
Sophos Enterprise Console issues

I am kindly asking for some assistance with Sophos Endpoint Security and Control v10.7 and Sophos Enterprise Console v5.5.0. At first it was working properly with no issues, but after a month I found it had stopped working and shows no managed endpoints, including the server itself, as connected. What could be the problem? And it's just stuck on downloading binaries.



  • Hello Jeremiah Sakala,

    if the server itself is also disconnected then it's likely a communications error.
    Guess you have checked that the Sophos services are running. Please see Update Manager stuck at Downloading Binaries for a potential cause and the solution.

    Christian

  • I checked the services are running, but from Task Manager, SophosUpdateMgr.exe is showing as not using the CPU, it's just a constant "00". But I can also see that the Update Manager folder in Program Files(x86)\Sophos is showing last modified with today's date.

     

    Let me try the link and I will update

  • I started with the first suggestion, which is "First check for me is if SUM can report status into the management server.", and it didn't reflect the change (didn't report the status), but I still went ahead and tried the suggestions in those posts, to no avail. So I am still stuck.

  • Hello Jeremiah Sakala,

    has your management server one or more than one address?
    On the management server - did you telnet <address> 8192 (successively using the values/names from mrinit.conf for <address>), did this return an address in the IIOP in at least one of the cases and were you able to connect to port 8194 using this address? It's not clear what you mean by tried to no avail.

    Christian   

  • Hello Christian,

     

    Sorry couldn't respond in time, was held up.

     

    My management Server has only 1 IP address. Telnet with port 8192 brings lots of numbers then it says "connection lost", with port 8193 no connection, only connects with port 8194.

     

  • Hello Jeremiah Sakala,

    lots of numbers then it says "connection lost"
    this is normal and correct, the lots of numbers are an IOR, you can parse its information for example at parc.com. You should find the server's IP on the reachable with line. No connection on 8193 is also correct, port 8194 connects and after some time disconnects.
    So if the IP returned in the IOR is the correct one there's some other issue. Please stop the Sophos Message Router and Sophos Agent services, start them and check the Router and Agent logs (%ProgramData%\Sophos\Remote Management System\3\...) - post them here if necessary.

    Christian

  • The only folder where I can find Remote Management System is at this path: "c:\Program Files(86)\Sophos\Remote Management System" and the only contents are mrinit & cac.. Where can I check the logs?

  • Hello Jeremiah Sakala,

    they are under %ProgramData% (usually a hidden folder, if it's not in Explorer's list just type it in the address bar).

    Christian

  • Hello Jeremiah Sakala,

    thanks. You can drag the log into the editor window, or copy/paste text.

    The Agent log doesn't show an anomaly as far as I can tell, communication with SUM and the Router is up.
    The Router log tells that the server has 4 IPs, one 192.x.x.x and three 169.254.x.x - are the latter "intentional"? Could you attach the whole log here - if it's already too large then please restart the Router, wait about 2 minutes, restart again and take the 2-minute log. Looks like it's not talking to the Management Service.

    Christian

  • I was also checking the Network Report, the parent address and current parent address are not available, is this OK?

  • Hello Jeremiah Sakala,

    it's the Router log which should give more insight, please drag it into the editor window so that it gets attached to the post.

    The Not available in the Network Report is ok if it says server for the RMS router type.

    Christian

  • Hello Jeremiah Sakala,

    thanks - but please be patient, I'll not be able to answer before tomorrow.

    Christian

  • Thanks Christian, I will wait. Am even about to call it a day for today. Really appreciate the assistance.

  • Hello Jeremiah Sakala,

    first of all, as already mentioned your server returns 4 profiles in the IOR with 169.254.128.169 as the first one. The 169.254.x.x addresses are perhaps not the best choice, you might consider using only one. BTW: Could you show your mrinit.conf (make sure it doesn't reveal any sensitive data).

    You have apparently quite a number of messages queued in the Envelopes folder, at the moment the Router can't forward them to the management service (EM) and the messages about them clutter the log. You could move them temporarily to some other place (but this is not compulsory).

    If I've counted correctly nine endpoints have successfully contacted the server and are trying to set up communication. The Router though seems to be unable to communicate internally (E Attempt to get client interface from non-local caller). Please check the last lines in the latest CertManager log in %ProgramData%\Sophos\Remote Management System\3\CertificationManager\Logs\ and the Msgn log in %ProgramData%\Sophos\Sophos Endpoint Management\log\.

    You probably can't remember what could have been changed at the time you noticed that it had stopped working, can you?

    Christian
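An added example, not part of the thread and not Sophos code: a minimal offline parser for the stringified IOR that the Message Router returns on port 8192, listing the host and port of each IIOP profile and marking link-local (169.254.x.x) entries like the one discussed above. It assumes the text is a standard CORBA stringified IOR (`IOR:` followed by hex); `SAMPLE`, `Cdr`, `parse_ior`, `label` and `review` are names made up here, and the sample IOR is constructed.

```python
import ipaddress
import struct

# Constructed sample (not from the thread): little-endian IOR, two IIOP profiles.
SAMPLE = ("IOR:" "01000000" "0d000000" "49444c3a44656d6f3a312e3000" "000000"
          "02000000" "00000000" "24000000" "01010000" "10000000"
          "3136392e3235342e3132382e31363900" "0220" "0000" "04000000" "4b455931"
          "00000000" "20000000" "01010000" "0b000000"
          "3139322e302e322e313000" "00" "0220" "0000" "04000000" "4b455931")

class Cdr:
    """Minimal CDR reader; alignment is relative to the encapsulation start."""
    def __init__(self, data, pos=1):
        self.data, self.pos = data, pos                # octet 0 is the byte-order flag
        self.end = "<" if data[0] & 1 else ">"

    def num(self, fmt, size):
        self.pos += -self.pos % size + size            # align, then consume
        return struct.unpack_from(self.end + fmt, self.data, self.pos - size)[0]

    def octets(self):                                  # ulong length, then the bytes
        n = self.num("I", 4)
        self.pos += n
        if self.pos > len(self.data):
            raise ValueError("truncated IOR")
        return self.data[self.pos - n:self.pos]

def parse_ior(text):
    """Return (type_id, [(host, port), ...]) for the IIOP profiles in an IOR string."""
    text = text.strip()
    if text[:4].upper() != "IOR:":
        raise ValueError("not a stringified IOR")
    body = Cdr(bytes.fromhex(text[4:]))
    type_id, endpoints = body.octets().rstrip(b"\0").decode("latin-1"), []
    for _ in range(body.num("I", 4)):                  # number of tagged profiles
        tag, profile = body.num("I", 4), body.octets()
        if tag == 0 and profile:                       # 0 = TAG_INTERNET_IOP
            p = Cdr(profile, 3)                        # skip flag + IIOP version
            endpoints.append((p.octets().rstrip(b"\0").decode("latin-1"), p.num("H", 2)))
    return type_id, endpoints

def label(host):                                       # classify one advertised host
    try:
        return "link-local" if ipaddress.ip_address(host).is_link_local else "ok"
    except ValueError:
        return "hostname"                              # not an IP literal

def review(text):
    return [(h, p, label(h)) for h, p in parse_ior(text)[1]]
```

Endpoints try the profiles the IOR advertises, so a `link-local` row in the output of `review()` is an address that machines on other segments cannot reach.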

  • Hi Christian, 

    Sorry, I wasn't working from the office yesterday. Any ideas how to get rid of the unwanted profiles in the IOR? I can't remember what happened or any changes that were made on the server for it to stop working. I was on short leave from work and when I returned I just found that it was not showing any connected endpoints.

    On Wednesday I tried to push the installer to a PC on the network; it was able to install remotely, surprisingly, though it is still showing no connected endpoints. Let me edit the mrinit.config and send it. I am working remotely today.

  • The mrinit details, I will just tell this, let me know if you need other details:

    "NotifyRouterUpdate"="EM"

    "ClientIIOPPort"=dword:00002001

    "ClientSSLPort"=dword:00002002

    "ClientIORPort"=dword:00002000

    "IORSenderPort"=dword:00002000

    ........

    ...........

    ........

    "ServiceArgs"="

    "MRParentAddress"="ServerIP, ServerMAC,<unknown>,ServerName"

    "ParentRouterAddress"="ServerIP,ServerMAC,<unknown>,ServerName"