Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 5 subscribers
  • Views 1390 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Inconsistent policy updating from SGN 5.40 server

Robert_McGinley

I'm seeing an issue in our SGN 5.40 environment where clients are not reliably receiving policy updates, keyring additions or certificates. It seems to take approximately 1 day for changes to migrate out to the agents. Our policy uses the default 90 minute (of course taking into account +/- 50%) update timing.

This extends the time it takes our field agents to decrypt machines, "slave" encrypted drives and users to regenerate certificates (Possibly being the root cause of certificate syncing/user credentials not updating issues we're also seeing).

Data replication attempts seem to be working fine as the timestamp returned by SGNState.exe /L updates correctly but the policy timestamp does not, even when a new policy is available on the server. I have not verified if new client logs have been uploaded to the backend servers. I have tried forcing an update in the following three ways:

  • %WINDIR%\system32\SGMCmdIntn.exe -s
  • Restart the "SafeGuard(R) Transport Service"
  • Rebooting the client (To restart the Transport service)

I'm thinking it's not an issue with the client, but an issue with the application server receiving these requests.

The IIS server (Win 2k3) seems to be running fine with 2 worker processes recycling at 1740 minutes or when they hit 700mb of vmem used.

Has anyone seen this before and possibly have a resolution? What troubleshooting steps should we be taking?

Thanks!

:864


This thread was automatically locked due to age.
  • 0

    Hi Robert,

    Reading through your post a few things came to mind.

    1. Did you apply the patch for SGN 5.40?

    2. There was an issue like this with Vista on versions before SGN 5.40 but since have been resolved (almost?).

    3. If the Vista SP1 client is getting the update, but it's taking 1 day or more, are there any signs of dropped connections to IIS ?

    4. Are you using the default SGN Client encryption to the SGN Server?

    5. How many clients are connecting to the SGN Server in total throughout the day?

    6. If you are using "Utimaco" encryption for client communication, have you considered switching to SSL for better performance?

    Please let us know if you have any questions. After reviewing these questions and taking action where appropriate, if client communication is still in need of improvement, please contact Sophos Global Support so they may escalate this back to Product Engineering.

    :913
  • 0

    Hi Rob

    Did you ever get to the bottom of this issue?  We have logged a call for similar problme and have been told to look at activating the "Autorestart option" in IIS (were forwarded a doc on how to do this).

    Not tried this yet, but wondering if it might have fixed  using the same approach?

    Cheers

    Matt

    :1469
Unfiltered HTML