
Endpoints are out-of-date in SEC but are up-to-date

Hello,

We have a Sophos Enterprise Console (SEC) v.5.2 on a Windows server 2003. The DB is a MS SQL 2008 on a Windows server 2008 R2 Standard. All the endpoints are at version 9.7.

I have been having a problem with SEC for a while. Once in a while, 40% to 60% of the endpoints show as if they are out-of-date. For example, the computer details of endpoint CS1234 show that the last successful update is 10/7/2013 12:19:41 PM. In its alc.log, I see 7 other successful updates since that date. Here is the latest one:

Time: 10/8/2013 9:19:42

Message: AutoUpdate finished

Module: ALUpdate

Process ID: 1068

Thread ID: 4524

Time: 10/8/2013 9:19:41

Message: Installation of Sophos AutoUpdate skipped

Module: ALUpdate

Process ID: 1068

Thread ID: 4524

Time: 10/8/2013 9:19:41

Message: Installation of SAVXP skipped

Module: ALUpdate

Process ID: 1068

Thread ID: 4524

Time: 10/8/2013 9:19:41

Message: Installation of RMSNT skipped

Module: ALUpdate

Process ID: 1068

Thread ID: 4524

Time: 10/8/2013 9:19:41

Message: Downloading phase completed

Module: ALUpdate

Process ID: 1068

Thread ID: 4524

Time: 10/8/2013 9:19:41

Message: Product cache update from primary server successfully finished

Module: CIDUpdate

Process ID: 1068

Thread ID: 4524

Time: 10/8/2013 9:19:41

Message: Downloading product Sophos AutoUpdate from server \\SophosServer\SophosUpdate\CIDs\S330\SAVSCFXP\

Module: CIDUpdate

Process ID: 1068

Thread ID: 4524

Time: 10/8/2013 9:19:40

Message: Product cache update from primary server successfully finished

Module: CIDUpdate

Process ID: 1068

Thread ID: 4524

Time: 10/8/2013 9:19:40

Message: Downloading product SAVXP from server \\SophosServer\SophosUpdate\CIDs\S330\SAVSCFXP\

Module: CIDUpdate

Process ID: 1068

Thread ID: 4524

Time: 10/8/2013 9:19:39

Message: Product cache update from primary server successfully finished

Module: CIDUpdate

Process ID: 1068

Thread ID: 4524

Time: 10/8/2013 9:19:39

Message: Downloading product RMSNT from server \\SophosServer\SophosUpdate\CIDs\S330\SAVSCFXP\

Module: CIDUpdate

Process ID: 1068

Thread ID: 4524

Time: 10/8/2013 9:19:39

Message: ***************          Sophos AutoUpdate started          ***************

Module: ALUpdate

Process ID: 1068

Thread ID: 4524

I don't see any error messages. To me, everything seems fine.

I also looked into the ALUpdate****.log file. Here is the latest update in the file:

Trace(2013-Oct-08 09:19:39): ALUpdate started: -ScheduledUpdate  -NoGUI -RootPath "C:\Program Files\Sophos\AutoUpdate"
Trace(2013-Oct-08 09:19:39): Product iProductData.{390DCDC2-10A9-4ef3-B8D8-0CA7F0E7EB92} has been added.
Trace(2013-Oct-08 09:19:39): Product iProductData.{390DCDC2-10A9-4ef3-B8D8-0CA7F0E7EB92} is not  available from Sophos.
Trace(2013-Oct-08 09:19:39): Product iProductData.{390DCDC2-10A9-4ef3-B8D8-0CA7F0E7EB92} is not  the Spam Rules package.
Trace(2013-Oct-08 09:19:39): Product iProductData.{D752FAB9-5883-4b36-8740-61565B6BAD29} has not been added.
Trace(2013-Oct-08 09:19:39): Product iProductData.{E17FE03B-0501-4aaa-BC69-0129D965F311} has been added.
Trace(2013-Oct-08 09:19:39): Product iProductData.{E17FE03B-0501-4aaa-BC69-0129D965F311} is  available from Sophos.
Trace(2013-Oct-08 09:19:39): Product iProductData.{E17FE03B-0501-4aaa-BC69-0129D965F311} is not  the Spam Rules package.
Trace(2013-Oct-08 09:19:39): Product subscription is disabled: iProductData.{7998C326-2CA5-4830-B7D2-B792D2460975} action value is:0
Trace(2013-Oct-08 09:19:39): Product iProductData.{7998C326-2CA5-4830-B7D2-B792D2460975} has not been added.
Trace(2013-Oct-08 09:19:39): Product iProductData.{3B758ED7-87C1-4e89-BDE1-F49DFF1249F6} has not been added.
Trace(2013-Oct-08 09:19:39): Product iProductData.{B5E7E2A7-3B64-437D-801F-21CC9D67CC6D} has been added.
Trace(2013-Oct-08 09:19:39): Product iProductData.{B5E7E2A7-3B64-437D-801F-21CC9D67CC6D} is  available from Sophos.
Trace(2013-Oct-08 09:19:39): Product iProductData.{B5E7E2A7-3B64-437D-801F-21CC9D67CC6D} is  the Spam Rules package.
Trace(2013-Oct-08 09:19:39): ConfigurationImpl, considering PMSR 2.6: PureMessage not installed, PMSR package will not be updated without a subscription
Trace(2013-Oct-08 09:19:39): Considering subscribed products.
Trace(2013-Oct-08 09:19:39): Considering product {9BF40A4E-23AE-48be-9974-5A1F261DBEE8}
Trace(2013-Oct-08 09:19:39): Product {9BF40A4E-23AE-48be-9974-5A1F261DBEE8} is not already subscribed.
Trace(2013-Oct-08 09:19:39): Product {9BF40A4E-23AE-48be-9974-5A1F261DBEE8} was added to the list.
Trace(2013-Oct-08 09:19:39): Could not read registry entry containing Sophos address - using hardcoded value.
Trace(2013-Oct-08 09:19:39): Could not read registry entry containing Sophos address - using hardcoded value.
Trace(2013-Oct-08 09:19:39): GenerateCustomerID: complete
Trace(2013-Oct-08 09:19:39): IPCBase::IPCBase: Connected to shared memory A32951C539924a12B3C8F2FDA5A268E4
Trace(2013-Oct-08 09:19:39): IPCSender::ProcessSend started
Trace(2013-Oct-08 09:19:39): IPCSender::ProcessSend: No messages in queue, starting to wait
Trace(2013-Oct-08 09:19:39): RMSMessageHandler: ALUpdateStart
Trace(2013-Oct-08 09:19:39): IPCSender::Write: Writing message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSStartUpdate" />
Trace(2013-Oct-08 09:19:39): IPCSender::ProcessSend: Send message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSStartUpdate" />
Trace(2013-Oct-08 09:19:39): IPCSender::ProcessSend: No messages in queue, starting to wait
Trace(2013-Oct-08 09:19:39): ALUpdate(AutoUpdate.Started):
Trace(2013-Oct-08 09:19:39): UpdateCoordinator::UpdateNow: Entering
Trace(2013-Oct-08 09:19:39): PopulateCache: Entering
Trace(2013-Oct-08 09:19:39): UpdateCoordinator::UpdateNow: About to Sync list of products
Trace(2013-Oct-08 09:19:39): UpdateLocationFacade::SyncProduct: Last Update Mechanism = CID
Trace(2013-Oct-08 09:19:39): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, Started:
Trace(2013-Oct-08 09:19:39): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, creating update location
Trace(2013-Oct-08 09:19:39): Calling package_source_init
Trace(2013-Oct-08 09:19:39): TrySyncProduct, Calling BeginSync
Trace(2013-Oct-08 09:19:39): Logging on network access user
Trace(2013-Oct-08 09:19:39): Attempting to make a connection to remote machine \\SophosServer\SophosUpdate\CIDs\S330\SAVSCFXP\
Trace(2013-Oct-08 09:19:39): Connection to remote machine \\SophosServer\SophosUpdate\CIDs\S330\SAVSCFXP\ successful
Trace(2013-Oct-08 09:19:39): ParseCustomerIDFile: completed: 0
Trace(2013-Oct-08 09:19:39): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, Calling SyncProduct with {390DCDC2-10A9-4ef3-B8D8-0CA7F0E7EB92}
Trace(2013-Oct-08 09:19:39): CIDUpdateLocation::SyncProduct - Updating Product: RMSNT
Trace(2013-Oct-08 09:19:39): CIDUpdate(SyncProduct.Start): RMSNT, \\SophosServer\SophosUpdate\CIDs\S330\SAVSCFXP\
Trace(2013-Oct-08 09:19:39): Checksum found in master.upd matches cached cidsync.upd : 31251f3f. Skipping download
Trace(2013-Oct-08 09:19:39): CIDUpdate(PrimarySuccess):
Trace(2013-Oct-08 09:19:40): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, SyncProduct returned - 1
Trace(2013-Oct-08 09:19:40): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, Ended - 1
Trace(2013-Oct-08 09:19:40): UpdateLocationFacade::SyncProduct: Last Update Mechanism = CID
Trace(2013-Oct-08 09:19:40): CIDUpdateLocation::SyncProduct - Updating Product: SAVXP
Trace(2013-Oct-08 09:19:40): CIDUpdate(SyncProduct.Start): SAVXP, \\SophosServer\SophosUpdate\CIDs\S330\SAVSCFXP\
Trace(2013-Oct-08 09:19:40): Checksum found in master.upd matches cached cidsync.upd : 360bb829. Skipping download
Trace(2013-Oct-08 09:19:40): CIDUpdate(PrimarySuccess):
Trace(2013-Oct-08 09:19:41): UpdateLocationFacade::SyncProduct: Last Update Mechanism = CID
Trace(2013-Oct-08 09:19:41): CIDUpdateLocation::SyncProduct - Updating Product: Sophos AutoUpdate
Trace(2013-Oct-08 09:19:41): CIDUpdate(SyncProduct.Start): Sophos AutoUpdate, \\SophosServer\SophosUpdate\CIDs\S330\SAVSCFXP\
Trace(2013-Oct-08 09:19:41): Checksum found in master.upd matches cached cidsync.upd : 4e8b8359. Skipping download
Trace(2013-Oct-08 09:19:41): CIDUpdate(PrimarySuccess):
Trace(2013-Oct-08 09:19:41): ALUpdate(DownloadEnded):
Trace(2013-Oct-08 09:19:41): UpdateCoordinator::UpdateNow: About to Action list of products
Trace(2013-Oct-08 09:19:41): ALUpdate(Action.Skipped): RMSNT
Trace(2013-Oct-08 09:19:41): ALUpdate(Action.Skipped): SAVXP
Trace(2013-Oct-08 09:19:41): ALUpdate(Action.Skipped): Sophos AutoUpdate
Trace(2013-Oct-08 09:19:42): RMSMessageHandler: ALUpdateEnd
Trace(2013-Oct-08 09:19:42): Sending message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate" />
Trace(2013-Oct-08 09:19:42): IPCSender::Write: Writing message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate" />
Trace(2013-Oct-08 09:19:42): IPCSender::ProcessSend: Send message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate" />
Trace(2013-Oct-08 09:19:42): IPCSender::ProcessSend: No messages in queue, starting to wait
Trace(2013-Oct-08 09:19:43): IPCSender::ProcessSend exiting

Is there something in that log that I don't see which could explain why SEC is not accurate?

On the server side, I don't see anything stuck in the Envelopes folder related to that endpoint. In the Router-****.log file, the latest entry regarding that endpoint is the following:

07.10.2013 21:20:08 0A2C I Routing to EM: id=00535DC8, origin=Router$CS1234:720111.Agent, dest=EM, type=EM-GetStatus-Reply
07.10.2013 21:20:08 0A1C I Sent message (id=00535DC8) to EM

On the client side, in the Router-****.log file, I see weird things after 10/7/2013 12:19:41 PM:

07.10.2013 12:19:41 0AA0 I Routing to parent: id=0052DF1D, origin=Router$CS1234:720111.Agent, dest=EM, type=EM-EntityEvent
07.10.2013 12:19:41 0A98 I Sent message (id=0052DF1D) to Router$SophosServer
07.10.2013 13:14:35 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
07.10.2013 14:14:36 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
07.10.2013 15:14:36 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
07.10.2013 15:20:14 0AA0 I Routing to parent: id=0053096E, origin=Router$CS1234:720111.Agent, dest=EM, type=EM-GetStatus-Reply
07.10.2013 15:20:14 0A9C I Sent message (id=0053096E) to Router$SophosServer
07.10.2013 16:14:36 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
07.10.2013 17:14:36 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
07.10.2013 17:22:21 0AA0 I Routing to parent: id=0053260D, origin=Router$CD1234:720111.Agent, dest=EM, type=EM-GetStatus-Reply
07.10.2013 17:22:21 0A94 I Sent message (id=0053260D) to Router$SophosServer
07.10.2013 18:14:36 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
07.10.2013 19:14:36 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
07.10.2013 20:14:36 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
07.10.2013 21:14:36 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
07.10.2013 21:20:08 0AA0 I Routing to parent: id=00535DC8, origin=Router$CS1234:720111.Agent, dest=EM, type=EM-GetStatus-Reply
07.10.2013 21:20:08 0A98 I Sent message (id=00535DC8) to Router$SophosServer
07.10.2013 22:14:37 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
07.10.2013 23:14:37 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
08.10.2013 00:14:37 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
08.10.2013 00:20:09 0AA0 I Routing to parent: id=005387F9, origin=Router$CS1234:720111.Agent, dest=EM, type=EM-GetStatus-Reply
08.10.2013 00:20:09 0A9C I Sent message (id=005387F9) to Router$SophosServer
08.10.2013 01:14:37 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
08.10.2013 02:14:37 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
08.10.2013 03:14:37 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
08.10.2013 03:20:09 0AA0 I Routing to parent: id=0053B229, origin=Router$CS1234:720111.Agent, dest=EM, type=EM-GetStatus-Reply
08.10.2013 03:20:09 0A94 I Sent message (id=0053B229) to Router$SophosServer
08.10.2013 04:14:37 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
08.10.2013 05:14:37 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
08.10.2013 06:14:37 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
08.10.2013 06:20:09 0AA0 I Routing to parent: id=0053DC59, origin=Router$CS1234:720111.Agent, dest=EM, type=EM-GetStatus-Reply
08.10.2013 06:20:09 0A98 I Sent message (id=0053DC59) to Router$SophosServer
08.10.2013 07:14:37 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
08.10.2013 08:14:38 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
08.10.2013 09:14:38 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360
08.10.2013 10:14:38 0A54 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 6, max number of user ports 15360

I have been having this problem for the last 2 months. I rebooted the SophosServer and the SQLserver on September 25, which helped for 2 weeks. But now the problem is coming back.

At first, I was restarting the Sophos Message Router service on the endpoints, which seemed to help for a day or 2. I don't think that this workaround is viable considering the number of endpoints. Can someone help me with that issue?

Thank you for your help!

Cherze

:43981


  • Hello Cherze,

    The update log shows just an idle check (i.e. the client found its cache equal to the CID and therefore no action was necessary), likewise the snippet from the ALUpdate log. Furthermore, the Router log shows that it has informed SEC of some EM-EntityEvent (obviously the update on 10/7/2013 12:19:41 PM) but since then has only sent the EM-GetStatus-Replies.

    shows as if they are out-of-date

    What is "as if"? Do you mean they display Not since ... in the Up to date column?

    computer details of endpoint CS1234 shows that the last successful update is 10/7/2013 12:19:41 PM

    This seems to be correct as far as the logs tell.

    First I thought you see Unknown in the Up to date column - but then there should have been an actual update on the client. This usually occurs when SUM has many CIDs to write and the clients update from one of the already deployed CIDs but before SUM has deployed them all. But that's just an aside. BTW: I see S330 as subscription tag - how come?

    Please could you perhaps describe the out-of-date in detail or provide a screenshot? And is your setup straight forward - i.e. only one SUM - updating from Sophos - on the management server, all CIDs (how many?) local on the server, Recommended subscription(s)?

    Christian

    :44037
  • Hi Christian,

    Do you mean they display Not since ... in the Up to date column?

    Yes, they are displayed as Not since ... in the Up to date column. I have 40% of my endpoints that have Not since 10/8/2013 7:20:48 AM in that column.

    Computer details of endpoint CS1234 shows that the last successful update is 10/7/2013 12:19:41 PM

    This seems to be correct as far as the logs tell.

    Am I misinterpreting the alc.log file? In the snippet of the alc.log, I thought that this was a successful update. So I was expecting to see DATE:10/8/2013 9:19:42 AM as the last successful update date in the CS1234 Computer details. What is that file then?

    BTW: I see S330 as subscription tag - how come?

    The endpoints are still at version 9.7.

    And is your setup straight forward - i.e. only one SUM - updating from Sophos - on the management server?

    Yes, we have only one SUM.

    all CIDs (how many?) local on the server?

    We have 5 CIDs

    Recommended subscription(s)?

    We have:

    • Linux v7 Extended Maintenance Recommended
    • Linux v9 Recommended
    • MAC OS X 10.4+ v8 Recommended
    • Windows 2000 and above v10.2 Recommended
    • Windows 2000 and above v9.7 Extended Maintenance Recommended

    Linux v9 and Windows v10.2 are not deployed yet.

    Most of the endpoints that have the problem have Windows v9.7 and a few have Linux v7.

    Thanks,

    Cherze

    :44049
  • New information

    I just rebooted our SEC server. The number of out-of-date computers is still between 30% and 40%, but the number of connected computers increased by 164.

    :44063
  • Hello Cherze,

    Thanks for the additional info. I still have no good idea about the cause, though. So this is more thinking out loud. But first some explanation.

    Am I misinterpreting the alc.log file?

    To be blunt, yes :). AutoUpdate first goes through the list of products (usually in the order RMS, SAV, SCF and AU) comparing its local cache to the CID (basically it does this by comparing the cached and remote catalogs - master.upd and cidsync.upd, the latter for each of the product folders). If they match there's nothing to download, otherwise the delta is downloaded. Details are in the ALUpdate log; if all goes well ALC shows only the sequence "Downloading product ..." followed by "Product cache update ... successfully finished". When all products have been checked, "Downloading phase completed" is issued. If no new files have been downloaded you see "Installation of ... skipped", otherwise "Installing product ..." and (hopefully) "Product has been successfully installed". The cycle is ended with "AutoUpdate finished". For failed downloads or installs an alert is sent.

    Note that the History in the client details reflects neither all updates nor those where something has been installed. The client doesn't send an unsolicited message on each update (whether without or with install). It does so for failed updates and the next successful update after a failure; otherwise every 48 hours if "always-on". In addition it sends its status periodically.

    The Not since timestamp in the Up to date column is not related to the AutoUpdate times reported by the client though. Instead it is derived from the package date (i.e. the time SUM has deployed certain updates to the CID) and version and number of IDEs last reported by the client. The client data is used to identify the package, this is looked up by SEC and the according (adjusted - see next sentence) timestamp is inserted into the Up to date status column. When flagging a client as not up-to-date, SEC allows for some latency - by default 60 minutes - so the timestamp is adjusted by this amount. Search this forum board for UpToDateLatencyMins to get a little bit more information if you are interested.

    As CS1234 is checking for updates it should see a newer package (with the above you can search the logs if it has installed one after 10/7/2013 11:19:41 AM - this time is adjusted. And the local GUI shows the last update under View product information > Anti-virus and HIPS - Software). The RMS log suggests the client does successfully send its status upstream. So you should check the Computer details/Last message time of these allegedly out-of-date computers. It should be fairly recent (for CS1234, if you've found it has performed an actual update shortly after that). If this is not the case then the messages are stuck somewhere. Did you check the Envelopes folder (should have thought of this on my first reply)?

    Christian

    :44083
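The alc.log sequence described in the reply above, turned into a small classifier that separates idle checks from real installs and failures. This is an added example, not part of the thread and not Sophos code: the record layout is taken from the excerpt in the first post, the sample log is constructed, and the "Installing product" wording follows the reply's description rather than a captured log.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

TIME_FMT = "%m/%d/%Y %H:%M:%S"  # "Time:" layout in the thread's alc.log excerpt

@dataclass
class Cycle:
    start: datetime
    end: datetime = None
    skipped: list = field(default_factory=list)
    installed: list = field(default_factory=list)
    errors: list = field(default_factory=list)

    @property
    def verdict(self):
        if self.errors:
            return "failed"
        if self.end is None:
            return "incomplete"  # no "AutoUpdate finished" seen for this cycle
        return "installed" if self.installed else "idle"

def parse_records(text):
    """Return (time, message) pairs in chronological order."""
    records, when = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Time":
            when = datetime.strptime(value.strip(), TIME_FMT)
        elif key == "Message" and when is not None:
            records.append((when, value.strip()))
    # The viewer output in the thread lists the newest record first.
    if records and records[0][0] > records[-1][0]:
        records.reverse()
    return records

def cycles(text):
    """Group records into AutoUpdate cycles (started ... finished)."""
    out, cur = [], None
    for when, msg in parse_records(text):
        if "Sophos AutoUpdate started" in msg:
            cur = Cycle(start=when)
            out.append(cur)
        elif cur is None:
            continue  # record before the first cycle start
        elif m := re.fullmatch(r"Installation of (.+) skipped", msg):
            cur.skipped.append(m.group(1))
        elif m := re.match(r"Installing product (.+)", msg):
            cur.installed.append(m.group(1))
        elif msg.startswith("ERROR") or " failed" in msg:
            cur.errors.append(msg)
        elif msg == "AutoUpdate finished":
            cur.end = when
            cur = None
    return out

def installs_after(text, cutoff):
    """Cycles that actually installed something after the given time."""
    return [c for c in cycles(text) if c.verdict == "installed" and c.start > cutoff]

# Constructed sample in the five-field layout of the excerpt, newest first.
CID = r"\\SophosServer\SophosUpdate\CIDs\S330\SAVSCFXP" + "\\"

def _render(entries):
    return "\n\n".join(
        f"Time: {t}\n\nMessage: {m}\n\nModule: ALUpdate\n\nProcess ID: 1068\n\nThread ID: 4524"
        for t, m in reversed(entries))

SAMPLE = _render([
    ("10/7/2013 12:19:39", "***************          Sophos AutoUpdate started          ***************"),
    ("10/7/2013 12:19:40", f"Downloading product SAVXP from server {CID}"),
    ("10/7/2013 12:19:40", "Product cache update from primary server successfully finished"),
    ("10/7/2013 12:19:40", "Downloading phase completed"),
    ("10/7/2013 12:19:41", "Installing product SAVXP"),
    ("10/7/2013 12:19:41", "Product has been successfully installed"),
    ("10/7/2013 12:19:41", "AutoUpdate finished"),
    ("10/7/2013 15:19:39", "***************          Sophos AutoUpdate started          ***************"),
    ("10/7/2013 15:19:40", f"Download of SAVXP failed from server {CID}"),
    ("10/7/2013 15:19:40", "ERROR: Could not find a source for updated packages"),
    ("10/7/2013 15:19:41", "AutoUpdate finished"),
    ("10/8/2013 9:19:39", "***************          Sophos AutoUpdate started          ***************"),
    ("10/8/2013 9:19:40", f"Downloading product SAVXP from server {CID}"),
    ("10/8/2013 9:19:40", "Product cache update from primary server successfully finished"),
    ("10/8/2013 9:19:41", "Downloading phase completed"),
    ("10/8/2013 9:19:41", "Installation of RMSNT skipped"),
    ("10/8/2013 9:19:41", "Installation of SAVXP skipped"),
    ("10/8/2013 9:19:41", "Installation of Sophos AutoUpdate skipped"),
    ("10/8/2013 9:19:42", "AutoUpdate finished"),
])

if __name__ == "__main__":
    for c in cycles(SAMPLE):
        print(c.start, c.verdict, c.installed or c.skipped or c.errors)
```

Passing the adjusted timestamp from the console as `cutoff` to `installs_after` answers the question raised in the reply: whether the client installed anything after that point, or only ran idle checks.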
  • Hi Christian,

    Thank you so much for all this information. It's really helpful!

    And sorry for the late reply. I took the time to read up on UpToDateLatencyMins and applied some changes. This parameter was set to 480 min (8 hours). I changed it to 60 min. Also, even though we have only one SUM, I forced it to be authoritative. Yesterday, while making these changes, I noticed that in the SEC dashboard, our SUM was not up to date. The last successful update was on October 11.

    Our SUM is updating from Sophos, then it's pushing it to 3 different shares, one of which is off site. Is it possible that this process is taking too long? Can this be the reason why we are also having error messages such as:

    • ERROR: Could not find a source for updated packages
    • Download of SAVXP failed from server \\SophosServer\SophosUpdate\CIDs\S330\SACSCFXP\

    Do you think that installing another SUM to push to the shares would help?

    As for the Computer details/Last message time, you are absolutely right, it was recent. I cannot say if it was the case for all of the endpoints that were tagged as out of date, but I remember noticing it on a couple of them.

    Yes, I did check the Envelopes folder, there were about 10 files in there.

    Thanks,

    Cherze

    :44225
  • Hello Cherze,

    UpToDateLatencyMins

    Setting it back to the default 60 minutes should actually have the converse effect, i.e. more clients should be flagged as being out of date. To rephrase, SEC waits UpToDateLatency in minutes before considering a client as out of date. So the problem must be something else.

    Envelopes folder

    RMS is obviously passing the messages to the management service, so it is not a communications issue. 

    our SUM was not up to date ... 3 different shares

    This could be caused by it constantly failing to update the off site share, e.g. because of network issues or because the share is corrupt (don't worry, it is not permanently damaged - normally deleting its contents will cause it to be successfully rebuilt) or one of the other shares is corrupt. Is SophosServer your management server or is this just a pseudonym for the update location? I see that at least one share is off-site-remote, one is likely the default on the server, what about the third - is it "LAN-remote" (i.e. SUM is writing to a share hosted by another server on the LAN)? It might not be the off-site share which is causing problems though - if you view the update manager details the status of the shares and potential errors are listed under Software subscription status (if possible please provide a screenshot or copy/paste the text here).

    If the off-site link is significantly slower than LAN speed, using a secondary SUM is probably expedient. Deployment to a local share likely performs better than writing to a remote share (especially over a slow or less reliable link). It's not rocket science to set one up (and you could use different intervals or - for software updates - a schedule to allow for the link's properties).

    Christian

    :44241
  • Hi Christian,

    The problem hasn't come back since October 17th. I rebooted the server on that date, but the problem normally comes back after 2 weeks, so I'm expecting it to crash before the end of the week!

    Is SophosServer your management server or is this just a pseudonym for the update location?

    It's a pseudonym.

    I see that at least one share is off-site-remote, one is likely the default on the server, what about the third - is it "LAN-remote"?

    I made a mistake by saying that we have 3 shares. In fact we have 2 shares. One on the SEC server and one off-site-remote. I said 3 because the endpoints are updating from the off-site share, from the default share using a UNC address and from the default share using an HTTP address.

    if you view the update manager details the status of the shares and potential errors are listed under Software subscription status

    I don't see any errors. Here is a copy of the SUM details:

    SOPHOSSERVER update manager details

    Computer name                                 SOPHOSSERVER

    Computer description

    Operating system                               Windows xxxx

    Service pack                                       xxxxxxxx

    Domain/workgroup                             xxxxxxxx

    IP address                                          xxxxxxxx

    Time of last binary update                 10/26/2013 11:59:21 PM

    Time of last protection data update   10/29/2013 8:25:41 AM

    Software subscriptions status

    Software subscription            Maintained in                  Last successful download   Error code   Error description
    Linux - v7 Extended Recom.       \\SOPHOSSERVER\SophosUpdate    10/29/2013 8:16:55 AM
    Linux - v9 Recom.                \\SOPHOSSERVER\SophosUpdate    10/29/2013 8:17:30 AM
    MAC - v8 Recom.                  \\SOPHOSSERVER\SophosUpdate    10/29/2013 8:17:40 AM
    Windows - v10.2 Recom.           \\SOPHOSSERVER\SophosUpdate    10/29/2013 8:21:45 AM
    Windows - v10.2 Recom.           \\OffSiteServer\SophosUpdate   10/29/2013 8:25:39 AM
    Windows - v9.7 extended recom.   \\SOPHOSSERVER\SophosUpdate    10/29/2013 8:17:57 AM
    Windows - v9.7 extended recom.   \\OffSiteServer\SophosUpdate   10/29/2013 8:21:16 AM

    Outstanding alerts and errors

    Update manager alerts

    Date/time                Code       Description
    10/16/2013 3:56:47 PM    80040421   Software subscription 'Windows - v10.2 Recommended' contained version 10.2 Recom. of platform Windows 2000 and above. This version is not available, either because the product has been retired or your license has changed. Your subscription has been automatically updated.

    History

    Update manager status

    Date/time                Code       Description
    10/19/2013 2:15:10 AM    80040404   Threat detection data update failed.
    10/19/2013 2:15:09 AM    80040406   Delivery failed for software subscription 'Linux - v7 Extended Recom.'. Access to the source update location is denied or the location is otherwise unavailable.
    10/18/2013 11:15:09 PM   80040404   Threat detection data update failed.
    10/18/2013 11:15:08 PM   80040406   Delivery failed for software subscription 'Linux - v7 Extended Recom.'. Access to the source update location is denied or the location is otherwise unavailable.
    10/18/2013 5:15:09 PM    80040404   Threat detection data update failed.
    10/18/2013 5:15:08 PM    80040406   Delivery failed for software subscription 'Linux - v7 Extended Recom.'. Access to the source update location is denied or the location is otherwise unavailable.
    10/16/2013 5:13:00 PM    80040401   Software update failed.
    10/16/2013 3:56:51 PM    80040401   Software update failed.
    10/16/2013 1:21:23 PM    80040404   Threat detection data update failed.
    10/16/2013 1:21:21 PM    80040408   Unable to write to distribution location \\SOPHOSSERVER\SophosUpdate for software subscription 'Windows - v10.2 Recom.'.
    10/16/2013 10:26:17 AM   80040404   Threat detection data update failed.
    10/16/2013 10:22:33 AM   80040408   Unable to write to distribution location \\SOPHOSSERVER\SophosUpdate for software subscription 'Windows - v10.2 Recom.'.
    10/15/2013 11:47:21 PM   80040401   Software update failed.

    Thanks again for your help!

    Cherze

    :44577