
Client computers - Up to date status: unknown

Hey,

Enterprise Console: v 4.5.1

Endpoint: v 9.5

I have a problem that has quite literally come out of the blue.

I have 42 computers of about 280 total that are currently reporting that their "Up to date" status is "Unknown".

This appeared around 11:30 a.m. today.

When I had checked the Sophos Enterprise Console this morning there were no such reports.

Each machine is reporting a status of:

Up to date: Unknown

Time installed package became available: Unknown

Time next package became available: Unknown

I ran across this thread:

It describes the exact same problem that I am having.

This issue though was reported way back in June and has already been corrected.

Is anyone else experiencing this same issue?

I have not made any changes to any of the policies and we have not made any changes to the network or the server.

Any ideas as to what might be causing this?

Thank you

Cheers

  • Hi,

    If you see my post here: it will tell you a bit about what is going on and how it should work. The most likely scenario is that the package information from SUM isn't making it to the packages table of the database. The clients, however, are sending in status messages as they continue to get updates. As the clients' package information doesn't match anything put there by SUM, it can't make a decision about the update status, so it's shown as unknown.

    Do you have multiple SUMs?

    If No, I would:

    1. Close the SEC console

    2. Stop the Sophos Update Manager service

    3. Stop the Sophos Agent service.

    4. Stop the Sophos Message Router Service

    5. Stop the Sophos Management Service

    Then Start them up again in this order:

    1. Sophos Update Manager service

    2. Sophos Message Router Service

    3. Sophos Management Service

    4. Sophos Agent service.

    5. SEC console

    Wait a few minutes for the latest status message from SUM to get to the database. Once it does, all the machines should show as up to date I would think.

    If you have multiple SUMs I would suggest making the SUM which is on the same machine as the management server the authoritative SUM as per:

    http://www.sophos.com/support/knowledgebase/article/57638.html

    Also ensure that this SUM is subscribed to all the subscriptions you have.  Once done, the latest status message should find its way to the database and change the state of the machines to be correct.

    Thanks,

    Jak

  • I'm experiencing the same error that toddh mentioned with several of our workstations listing as "Unknown" in the Up to date field.

    I checked on a few of the actual machines and they have been updated as recently as a few minutes ago, yet the update status still reports incorrectly.

    I tried the solution that jak posted, but the status is still being listed as "Unknown".

    Could this be a problem on Sophos' end if several people are experiencing the same issue?

  •   @ jak

    Hey,

    Thank you for the response jak.

    I have read your post in the other topic (I am sorry I didn't come across that while I was hunting earlier)..... about 4 times now.

    It is pretty in-depth and I am still having a bit of a hard time wrapping my head around exactly what is going on.

    At any rate. Currently I am only running a single SUM.

    I went ahead and tried the stopping and starting of the services you suggested.

    After about 25 minutes I noticed that the number went from 43 machines reporting "Unknown" to 39.

    Not a huge drop, but a decrease nonetheless.

    I will wait a little while longer and report back what I find. Hopefully by that point it has dropped further.

    Thank you,

    Cheers

  • Hey,

    Thank you jak , you saved me from a headache.

    It looks like your solution worked like a charm.

    After about an hour or so now, all machines that were showing "Unknown" as their "Up to date" status have all returned back to "Yes"

    Thanks a million for pointing out that little fix to try, I was thinking I might have to do a whole lot more to get it back up and running.

    Cheers

  • Hi,

    If you were to run the SQL command:

        -- For each computer, show its update locations and the package row it points to
        select
            c.name,
            c.PrimaryCIDLoc,
            c.SecondaryCIDLoc,
            p.ProductID,
            p.SAVVersion,
            p.EngineVersion,
            p.VirusDataVersion,
            p.IDEChecksum,
            p.ExpiryTime,
            p.Expired,
            p.RolloutNumber
        from ComputersAndDeletedComputers as c with (nolock)
        inner join Packages as p with (nolock)
            on p.ID = c.PackageID

    Against the SOPHOS45 database.

    Note: If you don't have the SQL tools:

    sqlcmd.exe -S .\SOPHOS -d sophos45 -s, -i C:\sql.sql -o results.csv 

    where sql.sql is a text file containing the above command will get you the output.

    I assume all the machines that show as "Unknown" have a RolloutNumber as null, i.e. not a number. The clients should have a RolloutNumber in this query as 99999999 if they are updating from a distribution point managed by SUM and a number other than 99999999 if they are managed from a CID maintained by EMLibrary.

    To work the data through the system, you should see in the Sophos Agent logs:
    C:\programdata\Sophos\Remote Management System\3\Agent\Logs\
    the part where Agent logs on to SUM if it is restarted:
    "I SDDMA: The adapter is connected to SDDM."
    The agent should then gather a status message from SUM and send it to the management service via the router.
    "I SendStatus: Sent EM-GetStatus-Reply"
    You can see in the snippets of XML the product information.
    Once this gets to the Sophos Management Service, if the status has come from the authoritative SUM it should be entered into the packages table as a call to the stored procedure SDDMPackageAdd is made.
    To locate the part in the management service log where this data is considered, in the file:
    C:\programdata\Sophos\Sophos Endpoint Management\4.7\log\sophos-management-services.log
    You should see a reference to the word "currency".
    Hopefully this will give you more to explore.
    Regards,
    Jak
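A way to triage the `results.csv` produced by the `sqlcmd` command in the post above, as an added example that is not part of the original thread or Sophos tooling. It assumes the layout `sqlcmd -s,` normally writes (padded fields, a dashed separator row, `NULL` as literal text, a row-count trailer); the sample rows, computer names and the rollout value 312 are constructed, and only three of the query's columns are shown.

```python
import csv
import io

SUM_ROLLOUT = "99999999"  # RolloutNumber the post gives for SUM-managed distribution points

# Constructed sample in the shape sqlcmd -s, writes (subset of the query's columns).
SAMPLE = r"""name      ,PrimaryCIDLoc                        ,RolloutNumber
----------,-------------------------------------,-------------
PC-001    ,\\s1\SophosUpdate\CIDs\S000\SAVSCFXP ,     99999999
PC-002    ,\\s1\SophosUpdate\CIDs\S000\SAVSCFXP ,         NULL
PC-003    ,\\s2\SophosUpdate\CIDs\S000\SAVSCFXP ,          312

(3 rows affected)
"""


def classify(csv_text):
    """Group computer names by what their package row's RolloutNumber implies."""
    groups = {"unknown": [], "sum": [], "emlibrary": []}
    rows = csv.reader(io.StringIO(csv_text))
    header = [h.strip().lower() for h in next(rows)]
    name_i, roll_i = header.index("name"), header.index("rolloutnumber")
    for row in rows:
        cells = [c.strip() for c in row]
        # Skip blank lines, the dashed separator row and the "(N rows affected)" trailer.
        if len(cells) != len(header) or set(cells[0]) <= {"-"}:
            continue
        rollout = cells[roll_i]
        if rollout in ("NULL", ""):
            groups["unknown"].append(cells[name_i])    # no SUM package info yet
        elif rollout == SUM_ROLLOUT:
            groups["sum"].append(cells[name_i])        # SUM-managed distribution point
        else:
            groups["emlibrary"].append(cells[name_i])  # CID maintained by EMLibrary
    return groups


if __name__ == "__main__":
    for state, names in classify(SAMPLE).items():
        print(f"{state}: {len(names)} {names}")
```

The "unknown" group should match the machines the console lists with an "Up to date" status of "Unknown"; if it keeps shrinking after the service restart, the package information is reaching the database.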
  • I agree with toddh, thanks again jak!

    After waiting awhile ours also started to return back to normal.

    Still a few left but I'm hopeful they will return to normal shortly.

  • Hi guys, glad it's sorting itself out.

    It can be a transient state.  For example, if I have a SUM which updates 3 distribution points and 3 clients, Client1, Client2 and Client3 which update from the respective server.

    \\s1\SophosUpdate\CIDs\S000\SAVSCFXP  <-Client1

    \\s2\SophosUpdate\CIDs\S000\SAVSCFXP  <-Client2

    \\s3\SophosUpdate\CIDs\S000\SAVSCFXP  <-Client3

    SUM pulls down a new update and updates S1, it then updates S2 and finally S3.  It does them sequentially so S3 could take some time to be updated.  While SUM is still updating S3, Client 1, updating from S1 picks up the new update very quickly and sends in a new Status message to say, among other things, I have checksum xxxlatestxxx.  The management service says, I've no idea what you're talking about but I'll have to store this information so I can display the version you have in the packages table.

    Finally when S3 is updated, the status message is sent in; the management service checks if it's from the authoritative SUM and updates the row in the packages table that was put there by Client 1 and this becomes a "SUM" managed package, i.e. it has a rollout number and ExpiryTime.  As Client1 is still pointing to this same package ID it switches to UpToDate.

    So there is a slight race condition that could cause this transient state.  

    Does your SUM maintain multiple CIDs?  

    Did one take longer to update than normal?

    Thanks,

    Jak
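The ordering problem described in the post above, replayed as a small model (an added example, not Sophos code and not part of the original thread). The class and method names, the SUM names `SUM-A`/`SUM-B` and the expiry string are hypothetical; the model only distinguishes "Unknown" from "Yes" and ignores expiry handling.

```python
from dataclasses import dataclass
from typing import Optional

SUM_ROLLOUT = 99999999  # RolloutNumber the thread gives for SUM-managed packages


@dataclass
class Package:
    checksum: str
    rollout: Optional[int] = None  # stays None until the authoritative SUM reports it
    expiry: Optional[str] = None


class ManagementService:
    """Toy model of the packages-table behaviour as described in the thread."""

    def __init__(self, authoritative_sum):
        self.authoritative_sum = authoritative_sum
        self.packages = {}   # checksum -> Package row
        self.computers = {}  # computer name -> checksum it last reported

    def client_status(self, computer, checksum):
        # A client may report a package SUM has not announced yet; the row is stored anyway.
        self.packages.setdefault(checksum, Package(checksum))
        self.computers[computer] = checksum

    def sum_status(self, sum_name, checksum, expiry):
        # Only the authoritative SUM's status turns a row into a SUM-managed package.
        if sum_name != self.authoritative_sum:
            return False
        pkg = self.packages.setdefault(checksum, Package(checksum))
        pkg.rollout, pkg.expiry = SUM_ROLLOUT, expiry
        return True

    def up_to_date(self, computer):
        pkg = self.packages[self.computers[computer]]
        return "Unknown" if pkg.rollout is None else "Yes"


def replay():
    """Client1 reports first, a non-authoritative SUM second, the authoritative SUM last."""
    svc = ManagementService(authoritative_sum="SUM-A")
    states = []
    svc.client_status("Client1", "xxxlatestxxx")  # S1 already updated, S3 still pending
    states.append(svc.up_to_date("Client1"))
    svc.sum_status("SUM-B", "xxxlatestxxx", "constructed-expiry")  # ignored
    states.append(svc.up_to_date("Client1"))
    svc.sum_status("SUM-A", "xxxlatestxxx", "constructed-expiry")  # row becomes SUM-managed
    states.append(svc.up_to_date("Client1"))
    return states
```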

  • @ jak

    Hey jak,

    Thank you for the additional information that you have provided. I re-read your posts this morning and it is starting to make a little more sense. I went onto one of the clients that was having the problem and I went through the agent's logs. I do not see the "I SDDM.." that you mentioned. But I do see the dialog that is occurring between the SUM and the client. I am going to do some further reading of these logs to see if I can continue to gain a better understanding.

    The last example that you gave cleared things up a little bit more. I think this explains why the machines gradually began to drop off the out of date list as opposed to them all dropping at the same time.

    I believe that the machines began to show a status of "Yes" gradually over about an hour and a half. By which point all the ones that were originally reporting the message had returned to the normal state of "Yes".

    Because of the size of our network we have a very small deployment of Sophos consisting of only one server. All of the services are maintained by one system with the SUM only updating one CID.

    For one taking longer than the other to update, I am not entirely sure what you are referring to. I believe though that since the machines gradually began to drop off the list over a period of time this could mean that one was taking longer than the other to update? <---- this would be an example of what you wrote in your last response?

    Thank you again for taking the time to help out.

    Cheers

  • The entry in the agent log regarding SUM would only be on the SUM machine, not on all the clients.

    As for "one taking longer to update" I'm referring to SUM pushing out CIDs.  If SUM is having to write a second or third CID over a slow link that could take longer and therefore increase the overall time SUM takes to update all the CIDs, this in turn would extend the period between the first CID being updated (and possibly a client updating) and the status message from the SUM regarding the package info.

    As you only have a single SUM and a single CID, this wouldn't be the case.

    Do the clients update from Sophos as a secondary location, could this have happened? Could the clients have gotten "ahead" of the local SUM and therefore reported in a package unknown to SUM until SUM caught up?

    Jak

  • Sorry for confusing that; I wasn't entirely sure.

    Currently our desktop machines do not have a secondary location.

    They have a single primary location set for updating from, so I don't think they could have gotten ahead of the local SUM by updating from another.

    Is it possible that the database on the SUM was "stuck" in some way?

    Perhaps it became busy. Or there was a momentary freeze in the system that caused it to stop logging correctly.

    This might explain why it only affected a handful of machines instead of every single machine...

    Not too sure..

    Cheers
