All endpoints showing disconnected (red cross) and Update Manager not updating

Hello, using SEC 5.5.2.  Update Manager does nothing when I right click on the Server and select update now.  It was last updated on 18/03/2020.

 

Also, all endpoints are showing disconnected (red cross).

 

When I try to telnet to the Server on port 8192 it fails (could not open a connection to the host) – this happens both from a client and the Server itself (which means it can’t be a firewall issue).

 

The Sophos Network Communications Report from a client says:

State of name resolution (DNS)

Problem description :

There is a problem communicating with the server.

Overview :

Failed to determine the IP address of the computer from its name. Communication cannot start until this problem is resolved.

Possible cause :

DNS is misconfigured or the information is missing or incorrect.

Action to repair :

Verify that the client can resolve the name of the server. Alternatively, use a static IP address on the server (this is the configuration recommended by Sophos).

 

 

State of Sophos security framework

No problems detected.

 

State of incoming communications from server

No problems detected.

 

State of outgoing communications to server

Problem description :

Communication failure.

Overview :

Failed to communicate with the server.

Possible cause :

"Sophos Message Router" service may be stopped on the server, or the server may be disconnected from the network, or a firewall may be blocking communications from the client to the server.

Action to repair :

Verify that the Sophos Message Router ports (by default 8192 and 8194) on the server are accessible by the computer with the problem. Also check networking and services on the server.

 

 

Computer details

Report generation time ( local time )

08 April 2020 21:21:14

Report generation time ( GMT )

08 April 2020 20:21:14

Computer name :

XXXXX

Windows domain :

XXXXX

RMS router name :

Not available

IOR port number :

8192

SSLIOP port number :

Not available

Parent addresses :

10.0.0.6,fe80::10f2:44b6:95db:3ee5,XXXXX.local,XXXXX

Current parent address :

Not available

RMS router type :

endpoint

 

I can ping the Server from the client.  I have checked there is no firewall blocking communication.  Also Telnet from the Server itself to port 8192 fails as well.  So it seems there is a problem with port 8192 on the Server itself. 

 

I have tried re-installing SEC with no joy.  I have also followed all the steps in this link but still no joy : https://community.sophos.com/kb/en-us/117412

 

Could someone please help with the next steps?

 

Thanks

  • Hi Inderpal Lotey,

    Great job narrowing down the issue to RMS on the SEC itself.

    Is the Sophos Message Router service running on SEC?  If not it might be worth checking Event Viewer Application and System logs to see if anything comes up there.  Regardless of whether it is running or not I would check C:\ProgramData\Sophos\RMS\3\Router\Logs\ to see if any errors stick out there.  Check to see if there are any applications stealing port 8192 from message router by running "netstat -abno > C:\Windows\Temp\netstat.txt" and viewing the file.  Any additional log details will help us narrow down what's causing this.

  • In reply to MEric:

    Hi MEric,

     

    So the Sophos services are all running on the Server.  However, I ran netstat and it doesn't show anything listening on 8192, but shows the following instead:

    TCP 0.0.0.0:8193 0.0.0.0:0 LISTENING 4428
    [RouterNT.exe]
    TCP 0.0.0.0:8194 0.0.0.0:0 LISTENING 4428
    [RouterNT.exe]

    So i guess Sophos Message Router is using 8193 instead of 8192?

     

    Thanks

     

    Indi

  • In reply to Inderpal Lotey:


    In fact Telneting on 8193 and 8194 from a client to the Server are both successful as well ...

  • In reply to Inderpal Lotey:

    8193/8194 should be open normally and does not indicate that port 8193 is replacing port 8192. Are you not seeing any entry for 8192 in the netstat?  Did you find any errors in the Router.log file?

    Here's what my netstat looks like:
    TCP 0.0.0.0:8192 0.0.0.0:0 LISTENING 4456
    [RouterNT.exe]
    TCP 0.0.0.0:8193 0.0.0.0:0 LISTENING 4456
    [RouterNT.exe]
    TCP 0.0.0.0:8194 0.0.0.0:0 LISTENING 4456
    [RouterNT.exe]

  • In reply to MEric:

    No errors in the router log file.  8192 is definitely missing in the netstat - I can only see 8193 and 8194 ...

     

    Thanks for all the help

     

    Indi

  • In reply to Inderpal Lotey:

    Are you able to restart the Sophos Message Router service and share us a snippet of the newly generated Router log in C:\ProgramData\Sophos\RMS\3\Router\Logs\ after a minute?  I'd like to see what state Message Router is at.  Something similar to this:

    08.04.2020 16:03:48 2678 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20200408-230348.log
    08.04.2020 16:03:48 2678 I Sophos Messaging Router 4.1.1.127 starting...
    08.04.2020 16:03:48 2678 I Setting ACE_FD_SETSIZE to 20640
    08.04.2020 16:03:48 2678 I Initializing CORBA...
    08.04.2020 16:03:48 2678 I Connection cache limit is 20512
    08.04.2020 16:03:48 2678 I Creating ORB runner with 16 threads
    08.04.2020 16:03:48 2678 I Compliant certificate hashing algorithm.
    08.04.2020 16:03:49 2678 I This computer is part of the domain *
    08.04.2020 16:03:49 2678 I This router's IOR:
    IOR:010000002*
    08.04.2020 16:03:49 2678 I Successfully validated this router's IOR
    08.04.2020 16:03:49 2678 I Reading router table file
    08.04.2020 16:03:49 2678 I Host name: SophosSEC
    08.04.2020 16:03:49 2678 I Local IP addresses: *
    08.04.2020 16:03:49 2678 I Resolved name: SophosSEC.*
    08.04.2020 16:03:49 2678 I Resolved alias/es:
    08.04.2020 16:03:49 2678 I Resolved IP addresses: * 
    08.04.2020 16:03:49 2678 I Resolved reverse names/aliases: SophosSEC.* 
    08.04.2020 16:03:49 2678 I Waiting for messages...
    08.04.2020 16:03:49 2678 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 548, max number of user ports 15360

  • In reply to MEric:

    Hello,

     

    The log file only goes as far as the Reading router table file entry - there is nothing after that!

     

    09.04.2020 13:09:58 0604 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20200409-120958.log
    09.04.2020 13:09:58 0604 I Sophos Messaging Router 4.1.1.127 starting...
    09.04.2020 13:09:58 0604 I Setting ACE_FD_SETSIZE to 20640
    09.04.2020 13:09:58 0604 I Initializing CORBA...
    09.04.2020 13:09:58 0604 I Connection cache limit is 20512
    09.04.2020 13:09:58 0604 I Creating ORB runner with 16 threads
    09.04.2020 13:09:59 0604 I Compliant certificate hashing algorithm.
    09.04.2020 13:09:59 0604 I This computer is part of the domain *
    09.04.2020 13:09:59 0604 I This router's IOR:
    IOR:010000002*
    09.04.2020 13:09:59 0604 I Successfully validated this router's IOR
    09.04.2020 13:09:59 0604 I Reading router table file

     

    Could the router table file be corrupt?

  • In reply to Inderpal Lotey:

    I would suspect so if it stops there.  Try stopping the message router service, renaming and recreating a blank table_router.txt file in C:\ProgramData\Sophos\RMS\3\Router\ and then starting the service back up.

  • In reply to MEric:

    That seems to have worked MEric.  The endpoints are showing as connected now, and the SUM is updating ok.  Hope this helps other people out as well.  Just to clarify, the fix was to stop the Sophos Message Router service, rename the table_router.txt file, create a new empty table_router.txt file and then start up the Sophos Message router service again.  Wait a couple of hours or so for all the endpoints to start showing as connected again.

     

    Thanks again for all your help.

     

    Indi