SEC - "Awaiting Policy Transfer" randomly appearing

Hi,

You don't mention if performing a comply with policy for the policy in this state helps?  Does it?

Is it always the same policy that is in this state?  I.e. Is is SAV, AutoUpdate, SCF?

As far as I can tell this is how it should work:  Looking in the Agent log on the client....If you restart the Sophos Agent service on the client, within about 20 seconds, it will send back a status message which will detail for each of the managed components if they are compliant with policy or not.  If we take the SAV policy (PolicyType="2") as an example we see in the Agent log:

I SAV state observer received a status: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<status xmlns="http://www.sophos.com/EE/EESavStatus"><csc:CompRes xmlns:csc="com.sophos\msys\csc" Res="Same" RevID="{94E7A42F-30FD-41FD-8345-23DE0C0C9CA3}" policyType="2"/>....

So we can see that the agent is reporting "Same" (Res="Same") for policytype 2 (SAV) for the policy with ID {94E7A42F-30FD-41FD-8345-23DE0C0C9CA3}

So if my machine is in a group with a SAV policy called "Clients" I could run the following SQL:
select name, correlationid from Policies where type= 2 and name ='Clients'

and get back something like:

name                                                         correlationid                                              

Server                                                       {94E7A42F-30FD-41FD-8345-23DE0C0C9CA3}

So we can see that the "version" of the policy that the client should have is:{94E7A42F-30FD-41FD-8345-23DE0C0C9CA3}.  So this machine in this state would show as "Same as policy" for the component SAV.

If however I update the SAV policy, this will change the ID of the policy in the policies table.  Essentially it appears a new GUID is generated, so it has a new revid.

The machine then goes into a state of "Awaiting policy transfer". as the value the client has reported is for  {94E7A42F-30FD-41FD-8345-23DE0C0C9CA3} and now the policy revid is another GUID.

It will not show as Differs from policy until the client actually sends back a Res="Diff" for a given policy ID.

Could it be that the following is happening for these machines:

1. Machine complies with SAV policy (using SAV policy as the example policy that is in this state).

2. Machine goes offline - red cross.

3. Policy change is made for the policy of SAV linked to the group the machine is in.

4. Set-Config message is created for the machine but as it's not connected the message is queued on the server with a TTL of 4 days.

5. The client logs on on the 5th day, the set config message has been deleted, so it doesn't get the message, the client hasn't reported Differs yet (Res="Diff"), but it still reports the old policy id.  Therefore the system thinks it's still in the awaiting policy transfer state.

In this case a comply with the policy that is in this state to the machine, if, the machine is on, should fix it?  If the machine is not "connected" then the create message, timeout message scenario could repeat, leaving it in this state.  Does this sound plausible as a theory?

Regards,

Jak 

EDIT, looking into this a bit further I've found the following 2 registry keys that can be enabled on the management server machine:
HKLM\SOFTWARE\[Wow6432Node]\Sophos\EE\Management Tools\MessagingDoActionTimeout

HKLM\SOFTWARE\[Wow6432Node]\Sophos\EE\Management Tools\MessagingSetConfigurationTimeout

These two DWORD values are read by the management service when it attempts to create the messages but don't exist by default it seems.

They appear to override the default TTL for a message. So to change the default TTL on a set-config message you could create the above MessagingSetConfigurationTimeout  DWORD key, The value is in seconds.  The downside is that the envelopes directory is more likely to fill if you perform set configurations to machines that are unable to recieve the message as the TTL value is higher.  So this might be something to consider implementing if the above theory is correct and that clients aren't getting set config messages as they are timing out before they client can get them.

Hi,

You don't mention if performing a comply with policy for the policy in this state helps?  Does it?

Is it always the same policy that is in this state?  I.e. Is is SAV, AutoUpdate, SCF?

As far as I can tell this is how it should work:  Looking in the Agent log on the client....If you restart the Sophos Agent service on the client, within about 20 seconds, it will send back a status message which will detail for each of the managed components if they are compliant with policy or not.  If we take the SAV policy (PolicyType="2") as an example we see in the Agent log:

I SAV state observer received a status: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<status xmlns="http://www.sophos.com/EE/EESavStatus"><csc:CompRes xmlns:csc="com.sophos\msys\csc" Res="Same" RevID="{94E7A42F-30FD-41FD-8345-23DE0C0C9CA3}" policyType="2"/>....

So we can see that the agent is reporting "Same" (Res="Same") for policytype 2 (SAV) for the policy with ID {94E7A42F-30FD-41FD-8345-23DE0C0C9CA3}

So if my machine is in a group with a SAV policy called "Clients" I could run the following SQL:
select name, correlationid from Policies where type= 2 and name ='Clients'

and get back something like:

name                                                         correlationid                                              

Server                                                       {94E7A42F-30FD-41FD-8345-23DE0C0C9CA3}

So we can see that the "version" of the policy that the client should have is:{94E7A42F-30FD-41FD-8345-23DE0C0C9CA3}.  So this machine in this state would show as "Same as policy" for the component SAV.

If however I update the SAV policy, this will change the ID of the policy in the policies table.  Essentially it appears a new GUID is generated, so it has a new revid.

The machine then goes into a state of "Awaiting policy transfer". as the value the client has reported is for  {94E7A42F-30FD-41FD-8345-23DE0C0C9CA3} and now the policy revid is another GUID.

It will not show as Differs from policy until the client actually sends back a Res="Diff" for a given policy ID.

Could it be that the following is happening for these machines:

1. Machine complies with SAV policy (using SAV policy as the example policy that is in this state).

2. Machine goes offline - red cross.

3. Policy change is made for the policy of SAV linked to the group the machine is in.

4. Set-Config message is created for the machine but as it's not connected the message is queued on the server with a TTL of 4 days.

5. The client logs on on the 5th day, the set config message has been deleted, so it doesn't get the message, the client hasn't reported Differs yet (Res="Diff"), but it still reports the old policy id.  Therefore the system thinks it's still in the awaiting policy transfer state.

In this case a comply with the policy that is in this state to the machine, if, the machine is on, should fix it?  If the machine is not "connected" then the create message, timeout message scenario could repeat, leaving it in this state.  Does this sound plausible as a theory?

Regards,

Jak 

EDIT, looking into this a bit further I've found the following 2 registry keys that can be enabled on the management server machine:
HKLM\SOFTWARE\[Wow6432Node]\Sophos\EE\Management Tools\MessagingDoActionTimeout

HKLM\SOFTWARE\[Wow6432Node]\Sophos\EE\Management Tools\MessagingSetConfigurationTimeout

These two DWORD values are read by the management service when it attempts to create the messages but don't exist by default it seems.

They appear to override the default TTL for a message. So to change the default TTL on a set-config message you could create the above MessagingSetConfigurationTimeout  DWORD key, The value is in seconds.  The downside is that the envelopes directory is more likely to fill if you perform set configurations to machines that are unable to recieve the message as the TTL value is higher.  So this might be something to consider implementing if the above theory is correct and that clients aren't getting set config messages as they are timing out before they client can get them.