Hello, using SEC 5.5.2. Update Manager does nothing when I right click on the Server and select update now. It was last updated on 18/03/2020.
Also, all endpoints are showing disconnected (red cross).
When I try to telnet to the Server on port 8192 it fails (could not open a connection to the host) – this happens both from a client and the Server itself (which means it can’t be a firewall issue).
The Sophos Network Communications Report from a client says:
State of name resolution (DNS)
Problem description :
There is a problem communicating with the server.
Failed to determine the IP address of the computer from its name. Communication cannot start until this problem is resolved.
Possible cause :
DNS is misconfigured or the information is missing or incorrect.
Action to repair :
Verify that the client can resolve the name of the server. Alternatively, use a static IP address on the server (this is the configuration recommended by Sophos).
State of Sophos security framework
No problems detected.
State of incoming communications from server
State of outgoing communications to server
Failed to communicate with the server.
"Sophos Message Router" service may be stopped on the server, or the server may be disconnected from the network, or a firewall may be blocking communications from the client to the server.
Verify that the Sophos Message Router ports (by default 8192 and 8194) on the server are accessible by the computer with the problem. Also check networking and services on the server.
Report generation time ( local time )
08 April 2020 21:21:14
Report generation time ( GMT )
08 April 2020 20:21:14
Computer name :
Windows domain :
RMS router name :
IOR port number :
SSLIOP port number :
Parent addresses :
Current parent address :
RMS router type :
I can ping the Server from the client. I have checked there is no firewall blocking communication. Also Telnet from the Server itself to port 8192 fails as well. So it seems there is a problem with port 8192 on the Server itself.
I have tried re-installing SEC with no joy. I have also followed all the steps in this link but still no joy: https://community.sophos.com/kb/en-us/117412
Could someone please help with the next steps?
Hi Inderpal Lotey,
Great job narrowing down the issue to RMS on the SEC itself.
Is the Sophos Message Router service running on SEC? If not it might be worth checking Event Viewer Application and System logs to see if anything comes up there. Regardless of whether it is running or not I would check C:\ProgramData\Sophos\RMS\3\Router\Logs\ to see if any errors stick out there. Check to see if there are any applications stealing port 8192 from message router by running "netstat -abno > C:\Windows\Temp\netstat.txt" and viewing the file. Any additional log details will help us narrow down what's causing this.
In reply to MEric:
So the Sophos services are all running on the Server. However, I ran netstat and it doesn't show anything listening on 8192, but shows the following instead:
TCP 0.0.0.0:8193 0.0.0.0:0 LISTENING 4428 [RouterNT.exe]
TCP 0.0.0.0:8194 0.0.0.0:0 LISTENING 4428 [RouterNT.exe]
So I guess Sophos Message Router is using 8193 instead of 8192?
In reply to Inderpal Lotey:
In fact, Telnetting on 8193 and 8194 from a client to the Server are both successful as well ...
8193/8194 should be open normally, and this does not indicate that port 8193 is replacing port 8192. Are you not seeing any entry for 8192 in the netstat? Did you find any errors in the Router.log file?
Here's what my netstat looks like:
TCP 0.0.0.0:8192 0.0.0.0:0 LISTENING 4456 [RouterNT.exe]
TCP 0.0.0.0:8193 0.0.0.0:0 LISTENING 4456 [RouterNT.exe]
TCP 0.0.0.0:8194 0.0.0.0:0 LISTENING 4456 [RouterNT.exe]
No errors in the router log file. 8192 is definitely missing in the netstat - I can only see 8193 and 8194 ...
Thanks for all the help
Are you able to restart the Sophos Message Router service and share with us a snippet of the newly generated Router log in C:\ProgramData\Sophos\RMS\3\Router\Logs\ after a minute? I'd like to see what state Message Router is at. Something similar to this:
08.04.2020 16:03:48 2678 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20200408-230348.log
08.04.2020 16:03:48 2678 I Sophos Messaging Router 126.96.36.199 starting...
08.04.2020 16:03:48 2678 I Setting ACE_FD_SETSIZE to 20640
08.04.2020 16:03:48 2678 I Initializing CORBA...
08.04.2020 16:03:48 2678 I Connection cache limit is 20512
08.04.2020 16:03:48 2678 I Creating ORB runner with 16 threads
08.04.2020 16:03:48 2678 I Compliant certificate hashing algorithm.
08.04.2020 16:03:49 2678 I This computer is part of the domain *
08.04.2020 16:03:49 2678 I This router's IOR:IOR:010000002*
08.04.2020 16:03:49 2678 I Successfully validated this router's IOR
08.04.2020 16:03:49 2678 I Reading router table file
08.04.2020 16:03:49 2678 I Host name: SophosSEC
08.04.2020 16:03:49 2678 I Local IP addresses: *
08.04.2020 16:03:49 2678 I Resolved name: SophosSEC.*
08.04.2020 16:03:49 2678 I Resolved alias/es:
08.04.2020 16:03:49 2678 I Resolved IP addresses: *
08.04.2020 16:03:49 2678 I Resolved reverse names/aliases: SophosSEC.*
08.04.2020 16:03:49 2678 I Waiting for messages...
08.04.2020 16:03:49 2678 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 548, max number of user ports 15360
The log file only goes as far as the Reading router table file entry - there is nothing after that!
09.04.2020 13:09:58 0604 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20200409-120958.log
09.04.2020 13:09:58 0604 I Sophos Messaging Router 188.8.131.52 starting...
09.04.2020 13:09:58 0604 I Setting ACE_FD_SETSIZE to 20640
09.04.2020 13:09:58 0604 I Initializing CORBA...
09.04.2020 13:09:58 0604 I Connection cache limit is 20512
09.04.2020 13:09:58 0604 I Creating ORB runner with 16 threads
09.04.2020 13:09:59 0604 I Compliant certificate hashing algorithm.
09.04.2020 13:09:59 0604 I This computer is part of the domain *
09.04.2020 13:09:59 0604 I This router's IOR:IOR:010000002*
09.04.2020 13:09:59 0604 I Successfully validated this router's IOR
09.04.2020 13:09:59 0604 I Reading router table file
Could the router table file be corrupt?
I would suspect so if it stops there. Try stopping the message router service, renaming and recreating a blank table_router.txt file in C:\ProgramData\Sophos\RMS\3\Router\ and then starting the service back up.
That seems to have worked, MEric. The endpoints are showing as connected now, and the SUM is updating ok. Hope this helps other people out as well. Just to clarify, the fix was to stop the Sophos Message Router service, rename the table_router.txt file, create a new empty table_router.txt file and then start up the Sophos Message Router service again. Wait a couple of hours or so for all the endpoints to start showing as connected again.
Thanks again for all your help.
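The two symptoms this thread converged on (no RouterNT.exe listener on 8192, and a Router log that ends at "Reading router table file") can be checked together from saved `netstat -abno` output and the newest Router log. The following is an added example, not part of the original thread or Sophos tooling; the function names, verdict strings and sample text are assumptions constructed from the output quoted above.

```python
import re

ROUTER_PORTS = {8192, 8193, 8194}  # RouterNT.exe listeners in the healthy netstat quoted in the thread

def router_listeners(netstat_text, image="RouterNT.exe"):
    """Ports in LISTENING state whose owner line in `netstat -abno` output is [image]."""
    ports, pending = set(), None
    for raw in netstat_text.splitlines():
        line = raw.strip()
        if line.startswith(("TCP", "UDP")):
            m = re.match(r"TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+\d+$", line)
            pending = int(m.group(1)) if m else None
        elif line.startswith("[") or line.startswith("Can not obtain"):
            # Owner line closes the current entry; only count it if it names the router.
            if pending is not None and line == f"[{image}]":
                ports.add(pending)
            pending = None
    return ports

def last_log_message(log_text):
    """Message text of the last timestamped Router log entry, or None."""
    entry = re.compile(r"\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2} \S+ \S (.*)")
    messages = [m.group(1).strip() for m in map(entry.match, log_text.splitlines()) if m]
    return messages[-1] if messages else None

def diagnose(netstat_text, log_text):
    """Classify router state as (verdict, missing_ports); verdict names are illustrative."""
    missing = sorted(ROUTER_PORTS - router_listeners(netstat_text))
    if not missing:
        return "ok", missing
    if last_log_message(log_text) == "Reading router table file":
        return "stalled-reading-router-table", missing
    return "ports-missing", missing

# Sample input constructed from the output quoted in the thread.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:8193    0.0.0.0:0    LISTENING    4428
 [RouterNT.exe]
  TCP    0.0.0.0:8194    0.0.0.0:0    LISTENING    4428
 [RouterNT.exe]
"""
SAMPLE_LOG = """\
09.04.2020 13:09:59 0604 I Successfully validated this router's IOR
09.04.2020 13:09:59 0604 I Reading router table file
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_NETSTAT, SAMPLE_LOG))
```

A "stalled-reading-router-table" verdict matches the state in which renaming table_router.txt and restarting the service resolved the problem here; "ports-missing" with a different last log entry points back at the port-conflict check suggested earlier in the thread.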