This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to disable UTM Manager on UTM 9.605

We are (mostly) replicating a UTM config for a client moving locations. For a time, both sites will have a UTM in place. I restored the config from the current site UTM to the new, and am working on the minor changes required. However, I cannot disable Sophos UTM Manager under Management > Central Management as it says "Licensing Info - Deactivation of Central Management, changing of SUM host and features are disabled as MSP Licensing is activated!".

I changed the hostname, rebooted, connected to the internet and can access the new UTM on the external address.

The new UTM never appears in the SUM for activation/Licensing.

To remove any issues of duplicate UTMs reporting to the SUM, I Reset the config on the new UTM and started again, even using a new fqhn for the hostname. The result was the same as if the SUM is now not able to accept new UTMs.

The Device Agent Log on the UTM shows:

device-agent[5371]:   1 is not connected. Trying to connect
device-agent[5371]:   Updating SUM IP address for path: acc/server1/server
device-agent[5371]:   [1] Connecting to SUM (ip=<SUM IP>, port=4433).
device-agent[5371]:   [1] Using SUM SSL connection.
device-agent[5371]:   [1] We are now connected (ip=<SUM IP>, port=4433).
device-agent[5371]:   SUM ehlo notification from [1]
device-agent[5371]:   Found SUM version 4.309009. Treating it as release 4.3.
device-agent[5371]:   Full SUM support is granted as the current SUM version isn't lower than the minimal required SUM version of: 4.2
device-agent[5371]:   [1] Received 0 bytes (eof).
device-agent[5371]:   timer2 -> module 1 not executing: denied by role
device-agent[5371]:   timer2 -> module 2 not executing: denied by role
device-agent[5371]:   timer2 -> module 3 not executing: denied by role
device-agent[5371]:   timer2 -> module 4 not executing: denied by role
device-agent[5371]:   timer2 -> module 5 not executing: denied by role
device-agent[5371]:   timer2 -> module 6 not executing: denied by role
device-agent[5371]:   timer2 -> module 7 not executing: denied by role
device-agent[5371]:   timer2 -> module 1 not executing: denied by role
device-agent[5371]:   timer2 -> module 2 not executing: denied by role
device-agent[5371]:   timer2 -> module 3 not executing: denied by role
device-agent[5371]:   timer2 -> module 4 not executing: denied by role
device-agent[5371]:   timer2 -> module 5 not executing: denied by role
device-agent[5371]:   timer2 -> module 6 not executing: denied by role
device-agent[5371]:   timer2 -> module 7 not executing: denied by role
device-agent[5371]:   1 is not connected. Trying to connect

Which then just repeats.

For a short time, the UTM showed connected to the SUM, in the "SUM Health" pane, but that changed to not connected (red circle/cross).

Any thoughts or suggestions on how to get this UTM connected, or how to further diagnose the issue?

Thanks

Bob E.



This thread was automatically locked due to age.
Parents
  • Hi Bob and welcome to the UTM Community!

    The issue could be that the same license is in use on both UTMs.  If you're not the reseller, ask them for a demo license to get the new UTM fully configured before you shut down the original site.  Was that it?

    Cheers - Bob
    PS That looks like a log from the UTM Manager.  Should one of us mods move this thread to that forum?

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Hi Bob and welcome to the UTM Community!

    The issue could be that the same license is in use on both UTMs.  If you're not the reseller, ask them for a demo license to get the new UTM fully configured before you shut down the original site.  Was that it?

    Cheers - Bob
    PS That looks like a log from the UTM Manager.  Should one of us mods move this thread to that forum?

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • Thanks Bob

    I reset the UTM and manually recreated the configuration (which is what I was trying to avoid), so it's running on the new-installation-default trial license now. It's still not being seen by the SUM though, so I'm wondering if the SUM records something more specific about the hardware and is "rejecting" the UTM because it's seen that device before. Maybe?!

    We are a Sophos partner/reseller and I've some experience with UTM (only to Architect level). The log is the Device Agent log from the UTM. I'm not sure whether the issue is with the UTM config or the SUM, but you're probably right - it may be better posted there. Thanks!

    I see you all over the forums, so thanks for taking an interest in this one. Any thoughts?

    Cheers

    Bob E.

  • I've alerted a Sophos employee that participates here, Bob.

    You have a PM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi  


    If a backup from an existing (and joined to the same SUM) UTM is restored to a new or replacement device, it will fail to join the SUM. This is due to the backup containing the same unique system ID that the SUM uses to identify the devices. You will see logs like " device is already connected"  in the SUM log. The way around this is to reset the system ID and write those changes in a specific file. After that, you will be able to join into SUM.

    Is it possible for you to SSH into SUM and check the logs there? Do you get the error as I mentioned above?

    Regards

    Jaydeep

  • Hi Jaydeep

    I checked the SUM Core Daemon log and, yes, it shows repeating "... WARN  server.device.DeviceCache null - DeviceCache::login() device is already connected ..."

    Can I change the ID on the UTM?

    It seemed like such a good idea at the time!

    Many thanks!

    Bob E.

  • Hi  

    Those changes are only to be made by Support Engineers. I'd recommend creating a case for that. Feel free to DM me the case number or for any questions. 

    Regards

    Jaydeep