VPN trouble after updating to Sophos Endpoint Security and Control 9.5

Hi,

That's most odd and I can't really think why SAVService itself would be the cause, unless it has prevented other system services from starting due to extra load.  This might be worth checking.  There are a few components that sit outside of SAVService that make requests of SAVService, components such as Detours, LSP, BHO.  Typically I would consider disabling those first.  

To disable Detours open the keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

and

HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

if running on a 64 bit test machine and remove the entry to load the Sophos detours dll.  Please back up the keys before doing so or copy of the paths to the Sophos DLLs in both places so they can be added back later.

Reboot.  With the SAVService loaded do you have the same problem in this configuration, if not I would call support telling them that detours is causing you a problem.  If it still fails with the above keys changed do put them back.

To disable the LSP, if you turn off the "web protection" feature in SAV and then reboot, does it work?

Otherwise I would be tempted to use Process Monitor http://technet.microsoft.com/en-us/sysinternals/bb896645 on the machine. I.e.. In test 1, start the machine up with savservice, wait for the OS to fully load.  Start Process Monitor capturing the attempt to connect.  As soon as it brings up the blank dialog you can stop capturing.  Save all captured events as a pml file.  I would then repeat the test without SAVService, again creating a PML.  These can then be opened up side by side and compared.  I would have thought you could narrow down the significant point in the logs to quite a small window so it wouldn't be much to compare.

Regards,

Jak

Hi,

That's most odd and I can't really think why SAVService itself would be the cause, unless it has prevented other system services from starting due to extra load.  This might be worth checking.  There are a few components that sit outside of SAVService that make requests of SAVService, components such as Detours, LSP, BHO.  Typically I would consider disabling those first.  

To disable Detours open the keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

and

HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

if running on a 64 bit test machine and remove the entry to load the Sophos detours dll.  Please back up the keys before doing so or copy of the paths to the Sophos DLLs in both places so they can be added back later.

Reboot.  With the SAVService loaded do you have the same problem in this configuration, if not I would call support telling them that detours is causing you a problem.  If it still fails with the above keys changed do put them back.

To disable the LSP, if you turn off the "web protection" feature in SAV and then reboot, does it work?

Otherwise I would be tempted to use Process Monitor http://technet.microsoft.com/en-us/sysinternals/bb896645 on the machine. I.e.. In test 1, start the machine up with savservice, wait for the OS to fully load.  Start Process Monitor capturing the attempt to connect.  As soon as it brings up the blank dialog you can stop capturing.  Save all captured events as a pml file.  I would then repeat the test without SAVService, again creating a PML.  These can then be opened up side by side and compared.  I would have thought you could narrow down the significant point in the logs to quite a small window so it wouldn't be much to compare.

Regards,

Jak