MACs not showing up to date in console

Hi

I am a relative noob (so keep any answers dumbed down). I have several MACs (running both Sierra and High Sierra). As far as I can see the clients are fine and think they are up to date (in some instances I have removed and reinstalled Sophos). But some are still showing in the console under "Up to date" as an old date (in some cases months out).

In some (but not all) cases they have a red cross next to the computer icon even though I know for a fact the MACs are switched on. The clients are running version 9.7.8 and the console is version 5.5.0

Any suggestion or advice?



This thread was automatically locked due to age.
  • Hello Mike Walker1,

    they are probably not communicating with the management server. Please check the /Library/Logs/SophosMessageRouter/NetworkReport/ReportData.xml and the Router logs (see for example here).

    Christian

  • Thanks for your reply.

    I have had a look at the above logs and (to my inexperienced eye) I can see no errors. I have also had a look at the logs located at /Library/Logs/SophosManagementAgent and found the following entry repeated many times:

    01.04.2019 15:07:12 0B1F I Initializing ...
    01.04.2019 15:07:12 0B1F I Running certificate verification...
    01.04.2019 15:07:12 0B1F W Failed to obtain public key certificate.
    01.04.2019 15:07:12 0B1F I Deleting store...
    01.04.2019 15:07:12 0B1F I Getting new certificate...
    01.04.2019 15:07:12 0B1F E CORBA::Exception: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
    OMG minor code (2), described as 'No usable profile in IOR.', completed = NO
     ClientConnection::Reconnect()

    Interestingly I also have three MACs (Sierra) that are greyed out in the Sophos Console (in the Computers container in both Active Directory and the SEC) and have no entry in the Policy compliance, Up to date and On-access columns. These have exactly the same message in the same logs. I had thought these were separate issues. I am guessing the two are related?

     

  • Hello Mike Walker1,

    greyed out computers are computers that have been imported by some means and not yet established communication with the management server, likely a related issue.

    The Agent log suggests the computer could not register - I'd assume some error in the Router log as well.

    Christian

  • Hi Christian

     

    I have compared the Report Data from the Router logs of a MAC (High Sierra) that shows its month out-of-date, another (Sierra) that's greyed out in SEC, and one that's reporting ok. The only difference I can see is the port number(?).


    Router$P8-5999:1386314        (High Sierra)
    Router$C20-6259:1386317      (Sierra)
    Router$C20-6257:756486        (Sierra – Working/reporting ok)


    Here is the P8 MAC log for reference.

    <?xml version='1.0' encoding='UTF-8' ?>
    <?xml-stylesheet type='text/xsl' href='transform.xslt' ?>
    <RMS_status_report>
    <string msg='explanation' />
    <sections>
    <section name='DNS'>
        <string msg='OK' />
    </section>
    <!-- And another -->
    <section name='Certification'>
        <string msg='OK' />
    </section>
    <!-- And another -->
    <section name='Incoming'>
        <string msg='OK' />
    </section>
    <!-- And another -->
    <section name='Outgoing'>
        <string msg='OK' />
    </section>
    <!-- And another -->
    </sections>
    <computer_data>
    <language>
    C
    </language>
    <local_time>
    Tue Apr  2 07:01:46 2019
    </local_time>
    <GMT>
    Tue Apr  2 06:01:46 2019
    </GMT>
    <computer_name>
    P8-GC5999
    </computer_name>
    <workgroup>
    ACADEMIC
    </workgroup>
    <router_name>
    Router$P8-GC5999:1386314
    </router_name>
    <IOR_port>8192</IOR_port>
    <SSLIOP_port>8194</SSLIOP_port>
    <parent_addresses>
    10.0.0.60,COLUMBO2.academic.greenhead.ac.uk,COLUMBO2
    </parent_addresses>
    <actual_parent>
    10.0.0.60
    </actual_parent>
    <router_type>
    endpoint
    </router_type>
    </computer_data>
    </RMS_status_report>

     

    Nothing jumps out at me as an error, but I am not sure what I am looking for...

    Thanks for your continued help.

     

    Mike

  • Hello Mike,

    indeed this looks ok, the endpoint (that seems to belong to the academic domain) could contact the server with IP 10.0.0.60. You say it did report some time ago? And if you view all computers in the console there's only one P8-GC5999 and the correct group?

    I think it's necessary to inspect the Router and Agent logs, it's best to restart the SophosManagementAgent and SophosMessageRouter to get "clean" logs.

    Christian

  • Both MACs are bound to the same (academic) domain and are in the "Computer" OU of Active Directory and are located in the "Computer" container in the SEC.

    Yesterday I restarted the Sophos Management Service (I have no Sophos Management Agent) and Sophos MessageRouter on the Server.

     

    This morning the P8 MAC (High Sierra) is showing in the SEC with a red cross next to it (it is on, I am remoted into it), Awaiting policy transfer, and was last in contact with the server 25/07/18.

    The Router log looks ok (no obvious issues reported). However the Agent log is showing-

    4.04.2019 11:21:16 0BE8 I Initializing ...
    04.04.2019 11:21:16 0BE8 I Running certificate verification...
    04.04.2019 11:21:16 0BE8 W Failed to obtain public key certificate.
    04.04.2019 11:21:16 0BE8 I Deleting store...
    04.04.2019 11:21:16 0BE8 I Getting new certificate...
    04.04.2019 11:21:16 0BE8 E CORBA::Exception: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
    OMG minor code (2), described as 'No usable profile in IOR.', completed = NO
     ClientConnection::Reconnect()


    The C20 MAC (Sierra) is still greyed out in the SEC. Both the Router and Agent logs show "Caught CORBA system exception" message. 

  • Hello Mike,

    first of all:
    a red cross [but] it is on
    it's a common misconception that the cross or its absence indicates turned off/on or offline/online. It refers to the communication status as perceived by the management server. If the endpoint has successfully initiated communication it appears as connected, if it has terminated communication it's disconnected. Thus disconnected doesn't indicate the machine is shut down (v.v. the status could still be connected even if the endpoint is down - this happens if it is forcibly disconnected from the network).

    the Agent has to establish an internal connection with the Router but apparently it fails. If I'm not mistaken No usable profile in IOR suggests it can connect to port 8192 (where the Router is listening) and receives an IOR but the IOR is for whatever reason invalid. You won't find a corresponding error in the Router log (the Router from its POV is listening and providing what it thinks is a valid IOR) but there should be a line containing 10CC I This router's IOR: followed by a line starting with IOR:01000000. As parc.com no longer provides the Online IOR Parser you'd need some tool to decode it (although it can be done "by hand").

    Christian       
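
The "by hand" decoding mentioned in the reply above, as an added example (not part of the thread and not Sophos code): a stringified IOR is hex-encoded CDR, and this Python reader lists its tagged profiles and the host and port of any IIOP profile. The sample IOR, its type id and its address are constructed for illustration.

```python
import struct

TAG_INTERNET_IOP = 0  # tag of an IIOP profile (host + port)

class Cdr:
    """CDR reader for the types an IOR uses; alignment is relative to offset 0."""
    def __init__(self, data, pos=1):
        self.data, self.pos = data, pos
        self.order = "<" if data[0] & 1 else ">"  # octet 0: 1 = little-endian

    def num(self, fmt, size):
        self.pos += -self.pos % size  # pad to the type's natural boundary
        (value,) = struct.unpack_from(self.order + fmt, self.data, self.pos)
        self.pos += size
        return value

    def octets(self):  # sequence<octet>: ulong length, then the bytes
        n = self.num("I", 4)
        if self.pos + n > len(self.data):
            raise ValueError("IOR is truncated")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def string(self):  # CDR string: the length counts the trailing NUL
        return self.octets().rstrip(b"\0").decode("latin-1")

def decode_ior(line):
    """Return (type_id, profiles) for a stringified 'IOR:<hex>' value."""
    line = line.strip()
    if not line.upper().startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    cdr = Cdr(bytes.fromhex(line[4:]))
    type_id, profiles = cdr.string(), []
    for _ in range(cdr.num("I", 4)):  # sequence<TaggedProfile>
        tag, body = cdr.num("I", 4), cdr.octets()
        profile = {"tag": tag, "length": len(body)}
        if tag == TAG_INTERNET_IOP:
            enc = Cdr(body, pos=3)  # skip byte order, major, minor octets
            profile.update(version=(body[1], body[2]),
                           host=enc.string(), port=enc.num("H", 2))
        profiles.append(profile)
    return type_id, profiles

def iiop_endpoints(line):
    """host:port pairs the IOR advertises; empty means no IIOP profile at all."""
    return ["%s:%d" % (p["host"], p["port"])
            for p in decode_ior(line)[1] if p["tag"] == TAG_INTERNET_IOP]

# Constructed sample (not from the thread): one IIOP 1.0 profile, little-endian.
SAMPLE = ("IOR:01000000" "0d000000" "49444c3a44656d6f3a312e3000" "000000"
          "01000000" "00000000" "20000000" "01010000" "0b000000"
          "3139322e302e322e313000" "00" "0220" "0000" "04000000" "64656d6f")
```

Passing the `IOR:01000000...` line from the Router log to `decode_ior` shows how many profiles the Router is handing out and which host name or address each IIOP profile carries.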
