
Windows 7 x64 freezing - Sophos Firewall

Hello all.

All machines in discussion are domain joined, Windows 7 x64

We have had over time some random Windows 7 machines behave as if they are locked up completely. No network access at all, although they still respond to ping. They will also allow a remote session via PowerShell. Windows Explorer locks up, applications freeze as they are opened or work is saved to the network.

These machines are dead in the water until the Sophos Firewall Services is stopped. Then the machine will react almost instantly. Start the service again and the machine locks.

The fix until now was to re-protect the endpoints. Maybe 7 in total over a period of weeks.

Today we had approximately nine endpoints freeze with the only solution to stop the firewall service to allow the end user to gracefully shut down the machine. The first time this happened was mid-morning for a particular group. The second was at 5.00 pm with the bulk of our staff having left for the day.

Notably one machine I found that Sophos was indicating an update was in progress. It was the last machine I was looking at so may be a bad lead.

Also, on a machine I connected to via a PowerShell Remote Session, the firewall service was turned off to allow the user to get work saved. The machine was left with the user logged in, Firewall Service NOT running for maybe an hour and a half. When I went to this machine and resumed the Firewall service everything was fine? Also logged in as another user and still fine?

I look after Active Directory and our Sophos management so can say with some certainty that nothing was pushed, altered or changed at the time. (Maybe Windows updates - will check tomorrow.)

I could see no firewall updates in the update log.

Hopefully I won't be walking into a shambles tomorrow morning when the bulk of staff return.

Any ideas?

Oh and sorry for the long post.

  • Hello sob,

    apparently this is not a complete lock-up, and it seems to affect the logged on user's session during a certain period. Which endpoint/SCF version? Any alerts or unusual SCF log entries (or perhaps "missing", i.e. absence of the usual, entries) or Windows Events during this time?

    Maybe Process Monitor (or perhaps Process Explorer if already launched) could help in determining what's going on - sounds like Explorer is the one getting stuck. Guess you tried Ctrl-Alt-Del at this point, is it processed?

    Christian

  • No not a complete lockup but very close from a users perspective.

    Alerts and Errors from console:

    Web Protection is no longer functional. The filtering driver has been bypassed or unloaded. (Maybe 15 or so all of a sudden last week but has dropped off)

    Failed to connect to database, error 4294965685. (We see a lot of this all the time.)

    Failed to clean the log, error:4294967295. (Less of these but still regular)

    Failed to repair database, error 11. (Less of these but still regular)

    Windows events all look fine on affected machines.

    Will try and look with some Sysinternals tools today if I can get a machine that is replicating the problem. Firewall log entries I have not had a chance to study but will be looking into this also.

    First job is to set up helpdesk to be able to manage the firewall service if we get a rash of this today.

    Cheers for the reply.

  • Sorry. Just to add to the last reply...

    Endpoint version 10.3.1 VDL4.95G

    Firewall 2.9.3

  • Hello sob,

    Web Protection is no longer functional

    this is part of the SAV component but should nevertheless be investigated - please see Enterprise Console reports error a058000c for a start.

    Failed to ...

    While the Failed to clean the log is AFAIK not alarming if you see it only every now and then (frequent occurrences should nevertheless be investigated), the other two indicate more serious issues. There are a few threads in these forums about these errors but unfortunately none with a final solution or report. SCF uses ODBC/JET; can't say though whether a local application (or which one) could be causing issues in this area. You should contact Support directly (the information you can collect before contacting them might speed things up though).

    In any case please follow up here.

    Christian

  • Thanks QC.

    This morning we had two machines with this issue. I could find no indication what may be causing the firewall to behave like this at all. Or no concrete evidence anyway.

    As the op_data.mdb file was fresh in my mind I tried deleting it with the Firewall Service off on the first machine. When I started the service, presto, the traffic started flowing - the machine was back to normal.

    I repeated this with a second machine and got the same results.

    So just turning the SCF service off and on again does nothing. Traffic still does not flow with the SCF service running. Stopping the SCF service, deleting op_data.mdb and restarting the service gets traffic flowing and brings the computer back to life.

    So we are going to investigate this avenue further. We will certainly be putting in a quickfix plan with our helpdesk to get users running again quickly if this continues.

    Possibly it is something to do with the op_data.mdb being locked, corrupt or unresponsive in some way. I will keep you posted with what we find.

    Jason.

  • Hopefully someone will find this useful.

    We still see the above randomly on single machines, which boils down to a corrupt op_data.mdb file. We have in place a fix for this which comprises remotely stopping the firewall service, deleting the op_data.mdb file, then restarting the service. All done remotely using a PowerShell script.

    Generally these machines show up in the SEC with "Failed to connect to database" and/or "Failed to repair database" errors.

    We have since seen multiple machines at one time give symptoms of locking up, which also boils down to the firewall blocking traffic, but this is not caused by a corrupt log file. We have a "historic" setting of "Block IPv6 packets" turned on. It would seem the networking chaps are testing or beginning to implement IPv6 in our environment. Hence we would see multiple machines suddenly have issues but not all machines. Probably to do with a single router or switch they are connected to.

    So we have two different root causes creating the exact same symptoms on the client machine.

    We now do not block IPv6 packets. So far there are no further issues with multiple machines freezing at one time.

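One way to script the remote fix described in the post above (stop the SCF service, set op_data.mdb aside, restart the service). This is an added example, not Jason's script: the service display name and the path of op_data.mdb are assumptions to adjust for your endpoint build, and the file is renamed rather than deleted so the corrupt copy is kept for Support.

```powershell
# Added example, not the poster's script. Assumptions (adjust for your build):
#   $ServiceName - display name of the SCF service as shown in services.msc
#   $DbPath      - full path of op_data.mdb on the endpoint (placeholder folder)
param(
    [Parameter(Mandatory = $true)][string[]]$ComputerName,
    [string]$ServiceName = 'Sophos Client Firewall',                       # assumption
    [string]$DbPath      = 'C:\ProgramData\SCF-DATA-PLACEHOLDER\op_data.mdb' # placeholder
)

$remediate = {
    param($ServiceName, $DbPath)
    $svc = Get-Service -DisplayName $ServiceName -ErrorAction Stop
    if (-not (Test-Path $DbPath)) { throw "op_data.mdb not found at $DbPath" }

    # 1. Stop the firewall service and wait until it has really stopped,
    #    so the database file is no longer held open by the service.
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }

    # 2. Move the suspect database aside instead of deleting it, so the
    #    corrupt copy can be handed to Support; SCF creates a fresh one.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = "$DbPath.$stamp.bak"
    Move-Item -Path $DbPath -Destination $backup -Force

    # 3. Restart the service and confirm it came back up.
    Start-Service -Name $svc.Name
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Service  = (Get-Service -Name $svc.Name).Status
        Backup   = $backup
        NewDb    = (Test-Path $DbPath)   # $true once SCF has recreated the file
    }
}

# Run against each endpoint over PowerShell Remoting, the same channel the
# original poster used to reach the frozen machines; one result row per host.
Invoke-Command -ComputerName $ComputerName -ScriptBlock $remediate `
    -ArgumentList $ServiceName, $DbPath
```

Run it from a helpdesk workstation with PowerShell Remoting enabled on the endpoints; the returned objects let the helpdesk confirm the service is Running and a new op_data.mdb exists before telling the user to retry.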
  • Thanks for posting, this has helped us out immensely after our Asia CO's laptop had this issue.
