
UTM 9.213-4 - Sophos LiveConnect for EndPoint - no computers are showing online

I am using UTM 9.213-4 on an SG210 and have deployed the Sophos EndPoint Protection client on my devices - however, about 12 days ago, the clients stopped showing as "online" in the UTM WebAdmin control panel. If I open the live log, I can see that it appears that my UTM is failing to connect with Sophos:

2016:01:05-11:13:01 sophos epsecd[5965]: |=========================================================================
2016:01:05-11:13:01 sophos epsecd[5965]: W main::_log:432() => severity="warn" sys="System" sub="eplog" name="Listing [https://689932ef-025c-305a-b799-fda65d57d723-wdx-025c.broker.sophos.com//689932ef-025c-305a-b799-fda65d57d723/] failed with return code 35: SSL connect error Unknown SSL protocol error in connection to 689932ef-025c-305a-b799-fda65d57d723-wdx-025c.broker.sophos.com:443
2016:01:05-11:13:01 sophos epsecd[5965]: "
2016:01:05-11:14:11 sophos epsecd[5965]: |=========================================================================
2016:01:05-11:14:11 sophos epsecd[5965]: W main::_log:432() => severity="warn" sys="System" sub="eplog" name="Listing [https://689932ef-025c-305a-b799-fda65d57d723-wdx-025c.broker.sophos.com//689932ef-025c-305a-b799-fda65d57d723/] failed with return code 28: Timeout was reached SSL connection timeout
2016:01:05-11:14:11 sophos epsecd[5965]: "
 
Does anyone have any ideas on how to remedy this? I know there are two further 9.2 updates to install (but LiveConnect had been working well up until 12 days ago), and I have not tried a reboot yet.
Thanks for any inspiration!
 


  • Now there is a new error appearing (mixed with the timeout error).

    2016:03:10-17:11:36 fw epsecd[5037]: W main::_log:435() => severity="warn" sys="System" sub="eplog" name="Listing [https://c87e5467-f30d-3cb0-893d-25f6c86d208a-wdx-f30d.broker.sophos.com//c87e5467-f30d-3cb0-893d-25f6c86d208a/] failed with return code 35: SSL connect error Unknown SSL protocol error in connection to c87e5467-f30d-3cb0-893d-25f6c86d208a-wdx-f30d.broker.sophos.com:443

    I also get tons of DNS errors in the Web-Filter, because of the IPv6 hostnames used that of course do not resolve on my network (IPv6 is disabled in my configuration).

    2016:03:10-09:49:35 fw httpproxy[5128]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="464" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
    2016:03:10-09:49:35 fw httpproxy[5128]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3616" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080": Name or service not known"
    2016:03:10-09:49:35 fw httpproxy[5128]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3616" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"

    These are clearly bugs and not configuration or setup issues. None of the web-filter policies currently work. It seems that this bug is only triggered under special circumstances, as the forum would be full of complaints if that happened to everybody.

    I think I will have to downgrade the system, this firmware seems to be a dead end for me.


    Martin

  • Hi, Martin and Rick, and welcome to the UTM Community!

    I think the UTM is "chatty" when it comes to the logs, so I wouldn't worry about the IPv6 errors.

    What happens if you disable 'Web Control' in Endpoint for one of the missing computers - does it show as green about 10 seconds later?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob!

    Actually, all the endpoints are (mostly) green; only sometimes they are grey even if they are online, but I could not confirm that this is related to all these error events. If it's like you say and the UTM is chatty, then it may be unrelated. For the IPv6 events I would agree that this does not sound like a big issue, but what about all these SSL errors?

    I tried to switch web control on and off several times but it does not make a difference.

    My actual issue is that the webfilter policies do not work any more, i.e. web access is completely open and the clients can surf wherever they like although the endpoint agent app says that web control is enabled.

    Cheers

    Martin

  • I have the same issue. In the log I am getting failed with response code 403: No error SSL connection timeout

    If I try to go to the web address it says cert error.

  • Hi, Mark, and welcome to the UTM Community!

    At least two different problems were discussed above. Please show a copy of the log line. What web address?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    I still have the same issues with UTM version 9.4xxxx.

    My endpoints are getting new policies like tamper protection password changes, ..., but my changes in the web control are not published to the broker server. When I set a warning for gaming sites in the web filter policy for my endpoint, the UTM warns me when my endpoint is behind the UTM, but when my endpoint is not behind the UTM I can surf gaming sites without warnings.

    In the endpoint log of my utm the following error appears:

    2016:05:01-22:32:11 utm epsecd[5964]: |=========================================================================

    2016:05:01-22:32:11 utm epsecd[5964]: W main::_log:435() => severity="warn" sys="System" sub="eplog" name="Listing [https://c636cd28-76a6-390e-bad1-bb85fe90686f-wdx-76a6.broker.sophos.com//c636cd28-76a6-390e-bad1-bb85fe90686f/] failed with return code 28: Timeout was reached Operation timed out after 10000 milliseconds with 0 bytes received
    2016:05:01-22:32:11 utm epsecd[5964]: "
    2016:05:01-22:32:33 utm epsecd[17544]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
    2016:05:01-22:32:33 utm epsecd[17544]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1,-1"
    2016:05:01-22:33:21 utm epsecd[5964]: |=========================================================================
    2016:05:01-22:33:21 utm epsecd[5964]: W main::_log:435() => severity="warn" sys="System" sub="eplog" name="Listing [https://c636cd28-76a6-390e-bad1-bb85fe90686f-wdx-76a6.broker.sophos.com//c636cd28-76a6-390e-bad1-bb85fe90686f/] failed with return code 28: Timeout was reached SSL connection timeout
    2016:05:01-22:33:21 utm epsecd[5964]: "
    2016:05:01-22:34:21 utm epsecd[17544]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
    2016:05:01-22:34:21 utm epsecd[17544]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
    I think Sophos has a problem with the LiveConnect broker servers in their cloud.

    Cheers Andreas

     

    UTM SCE/SCA | Endpoint SCE
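The epsecd warnings quoted in the opening post and in Andreas's post above carry a numeric "return code" (35, 28) followed by a message. Those messages ("SSL connect error", "Timeout was reached") and code numbers match libcurl's CURLcode strings, so it is a reasonable assumption, and only an assumption, that epsecd fetches the broker listing with libcurl. The script below is an added example, not Sophos code and not part of any post in this thread: it parses the epsecd log format shown above, maps each return code to its libcurl name and a failure category (DNS, TCP, timeout, TLS handshake, certificate verification), and summarises failures per broker host so you can tell "broker unreachable" apart from "TLS interception or bad CA" before opening a case. The sample log is constructed from lines quoted in this thread; the `assess()` wording and the category names are mine.

```python
"""Summarise Sophos UTM epsecd "Listing [...] failed with return code N" warnings.

Added example for this thread (not Sophos code). Assumption: the return code is a
libcurl CURLcode, as the message texts match curl_easy_strerror() output.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# CURLcode numbers and names from libcurl's curl/curl.h; categories are ours.
CURL_CODES = {
    6: ("CURLE_COULDNT_RESOLVE_HOST", "dns"),
    7: ("CURLE_COULDNT_CONNECT", "tcp"),
    28: ("CURLE_OPERATION_TIMEDOUT", "timeout"),
    35: ("CURLE_SSL_CONNECT_ERROR", "tls_handshake"),
    51: ("CURLE_PEER_FAILED_VERIFICATION", "cert_verify"),
    60: ("CURLE_SSL_CACERT", "cert_verify"),
}

# Matches the first line of each warning; the closing '"' comes on a later line.
LISTING_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<sysname>\S+) epsecd\[(?P<pid>\d+)\]: '
    r'W main::_log:\d+\(\) => severity="warn" sys="System" sub="eplog" '
    r'name="Listing \[(?P<url>[^\]]+)\] failed with return code (?P<code>\d+): (?P<msg>.*)$'
)

# Constructed sample: lines copied from the posts above, info/separator lines included
# so the parser has to skip them.
SAMPLE_LOG = """\
2016:01:05-11:13:01 sophos epsecd[5965]: |=========================================================================
2016:01:05-11:13:01 sophos epsecd[5965]: W main::_log:432() => severity="warn" sys="System" sub="eplog" name="Listing [https://689932ef-025c-305a-b799-fda65d57d723-wdx-025c.broker.sophos.com//689932ef-025c-305a-b799-fda65d57d723/] failed with return code 35: SSL connect error Unknown SSL protocol error in connection to 689932ef-025c-305a-b799-fda65d57d723-wdx-025c.broker.sophos.com:443
2016:01:05-11:13:01 sophos epsecd[5965]: "
2016:01:05-11:14:11 sophos epsecd[5965]: W main::_log:432() => severity="warn" sys="System" sub="eplog" name="Listing [https://689932ef-025c-305a-b799-fda65d57d723-wdx-025c.broker.sophos.com//689932ef-025c-305a-b799-fda65d57d723/] failed with return code 28: Timeout was reached SSL connection timeout
2016:01:05-11:14:11 sophos epsecd[5965]: "
2016:05:01-22:32:11 utm epsecd[5964]: W main::_log:435() => severity="warn" sys="System" sub="eplog" name="Listing [https://c636cd28-76a6-390e-bad1-bb85fe90686f-wdx-76a6.broker.sophos.com//c636cd28-76a6-390e-bad1-bb85fe90686f/] failed with return code 28: Timeout was reached Operation timed out after 10000 milliseconds with 0 bytes received
2016:05:01-22:32:33 utm epsecd[17544]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
"""


def parse_listing_failures(log_text):
    """Return one dict per 'Listing ... failed' warning; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        code = int(m.group("code"))
        name, category = CURL_CODES.get(code, ("UNKNOWN", "unknown"))
        events.append({
            "ts": m.group("ts"),
            "broker": urlsplit(m.group("url")).hostname,
            "code": code,
            "name": name,
            "category": category,
            "msg": m.group("msg").strip(),
        })
    return events


def summarise(events):
    """{broker hostname: {curl code: count}}"""
    by_broker = defaultdict(Counter)
    for e in events:
        by_broker[e["broker"]][e["code"]] += 1
    return {broker: dict(counts) for broker, counts in by_broker.items()}


def assess(events):
    """One-line triage hint based on which failure categories are present."""
    if not events:
        return "no broker listing failures found"
    cats = Counter(e["category"] for e in events)
    if cats["dns"]:
        return "broker hostname does not resolve: check the UTM's DNS forwarders first"
    if cats["tcp"]:
        return "TCP connect to the broker fails: check outbound 443 and routing"
    if cats["cert_verify"]:
        return "certificate verification failed: look for TLS interception or a missing CA"
    if set(cats) <= {"timeout", "tls_handshake"}:
        return ("TCP reaches the broker but the TLS handshake times out or fails: check the "
                "UTM clock, any upstream proxy/IPS, and test with openssl s_client")
    return "mixed failure categories: " + ", ".join(sorted(cats))


if __name__ == "__main__":
    evs = parse_listing_failures(SAMPLE_LOG)
    for broker, counts in summarise(evs).items():
        print(broker, counts)
    print(assess(evs))
```

To run it against a real box, paste the Endpoint Protection live log into `SAMPLE_LOG` or read it from a file. A follow-up manual check for the "timeout / TLS handshake" verdict is `openssl s_client -connect <broker-host>:443 -servername <broker-host>` from a machine on the same egress path, which shows whether the handshake completes and which certificate chain is presented. Note that the "response code 403" mentioned later in this thread is an HTTP status, not a CURLcode, and is not something this parser classifies.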

  • Just to give you an update:

    I could not solve the issue with the non working web control policy and I finally gave up (i.e. I left the configuration unchanged and accepted that this does not work).

    After some weeks, suddenly and out of the blue, the policy started working again and blocked the google.com domain because I had used this URL for testing purposes before I gave up. And I really mean *no* config changes whatsoever on my side that could have triggered this.

    My google test policy turned out to be a very bad idea, because I could not switch it off again (the change was not propagated back to the clients - at least not within several hours that I tried to fix the issue). So I ended up with having to uninstall all endpoint clients to get google working again. Sorry guys, but whatever the problem was, it is not an acceptable behaviour that policies are propagated at random.

    Martin