Issue with Sophos Cloud Migration Tool

Hello All, 

When I open my CMT I get an error at the bottom indicating that there is a "Problem downloading latest cloud readiness assessment data". 

I have scoured all I can and looked through the log files, but I am admittedly naive when it comes to determining what could even be the root cause for this. We've been using the tool for over a month now to migrate clients and this issue just started on Monday. 

Thanks for the help,

-Tim

  • Hi Tim Osting,

    Can you please confirm whether you are still facing the issue? We have recently completed a changeover to a new CDN supplier in order to increase the reliability of our content delivery systems. This migration completed for all addresses on the 2nd May 2018 as described here.

    However, any customer who currently has to exempt by IP address will find they may have to exempt new IP ranges. Wildcards can also be used for the exemptions: *.sophosupd.com and *.sophosupd.net.

    Sophos does not recommend whitelisting CDN IP addresses as the range of IP addresses that are presented on the URLs is subject to change. With the previous CDN, there was a set range of addresses that customers could exclude. However, with the new CDN supplier, customers will need to identify IP addresses to then exempt.

    Open a web browser and enter the following three addresses into the address box. If a successful connection is made you will see the message "it works - authed", "Connection Successful" or "it works".

    • dci.sophosupd.com
    • d1.sophosupd.com
    • d2.sophosupd.com

    If the connection fails, the most likely cause is a firewall (including Windows 2008 server's software firewall) or a proxy blocking the connection or EnterpriseConsole.exe.

    If you cannot connect to the address, or you are still getting the errors described above, you should troubleshoot general networking connectivity to all of the addresses. For example:

    • is there a proxy blocking the address?
    • can you traceroute to the address?
    • is there a scanning firewall in the way?
    • do you need to change/update your firewall rules?
  • In reply to Gowtham Mani:

    Hi Gowtham,

    Thank you for your reply and description of the issue. Unfortunately, I can get to all of the links you listed above, but the tool is still showing that it is unable to download the latest cloud readiness assessment data. The Windows firewall is actually off on this box, so I don't think that is an issue. Lastly, there are no proxies running on my connection.

     

    Thanks for your continued help, 

    -Tim

  • In reply to Gowtham Mani:

    Same issue here. I am trying to migrate a small business which does not even have a business class firewall (just an ordinary plusnet technicolor router).

  • In reply to Tim Osting:

    Hi Tim Osting & Victoria Cleaton,

    Please try the KBA "Sophos Cloud Migration - Windows 2003 root certificate not installed". If the KBA doesn't resolve the issue or doesn't apply to your environment, please collect the logs below and contact our support.

    1) Install Wireshark from www.wireshark.org
    2) Capture the traffic of the network adapter used by the DBArchive Server to connect to the Sophos Cloud
    3) Reproduce the issue of the Sophos Migration Utility
    4) Save the Wireshark log with the extension pcapng and compress it
    5) Create a new SDU Log for us to investigate.
    6) Send the SDU and the Wireshark Log to us.

  • Also having this issue now, after an initial 10 days of trouble-free operation. No changes to filtering or firewall have been made here, and as per the suggestion I can access the Sophos URLs.

  • We too have this issue.

    I have managed to migrate 96 PCs and then it has stopped with the error message described. It stopped a month ago with "Problem downloading latest cloud readiness assessment data" displayed at the bottom of the migration tool.

    I have uninstalled and reinstalled the tool but have the same issue.

  • In reply to rob pattison:

    Did you make any progress on this? I am seeing the same thing on a 2012R2 server, which definitely is not a 2003 server and has the latest updates on, and checking those three URLs above I see them as valid certificate chains.

  • In reply to Chris Haydon:

    There is obviously an issue here, but I haven't heard any more out of Sophos on a fix. We're resorting to a GPO deployment, which was also a nightmare because there is no official Sophos MSI. Good times..

    -Tim

  • In reply to Chris Haydon:

    I was also running this on Server 2012R2. After speaking to Sophos, I understand there is a version 2.0 of the Migration Tool being released soon. Maybe to fix this issue? In any case, this was enough to persuade me to cease my trial of Sophos Central and go in a different direction. Hope they find a fix for you guys soon.

  • In reply to Anton Kraus:

    Thanks both for that; that's not very clever that they have updated the server but have seemingly hardcoded the fingerprints of the SSL certificates of the old servers into the tool, so it is then throwing a wobbly claiming it thinks it is subject to a man-in-the-middle attack! I am not surprised; it looks like the copyright dates on the current v1.0.1 tool are back in 2016.

    The stupid thing is they also look to have hardcoded the Central supported feature sets at the point of compiling it, which appear to have changed in the intervening period, blocking 90% of the machines in the environment I am trying to migrate from being seen in a migratable state. :-(

     

    Oh, and to compound the issue, in the case I'm working on, Enterprise Console has stopped downloading updates as they have expired the credentials, so I have the account manager trying to get some backend licensing team to set them working again!

  • Hi All

    OK, so I now have a workaround from support that fixes this issue with hardcoded certificate checking in the 1.0.1 Cloud Migration Tool.

    Please add the following lines to

    "C:\Program Files (x86)\Sophos\Cloud Migration Tool\CloudMigration.exe.config"

    before the closing </configuration> element

        <appSettings>
            <add key="SkipNamePinning" value="true"/>
        </appSettings>


    If you save the file and then rerun the migration tool again you should find it proceeds without the error.

    This has moved us from having 5 migratable computers to having 208!!!

    Shame this issue seems to have lost Sophos at least one customer!

    Hope that helps

    Chris
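
One way to apply, audit and later revert the setting from the post above without creating a second `<appSettings>` section (a duplicated section is a configuration error in .NET). This is an added example, not part of the original post and not Sophos code; the sample config and its `LogLevel` key are constructed, and treating a case-insensitive "true" as enabled is an assumption about how the tool reads the value:

```python
import xml.etree.ElementTree as ET

KEY = "SkipNamePinning"  # key name as given in the post above

# Constructed sample config; the LogLevel entry is hypothetical.
SAMPLE = """<configuration>
  <startup><supportedRuntime version="v4.0"/></startup>
  <appSettings>
    <add key="LogLevel" value="Info"/>
  </appSettings>
</configuration>"""

def _entries(settings):
    # Key compared case-insensitively so a differently-cased entry is not missed.
    return [a for a in settings.findall("add")
            if (a.get("key") or "").lower() == KEY.lower()]

def pinning_override(config_xml):
    """True/False for the configured value, None when the key is absent."""
    root = ET.fromstring(config_xml)
    state = None
    for settings in root.findall("appSettings"):
        for add in _entries(settings):
            # Assumption: the tool treats a case-insensitive "true" as enabled.
            state = (add.get("value") or "").strip().lower() == "true"
    return state

def set_pinning_override(config_xml, enabled):
    """Return config text with the key set to true, or removed if not enabled."""
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("not a .NET application config file")
    settings = root.find("appSettings")
    if settings is None:
        if not enabled:
            return config_xml
        settings = ET.SubElement(root, "appSettings")  # lands before </configuration>
    for add in _entries(settings):
        settings.remove(add)
    if enabled:
        ET.SubElement(settings, "add", {"key": KEY, "value": "true"})
    elif len(settings) == 0 and not settings.attrib:
        root.remove(settings)  # drop a section that only held this key
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    patched = set_pinning_override(SAMPLE, True)
    print(pinning_override(SAMPLE), pinning_override(patched))
    print(patched)
```

Running `pinning_override` over the file once the migration is finished shows whether the certificate-check bypass is still in place. The standard-library parser drops XML comments and the declaration when the file is rewritten, so keep a copy of the original config.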

  • In reply to Chris Haydon:

    Chris, 

    If I could shake your hand in person, I would. 

    Brilliant. 

    It's a shame that the actual support team couldn't provide this info to everyone earlier, would have saved a lot of heartache. 

    We started manually migrating machines, but now we can pivot back to this. 

     

    Bravo again. 

    Thanks, 

    -Tim