Thread Info
  • State Suggested Answer
  • +3 person also asked this people also asked this
  • Locked Locked
  • Replies 63 replies
  • Answers 1 answer
  • Subscribers 11 subscribers
  • Views 118017 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Most Clients Shown As 'Disconnected' in SEC 5.5.0

isoffice

Hi folks,

We are running Sophos Enterprise Console (SEC) 5.5.0 on a Windows 2008 R2 Enterprise (64-bit) Server.

I have recently noticed that more than 50% of our client PCs to which Sophos Endpoint Security & Control has been deployed are shown as 'disconnected' in SEC. I have carried out a ping-sweep of the network and can confirm that most, if not all, of these PCs are actually powered on, connected to the network and working fine.

Only after I restart the Sophos Message Router Service on the client PCs do they then change their status to 'connected' in SEC. I have no wish to carry this task out on several hundred client PCs individually as you can imagine, so I'm hoping someone can possibly shed some light on what may be happening here and suggest a solution to this issue?

Many thanks,

John P



This thread was automatically locked due to age.
Parents
  • 0

    I'm sure there will be others offering advice, but from my experience, it's most likely that the Remote Management System (RMS) that cannot communicate on the required ports.  You can try with the telnet command from the server to the endpoint and vice versa on the required ports.

    You may like to watch the video below on setting up a GPO to allow the required ports (this means you don't have to go round to each computer).  Watch from the 9 minute mark...

    There is also the deployment guide which mentions the ports. http://www.sophos.com/deployment - click the 'Allowing computers to report' link on the right-hand rail.

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to ruckus

    Hi guys,

    Thank you for your prompt and helpful replies.

    Christian, I have to admit that I may be a bit lax in checking my SEC installation. Unfortunately, my duties dictate that I cannot spend as much time as I'd like (or indeed, need) to monitor our SEC installation. Wearing too many hats at times methinks!!

    Fullscreen Before and After Service ReStart.txt Download 
    19.09.2017 08:28:19 0B28 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20170919-072819.log
19.09.2017 08:28:19 0B28 I Sophos Messaging Router 4.1.1.127 starting...
19.09.2017 08:28:19 0B28 I Setting ACE_FD_SETSIZE to 138
19.09.2017 08:28:19 0B28 I Initializing CORBA...
19.09.2017 08:28:19 0B28 I Connection cache limit is 10
19.09.2017 08:28:20 0B28 I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
19.09.2017 08:28:20 0B28 I Creating ORB runner with 4 threads
19.09.2017 08:28:20 0B28 I Compliant certificate hashing algorithm.
19.09.2017 08:28:20 0B28 I This computer is part of the domain SECRAT
19.09.2017 08:28:20 0B28 I This router's IOR:
IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000a0000003132372e302e302e310001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001000e01004f4154010000001800000001000e01010001000100000001000105090101000000000014000000080000000100a60086000220
19.09.2017 08:28:20 0B28 E Localhost address (e.g. 127/8) found in the IOR
19.09.2017 08:28:20 0B28 E This router's IOR is invalid
19.09.2017 08:28:20 0B28 I This computer is part of the domain ****
19.09.2017 08:28:20 0B28 I Reading router table file
19.09.2017 08:28:20 0B28 I Host name: DNIA16807
19.09.2017 08:28:20 0B28 I Local IP addresses: 10.63.14.118 
19.09.2017 08:28:20 0B28 I Resolved name: DNIA16807.****.****.****
19.09.2017 08:28:20 0B28 I Resolved alias/es: 
19.09.2017 08:28:20 0B28 I Resolved IP addresses: 127.0.0.1 
19.09.2017 08:28:20 0B28 I Resolved reverse names/aliases: DNIA16807.****.****.**** 
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01AE532F, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01AE8D1F, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01AFA2D6, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01AFDE91, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0B28 I Waiting for messages...
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01B0F5D5, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01B13019, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01B245FF, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01B28197, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01B63A35, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01B67608, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01B78F73, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01B7C79E, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01B8DE7B, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01B91916, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01BA3121, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01BA6A99, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01BB8324, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01BBBBFE, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01BF7130, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-GetStatus-Reply
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01BF7254, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01BF726D, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-GetStatus-Reply
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01BF9C9C, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-GetStatus-Reply
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01BFB08B, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:28:20 0CB8 I Routing to parent: id=01BFC6D0, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-GetStatus-Reply
19.09.2017 08:28:20 0CCC W Delivery failed(Timeout) for message type EM-GetStatus-Reply, originator Router$DNIA16807:450391.Agent
19.09.2017 08:28:20 0CCC W Delivery failed(Timeout) for message type EM-GetStatus-Reply, originator Router$DNIA16807:450391.Agent
19.09.2017 08:28:20 0CCC W Delivery failed(Timeout) for message type EM-GetStatus-Reply, originator Router$DNIA16807:450391.Agent
19.09.2017 08:28:20 0B28 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 3, max number of user ports 15360
19.09.2017 08:28:20 0CCC W Delivery failed(Timeout) for message type EM-GetStatus-Reply, originator Router$DNIA16807:450391.Agent
19.09.2017 08:28:22 0C94 I Client::LogonPushPush() successfully called back to client
19.09.2017 08:28:22 0C94 I Logged on Agent as a client
19.09.2017 08:28:22 0CB8 I Routing to Agent: id=03C0C716, origin=Router$DNIA16807:450391, dest=Router$DNIA16807:450391.Agent, type=EM-ClientLogon
19.09.2017 08:28:22 0CAC I Sent message (id=03C0C716) to Agent
19.09.2017 08:28:22 0CB8 I Received message for this router
19.09.2017 08:28:22 0CB8 I EM-NotifyClientUpdates originator Router$DNIA16807:450391.Agent
19.09.2017 08:28:22 0CB8 I Routing to Agent: id=07C0C716, origin=Router$DNIA16807:450391, dest=Router$DNIA16807:450391.Agent, type=EM-NotifyClientUpdates-Reply
19.09.2017 08:28:22 0CB0 I Sent message (id=07C0C716) to Agent
19.09.2017 08:28:57 0CB8 I Routing to parent: id=01C0C739, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-GetStatus-Reply
19.09.2017 08:33:48 0CB8 I Routing to parent: id=01C0C85C, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 08:34:10 0CCC W Delivery failed(Timeout) for message type EM-EntityEvent, originator Router$DNIA16807:450391.Agent
19.09.2017 08:34:14 0CB8 I Routing to parent: id=01C0C876, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-GetStatus-Reply
19.09.2017 09:28:20 0B28 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 5, max number of user ports 15360
19.09.2017 10:28:20 0B28 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 5, max number of user ports 15360
19.09.2017 11:28:21 0B28 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 5, max number of user ports 15360
19.09.2017 12:28:21 0B28 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 5, max number of user ports 15360
19.09.2017 12:40:21 0CCC W Delivery failed(Timeout) for message type EM-EntityEvent, originator Router$DNIA16807:450391.Agent
19.09.2017 12:40:50 0CB8 I Routing to parent: id=01C10242, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:28:21 0B28 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 5, max number of user ports 15360



19.09.2017 13:36:47 1AA4 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20170919-123647.log
19.09.2017 13:36:47 1AA4 I Sophos Messaging Router 4.1.1.127 starting...
19.09.2017 13:36:47 1AA4 I Setting ACE_FD_SETSIZE to 138
19.09.2017 13:36:47 1AA4 I Initializing CORBA...
19.09.2017 13:36:47 1AA4 I Connection cache limit is 10
19.09.2017 13:36:48 1AA4 I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
19.09.2017 13:36:48 1AA4 I Creating ORB runner with 4 threads
19.09.2017 13:36:48 1AA4 I Compliant certificate hashing algorithm.
19.09.2017 13:36:48 1AA4 I This computer is part of the domain ****
19.09.2017 13:36:48 1AA4 I This router's IOR:
IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a4000000010102000d00000031302e36332e31342e313138000001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001001d01004f4154010000001800000001001d01010001000100000001000105090101000000000014000000080000000100a60086000220
19.09.2017 13:36:48 1AA4 I Successfully validated this router's IOR
19.09.2017 13:36:48 1AA4 I Reading router table file
19.09.2017 13:36:48 1AA4 I Host name: DNIA16807
19.09.2017 13:36:48 1AA4 I Local IP addresses: 10.63.14.118 
19.09.2017 13:36:48 1AA4 I Resolved name: DNIA16807.****.****.****
19.09.2017 13:36:48 1AA4 I Resolved alias/es: 
19.09.2017 13:36:48 1AA4 I Resolved IP addresses: 10.63.14.118 
19.09.2017 13:36:48 1AA4 I Resolved reverse names/aliases: DNIA16807.****.****.**** 
19.09.2017 13:36:48 1AA4 I Waiting for messages...
19.09.2017 13:36:48 1988 I Routing to parent: id=01AFA2D6, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1AA4 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 4, max number of user ports 15360
19.09.2017 13:36:48 1988 I Routing to parent: id=01AFDE91, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01B0F5D5, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01B13019, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01B245FF, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01B28197, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1B2C I Getting parent router IOR from 10.63.20.72:8192
19.09.2017 13:36:48 1988 I Routing to parent: id=01B63A35, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01B67608, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01B78F73, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01B7C79E, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01B8DE7B, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01B91916, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01BA3121, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01BA6A99, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01BB8324, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01BBBBFE, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01BF7254, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01BFB08B, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01C0C739, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-GetStatus-Reply
19.09.2017 13:36:48 1988 I Routing to parent: id=01C0C85C, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1988 I Routing to parent: id=01C0C876, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-GetStatus-Reply
19.09.2017 13:36:48 1988 I Routing to parent: id=01C10242, origin=Router$DNIA16807:450391.Agent, dest=EM, type=EM-EntityEvent
19.09.2017 13:36:48 1B2C I Received parent router's IOR:
IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a4000000010102000c00000031302e36332e32302e3732004fc000004100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f757465720000000300000000000000080000000100b700004f415401000000180000000100b700010001000100000001000105090101000000000014000000080000000100a60086000220
19.09.2017 13:36:48 1B2C I Successfully validated parent router's IOR
19.09.2017 13:36:48 1B2C I Accessing parent
19.09.2017 13:36:48 1B2C I SSL handshake done, local IP address = 10.63.14.118
19.09.2017 13:36:48 1B2C I Parent is Router$SV-AV-01
19.09.2017 13:36:48 1B2C I RouterTableEntry::LogonToParentRouter() - logging on as active consumer
19.09.2017 13:36:48 1B0C I SSL handshake done, local IP address = 10.63.14.118
19.09.2017 13:36:48 1B2C I RouterTableEntry state (router, logging on): Router$SV-AV-01 is passive consumer, passive supplier
19.09.2017 13:36:48 1B2C I Logged on to parent router as Router$DNIA16807:450391
19.09.2017 13:36:48 1B2C I This computer is part of the domain SECRAT
19.09.2017 13:36:48 1C14 I Sent message (id=01AFA2D6) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01AFDE91) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01B0F5D5) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01B13019) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01B245FF) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01B28197) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01B63A35) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01B67608) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01B78F73) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01B7C79E) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01B8DE7B) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01B91916) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01BA3121) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01BA6A99) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01BB8324) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01BBBBFE) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01BF7254) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01BFB08B) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01C0C739) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01C0C85C) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01C0C876) to Router$SV-AV-01
19.09.2017 13:36:48 1C14 I Sent message (id=01C10242) to Router$SV-AV-01

    Anyway, attached (I hope) is a copy of the client message router logs showing the situation before and after the Sophos Message Router service restart.

    Hope this helps.

    Ruckus, many thanks for your input. I will review the material you suggested and will keep you posted of any developments.

    Best regards,

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • 0 in reply to isoffice

    Hello John P,

    this part near the start doesn't look right:

    19.09.2017 08:28:20 0B28 E Localhost address (e.g. 127/8) found in the IOR
    19.09.2017 08:28:20 0B28 E This router's IOR is invalid
    19.09.2017 08:28:20 0B28 I This computer is part of the domain ****
    19.09.2017 08:28:20 0B28 I Reading router table file
    19.09.2017 08:28:20 0B28 I Host name: DNIA16807
    19.09.2017 08:28:20 0B28 I Local IP addresses: 10.63.14.118
    19.09.2017 08:28:20 0B28 I Resolved name: DNIA16807.****.****.****
    19.09.2017 08:28:20 0B28 I Resolved alias/es:
    19.09.2017 08:28:20 0B28 I Resolved IP addresses: 127.0.0.1
    19.09.2017 08:28:20 0B28 I Resolved reverse names/aliases: DNIA16807.****.****.****

    Looks like it subsequently doesn't even try to contact the parent. Dunno where the resolution to localhost (127.0.0.1) comes from. If I disable the adapter or unplug the cable RouterNT correctly recognizes this when it starts, periodically checks connectivity, and restarts if it detects it is connected.

    Christian

  • 0 in reply to QC

    Hello JohnP,

    No offence intended Ruckus, but I remain to be convinced that the proposed answer is the correct one.  This would only be true if more than 50% of JohnP's computers were incorrectly configured in the first place and that the firewall of these computers were blocking TCP ports 8192/4.  Based on our recent experience I think it is fair to assume this is unlikely to be the case, but easily checked out by reviewing this thread: https://community.sophos.com/products/endpoint-security-control/f/sophos-enterprise-console/79261/connection

    We are also running Enterprise console v5.5.0, investigating the same problem and have logged a call with Sophos support who are looking into the issue.  All of our computers are configured correctly which allow them to contact the console.  The console is reporting that some of these computers are disconnected (not the case) and all affected systems are laptops.  Like you we identified the localhost resolved IP address in the remote management system router log and have made Sophos aware of our findings.  When reviewing the logs after restarting the Sophos Message Router service, the resolved IP address is the same as the local IP address and the console reports that the computer is online.  After a reboot your are back to square one, unless that is you change the Sophos Message Router service startup type from Automatic to Automatic (Delayed Start).

    We noticed the issue following the Microsoft September 2017 security update release which we rolled out on Wednesday 13th and wondered and have been looking into whether this was a contributing factor. In the meantime Sophos are analysing SDU logs taken from initially the server and today both the server and an affected workstation.

    Ian.

  • 0 in reply to WorEen

    Np Ian! [:)]  JohnP can check and use one of the options on my reply...

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to WorEen

    Hi Ian,

    Thank you very much for your input, it has proven very useful. We do not have many laptops on our network and the clients affected by this issue are all desktop PCs running Windows 10.

    Is the delayed start of the Sophos Message Router service a temporary workaround to this issue, that is, after a reboot, will SEC report the clients as still being 'connected'?

    I also have a call in with Sophos Support about this and they asked if anything had been changed on our network (no) and they then recommended that I re-protect some PCs which are currently shown as 'disconnected'. I have done this and SEC has restored connectivity to these particular clients. However, I will wait until they are re-booted again to see if this works, not confident though.

    Will keep you all posted.

     

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • 0 in reply to WorEen

    Hello Ian,

    kudos for this contribution.
    May I ask which Windows version(s)? You say that the affected ones are definitely all laptops (and all of them had the security updates) but not all laptops are affected? Changing the startup type seems to be a viable workaround. Naturally I can't say what the reason for the Router's current behaviour is.

    Can't say what the sequence of actions is (a verbose log might give some insight but you can't change how it works anyway). It looks like a (LAN) connection appears to be available, the Router enumerates the available addresses, and - even though it finds only localhost and flags it as error - attempts to use it to initiate a connection to its parent but subsequently get just a timeout (sorry for the winded sentence). It seems to be in the state to just retry the connection instead of either checking for changes or simply reinitializing.
    Apparently the interface is already fully up at the time of the Delayed Start. Automatic (Delayed Start) is two minutes after the start of the last Automatic service, shouldn't have an effect.

    Christian

  • 0 in reply to isoffice

    Hi JohnP,

    Firstly...  fair point ruckus and my apologies; my first post and I overlooked your feedback options. 

    We have been mooching around this issue since yesterday.  If you re-protect a PC it will appear to be connected until it reboots, at which time the console remains waiting for the reboot request to be acknowledged with the computer being reported as disconnected even though this is not the case. On the workstation Sophos updates as normal.  This is not reflected in the console.  I assume the updates are being downloaded from the application server hosting enterprise console although it may well be the secondary location we have configured in updating, in our case Sophos.

    On a separate affected workstation, having changed the Sophos Message Router service startup type from Automatic to Automatic (Delayed Start), after a reboot the computer is reported as being disconnected until the delayed service starts (after 2 minutes or so) when the console changes the status to connected.  The computer maintains contact with the console.  I'm going to check this particular workstation tomorrow, hopefully to verify that the Sophos AutoUpdate status reports that the computer has been updated successfully.

    We utilise a deployment tool which also detects the online status of clients.  This is working as usual.  Computers known to be online being reported as such, whereas the Sophos console is reporting some of these computers as being disconnected even though they are known to be online.

    Like you, nothing has changed on our network other than the Microsoft September 2017 security update release we rolled out on Wednesday 13th.

    We await Sophos to get back to us following analysis of the logs we emailed them this morning.

    Ian.

  • 0 in reply to WorEen

    Hi Ian,

    Many thanks for the update. I anticipate that sometime in the near future Sophos Support will ask me to ensure that the client PC can connect to the SEC Server on ports 8192 & 8194.

    Rather than spend the next few days running around like a headless chicken, our resident Powershell expert has given me a script which will check connectivity to these two ports from the 'disconnected' client PC, all from the comfort of my own desk!!

    PS C:\windows\system32> icm -ComputerName clientpcname -ScriptBlock {"8192","8194" | % {Test-NetConnection -ComputerName secservername -Port $_}}

    It takes a few seconds to run, but I thought it quite clever. Output looks like:

    ComputerName           : secservername
    RemoteAddress          : 10.63.20.72
    RemotePort             : 8192
    InterfaceAlias         : Ethernet
    SourceAddress          : 10.63.26.111
    PingSucceeded          : True
    PingReplyDetails (RTT) :
    TcpTestSucceeded       : True
    PSComputerName         : clientpcname

    ComputerName           : secservername
    RemoteAddress          : 10.63.20.72
    RemotePort             : 8194
    InterfaceAlias         : Ethernet
    SourceAddress          : 10.63.26.111
    PingSucceeded          : True
    PingReplyDetails (RTT) :
    TcpTestSucceeded       : True
    PSComputerName         : clientpcname

    This PC is shown as 'disconnected' from SEC. However, the output above leads me to think that it can communicate with the SEC Server on the necessary ports.

    Keep on plugging!!

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • 0 in reply to QC

    Hello Christian,

    Windows 10 version 1703 (OS build 15063.608) and Windows 10 version 1607 (OS build 14393.1715).

    The affected workstations are all laptops, the opposite of JohnP who advises in his case clients affected by this issue are all desktop PCs running Windows 10.

    Not all laptops are affected. All laptops are patched up to date.

    Windows 10 version 1703 (OS build 15063.608): Update for Microsoft Windows (KB4022405) and Security Update for Microsoft Windows (KB4038788).

    Windows 10 version 1607 (OS build 14393.1715): Update for Microsoft Windows (KB4035631), Security Update for Microsoft Windows (KB4033637) and Security Update for Microsoft Windows (KB4038782).

    We have noted that if you disconnect an affected laptop from the network (unplug the Ethernet connector) and reconnect, a short while later the console report the device as being online.  All good until you reboot.

    Ian.

Reply
  • 0 in reply to QC

    Hello Christian,

    Windows 10 version 1703 (OS build 15063.608) and Windows 10 version 1607 (OS build 14393.1715).

    The affected workstations are all laptops, the opposite of JohnP who advises in his case clients affected by this issue are all desktop PCs running Windows 10.

    Not all laptops are affected. All laptops are patched up to date.

    Windows 10 version 1703 (OS build 15063.608): Update for Microsoft Windows (KB4022405) and Security Update for Microsoft Windows (KB4038788).

    Windows 10 version 1607 (OS build 14393.1715): Update for Microsoft Windows (KB4035631), Security Update for Microsoft Windows (KB4033637) and Security Update for Microsoft Windows (KB4038782).

    We have noted that if you disconnect an affected laptop from the network (unplug the Ethernet connector) and reconnect, a short while later the console report the device as being online.  All good until you reboot.

    Ian.

Children
No Data
Unfiltered HTML