

DCOM errors in the thousands

Have had Sophos XG310 firewall up and running for a year and a half.  Yesterday after installing Windows updates and a server reboot we started getting thousands of DCOM errors.

DCOM was unable to communicate with the computer X.X.X.X using any of the configured protocols; requested by PID      6bc (C:\Program Files (x86)\Sophos\Sophos Transparent Authentication Suite\stas.exe).

Some of the errors are on devices such as printers within the monitored network, but others such as above are not in the monitored network and they are not in any way attempting to authenticate with the domain as they are VoIP phones.

Anyone have any idea why this would suddenly start occurring AND how to get it to stop?

  • Hi April,

    DCOM errors happen during one of two events:

    1. You are doing WMI logoff detection and during one of the checks, WMI cannot connect to the host in question. Make sure that STAS is running as admin and WMI is allowed through Windows Firewall/other networking equipment. You will still see errors for PCs that shut down, for example; there is no avoiding that.

    2. The XG by default will ask the app on the DC to do a WMI query on any traffic it sees that is not authenticated (attempt at logon type 1).

    You can lower the frequency of number 2 by contacting support about this KB (https://community.sophos.com/kb/en-us/125468). Note this will be reverted after firmware upgrades but can be persistent through reboots. 

    Another workaround for devices that are not domain joined or cannot respond to WMI due to their operating system is to create a Clientless User (a permanent live user) object for them (make sure they have a static IP/DHCP reservation beforehand though). https://community.sophos.com/kb/en-us/123039
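
    The following PowerShell script is an added example, not code from this thread or from Sophos. Run it on the DC that hosts STAS: it reads the DistributedCOM errors that name stas.exe as the requester, groups them by the address DCOM could not reach, and adds a reverse lookup (and optionally a WMI-over-DCOM probe) so you can separate devices that can never answer WMI (phones, printers: candidates for a Clientless User object) from domain PCs where Windows Firewall or WMI permissions need fixing. It assumes Windows PowerShell 5.1, the System log, and that the event ID is 10009 (an assumption; the filter matches on the message text so it does not depend on the ID). The parameter names `$Hours`, `$StasExe` and `$Probe` are invented for this example.

```powershell
<#
  Added example (not from this thread or from Sophos).
  Summarise "DCOM was unable to communicate with the computer ..." errors
  requested by stas.exe, grouped by target address.
  Assumptions: Windows PowerShell 5.1 on the DC; errors are logged to the
  System log by Microsoft-Windows-DistributedCOM (usually event ID 10009,
  but the message text is matched so the ID is not relied on).
  $Hours, $StasExe and $Probe are parameter names made up for this example.
#>
param(
    [int]$Hours = 24,
    [string]$StasExe = 'stas.exe',
    [switch]$Probe      # also run a DCOM WMI query against each address (slow on dead hosts)
)

$since = (Get-Date).AddHours(-$Hours)

# Only DistributedCOM events whose message names stas.exe as the requesting process.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    StartTime    = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$StasExe*" }

# Pull the target address out of the message text:
# "DCOM was unable to communicate with the computer X.X.X.X using any of the configured protocols; ..."
$hits = foreach ($e in $events) {
    if ($e.Message -match 'communicate with the computer (\S+) using') {
        [pscustomobject]@{ Target = $Matches[1]; Time = $e.TimeCreated }
    }
}

$summary = foreach ($g in ($hits | Group-Object Target | Sort-Object Count -Descending)) {
    $ip = $g.Name

    # A PTR that resolves inside your AD DNS zone hints at a domain-joined host
    # (fix firewall/WMI there); no PTR or a non-AD name hints at a device that
    # will never answer WMI and only generates noise.
    try   { $name = [System.Net.Dns]::GetHostEntry($ip).HostName }
    catch { $name = '(no PTR)' }

    $wmi = 'not probed'
    if ($Probe) {
        # Same path STAS uses: WMI over DCOM (not WinRM), so a failure here
        # reproduces the condition behind the event.
        try {
            $opt  = New-CimSessionOption -Protocol Dcom
            $sess = New-CimSession -ComputerName $ip -SessionOption $opt -OperationTimeoutSec 5 -ErrorAction Stop
            $null = Get-CimInstance -CimSession $sess -ClassName Win32_OperatingSystem -ErrorAction Stop
            Remove-CimSession $sess
            $wmi = 'ok'
        } catch { $wmi = $_.Exception.GetType().Name }
    }

    [pscustomobject]@{
        Target   = $ip
        Name     = $name
        Errors   = $g.Count
        LastSeen = ($g.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        Wmi      = $wmi
    }
}

$summary | Format-Table -AutoSize
```

    Save it as, say, `Get-StasDcomTargets.ps1` and run `.\Get-StasDcomTargets.ps1 -Hours 48` from an elevated prompt on the DC. Addresses with a high error count and no AD name are the phones and printers to handle with a Clientless User object (or a static IP/DHCP reservation first); adding `-Probe` shows which domain PCs are genuinely blocking WMI, which is where the Windows Firewall or STAS permission fix belongs.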


  • MasterRoshi said:

    2. The XG by default will ask the app on the DC to do a WMI query on any traffic it sees that is not authenticated (attempt at logon type 1).

    So this answered the question for me; I was never able to figure out why STAS was trying to WMI query IPs of computers/phones/printers that weren't in its live users list. You provided the missing piece of the puzzle in that XG is asking the STAS app to do a query on its behalf. Now it makes sense.
