SophosUpdate not working through VPN

Hi,

As the title mentions, updates through an SSL VPN tunnel aren't working. Seen from Sophos Central, some computers link to Sophos, others to the Update Server, but all mention issues in their logfiles...

The line that makes me wonder most is "ERROR No network connectivity. Update cannot continue." …
It may be that there is no connectivity to whatever it tries, but there is network available, as the VPN is open … also none of the logs on the Sophos firewall (packetfilter and http) mention anything about blocked content, so we have no clue what it is trying to do, or if the updater just can't find the route through the tunnel...
Any hints on what to look for? Currently support didn't find more to say than "it must be the firewall" …

Is there an option to read the alc.log file when using Sophos Central? Maybe this would make this more clear...

On my computer, today's attempts look like this (and even then, Sophos Central currently states "Update Successful"... but the log is exactly the same as on another computer which is seen as "Update failed"):

2020-04-07T07:34:59.376Z [ 8860:15908] [v6.1.356.0] INFO  =========================
2020-04-07T07:34:59.376Z [ 8860:15908] [v6.1.356.0] INFO  SophosUpdate is starting.
2020-04-07T07:34:59.376Z [ 8860:15908] [v6.1.356.0] INFO  AutoUpdate version      : 6.1.356.0
2020-04-07T07:34:59.376Z [ 8860:15908] [v6.1.356.0] INFO  SophosUpdate version    : 6.1.356.0
2020-04-07T07:34:59.376Z [ 8860:15908] [v6.1.356.0] INFO  Build                   : 20190830114005-95a0922451e171e9dc54e46773bc3633f4b6b20b
2020-04-07T07:34:59.376Z [ 8860:15908] [v6.1.356.0] INFO  =========================
2020-04-07T07:34:59.376Z [ 8860:15908] [v6.1.356.0] INFO  Platform ID: WIN_10_X64 1909 18363.720
2020-04-07T07:34:59.377Z [ 8860:15908] [v6.1.356.0] INFO  Platform upgraded: 0
2020-04-07T07:34:59.377Z [ 8860:15908] [v6.1.356.0] INFO  Subscription: WindowsCloudNextGen RECOMMENDED 11
2020-04-07T07:34:59.377Z [ 8860:15908] [v6.1.356.0] INFO  Subscription: WindowsCloudClean RECOMMENDED 1
2020-04-07T07:34:59.377Z [ 8860:15908] [v6.1.356.0] INFO  Subscription: WindowsCloudAV RECOMMENDED 11
2020-04-07T07:34:59.377Z [ 8860:15908] [v6.1.356.0] INFO  Subscription: WindowsCloudHitmanProAlert RECOMMENDED 1
2020-04-07T07:34:59.377Z [ 8860:15908] [v6.1.356.0] INFO  Subscriptions changed: 0
2020-04-07T07:34:59.377Z [ 8860:15908] [v6.1.356.0] INFO  Features: APPCNTRL AV CLEAN CONNECT CORE DLP DVCCNTRL EFW HBT NTP SAV SDU WEBCNTRL XPD
2020-04-07T07:34:59.377Z [ 8860:15908] [v6.1.356.0] INFO  Features changed: 0
2020-04-07T07:34:59.380Z [ 8860:15908] [v6.1.356.0] INFO  Loading state file C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml
2020-04-07T07:34:59.538Z [ 8860:15908] [v6.1.356.0] ERROR No network connectivity. Update cannot continue.
2020-04-07T07:34:59.538Z [ 8860:15908] [v6.1.356.0] INFO  Telemetry::LoadTelemetrySupplement 215: Telemetry Interval set to 86400 seconds
2020-04-07T07:34:59.538Z [ 8860:15908] [v6.1.356.0] INFO  Telemetry::LoadDocument 202: C:\ProgramData\Sophos\AutoUpdate\\Config\TelemetryConfig.json loaded
2020-04-07T07:34:59.538Z [ 8860:15908] [v6.1.356.0] INFO  Telemetry::LoadTelemetrySupplement 256: Telemetry Interval updated to 86400 seconds
2020-04-07T07:34:59.538Z [ 8860:15908] [v6.1.356.0] INFO  Telemetry::CalculateLastTelemtryTime 145: Telemetry last ran at 2020-04-06 08:04:52, Offset 4201, Offset Time 2020-04-06 09:14:53
2020-04-07T07:34:59.538Z [ 8860:15908] [v6.1.356.0] INFO  Telemetry::HasTelemetrySchedulePeriodElapsed 164: Telemetry schedule has elapsed.
2020-04-07T07:34:59.538Z [ 8860:15908] [v6.1.356.0] INFO  Telemetry::SubmitTelemetry 278: Gathering Telemetry
2020-04-07T07:35:06.409Z [ 8860:15908] [v6.1.356.0] INFO  Overwriting state file C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml
2020-04-07T07:35:06.429Z [ 8860:15908] [v6.1.356.0] INFO  Verified state file can be loaded.
2020-04-07T07:35:06.430Z [ 8860:15908] [v6.1.356.0] INFO  SophosUpdate has completed with the result 2.
2020-04-07T07:35:06.430Z [ 8860:15908] [v6.1.356.0] INFO  SophosUpdate is exiting.

 

Thanks for any info,

Alain
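
To compare machines the way the post above does (same log, different status in Sophos Central), the log can be split into update runs and each run's ERROR lines and result code pulled out. This is an added example, not part of the original thread and not Sophos code; the function names are hypothetical, the line layout is taken from the log above, and the second sample run is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Line layout seen in the log above: timestamp [pid:tid] [vX] LEVEL message
LINE_RE = re.compile(
    r"^(?P<ts>\S+Z) \[\s*\d+:\s*\d+\] \[v[\d.]+\] (?P<level>[A-Z]+)\s+(?P<msg>.*)$")
RESULT_RE = re.compile(r"SophosUpdate has completed with the result (\d+)\.")

@dataclass
class UpdateRun:
    started: str                    # timestamp of "SophosUpdate is starting."
    result: Optional[int] = None    # code from the "completed with the result" line
    errors: list = field(default_factory=list)

def parse_runs(text):
    """Split a SophosUpdate log into runs, one per "is starting." line."""
    runs, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                # not a log line in the expected layout
        msg = m["msg"].strip()
        if msg == "SophosUpdate is starting.":
            current = UpdateRun(started=m["ts"])
            runs.append(current)
        if current is None:
            continue                # log begins mid-run; nothing to attach to
        if m["level"] == "ERROR":
            current.errors.append(msg)
        found = RESULT_RE.search(msg)
        if found:
            current.result = int(found.group(1))
    return runs

def flagged(runs):
    """Runs that logged an ERROR line or never recorded a result code."""
    return [r for r in runs if r.errors or r.result is None]

# Run 1: lines copied from the post. Run 2: constructed (result 0 is a made-up value).
SAMPLE_LOG = """\
2020-04-07T07:34:59.376Z [ 8860:15908] [v6.1.356.0] INFO  SophosUpdate is starting.
2020-04-07T07:34:59.538Z [ 8860:15908] [v6.1.356.0] ERROR No network connectivity. Update cannot continue.
2020-04-07T07:35:06.430Z [ 8860:15908] [v6.1.356.0] INFO  SophosUpdate has completed with the result 2.
2020-04-07T08:35:01.100Z [ 9120:10044] [v6.1.356.0] INFO  SophosUpdate is starting.
2020-04-07T08:35:09.200Z [ 9120:10044] [v6.1.356.0] INFO  SophosUpdate has completed with the result 0.
"""

for run in flagged(parse_runs(SAMPLE_LOG)):
    print(run.started, "result", run.result, run.errors)
```

The code does not interpret result codes; it only reports them next to any ERROR lines so that logs from several endpoints can be compared with what Sophos Central shows.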



  • Hi  

    Sophos Central Endpoint is unable to communicate with the Central dashboard. Would you please confirm whether these required domains and ports are allowed?

  • Hi Shweta,

    As my colleague has spent many hours on the phone with support already, I do hope they checked this … As mentioned, we don't know how this could be a problem if we don't see problems in the logs on the firewall (it's Sophos as well), or someone should point out what might not be logged…

    I'd rather not check the same thing several times if no one can explain what is tested… The general remark "No network connectivity" is not true, so I'd like to know what the update tries at that moment... or why it can't be seen…

    Is there an option to force the update to start immediately? (I have the idea that the trigger from Sophos Central doesn't do that, but if we can check this more frequently than once every hour, maybe Wireshark could come to the rescue.)

    BR,

    Alain

  • Hi  

    We can force the update on the client and can run Wireshark on that client.

    Open the Sophos client on the endpoint, go to "About" and then click on "Update Now", which will trigger the update on the endpoint immediately.

  • Thanks, I tried this, it might help (but at the moment, I didn't see anything that seemed useful).

    What I did see, is that in the "Endpoint Self Help" for the Update Configuration it writes "No proxy used", although it shows one in C:\ProgramData\Sophos\AutoUpdate\Config\iconn.cfg.
    (I added the proxy in Sophos Central just yesterday, I hoped it would make a difference, but it seems it's not using this setting, or at least not at this point)

    A few weeks ago, I read that the update will use Sophos when it's not on the internal network. How does it decide whether the computer is on the "internal network"? (VPN isn't really internal, but not external either.)

    BR,

    Alain

  • Hi  

    Thank you for the above note. As you said this endpoint is not using the proxy setting which you have applied on the Sophos Central as you might have installed the Sophos client on this machine before applying those changes in the Sophos Central. 

    When you add a proxy setting in the Sophos Central, it binds the proxy settings in the installer and then further installed client will use the proxy to download updates.

    Follow the steps below and see if they help you redirect the endpoint to the proxy:

    1. Open a Command Prompt and run it as administrator.
    2. Type the following command:

      • For 32-bit: netsh winhttp import proxy source=ie then press the Enter button.
      • For 64-bit: cd C:\Windows\SysWOW64
        netsh winhttp import proxy source=ie then press the Enter button.
    3. Open Services and run it as administrator.
    4. Restart the following Sophos services:

      • Sophos AutoUpdate Service
      • Sophos MCS Agent
      • Sophos MCS Client
      • Sophos System Protection Service
  • Hi Jasmin,


    Unfortunately, this doesn't change... I modified Group Policy as well to make sure it was not caused by "bypassing local addresses"...


    Still no proxy in the list (I had to restart the computer, as the services can't be restarted, even when I open them with an admin account).

    But why doesn't it take it from the iconn-config?

    BR,

    Alain

  • Hi  

    It might be taking it from the iconn-config file, but the next time policies are synced with Central, it will replace the edited file on the endpoint to make it compliant with the policies.

    As web proxy also doesn't change the result and result mentioned "No network connectivity", I suspect the traffic is not going out of the endpoint or VPN is blocking the network traffic from the machine.

    The Wireshark result can only help us here to drive us forward.

  • The iconn was set via Sophos Central, not manually...

    Originally (2 days ago) it looked like (users, passwords, server set to xxx):

    [PPI.WebConfig_Primary]
     AllowLocalConfig    =0
     AutoDialTimeout     =
     LocalPath           =
     DownloadGranularity =
    BandwidthLimit=1024
    UseHttps=0
    UserName=xxx
    UserPassword=xxx
    UseSophos=1
    UseDelta=1

    [PPI.ProxyConfig_Primary]
     AllowLocalConfig    =0

    ProxyType=0
    ProxyAddress=
    ProxyPortNumber=0
    ProxyUserName=
    ProxyUserPassword=

    Currently it is:

    [PPI.WebConfig_Primary]
     AllowLocalConfig    =0
     AutoDialTimeout     =
     LocalPath           =
     DownloadGranularity =
    BandwidthLimit=1024
    UseHttps=0
    UserName=xxx
    UserPassword=xxx
    UseSophos=1
    UseDelta=1

    [PPI.ProxyConfig_Primary]
     AllowLocalConfig    =0

    ProxyType=2
    ProxyAddress=xxx
    ProxyPortNumber=8080
    ProxyUserName=
    ProxyUserPassword=xxx

    I'll try to make a Wireshark trace this morning, but I will have to close as much as possible, to see what could be the relevant traffic...(and most likely, notice that there isn't traffic at all)

    To be continued…

    BR,

    Alain

  • :(

    Nothing to see via Wireshark

    Nothing special to see via ProcMon

    Rules in Windows firewall are ok (and also nothing to see in those logfiles... but they do seem incomplete, but this might have to do with the fact that my colleague had to change settings for Sophos support)

  • Hi  

    Would you please PM me the case number you have already registered with Sophos Support?