Sophos MCS Client Failed with error '401'

Since recently, the MCS client is not able to communicate with Sophos Central, and the endpoints cannot be found in Sophos Central.

Tried this KB and everything is working just fine: https://community.sophos.com/kb/en-us/125463

Here are the logs in mcsclient.log:

2020-07-06T13:47:36.546Z [ 8012] INFO Found new file: C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\EDR\Incoming\20200529T102201Z_2.dat
2020-07-06T13:47:36.546Z [ 8012] INFO Presigned urls have expired
2020-07-06T13:47:36.546Z [ 8012] INFO URL list expired
2020-07-06T13:48:33.078Z [ 8060] INFO [connect] trying server mcs-cloudstation-eu-central-1.prod.hydra.sophos.com/.../ep
2020-07-06T13:48:33.078Z [ 8060] INFO [connect: configured message relay] trying message relay <my_server_changed_for anonymizing>
2020-07-06T13:48:33.078Z [ 8060] INFO GET mcs-cloudstation-eu-central-1.prod.hydra.sophos.com:443/.../ep
2020-07-06T13:48:33.468Z [ 8060] INFO 200 : sent=0 rcvd=168 elapsed=389ms
2020-07-06T13:48:33.468Z [ 8060] INFO successfully connected to the message relay: <my_server_changed_for anonymizing>:8190
2020-07-06T13:48:33.468Z [ 8060] INFO [connect] using server mcs-cloudstation-eu-central-1.prod.hydra.sophos.com/.../ep via message relay <my_server_changed_for anonymizing>:8190 (peer address <my_server_changed_for anonymizing>)
2020-07-06T13:48:33.937Z [ 8060] INFO POST mcs-cloudstation-eu-central-1.prod.hydra.sophos.com:443/.../presignedurls
2020-07-06T13:48:35.062Z [ 8060] INFO 401 : sent=95 rcvd=0 elapsed=1120ms
2020-07-06T13:48:35.062Z [ 8060] INFO Dropping connection after error
2020-07-06T13:48:35.062Z [ 8060] ERROR Presigned url request failed, code: 401, message:
2020-07-06T13:48:35.062Z [ 8060] ERROR Failed to get URLs for channel TrickleFeedData, status: 401

I hope someone could help.



  • A 401 error usually indicates that the computer has been deleted from Sophos Central and Sophos Central is rejecting the computer's communications. I suspect the design is intentional, as if a work computer was stolen, you wouldn't want to keep paying for that license if the machine keeps reimporting itself back into Sophos Central anytime it connects back to the internet.

    If the computers were deleted you should be able to see this event under Audit Logs in Sophos Central. The computers will have to have Tamper Protection disabled and the software reinstalled to repopulate them into Sophos Central. Tamper Protection passwords can be found under Logs & Reports > Recover Tamper Protection passwords.

  • Have you tried re-registering the endpoint?

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
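
A small triage script for the log excerpt in the question, added here as an example and not part of the original thread or of any Sophos tooling: it pairs each HTTP status line with the request logged on the same thread and reports 401s, noting whether an earlier 2xx on that thread shows the relay path itself was working. The line layout is assumed from the excerpt; `triage` and `SAMPLE` are hypothetical names.

```python
import re

# Layout assumed from the excerpt: <ISO timestamp> [ <thread id>] <LEVEL> <message>
LINE_RE = re.compile(r"^(\S+)\s+\[\s*(\d+)\]\s+(\w+)\s+(.*)$")
REQUEST_RE = re.compile(r"^(GET|POST|PUT|DELETE)\s+(\S+)")
RESPONSE_RE = re.compile(r"^(\d{3}) : sent=\d+ rcvd=\d+ elapsed=\d+ms")

def triage(lines):
    """Pair each HTTP status line with the request logged just before it on
    the same thread and return one record per 401 response."""
    pending = {}        # thread id -> (method, url) still waiting for a status
    ok_threads = set()  # threads that already received a 2xx
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue    # blank or continuation line
        ts, tid, _level, msg = m.groups()
        req = REQUEST_RE.match(msg)
        if req:
            pending[tid] = req.groups()
            continue
        resp = RESPONSE_RE.match(msg)
        if not resp or tid not in pending:
            continue
        method, url = pending.pop(tid)
        status = int(resp.group(1))
        if 200 <= status < 300:
            ok_threads.add(tid)
        elif status == 401:
            # An earlier 2xx on this thread means the relay and TLS path
            # worked, so the request was refused rather than unreachable.
            findings.append({"time": ts, "thread": tid, "method": method,
                             "url": url, "transport_ok": tid in ok_threads})
    return findings

# Lines copied from the mcsclient.log excerpt in the question.
SAMPLE = """\
2020-07-06T13:48:33.078Z [ 8060] INFO GET mcs-cloudstation-eu-central-1.prod.hydra.sophos.com:443/.../ep
2020-07-06T13:48:33.468Z [ 8060] INFO 200 : sent=0 rcvd=168 elapsed=389ms
2020-07-06T13:48:33.937Z [ 8060] INFO POST mcs-cloudstation-eu-central-1.prod.hydra.sophos.com:443/.../presignedurls
2020-07-06T13:48:35.062Z [ 8060] INFO 401 : sent=95 rcvd=0 elapsed=1120ms
2020-07-06T13:48:35.062Z [ 8060] ERROR Presigned url request failed, code: 401, message:
"""

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f)
```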