
UTM 9.213-4 - Sophos LiveConnect for EndPoint - no computers are showing online

I am using UTM 9.213-4 on an SG210 and have deployed the Sophos EndPoint Protection client on my devices - however, about 12 days ago, the clients stopped showing as "online" in the UTM WebAdmin control panel. If I open the live log, I can see that it appears that my UTM is failing to connect with Sophos:

2016:01:05-11:13:01 sophos epsecd[5965]: |=========================================================================
2016:01:05-11:13:01 sophos epsecd[5965]: W main::_log:432() => severity="warn" sys="System" sub="eplog" name="Listing [https://689932ef-025c-305a-b799-fda65d57d723-wdx-025c.broker.sophos.com//689932ef-025c-305a-b799-fda65d57d723/] failed with return code 35: SSL connect error Unknown SSL protocol error in connection to 689932ef-025c-305a-b799-fda65d57d723-wdx-025c.broker.sophos.com:443
2016:01:05-11:13:01 sophos epsecd[5965]: "
2016:01:05-11:14:11 sophos epsecd[5965]: |=========================================================================
2016:01:05-11:14:11 sophos epsecd[5965]: W main::_log:432() => severity="warn" sys="System" sub="eplog" name="Listing [https://689932ef-025c-305a-b799-fda65d57d723-wdx-025c.broker.sophos.com//689932ef-025c-305a-b799-fda65d57d723/] failed with return code 28: Timeout was reached SSL connection timeout
2016:01:05-11:14:11 sophos epsecd[5965]: "
 
Does anyone have any ideas how to remedy this? I know there are two further 9.2 updates to install (but live connect has been working well up until 12 days ago), and I have not tried a reboot yet.
Thanks for any inspiration!
 


This thread was automatically locked due to age.
  • Just to let you know, my endpoints are now showing as online. This happened sometime over the weekend.
  • Yes, I can confirm this.
    For me (Home Lic) it is also working again. Sophos seems to have done some "magic" after they got knowledge of this issue.

    Happy again...
    Markus
  • I am on 9.355-1 and still having this issue.

    The error is there for hours and then suddenly the connection works. But a little later the problem reappears.

    2016:03:09-00:35:39 fw epsecd[5018]: W main::_log:435() => severity="warn" sys="System" sub="eplog" name="Listing [https://c87e5467-f30d-3cb0-893d-25f6c86d208a-wdx-f30d.broker.sophos.com//c87e5467-f30d-3cb0-893d-25f6c86d208a/] failed with return code 28: Timeout was reached SSL connection timeout
    2016:03:09-00:35:39 fw epsecd[5018]: "
    2016:03:09-00:35:46 fw epsecd[5021]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
    2016:03:09-00:35:46 fw epsecd[5021]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
    2016:03:09-00:38:29 fw epsecd[5021]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
    2016:03:09-00:38:29 fw epsecd[5021]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
    2016:03:09-00:40:17 fw epsecd[5021]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
    2016:03:09-00:40:17 fw epsecd[5021]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"

    So no magic unfortunately yet for me...

    Martin
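The intermittent pattern in the log excerpt above can be measured rather than eyeballed. The following is an added example, not part of the original thread or any Sophos tooling: it parses epsecd lines in the format quoted here, tallies broker failures by return code, and counts how often the link flips between failing and receiving reports. It assumes the "return code" values are libcurl codes (the messages in the log match libcurl's strings for 28 and 35); the sample lines and the `broker.example` host are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Assumption: "return code" is a libcurl CURLcode; 28 and 35 carry these names there.
CURL_CODES = {28: "CURLE_OPERATION_TIMEDOUT", 35: "CURLE_SSL_CONNECT_ERROR"}

# Constructed sample in the epsecd log format quoted in the thread; host is a placeholder.
SAMPLE = '''\
2016:03:09-00:20:00 fw epsecd[5018]: W main::_log:435() => severity="warn" sys="System" sub="eplog" name="Listing [https://tenant-wdx-0000.broker.example//tenant/] failed with return code 35: SSL connect error
2016:03:09-00:31:10 fw epsecd[5018]: W main::_log:435() => severity="warn" sys="System" sub="eplog" name="Listing [https://tenant-wdx-0000.broker.example//tenant/] failed with return code 28: Timeout was reached SSL connection timeout
2016:03:09-00:35:46 fw epsecd[5021]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:09-00:38:29 fw epsecd[5021]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:09-00:50:02 fw epsecd[5018]: W main::_log:435() => severity="warn" sys="System" sub="eplog" name="Listing [https://tenant-wdx-0000.broker.example//tenant/] failed with return code 28: Timeout was reached SSL connection timeout
'''

LINE = re.compile(r'^(\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) \S+ epsecd\[\d+\]: (.*)$')
FAIL = re.compile(r'Listing \[https://([^/\]]+)[^\]]*\] failed with return code (\d+)')

def parse(text):
    """Yield (timestamp, state, host, code) for broker failures and received reports."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
        f = FAIL.search(m.group(2))
        if f:
            yield ts, "fail", f.group(1), int(f.group(2))
        elif 'id="4211"' in m.group(2):  # "Received report(s) from Sophos LiveConnect"
            yield ts, "ok", None, None

def summarize(text):
    """Count failures by code, state flips, and the longest run of consecutive failures."""
    events = list(parse(text))
    codes = Counter(CURL_CODES.get(c, str(c)) for _, s, _, c in events if s == "fail")
    flips = sum(1 for a, b in zip(events, events[1:]) if a[1] != b[1])
    longest, start = 0, None
    for ts, state, *_ in events:
        if state == "fail":
            start = start or ts  # first failure of the current streak
            longest = max(longest, int((ts - start).total_seconds()))
        else:
            start = None
    return {"codes": dict(codes), "flips": flips, "longest_fail_streak_s": longest}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A high flip count with both codes present points at an unstable path to the broker rather than a fixed local misconfiguration, which is worth having in hand when opening a support case.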

  • I have been experiencing the exact same thing on 9.355-1.  I've even reset my subscription and have started over and am still having the same issues with the endpoints.  I've also noticed none of the Web Protection logs are coming back.  All the logging is blank at this point at this release.  I'm surprised no one else is seeing this issue?!?

    Rick

  • Now there is a new error appearing (mixed with the timeout error).

    2016:03:10-17:11:36 fw epsecd[5037]: W main::_log:435() => severity="warn" sys="System" sub="eplog"
    name="Listing [https://c87e5467-f30d-3cb0-893d-25f6c86d208a-wdx-f30d.broker.sophos.com//c87e5467-f30d-3cb0-893d-25f6c86d208a/]
    failed with return code 35: SSL connect error Unknown SSL protocol error in connection to c87e5467-f30d-3cb0-893d-25f6c86d208a-wdx-f30d.broker.sophos.com:443

    I also get tons of DNS errors in the Web-Filter, because of the IPv6 hostnames used that of course do not resolve on my network (IPv6 is disabled in my configuration).

    2016:03:10-09:49:35 fw httpproxy[5128]: id="0003" severity="info" sys="SecureWeb" sub="http"
    request="(nil)" function="parse_address" file="util.c" line="464" message="getaddrinfo:
    2016:03:10-09:49:35 fw httpproxy[5128]: id="0003" severity="info" sys="SecureWeb" sub="http"
    request="(nil)" function="parse_address" file="util.c" line="464" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
    2016:03:10-09:49:35 fw httpproxy[5128]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3616" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080": Name or service not known"
    2016:03:10-09:49:35 fw httpproxy[5128]: id="0003" severity="info" sys="SecureWeb" sub="http"
    request="(nil)" function="confd_config_filter" file="confd-client.c" line="3616"
    message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"

    These are clearly bugs and not configuration or setup issues. None of the web-filter policies currently work. It seems that this bug is only triggered under special circumstances as the forum would be full of complaints if that happened to everybody.

    I think I will have to downgrade the system, this firmware seems to be a dead end for me.


    Martin

  • Hi, Martin and Rick, and welcome to the UTM Community!

    I think the UTM is "chatty" when it comes to the logs, so I wouldn't worry about  the IPv6 errors.

    What happens if you disable 'Web Control' in Endpoint for one of the missing computers - does it show as green about 10 seconds later?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob!

    Actually all the endpoints are (mostly) green, only sometimes they are grey even if they are online, but I could not confirm that this is related to all these error events. If it's like you say and the UTM is chatty then it may be unrelated. For the IPv6 events I would agree that this does not sound like a big issue, but what about all these SSL errors?

    I tried to switch web control on and off several times but it does not make a difference.

    My actual issue is that the webfilter policies do not work any more, i.e. web access is completely open and the clients can surf wherever they like although the endpoint agent app says that web control is enabled.

    Cheers

    Martin

  • I have the same issue. In the log I am getting failed with response code 403: No error SSL connection timeout

    If I try to go to the web address it says cert error.

  • Hi, Mark, and welcome to the UTM Community!

    At least two different problems were discussed above.  Please show a copy of the log line.  What web address?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Just to give you an update:

    I could not solve the issue with the non-working web control policy and I finally gave up (i.e. I left the configuration unchanged and accepted that this does not work).

    After some weeks, suddenly and out of the blue, the policy started working again and blocked the google.com domain because I had used this URL for testing purposes before I gave up. And I really mean *no* config changes whatsoever on my side that could have triggered this.

    My google test policy turned out to be a very bad idea, because I could not switch it off again (the change was not propagated back to the clients - at least not within several hours that I tried to fix the issue). So I ended up with having to uninstall all endpoint clients to get google working again. Sorry guys, but whatever the problem was, it is not an acceptable behaviour that policies are propagated at random.

    Martin
