
Odd Issues with Enterprise Console 4.5

Hi all.


I've been doing a quick lab with 4.5 before putting it into production but I've encountered a few issues.


For information, I'm running on 2008 SP2 x64, using the inbuilt SQL Express 2008, although in production it will use the full fat version.

Now the issues.

First, the Sophos Management Service won't start correctly. The service seems to start if left overnight (possible SQL slow to start issue?). I don't know SQL very well but was wondering if the database is starting correctly. I'm getting two events. In System I get Event ID 7031, "The service terminated unexpectedly". In the application logs I've got Event ID 8004, "Data: 0x80007042b - The process terminated unexpectedly".

The other issue is the console: the status window appears to have frozen. Lab PCs are updating OK and policies appear to be applying, as I can see the changes on the endpoints when I change something in the policy, but the console still shows them as "awaiting policy transfer".


I'll be raising a support call later but thought I'd ask on here first.

:3745


  • Hi Longun

    The issues regarding event viewer look like they need a full investigation and I would recommend contacting support about this.

    Awaiting policy transfer is most likely the ports 8192, 8193 and 8194. Please add exceptions in the Windows Firewall for these ports if it is being used. (Control Panel -> Administrative Tools -> Windows Firewall with Advanced Security, then create a new rule.)

    If a rule already exists to open the ports, then check that the Sophos Agent service is started and that you can do a telnet test to the machine (cmd -> Telnet <ip address> 8192). If you do not get an IOR returned, then the port is not open somewhere; if you do get an IOR, then the port is talking. Check the IOR in both directions: from the server to the client and the client to the server. If there is still no error, you will need to start looking into the agent logs.

    C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Agent\Logs\

    If you are having difficulty reading the logs then contact support.

    :3748
  • A_K,


    Thanks for the reply.  I've raised a support call for the first issue.

    The rules exist on the server and I can telnet to the port numbers in that direction OK, but they aren't open on the clients; as the client starts the connection, I didn't think it would be needed. I'll give that a try.


    Thanks

    :3768
  • OK, I've given this a go and can now telnet in both directions, but it's still not working. I don't think it's a problem at the client end, as when most clients are turned off they get a little red x in the corner of the icon. This doesn't appear either, so the console isn't even displaying a client that is turned off. I'll investigate the logs to see if I can find anything.


    Thanks

    :3772
  • Did you get any errors in the agent logs?

    :3779
  • The only error I can find is this: Failed to connect to the SUM host: connection was refused

    This appears a few times in the log on the server, I've attached a sample below.  I can't see the same error on the clients.

    06.07.2010 20:45:11 0654 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Agent/Logs/Agent-20100706-194511.log
    06.07.2010 20:45:11 0654 I Sophos Management Agent 3.2.0.2013 starting...
    06.07.2010 20:45:11 0774 I AdapterManager::LoadAdapter, adapter ALC does not export GetAdapterVersion
    06.07.2010 20:45:12 0774 I SAUAdapter - SAU Update status information read from C:\ProgramData\Sophos\AutoUpdate\data\status\AUAdapter.xml
    06.07.2010 20:45:12 0774 I SAUAdapter - SAU IPCBase::IPCBase: Initialising shared memory A32951C539924a12B3C8F2FDA5A268E4
    06.07.2010 20:45:12 0794 I SAUAdapter - SAU IPCListener::Wait started
    06.07.2010 20:45:12 0794 I SAUAdapter - SAU IPCListener::Wait Waiting for more messages
    06.07.2010 20:45:12 0774 I SAUAdapter - SAU Returning Adapter: 00BD8D20
    06.07.2010 20:45:12 0774 I SAUAdapter - SAU RegisterStateObserver : 00BD8C10
    06.07.2010 20:45:12 0774 I SAUAdapter - SAU RegisterConfigStateObserver : 00BD8C14
    06.07.2010 20:45:12 0774 I SAUAdapter - SAU RegisterEventObserver : 00BD8C38
    06.07.2010 20:45:12 0774 I ALC adapter loaded
    06.07.2010 20:45:14 0774 I SAV adapter loaded
    06.07.2010 20:45:14 06C4 I SAUAdapter - SAU AdapterImpl: Notifying agent of configuration change
    06.07.2010 20:45:14 06C4 I ALC state observer received a configuration
    06.07.2010 20:45:15 06C4 I SAUAdapter - SAU AdapterImpl: Notifying agent of status change: <?xml version="1.0" encoding="utf-8" ?><status xmlns="com.sophos\mansys\status" type="sau"><CompRes xmlns="com.sophos\msys\csc" Res="Same" RevID="{93C31B0F-D5D9-493A-8282-2124A84AA5EA}" policyType="1" /><autoUpdate xmlns="http://www.sophos.com/xml/mansys/AutoUpdateStatus.xsd"><endpoint id="18670b2a-4337-4f14-b42e-a87553459d29" /></autoUpdate></status>
    06.07.2010 20:45:15 06C4 I ALC state observer notified that ALC is running
    06.07.2010 20:45:15 06C4 I ALC state observer received a status: <?xml version="1.0" encoding="utf-8" ?><status xmlns="com.sophos\mansys\status" type="sau"><CompRes xmlns="com.sophos\msys\csc" Res="Same" RevID="{93C31B0F-D5D9-493A-8282-2124A84AA5EA}" policyType="1" /><autoUpdate xmlns="http://www.sophos.com/xml/mansys/AutoUpdateStatus.xsd"><endpoint id="18670b2a-4337-4f14-b42e-a87553459d29" /></autoUpdate></status>
    06.07.2010 20:45:15 0774 I
    06.07.2010 20:45:15 085C I SDDM:SCAPI Calling Connect...
    06.07.2010 20:45:15 085C I SDDMA: An uninitialized socket was created.
    06.07.2010 20:45:16 0320 W MSClient::Connect: failed to get router's IOR from supplied address and port.
    06.07.2010 20:45:16 0320 E NoRouterIORException: Caught MSClient::Connect: failed to get router's IOR from supplied address and port.
     ClientConnection::Reconnect()

    06.07.2010 20:45:16 085C I SDDMA: Failed to connect to the SUM host: connection was refused
    06.07.2010 20:45:16 085C I SDDMA: The socket 1016 was shut down.
    06.07.2010 20:45:16 085C I SDDMA: The socket 1016 was closed.
    06.07.2010 20:45:16 085C E SDDM:SCAPI threw an exception: Failed to connect to the SUM host: connection was refused
    06.07.2010 20:45:16 0774 I SDDM adapter loaded
    06.07.2010 20:45:21 031C I SAV state observer notified that SAV is running
    06.07.2010 20:45:21 031C I SAV state observer received a status: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>

    Not sure if the logs are information overload, but I would appreciate it if they mean more to you than they do to me.


    Thanks for all the help :)

    :3793
  • I'm seeing these same errors in our RMS agent logs however we have not yet gone to EC 4.5.  We currently have 4.0 installed and we are seeing Event ID 8009 (Sending message to computer Router$PC_NAME:63156 failed, router may have stopped.) all over the place.  All PC_NAME machines are reporting back to the Enterprise Console as unknown.  Just wondering if anyone has any info.  Thanks!

    :3899
  • Hi,

    Firstly, I'll clear up a couple of things in terms of the ports required to be open for RMS to work:

    In order for the management server's message router to connect to the client for immediate message delivery downstream, the client needs port 8194 TCP open. If the server's message router is unable to connect to the client on TCP 8194, then the system relies on the client polling the server for outstanding messages. The poll interval is defined in the registry as the GetterInterval, which is 15 minutes. The client does initiate the connection to the server and is required to be able to connect on ports 8192 and 8194 (both TCP).

    So on the server allow incoming TCP to 8192 and 8194.

    On the clients, incoming TCP 8194 is preferred to speed up downstream messages reaching the client, but RMS will work, albeit slower, as long as the client can connect to the server.

    The log shows 2 things of interest:

    1.

    06.07.2010 20:45:16 0320 E NoRouterIORException: Caught MSClient::Connect: failed to get router's IOR from supplied address and port.
    ClientConnection::Reconnect()

    This shows that the Sophos Agent service (ManagementAgentNT.exe) is unable to contact port 8192 TCP on the machine.  

    The agent is trying to read the IOR string exposed by the message router (routernt.exe) on port 8192.  If it can't do this, then it can't read the IOR string which tells the agent to connect back on port 8194 TCP of the router.  Without this communication, status of the machine will not be returned as the agent gathers this information and sends it into the system via the router.

    This could be a transient error and you may see this if the router is restarted, for example, but the first thing to check is that the router is started, and then consider why another local process on the machine is unable to connect to port 8192. I would expect this to be a transient error, though.

    2.

    The Sophos agent process needs to establish a connection to Sophos Update Manager to report on what it is doing.

    To do this, the agent connects to TCP port 51234, which is exposed by the SUM process.

    So again it is 2 local processes trying to communicate with each other using a socket.

    So in summary:

    I would check that you have the SUM process listening on 51234 and that the router is listening on 8192.

    I hope this offers some guidance.

    Thanks,

    Jak

    :3906
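
The checks suggested in the last reply, as an added example (not part of the original thread and not Sophos code): it maps the two agent-log errors to the local ports named above and repeats the telnet test in script form. The function names, the `IOR:` banner prefix, and the router sending it without being prompted are assumptions.

```python
import re
import socket

# Log message -> local listener to check, per the reply above.
CHECKS = [
    (re.compile(r"failed to get router's IOR"), "router (routernt.exe)", 8192),
    (re.compile(r"Failed to connect to the SUM host"), "Sophos Update Manager", 51234),
]
# Layout of the posted log: date time thread-id level(I/W/E) message
LINE = re.compile(r"^\s*(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) (\w{4}) ([IWE]) (.*)$")
# Lines copied from the agent log posted earlier in the thread.
SAMPLE = """\
06.07.2010 20:45:16 0320 W MSClient::Connect: failed to get router's IOR from supplied address and port.
06.07.2010 20:45:16 0320 E NoRouterIORException: Caught MSClient::Connect: failed to get router's IOR from supplied address and port.
 ClientConnection::Reconnect()
06.07.2010 20:45:16 085C I SDDMA: Failed to connect to the SUM host: connection was refused
06.07.2010 20:45:16 085C E SDDM:SCAPI threw an exception: Failed to connect to the SUM host: connection was refused
"""

def triage(log_text):
    """Return {port: (component, first_timestamp, hit_count)}."""
    found = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation line, e.g. ClientConnection::Reconnect()
        stamp, msg = m.group(1), m.group(4)
        for pattern, component, port in CHECKS:
            if pattern.search(msg):
                _, first, count = found.get(port, (component, stamp, 0))
                found[port] = (component, first, count + 1)
    return found

def probe(host, port, timeout=3.0):
    """Scripted telnet test. Assumes an IOR banner starts with b'IOR:'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return "ior" if s.recv(16).startswith(b"IOR:") else "open"
            except socket.timeout:
                return "open"  # listening, but nothing was sent to us
    except ConnectionRefusedError:
        return "refused"  # nothing is listening on that port
    except OSError:
        return "unreachable"  # filtered, timed out or reset

if __name__ == "__main__":
    for port, (name, first, n) in sorted(triage(SAMPLE).items()):
        print(f"{name}: {n} hit(s), first {first}; 127.0.0.1:{port} is {probe('127.0.0.1', port)}")
```

A `refused` result on the management server for 8192 or 51234 means the router or SUM process is not listening, which matches the "connection was refused" entries in the log.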