
ENTERPRISE CONSOLE - REMOTE CLIENT NOT CONNECTED

Good morning, for a couple of months our security Enterprise Console has no longer been able to communicate with customers' computers; even the update managers have not been updated for months. Client-side updates, instead, work correctly.
I tried with the following solutions:
- correct communication of  server-side ports and telnet tests from clients
- control of services started
- community.sophos.com/.../time-of-last-binary-update-is-a-long-time-ago
- https://community.sophos.com/products/endpoint-security-control/f/sophos-enterprise-console/96059/most-clients-shown-as-disconnected-in-sec-5-5-0

I have not solved it.
Thank you

Emanuele


This thread was automatically locked due to age.
  • Hello Emanuele,

    are you an MSP?

    client side updates [...] work correctly
    did you also check the Network Communication Report? You say that telnet yourSECserver 8192 works - you did get an IOR: in response? If so, you can parse it here (you have to remove the CRLFs so that the IOR: is a single line).

    Christian
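
What parsing the IOR yields, as an added example (not part of the original thread and not Sophos code): a minimal Python decoder that strips the line breaks from a pasted stringified IOR and reads the repository id plus each IIOP profile's version, host, port and object key. The sample IOR is constructed; its address 192.0.2.10 and the shortened object key are placeholders.

```python
import struct

class CDR:
    """Minimal CDR reader; alignment is counted from the encapsulation start."""
    def __init__(self, data):
        self.buf, self.pos = data, 1
        self.order = "<" if data[0] & 1 else ">"   # first octet: 1 = little-endian

    def num(self, fmt, size):
        self.pos += -self.pos % size               # skip padding to natural alignment
        (value,) = struct.unpack_from(self.order + fmt, self.buf, self.pos)
        self.pos += size
        return value

    def octets(self):                              # ulong length, then that many bytes
        n = self.num("I", 4)
        raw = self.buf[self.pos:self.pos + n]
        if len(raw) != n:
            raise ValueError("truncated IOR")
        self.pos += n
        return raw

def parse_ior(text):
    """Return (repository id, [(iiop version, host, port, object key), ...])."""
    s = "".join(text.split())                      # drop CR/LF and spaces from the paste
    if not s.upper().startswith("IOR:") or len(s) < 6:
        raise ValueError("not a stringified IOR")
    cdr = CDR(bytes.fromhex(s[4:]))
    type_id = cdr.octets().rstrip(b"\0").decode("ascii")
    endpoints = []
    for _ in range(cdr.num("I", 4)):               # number of tagged profiles
        tag, body = cdr.num("I", 4), cdr.octets()
        if tag != 0:                               # only TAG_INTERNET_IOP profiles
            continue
        p = CDR(body)
        p.pos = 3                                  # skip the IIOP major/minor octets
        host = p.octets().rstrip(b"\0").decode("ascii")
        port = p.num("H", 2)
        endpoints.append((f"{body[1]}.{body[2]}", host, port, p.octets()))
    return type_id, endpoints

# Constructed sample, wrapped over several lines as a terminal paste would be.
SAMPLE = """IOR:0100000026000000
49444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e3000
0000010000000000000030000000
010102000b0000003139322e302e322e31300000012000000d000000
4d657373616765526f7574657200000000000000"""

if __name__ == "__main__":
    print(parse_ior(SAMPLE))
```

The host and port in the result are what the router advertises for the next connection, so they can be compared with the address the client is actually able to reach.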

  • Yes, I am a partner.

     

    Network report says everything is OK.

     

    telnet result, internal network:

     

    _IIOP_ParseCDR:  byte order LittleEndian, repository id <IDL:SophosMessaging/MessageRouter:1.0>, 1 profile
    _IIOP_ParseCDR:  profile 1 is 164 bytes, tag 0 (INTERNET), LittleEndian byte order
    (iiop.c:parse_IIOP_Profile):  bo=LittleEndian, version=1.2, hostname=10.234.0.53, port=8193, object_key=<....NUP...!........RootPOA.RouterPersistent.........MessageRouter>
    (iiop.c:parse_IIOP_Profile):  encoded object key is <%14%01%0F%00NUP%00%00%00%21%00%00%00%00%01%00%00%00RootPOA%00RouterPersistent%00%03%00%00%00%01%00%00%00MessageRouter>
    (iiop.c:parse_IIOP_Profile):  non-native cinfo is <iiop_1_2_1_%2514%2501%250F%2500NUP%2500%2500%2500%2521%2500%2500%2500%2500%2501%2500%2500%2500RootPOA%2500RouterPersistent%2500%2503%2500%2500%2500%2501%2500%2500%2500MessageRouter@tcp_10.234.0.53_8193>
    object key is <#14#01#0F#00NUP#00#00#00!#00#00#00#00#01#00#00#00RootPOA#00RouterPersistent#00#03#00#00#00#01#00#00#00MessageRouter>;
     no trustworthy most-specific-type info; unrecognized ORB type;
     reachable with IIOP 1.2 at host "10.234.0.53", port 8193

    object key is <#14#01#0F#00NUP#00#00#00!#00#00#00#00#01#00#00#00RootPOA#00RouterPersistent#00#03#00#00#00#01#00#00#00MessageRouter>;
     no trustworthy most-specific-type info; unrecognized ORB type;
     reachable with IIOP 1.2 at host "10.234.0.53", port 8193



    telnet from remote client:

    _IIOP_ParseCDR:  byte order LittleEndian, repository id <IDL:SophosMessaging/MessageRouter:1.0>, 1 profile
    _IIOP_ParseCDR:  profile 1 is 164 bytes, tag 0 (INTERNET), LittleEndian byte order
    (iiop.c:parse_IIOP_Profile):  bo=LittleEndian, version=1.2, hostname=10.234.0.54, port=8193, object_key=<....NUP...!........RootPOA.RouterPersistent.........MessageRouter>
    (iiop.c:parse_IIOP_Profile):  encoded object key is <%14%01%0F%00NUP%00%00%00%21%00%00%00%00%01%00%00%00RootPOA%00RouterPersistent%00%03%00%00%00%01%00%00%00MessageRouter>
    (iiop.c:parse_IIOP_Profile):  non-native cinfo is <iiop_1_2_1_%2514%2501%250F%2500NUP%2500%2500%2500%2521%2500%2500%2500%2500%2501%2500%2500%2500RootPOA%2500RouterPersistent%2500%2503%2500%2500%2500%2501%2500%2500%2500MessageRouter@tcp_10.234.0.54_8193>
    object key is <#14#01#0F#00NUP#00#00#00!#00#00#00#00#01#00#00#00RootPOA#00RouterPersistent#00#03#00#00#00#01#00#00#00MessageRouter>;
     no trustworthy most-specific-type info; unrecognized ORB type;
     reachable with IIOP 1.2 at host "10.234.0.54", port 8193

    object key is <#14#01#0F#00NUP#00#00#00!#00#00#00#00#01#00#00#00RootPOA#00RouterPersistent#00#03#00#00#00#01#00#00#00MessageRouter>;
     no trustworthy most-specific-type info; unrecognized ORB type;
     reachable with IIOP 1.2 at host "10.234.0.54", port 8193


     

  • Hello Emanuele,

    only this customer's computers are out of date (are they also disconnected)?
    Next thing I'd check is the Router log (%ProgramData%\Sophos\Remote Management System\3\Router\Logs\) on one of the remote endpoints.

    Christian

  • Yes, our computers are OK, so I thought it was an outgoing connection problem and tested telnet to the ports.

    Customer's computers are updated (they reach name.domain.xxx:8181); I only see them disconnected from the console.

    I forgot to mention that I've also updated SEC to 5.5.1.

     

    Router log on remote endpoint ( also update manager )

     

    Last entries: 

     

    04.07.2018 10:22:44 06DC I Getting parent router IOR from update.xx.xxx:8192
    04.07.2018 10:22:44 06DC I Received parent router's IOR:
    IOR:54765897890.......
    04.07.2018 10:22:44 06DC I Successfully validated parent router's IOR
    04.07.2018 10:22:44 06DC I Accessing parent
    04.07.2018 10:25:17 0D10 I RouterTableEntry state (router, logging on): Router$workstation:153099 is active consumer (will try to notify), active supplier
    04.07.2018 10:25:17 0D10 I Writing router table file
    04.07.2018 10:25:17 0D10 W Notification threshold calls will not be attempted, because the number of notification threshold threads is 0
    04.07.2018 10:25:17 0D10 I Logged on Router$WRK575HP:153099 as a router
    04.07.2018 10:25:17 0640 I Routing to parent: id=013C846D, origin=Router$upmang:144026, dest=EM, type=EM-RouterLogon
    04.07.2018 10:25:31 0D10 I RouterTableEntry state (router, logging on): Router$WRK569bis:153103 is active consumer (will try to notify), active supplier
    04.07.2018 10:25:31 0D10 W Notification threshold calls will not be attempted, because the number of notification threshold threads is 0
    04.07.2018 10:25:31 0D10 I Logged on Router$WRK569bis:153103 as a router
    04.07.2018 10:25:31 0640 I Routing to parent: id=013C847B, origin=Router$upmang:144026, dest=EM, type=EM-RouterLogon
    04.07.2018 10:25:49 0E7C I RouterTableEntry state (router, logging on): Router$WRK569HP:153071 is active consumer (will try to notify), active supplier
    04.07.2018 10:25:49 0E7C W Notification threshold calls will not be attempted, because the number of notification threshold threads is 0
    04.07.2018 10:25:49 0E7C I Logged on Router$WRK569HP:153071 as a router
    04.07.2018 10:25:49 0640 I Routing to parent: id=013C848D, origin=Router$upmang:144026, dest=EM, type=EM-RouterLogon
    04.07.2018 10:26:01 0D10 I RouterTableEntry state (router, logging on): Router$WRK556HPZ:153234 is active consumer (will try to notify), active supplier
    04.07.2018 10:26:01 0D10 W Notification threshold calls will not be attempted, because the number of notification threshold threads is 0
    04.07.2018 10:26:01 0D10 I Logged on Router$WRK556HPZ:153234 as a router
    04.07.2018 10:26:01 0640 I Routing to parent: id=013C8499, origin=Router$upmang:144026, dest=EM, type=EM-RouterLogon
    04.07.2018 10:26:44 13D4 W Delivery failed(Timeout) for message type EM-GetStatus-Reply, originator Router$ELSUM01:144026.Agent
    04.07.2018 10:28:27 0640 I Routing to parent: id=013C852B, origin=Router$upmang:144026.Agent, dest=EM, type=EM-GetStatus-Reply
    04.07.2018 10:30:53 0640 I Routing to parent: id=013C85BD, origin=Router$upmang:144026.Router$WRK568Z:0, dest=CM, type=Certification.UniqueTokenRequest
    04.07.2018 10:31:24 13D4 W Delivery failed(Timeout) for message type Certification.UniqueTokenRequest, originator Router$ELSUM01:144026.Router$WRK568Z:0
    04.07.2018 10:32:07 0640 I Routing to parent: id=013C8607, origin=Router$upmang:144026.Agent, dest=EM, type=EM-EntityEvent
    04.07.2018 10:32:08 0640 I Routing to parent: id=013C8608, origin=Router$upmang:144026.Agent, dest=EM, type=EM-EntityEvent
    04.07.2018 10:32:12 0640 I Routing to parent: id=013C860C, origin=Router$upmang:144026.Agent, dest=EM, type=EM-EntityEvent
    04.07.2018 10:32:32 0640 I Routing to parent: id=013C8620, origin=Router$upmang:144026.Agent, dest=EM, type=EM-GetStatus-Reply
    04.07.2018 10:33:24 06DC E ParentLogon::RegisterParent: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
    OMG minor code (2), described as '*unknown description*', completed = NO

     

     


    04.07.2018 11:07:24 06DC I Getting parent router IOR from name.domain.com:8192
    04.07.2018 11:07:24 06DC I Received parent router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312ecc...
    04.07.2018 11:07:24 06DC I Successfully validated parent router's IOR
    04.07.2018 11:07:24 06DC I Accessing parent
    04.07.2018 11:07:34 13D4 W Delivery failed(Timeout) for message type EM-GetStatus-Reply, originator Router$updatemang:144026.Agent

  • Hello Emanuele,

    as far as I can see this SUM/relay is communicating with its clients, it can also connect to the management server but when it tries to actually send a message it encounters a timeout. What's missing are the lines after Accessing parent:
    Accessing parent
    SSL handshake done, local IP address = xxx.xxx.xxx.xxx
    Parent is Router$UpstreamServer

    It looks like establishing the connection to port 8194 fails with a timeout.

    Christian
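
The log check described in the post above, as an added example (not part of the original thread and not Sophos code): a Python scan of Router log lines that groups entries by parent-connection attempt and flags attempts that logged "Accessing parent" but never "SSL handshake done". The sample lines are constructed from the format shown in this thread; host names, addresses and the timestamp prefix on the handshake lines are assumptions.

```python
import re

# Router log line: "DD.MM.YYYY HH:MM:SS <thread> <I|W|E> <message>"
LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) ([0-9A-F]{4}) ([IWE]) (.*)$")

def parent_attempts(lines):
    """Group log entries by 'Getting parent router IOR' attempt."""
    attempts, cur = [], None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:                       # continuation lines (IOR hex, minor code)
            continue
        ts, _thread, level, msg = m.groups()
        if msg.startswith("Getting parent router IOR from "):
            cur = {"start": ts, "parent": msg.split(" from ", 1)[1], "accessed": False,
                   "handshake": False, "timeouts": 0, "errors": []}
            attempts.append(cur)
        elif cur is None:
            continue
        elif msg == "Accessing parent":
            cur["accessed"] = True
        elif msg.startswith("SSL handshake done"):
            cur["handshake"] = True
        elif msg.startswith("Delivery failed(Timeout)"):
            cur["timeouts"] += 1
        elif level == "E":
            cur["errors"].append(msg)
    return attempts

def stalled(attempts):
    """Attempts that reached 'Accessing parent' but never logged the SSL handshake."""
    return [a for a in attempts if a["accessed"] and not a["handshake"]]

# Constructed sample modelled on the thread's log; hosts and addresses are placeholders.
SAMPLE = """\
04.07.2018 10:22:44 06DC I Getting parent router IOR from relay.example.test:8192
04.07.2018 10:22:44 06DC I Received parent router's IOR:
IOR:0100000026000000...
04.07.2018 10:22:44 06DC I Successfully validated parent router's IOR
04.07.2018 10:22:44 06DC I Accessing parent
04.07.2018 10:26:44 13D4 W Delivery failed(Timeout) for message type EM-GetStatus-Reply, originator Router$RELAY:1.Agent
04.07.2018 10:33:24 06DC E ParentLogon::RegisterParent: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
04.07.2018 11:07:24 06DC I Getting parent router IOR from relay.example.test:8192
04.07.2018 11:07:24 06DC I Accessing parent
04.07.2018 11:07:25 06DC I SSL handshake done, local IP address = 192.0.2.20
04.07.2018 11:07:25 06DC I Parent is Router$UpstreamServer
""".splitlines()

if __name__ == "__main__":
    for a in stalled(parent_attempts(SAMPLE)):
        print(a["start"], a["parent"], "timeouts:", a["timeouts"], a["errors"])
```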

  • Hello, if I telnet to 8194 I receive no error; after some seconds the connection drops.

    Same behavior from internal and external

     

    Any other tests I can do?

  • Hello Emanuele,

    ran out of simple tests. As telnet can connect the Router should also be able to do so. I'd monitor (on the remote machine) the TCP activity on port 8194 with Wireshark.

    Christian

  • I see only this error:

     

    132 37.677772 192.x.x.x 10.x.x.x TCP 62 [TCP Retransmission] 61573 → 8194 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1

     

    10.x.x.x is the internal ip of my message relay

     

    So it's a TCP/IP connection SYN/ACK problem... but nothing has changed on my network or firewall.

     

  • Hello Emanuele,

    clearly no connection established. And if you telnet 10.x.x.x 8194, what does it show then?

    Christian

  • No error, but the command is empty; after some seconds the connection is dropped. But it's the same from a local machine.