DCOM errors in the thousands

Have had a Sophos XG310 firewall up and running for a year and a half. Yesterday, after installing Windows updates and a server reboot, we started getting thousands of DCOM errors.

DCOM was unable to communicate with the computer X.X.X.X using any of the configured protocols; requested by PID      6bc (C:\Program Files (x86)\Sophos\Sophos Transparent Authentication Suite\stas.exe).

Some of the errors are on devices such as printers within the monitored network, but others, such as the one above, are not in the monitored network, and they are not in any way attempting to authenticate with the domain, as they are VoIP phones.

Anyone have any idea why this would suddenly start occurring AND how to get it to stop?


  • Hi April,

    DCOM errors happen during one of two events:

    1. You are doing WMI logoff detection and, during one of the checks, WMI cannot connect to the host in question. Make sure that STAS is running as admin and WMI is allowed through Windows Firewall and other networking equipment. You will still see errors for PCs that shut down, for example; there is no avoiding that.

    2. The XG by default will ask the app on the DC to do a WMI query on any traffic it sees that is not authenticated (attempt at logon type 1).

    You can lower the frequency of number 2 by contacting support about this KB (https://community.sophos.com/kb/en-us/125468). Note that this will be reverted after firmware upgrades but will persist through reboots.

    Another workaround for devices that are not domain joined or cannot respond to WMI because of their operating system is to create a Clientless User (a permanent live user) object for them (make sure they have a static IP/DHCP reservation beforehand, though). https://community.sophos.com/kb/en-us/123039


  • In reply to Dane Seelen:

    I did a TCP dump and none of the traffic that DCOM errors are being logged for is appearing in the XG dumps, which it shouldn't be, because those devices do not access the Internet.

  • In reply to MasterRoshi:

    1) These are not PCs.

    2) These are not devices that authenticate with the Domain.


    These are also IP phones that are not static IPs and are not in the monitored IP range nor do they access or attempt to access the Internet.


  • In reply to April Beachy:

    The appliance will query the app to do the check on all IPs for which it sees traffic that it does not have in its live users list.

    It would not know it is a phone/printer or any other non-domain-joined device at this point.

    You can exclude those networks/IPs with clientless user entries or make an exclusion within the app on the DC for login IP address/network subnet.

  • In reply to MasterRoshi:

    Clientless user entries are for devices that you want to have Internet access but that do not authenticate. These devices do not have Internet access.


    I already have an exclusion for this subnet and it is still monitoring it.

  • In reply to April Beachy:

    Hi April,


    If you have the exclusion, you will see the following in the STAS log on the DC. 


    DEBUG [0xad0] 2/10/2019 06:48:14 : threadpool_threadproc: Executing Function 0x455b60

    dca_filter_by_ip: IP '(null)' has been filtered out

    DEBUG [0xad0] 2/10/2019 06:48:14 : wrkstpoll_workerthread_wmi: IP 192.168.2.11 found in login exclusion list, filtered out


    I have noticed that if you hit "Apply" it does not actually validate the change until you hit "OK" and the STAS service restarts. Check the log for one of the entries in your exclusion list to see whether it shows the above lines or shows the WMI namespace failures instead. If it shows the failures and you already have it in the exclusions, just hit OK, restart the service, and monitor it from there.
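One way to do the log check described above, as an added example that is not from this thread or from Sophos: a small Python triage script that reads the DCOM event text quoted in the question and the STAS "filtered out" debug lines quoted here, compares them with the exclusion list you believe is configured (the subnet 192.168.2.0/24 is assumed), and separates hosts whose exclusion is evidently not active (the Apply-vs-OK case, so restart the service) from hosts that still need an exclusion or a clientless user entry. The events and log lines are constructed samples.

```python
import ipaddress
import re

# Message formats as quoted in this thread: the Windows System event for a
# failed DCOM connection, and the STAS debug line for an honored exclusion.
DCOM_RE = re.compile(r"unable to communicate with the computer (\d{1,3}(?:\.\d{1,3}){3})")
STAS_FILTERED_RE = re.compile(
    r"IP (\d{1,3}(?:\.\d{1,3}){3}) found in login exclusion list, filtered out")

# Constructed sample data (not real logs): DCOM events for three hosts STAS
# could not reach, two STAS debug lines, and the subnet assumed to be excluded.
STAS_EXE = r"C:\Program Files (x86)\Sophos\Sophos Transparent Authentication Suite\stas.exe"
SAMPLE_EVENTS = [
    f"DCOM was unable to communicate with the computer {ip} using any of the "
    f"configured protocols; requested by PID 6bc ({STAS_EXE})."
    for ip in ("192.168.2.11", "10.0.5.20", "192.168.1.50")
]
SAMPLE_STAS_LOG = [
    "DEBUG [0xad0] 2/10/2019 06:48:14 : dca_filter_by_ip: IP '(null)' has been filtered out",
    "DEBUG [0xad0] 2/10/2019 06:48:14 : wrkstpoll_workerthread_wmi: IP 192.168.2.12 "
    "found in login exclusion list, filtered out",
]
EXCLUSIONS = ["192.168.2.0/24"]  # assumed: the subnet entered in the STAS app

def extract_ips(lines, pattern):
    """Return the set of IPv4 addresses captured by `pattern` across `lines`."""
    return {m.group(1) for m in (pattern.search(line) for line in lines) if m}

def is_excluded(ip, exclusions):
    """True if `ip` lies inside any excluded address or subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(x, strict=False) for x in exclusions)

def triage(events, stas_log, exclusions):
    """Split DCOM-error targets into 'excluded on paper but still queried'
    (the Apply-vs-OK pitfall: hit OK and restart STAS) and 'not excluded yet'
    (add an exclusion or clientless user), and list IPs STAS confirms filtering."""
    dcom_ips = extract_ips(events, DCOM_RE)
    filtered = extract_ips(stas_log, STAS_FILTERED_RE)
    return {
        "exclusion_not_applied": sorted(ip for ip in dcom_ips if is_excluded(ip, exclusions)),
        "needs_exclusion": sorted(ip for ip in dcom_ips if not is_excluded(ip, exclusions)),
        "exclusion_honored": sorted(ip for ip in filtered if is_excluded(ip, exclusions)),
    }

if __name__ == "__main__":
    for key, ips in triage(SAMPLE_EVENTS, SAMPLE_STAS_LOG, EXCLUSIONS).items():
        print(f"{key}: {', '.join(ips) or '-'}")
```

Point the two input lists at the exported System log and the STAS log on the DC; an IP landing in "exclusion_not_applied" is the signal that the exclusion was only applied, not committed with OK.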

  • In reply to MasterRoshi:

    MasterRoshi


    2. The XG by default will ask the app on the DC to do a WMI query on any traffic it sees that is not authenticated (attempt at logon type 1).


    So this answered the question for me; I was never able to figure out why STAS was trying to WMI query IPs of computers/phones/printers that weren't in its live users list. You provided the missing piece of the puzzle: the XG is asking the STAS app to do a query on its behalf. Now it makes sense.