiguration. There are over 20,000 messages in the envelope so I have only looked at a selection. However the above seems to apply to all the stuck messages.

     

    Hope this helps.

  • Hello Ian,

    if the SUM in question isn't one of the chained SUMs I'll disregard this for the moment.

    So it seems to be an issue with this SUM, IIRC EM-SetConfiguration are policy messages. How many endpoints behind this relay?

    • is the SUM (in the Endpoints view) connected and its Last message time recent? Same question for the endpoints behind it
      or search the Router log on the SEC server for relayed messages (using origin=Router$SUM:123456.Router$)
    • does netstat -n| find "<MR-IP>"  show the expected two connections

    on the SUM/MR

    • does the Router log on the SUM/MR show traffic
    • does netstat -n|find ":8194" show connected endpoints

    If there are no endpoint connections it might be a missing firewall rule

    Christian

  • Hi Christian,

    Just double checking everything again and I notice the mrinit.conf that I put in the RMS folder for each CID is missing. However the endpoints do seem to be pointing at the SUM OK.

    I'll re-do the mrinit files for each CID and run Confcid.exe again and let you know how it goes.

     

    With thanks,
