
problem with connected computer not showing as connected

Hello,

I'm having a problem with one of our machines. It is connected, but doesn't show as connected in the console. The firewall isn't on and I can ping the IP address. And it seems the machine is still doing his update, probably via the Sophos server (I set it up to be the second update server) instead of our server. What could it be?

Jo

:13235


  • (Post edited by Mod to update port number in step 4. )

    Hi,

    The connected state is really an indication that the Sophos Message Router service (RouterNT.exe) on the client has logged on to the Sophos Message Router Service (RouterNT.exe) on the management server.  The Router initiates logon and logoff messages to do this.

    I will assume that the other machines are ok, in which case it will be a problem with the client exclusively I would think.


    As long as on the client:
    1. The Sophos Message Router has a valid certificate:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private\pkc

    and
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private\pkp

    Note: if you delete these 2 keys on the client (don't on the server :) ) and restart the router, the client will re-request new certificates.  You could try that, this would indicate much of RMS is working. 

    2.  Has the correct parent address:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\ParentAddress


    3. The Sophos Message Router service is started.

    4.  The client can connect to TCP 8192 and TCP 8194 of the parent Router.  Ideally the server can also connect to TCP 8194 of the client to ensure faster responsiveness of downstream messages from server to client.


    So restarting the Sophos Message Router service on the client should force a log back on and update the connected state of the machine in SEC if all the above is correct.

    The main logs to check are on the client under:
    "\ProgramData\Sophos\Remote Management System\3\Router\Logs\" (2003+ or documents and settings for older OS).

    A new file is created each time the router starts or when they get to 1MB in size. I would also check that for failure to log on. Note: The server router should have corresponding messages in its router log for the client.

    Hope this helps,

    Regards,

    Jak

    :13239
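
Steps 1 to 4 from Jak's reply above, collected into one client-side script. This is an added example, not part of any post in the thread and not Sophos tooling. The `-ParentRouter` parameter, the helper function names and the service display-name wildcard are assumptions; the registry paths and ports are the ones quoted in the thread.

```powershell
# Added example: client-side RMS checks (steps 1-4 above). Run elevated on the client.
param(
    [Parameter(Mandatory = $true)][string]$ParentRouter  # management server name or IP (assumed parameter)
)

# Wow6432Node on 64-bit Windows, plain SOFTWARE\Sophos on 32-bit (both paths appear in the thread).
$routerKey = @(
    'HKLM:\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router',
    'HKLM:\SOFTWARE\Sophos\Messaging System\Router'
) | Where-Object { Test-Path $_ } | Select-Object -First 1

function Test-RegistryEntry {
    # True if $Name exists under $Key as a subkey or as a value. Presence only, validity is not checked.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $false }
    if (Test-Path (Join-Path $Key $Name)) { return $true }
    return ((Get-Item $Key).GetValueNames() -contains $Name)
}

function Test-TcpPort {
    # Plain TCP connect with a timeout; a ping reply does not show that these ports are reachable.
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$results = [ordered]@{}
if ($routerKey) {
    $private = Join-Path $routerKey 'Private'
    $results['1. pkc present'] = Test-RegistryEntry $private 'pkc'
    $results['1. pkp present'] = Test-RegistryEntry $private 'pkp'
    # Printed so it can be compared by eye with the real management server address.
    $results['2. ParentAddress'] = (Get-ItemProperty $routerKey).ParentAddress
} else {
    $results['1-2. Router registry key'] = 'not found'
}
$svc = Get-Service -DisplayName 'Sophos Message Router*' | Select-Object -First 1
$results['3. Router service'] = if ($svc) { $svc.Status } else { 'not installed' }
foreach ($port in 8192, 8194) {
    $results["4. TCP $port to $ParentRouter"] = Test-TcpPort $ParentRouter $port
}
$results.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
```
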
  • Hello,

    I verified everything and all seems well. After we removed the 2 registry keys, and we relaunched the router service, the 2 keys were recreated.

    I also tried a reinstall from the console, but I get an error: awaiting response from the computer. Which is strange because I can ping the pc from the server.

    Jo

    :13243
  • And apparently the computer gets his updates from the server (very very strange). It just doesn't show up in the console. Is there nothing else I could do? I already tried to reinstall it (via the server and locally (using the path to the server)).

    Jo

    :13249
  • New update:

    I tried again to install via the console with the following error: This computer is not yet managed. It is protected but has not yet reported back its status.

    Jo

    :13253
  • Time again for a few words about the architecture and components and some common misconceptions:

    AutoUpdate (AU) and Remote Management System (RMS) are independent. The former uses NetBIOS and/or HTTP to connect to the updating source. The latter connects to ports 8192 and 8194. The updating source might be a server different from the management server. RMS in turn might be using a relay. The Sophos Agent service manages the "internal" communication on a client. It receives the status messages from the various components (AU, SAV, ...) and hands them over to RMS for passing it to the server. RMS receives requests and commands (like for setting a policy) and passes them to the Agent which delivers it to the appropriate component.

    AU gets its update source(s) from either

    the installer (defaults, GUI or sauconf.xml)

    the GUI - or -

    the console

    Thus it doesn't need RMS to update from the correct location.

    I can/can't ping the machine - by itself this doesn't say much. A machine (its network card) might respond to a ping even though no OS is loaded. V.v. both the ICMP request and the reply might be discarded at various points and if you don't get a reply it doesn't necessarily mean the machine is offline. Even if the machine responds this has no significance re application connectivity.  

    apparently the computer gets his updates from the server [...] it just doesn't show up in the console - from the above it is clear that AU can work correctly even though RMS is in error

    it is connected, but doesn't show as connected in the console - to get any further we have to agree on the meaning of connected. As we are talking about management I prefer the definition used by SEC. Obviously the client's RMS hasn't successfully logged on to the server's message router. Regardless of the fact that it can make a NetBIOS connection to the CID and download the updates (something SEC can't/doesn't check from the server side anyway) connected is defined as having a working RMS communication established.

    Jak has already referred to the logs in case RMS is still not working after deletion of the keys. As they are recreated "first contact" obviously succeeds but there's likely an error immediately afterwards. What it is can only be determined by taking a look at the mentioned logs.  Repeated attempts to reinstall will likely only confirm that there is a persistent error but won't make it magically go away.

    Christian

    :13259
  • Thank you very much for the explanation.

    Can someone have a look at the log? I've placed it here: http://www.2shared.com/file/1v7WCe5g/Router-20110524-044913.html

    Thanks,

    Jo

    :13287
  • Another question,  where can I find those logs on an XP machine (32-bit)?

    Jo

    :13289
  • I looked at the log myself and I found this on the net:

    http://www.sophos.com/support/knowledgebase/article/46313.html

    http://www.sophos.com/support/knowledgebase/article/14449.html

    I followed those steps, but the Sophos Message Router Service cannot be started. I also noticed that on that pc there was nothing in the registry node: HKLM\Software\Sophos, even Sophos wasn't there.

    Jo

    :13297
  • Hello Jo,

    thanks for the log. Unfortunately I don't know what's causing the CORBA/NO_PERMISSION:1.0 error reported.

    Some observations though:

    The client first unsuccessfully searches for PC20-121.RBINS (which is not a valid FQDN). You might want to reassess your mrinit.conf. Might be that a reverse lookup of your server's address resolves to this name among others, but it doesn't seem to be valid. Anyway the client then tries the NetBIOS name and succeeds in getting the IOR (with the expected 192.168.20.121 as first address).

    Do all your PCs have the 192.168.xxx.1 addresses and is their name also resolving to these? It looks somewhat strange. If your working PCs have a similar line (Local IP addresses: 192.168.20.xxx 192.168.56.1 192.168.226.1 192.168.253.1 ) in their router logs then this should not be the cause of the problem though.

    Could you please also post the client's ClientMRInit-yyyymmdd-hhmmsss.log from %windir%\TEMP and the MRInit.conf? Can't say it will help but it's worth a try.

    Christian

    :13301
  • registry node: HKLM\Software\Sophos, even Sophos wasn't there

    Is this a 64bit system? If so it is: HKLM\Software\Wow6432Node\Sophos

    Christian

    :13303