Sophos UTM - Sophos LiveConnect is disabled

Since 7 January 2016, my Sophos LiveConnect is disabled on the UTM. Before this, everything was working fine.

The PCs are working fine, but if the UTM cannot connect to LiveConnect, changes can't be done.

2016:01:07-20:05:31 myfirewall epsecd[5258]:  1. Epsec::Utils::Logging::_log:59() /</usr/local/bin/epp_client.plx>Epsec/Utils/Logging.pm
2016:01:07-20:05:31 myfirewall epsecd[5258]:  2. Epsec::Logic::Client::on_error:1461() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2016:01:07-20:05:31 myfirewall epsecd[5258]:  3. Epsec::Logic::Base::run:60() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2016:01:07-20:05:31 myfirewall epsecd[5258]:  4. main::top-level:63() client.pl
2016:01:07-20:05:31 myfirewall epsecd[5258]: <=========================================================================
2016:01:07-20:05:31 myfirewall epsecd[5258]: I id="4210" severity="info" sys="System" sub="epsecd" name="Sleeping for 180 seconds"
2016:01:07-20:08:33 myfirewall epsecd[5258]: W id="424200" severity="warn" sys="System" sub="epsecd" name="Socket connect to sss1-c1f5.broker.sophos.com:443 error: Connection refused"
2016:01:07-20:08:33 myfirewall epsecd[5258]: W id="424200" severity="warn" sys="System" sub="epsecd" name="Error creating socket. " syscall_error="Connection refused"
2016:01:07-20:08:33 myfirewall epsecd[5258]: >=========================================================================
2016:01:07-20:08:33 myfirewall epsecd[5258]: E id="4281" severity="crit" sys="System" sub="epsecd" name="Unexpected error: Unknown error at /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm line 151." effect="Can't talk to Sophos LiveConnect"
2016:01:07-20:08:33 myfirewall epsecd[5258]:
2016:01:07-20:08:33 myfirewall epsecd[5258]:  1. Epsec::Utils::Logging::_log:59() /</usr/local/bin/epp_client.plx>Epsec/Utils/Logging.pm
2016:01:07-20:08:33 myfirewall epsecd[5258]:  2. Epsec::Logic::Client::on_error:1461() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2016:01:07-20:08:33 myfirewall epsecd[5258]:  3. Epsec::Logic::Base::run:60() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2016:01:07-20:08:33 myfirewall epsecd[5258]:  4. main::top-level:63() client.pl
2016:01:07-20:08:33 myfirewall epsecd[5258]: <=========================================================================
2016:01:07-20:08:33 myfirewall epsecd[5258]: I id="4210" severity="info" sys="System" sub="epsecd" name="Sleeping for 240 seconds"
2016:01:07-20:12:40 myfirewall epsecd[5258]: I id="4232" severity="info" sys="System" sub="epsecd" name="Not syncing web policy resources as web control is disabled"
2016:01:07-20:12:44 myfirewall epsecd[5258]: I id="4231" severity="info" sys="System" sub="epsecd" name="Syncing SWC with web control global status "
2016:01:07-22:02:26 myfirewall epsecd[5258]: I id="4213" severity="info" sys="System" sub="epsecd" name="User triggered changes in webadmin"
2016:01:07-23:02:02 myfirewall epsecd[5258]: I id="4213" severity="info" sys="System" sub="epsecd" name="User triggered changes in webadmin"



  • I'm having a similar issue.  Can't deploy agents or enable LiveConnect.

    Firmware version: 9.403-4
    Pattern version: 102803

    1. The Endpoint Protection Status states LiveConnect is Disabled.
    Looking at the Endpoint Protection Live Log, there's a protocol error when connecting.
    W main::_log:435() => severity="warn" sys="System" sub="eplog" name="Listing [https://a03ea04a-1b1c-3de9-a4fe-10c7171e7db5-wdx-1b1c.broker.sophos.com//a03ea04a-1b1c-3de9-a4fe-10c7171e7db5/] failed with return code 35: SSL connect error Unknown SSL protocol error in connection to a03ea04a-1b1c-3de9-a4fe-10c7171e7db5-wdx-1b1c.broker.sophos.com:443
    2. I can't download the agent using the link:
    The above website responds with an HTTP 404 error

    Not Found

    The requested URL /agent/ was not found on this server.

    Testing the LiveConnect address using openssl from the firewall produces this result.
    uriel:/home/login # openssl s_client -connect a03ea04a-1b1c-3de9-a4fe-10c7171e7db5-wdx-1b1c.broker.sophos.com:443
    CONNECTED(00000003)
    1435629192:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 290 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---
    uriel:/home/login #
    Clear text connection (p80) initiates a Reset from the server.
    uriel:/home/login # telnet a03ea04a-1b1c-3de9-a4fe-10c7171e7db5-wdx-1b1c.broker.sophos.com 80
    Trying 52.18.238.151...
    Connected to a03ea04a-1b1c-3de9-a4fe-10c7171e7db5-wdx-1b1c.broker.sophos.com.
    Escape character is '^]'.
    Connection closed by foreign host.
    Also Failed OpenSSL Connection to mcs1-1b1c.broker.sophos.com:443  Certificate not trusted???  Ah it's using an insecure TLSv1.0/SSL3.0 cert.  How do we get this connection to use the more secure TLS1.1+ protocols?

    uriel:/home/login # openssl s_client -connect mcs1-1b1c.broker.sophos.com:443
    CONNECTED(00000003)
    depth=0 C = GB, ST = Oxfordshire, O = Sophos Ltd, CN = *.broker.sophos.com, emailAddress = mlh@sophos.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = GB, ST = Oxfordshire, O = Sophos Ltd, CN = *.broker.sophos.com, emailAddress = mlh@sophos.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 C = GB, ST = Oxfordshire, O = Sophos Ltd, CN = *.broker.sophos.com, emailAddress = mlh@sophos.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
    0 s:/C=GB/ST=Oxfordshire/O=Sophos Ltd/CN=*.broker.sophos.com/emailAddress=mlh@sophos.com
    i:/C=GB/ST=Oxfordshire/L=Abingdon/O=Sophos Ltd/CN=SophosCA1/emailAddress=mlh@sophos.com
    ---
    Server certificate
    subject=/C=GB/ST=Oxfordshire/O=Sophos Ltd/CN=*.broker.sophos.com/emailAddress=mlh@sophos.com
    issuer=/C=GB/ST=Oxfordshire/L=Abingdon/O=Sophos Ltd/CN=SophosCA1/emailAddress=mlh@sophos.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1702 bytes and written 424 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1
    Cipher : ECDHE-RSA-AES256-SHA
    Session-ID: 40901717C547ED2818D95585AE065E9F65C2AB1CE3E045AC36116FE4912C9F00
    Session-ID-ctx:
    Master-Key: 2C04D2EB110CC6D98FF11037BD1DCE95EC7EC82C5A59409FC4CB9E647AD50AABC9B129072AA09C421C21A34709234C0F
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1465753545
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

  • Hi, Jack, and welcome to the UTM Community!

    I don't remember seeing this before.  I would try [Reset Registration Token] on the 'Advanced' tab and then try the new installation link that results.  Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for the response BAlfson.  Unfortunately, I have tried resetting the registration token.  Because of the protocol error in the logs, I'm leaning toward an incompatibility between Sophos Cloud service & TLS1.1+.  I've set up my firewall not to accept anything less than TLS1.1 due to vulnerabilities in SSL3/TLS1.  Ultimately, I don't know the real root cause though.
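
The errors quoted in this thread fail at three different layers: a refused TCP connection, a failed TLS handshake, and a certificate chain that does not verify. The following is an added example, not code from the thread or from Sophos: a Python triage that labels each log line by the layer that failed. The rule patterns, the `NEXT_CHECK` hints and the shortened sample lines are assumptions modelled on the logs above.

```python
import re
from collections import Counter

# Ordered rules: the first pattern that matches names the layer that failed.
RULES = [
    ("cert_trust", re.compile(r"verify error|certificate not trusted", re.I)),
    ("tls_handshake", re.compile(r"SSL connect error|handshake failure", re.I)),
    ("tcp", re.compile(r"Connection refused|Connection timed out", re.I)),
]
# What to check at each layer (general guidance, not Sophos documentation).
NEXT_CHECK = {
    "tcp": "routing, packet filter rules, whether the service is listening",
    "tls_handshake": "protocol versions and cipher suites each side allows",
    "cert_trust": "CA bundle used to verify the server certificate chain",
}
# host:port where the host contains a dot, so log timestamps do not match.
ENDPOINT = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,}):(\d+)", re.I)

# Constructed sample, modelled on the lines quoted in this thread.
HOST = "a03ea04a-1b1c-3de9-a4fe-10c7171e7db5-wdx-1b1c.broker.sophos.com"
SAMPLE = [
    '2016:01:07-20:08:33 myfirewall epsecd[5258]: W id="424200" severity="warn" '
    'name="Socket connect to sss1-c1f5.broker.sophos.com:443 error: Connection refused"',
    '2016:01:07-20:08:33 myfirewall epsecd[5258]: I id="4210" severity="info" '
    'name="Sleeping for 240 seconds"',
    f'W main::_log:435() => severity="warn" sub="eplog" name="Listing [https://{HOST}//] '
    f"failed with return code 35: SSL connect error in connection to {HOST}:443",
    "verify error:num=20:unable to get local issuer certificate",
]


def classify(line):
    """Return (layer, 'host:port' or None) for a failure line, else None."""
    for layer, pattern in RULES:
        if pattern.search(line):
            m = ENDPOINT.search(line)
            return layer, (m.group(0) if m else None)
    return None


def summarize(lines):
    """Count failures per (layer, endpoint), skipping non-failure lines."""
    return Counter(hit for hit in map(classify, lines) if hit)


if __name__ == "__main__":
    for (layer, endpoint), n in summarize(SAMPLE).items():
        print(f"{n}x {layer:<13} {endpoint or '-'}: check {NEXT_CHECK[layer]}")
```
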
