After FW update 9.705: "urid not running - restarted"

Today I am working on a UTM 230. Immediately after updating to firmware 9.705003 on 9/24, I am getting many emails with the message "urid not running - restarted". The proxy log gives me lines like this:

2020:10:18-19:28:25 lissmacutm httpproxy[5474]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x19764300" function="urid_categorize_url" file="uri_scanner.c" line="242" message="urid_query failed: (-2) "

Also getting many lines with "Categorization failed". These are not specific to any internal or external IP although MS updates are more common particularly on the weekend.

BAlfson wrote in one post that the UTM is being "chatty", but since this occurred on the day of an update and afterwards, I wonder if there's an issue with the update or did my DNS somehow get hosed?

Thanks, Tom



  • Hello Tom,

    Thank you for contacting the Sophos Community!

    Do you see anything related to urid under /var/storage/cores?

    # ls -lh /var/storage/cores

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos  |  Product Documentation  |  @SophosSupport  |  Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmanuel,

    Here's what I got:

    -rw-r--r-- 1 root root 75M Oct 19 16:46 urid.16785
    -rw-r--r-- 1 root root 75M Oct 19 16:47 urid.18341
    -rw-r--r-- 1 root root 75M Oct 19 16:49 urid.18624
    -rw-r--r-- 1 root root 75M Oct 19 18:38 urid.18831
    -rw-r--r-- 1 root root 74M Oct 19 19:35 urid.23056

  • Hello Tom,

    Thank you for the follow-up!

    Hmm, that doesn't look right; it means the service is failing.

    Do the selfmon and kernel logs show any type of I/O errors?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • This output repeats in selfmon

    2020:10:20-13:45:52 lissmacutm selfmonng[4412]: W triggerAction: 'cmd'
    2020:10:20-13:45:52 lissmacutm selfmonng[4412]: W actionCmd(+):  '/var/mdw/scripts/urid restart'
    2020:10:20-13:45:53 lissmacutm selfmonng[4412]: W child returned status: exit='0' signal='0'
    2020:10:20-15:04:54 lissmacutm selfmonng[4412]: I check Failed increment urid_running counter 1 - 3
    2020:10:20-15:04:59 lissmacutm selfmonng[4412]: I check Failed increment urid_running counter 2 - 3
    2020:10:20-15:05:04 lissmacutm selfmonng[4412]: W check Failed increment urid_running counter 3 - 3
    2020:10:20-15:05:04 lissmacutm selfmonng[4412]: [INFO-188] urid not running - restarted
    2020:10:20-15:05:04 lissmacutm selfmonng[4412]: W NOTIFYEVENT Name=urid_running Level=INFO Id=188 sent
    
    And this is a sample from kernel... looks like I/O problems
    2020:10:20-13:45:41 lissmacutm kernel: [522243.502228] Sense Key : 0x3 [current] [descriptor]
    2020:10:20-13:45:41 lissmacutm kernel: [522243.502229] Descriptor sense data with sense descriptors (in hex):
    2020:10:20-13:45:41 lissmacutm kernel: [522243.502230]         72 03 11 04 00 00 00 0c 00 0a 80 00 00 00 00 00 
    2020:10:20-13:45:41 lissmacutm kernel: [522243.502234]         00 eb 78 81 
    2020:10:20-13:45:41 lissmacutm kernel: [522243.502237] sd 0:0:0:0: [sda]  
    2020:10:20-13:45:41 lissmacutm kernel: [522243.502238] ASC=0x11 ASCQ=0x4
    2020:10:20-13:45:41 lissmacutm kernel: [522243.502239] sd 0:0:0:0: [sda] CDB: 
    2020:10:20-13:45:41 lissmacutm kernel: [522243.502239] cdb[0]=0x28: 28 00 00 eb 78 81 00 00 08 00
    2020:10:20-13:45:41 lissmacutm kernel: [522243.502243] end_request: I/O error, dev sda, sector 15431809
    2020:10:20-13:45:41 lissmacutm kernel: [522243.502249] ata1: EH complete
    2020:10:20-15:04:51 lissmacutm kernel: [526997.539585] ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
    2020:10:20-15:04:51 lissmacutm kernel: [526997.539587] ata1.00: irq_stat 0x40000001
    2020:10:20-15:04:51 lissmacutm kernel: [526997.539590] ata1.00: failed command: READ DMA
    2020:10:20-15:04:51 lissmacutm kernel: [526997.539594] ata1.00: cmd c8/00:08:81:78:eb/00:00:00:00:00/e0 tag 19 dma 4096 in
    2020:10:20-15:04:51 lissmacutm kernel: [526997.539594]          res 51/40:08:81:78:eb/00:00:00:00:00/e0 Emask 0x9 (media error)
    2020:10:20-15:04:51 lissmacutm kernel: [526997.539595] ata1.00: status: { DRDY ERR }
    2020:10:20-15:04:51 lissmacutm kernel: [526997.539596] ata1.00: error: { UNC }
    2020:10:20-15:04:51 lissmacutm kernel: [526997.541645] ata1.00: configured for UDMA/133
    2020:10:20-15:04:51 lissmacutm kernel: [526997.541651] sd 0:0:0:0: [sda] Unhandled sense code
    2020:10:20-15:04:51 lissmacutm kernel: [526997.541652] sd 0:0:0:0: [sda]  
    2020:10:20-15:04:51 lissmacutm kernel: [526997.541653] Result: hostbyte=0x00 driverbyte=0x08
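Added example, not part of the original thread: a small Python script that lines up the `urid` restarts reported by selfmonng with kernel disk errors logged shortly before them, and decodes the READ(10) CDB to confirm it targets the same sector the kernel reports as failed. The function names and the 60-second window are assumptions made for this illustration; the sample lines are excerpted from the logs posted above.

```python
import re
from datetime import datetime, timedelta

# Lines excerpted from the kernel and selfmon output posted in this thread.
SAMPLE = """\
2020:10:20-13:45:41 lissmacutm kernel: [522243.502238] ASC=0x11 ASCQ=0x4
2020:10:20-13:45:41 lissmacutm kernel: [522243.502239] cdb[0]=0x28: 28 00 00 eb 78 81 00 00 08 00
2020:10:20-13:45:41 lissmacutm kernel: [522243.502243] end_request: I/O error, dev sda, sector 15431809
2020:10:20-13:45:52 lissmacutm selfmonng[4412]: W actionCmd(+):  '/var/mdw/scripts/urid restart'
2020:10:20-15:04:51 lissmacutm kernel: [526997.539594]          res 51/40:08:81:78:eb/00:00:00:00:00/e0 Emask 0x9 (media error)
2020:10:20-15:05:04 lissmacutm selfmonng[4412]: [INFO-188] urid not running - restarted
"""

LINE = re.compile(r"^(\S+) \S+ ([\w-]+)(?:\[\d+\])?: (.*)$")
DISK_ERR = re.compile(r"I/O error, dev \w+, sector \d+|\(media error\)")
URID_RESTART = re.compile(r"urid restart'|urid not running - restarted")
CDB = re.compile(r"cdb\[0\]=0x28: ((?:[0-9a-f]{2} ?){10})")

def parse(text):
    """Yield (timestamp, process, message) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S"), m.group(2), m.group(3)

def read10_lbas(text):
    """Return the LBA of each READ(10) CDB (opcode 0x28, bytes 2-5 big-endian)."""
    out = []
    for _, proc, msg in parse(text):
        m = CDB.search(msg) if proc == "kernel" else None
        if m:
            out.append(int.from_bytes(bytes.fromhex(m.group(1))[2:6], "big"))
    return out

def correlate(text, window=timedelta(seconds=60)):
    """Count kernel disk errors in the window before each urid restart."""
    events = list(parse(text))
    errors = [ts for ts, proc, msg in events
              if proc == "kernel" and DISK_ERR.search(msg)]
    result = {}  # keyed by timestamp so two selfmon lines for one restart count once
    for ts, proc, msg in events:
        if proc == "selfmonng" and URID_RESTART.search(msg):
            result[ts.isoformat()] = sum(timedelta(0) <= ts - t <= window for t in errors)
    return sorted(result.items())

if __name__ == "__main__":
    print(correlate(SAMPLE))
    print(read10_lbas(SAMPLE))
```

Run against the full /var/log/kernel and /var/log/selfmon contents concatenated together, a restart with a non-zero count was preceded by a disk error, and a decoded LBA equal to the failed sector shows the read that hit the bad block.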
    
  • Hello Tom,

    Thank you for the follow-up!

    Seems the disk is damaged; if the device is under warranty, please open a case with Support and ask for an RMA, as the device needs to be replaced. You can send me the Case ID so I can follow up. When submitting the case, please include the output of both logs

    /var/log/kernel and /var/log/selfmon as well as the output of /var/storage/cores.

    You can also reference this Community Thread when opening the case. 

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Unfortunately, no warranty. Will discuss with client. Thanks all for the help.

  • Hello Tom,

    You could also try to re-image the device! Hopefully, if it was something that corrupted the entries this should be solved there!

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • You're referring to re-imaging with an ISO? I can try that but not until Saturday. In the meantime I'll see what Bob's suggestion does with the logs and I'll report back.

    Thanks again!

  • Hello Tom,

    Sorry yes, I should have been more clear, yes re-image using ISO. This is the URL to download the ISO.

    https://www.sophos.com/en-us/support/utm-downloads.aspx

    This is the KB that explains how to re-image the device, in case you are not familiar with the procedure.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thanks, I'm very familiar with the process. It won't be a problem.

  • The UTM was reimaged on Saturday without issue and monitored throughout the weekend. Between that and a full day of user traffic today, all logs are clean and not showing the I/O errors. The URID emails have also stopped. Hopefully, the cause of this was a bad firmware update install.

    Thank you Emmanuel and Bob for your attention to this!

    Tom
