Policy not applied / computer deployed but cannot connect

Dear readers and helpers,

We have a double issue with our Sophos Enterprise console 5.

1. I see only 5 computers connected instead of around 120.

2. Computers do not receive policies for Anti-virus and HIPS but do receive Firewall policies.

Where should I start investigating?

Thanks in advance,

  • Shortly after the snippet you posted there should be again the message about the logon (Logged on to parent router as Router$mitmngd01 ) and the subsequent failure when sending a message to the parent (E Failed to send message (id= ...)) - or rather, should not, but is. Can't say if there is a meaningful corresponding entry in the server's Router log but you should have a look. 

    Christian

  • The server is showing me this in the router logs :

    16.01.2012 17:31:21 079C I Sent message (id=011426A9) to EM

    16.01.2012 15:45:14 07B0 I Routing to Router$mitmngd01:9078: id=01140DCA, origin=Router$SOPHOS.EM, dest=Router$mitmngd01:9078.Agent, type=EM-SetConfiguration

    16.01.2012 15:45:14 07B0 I Routing to Router$mitmngd01:9078: id=03140DCA, origin=Router$SOPHOS.EM, dest=Router$mitmngd01:9078.Agent, type=EM-SetConfiguration

    16.01.2012 15:45:14 07B0 I Routing to Router$mitmngd01:9078: id=05140DCA, origin=Router$SOPHOS.EM, dest=Router$mitmngd01:9078.Agent, type=EM-SetConfiguration

    16.01.2012 15:45:14 07B0 I Routing to Router$mitmngd01:9078: id=07140DCA, origin=Router$SOPHOS.EM, dest=Router$mitmngd01:9078.Agent, type=EM-SetConfiguration

    16.01.2012 15:45:14 07B0 I Routing to Router$mitmngd01:9078: id=09140DCA, origin=Router$SOPHOS.EM, dest=Router$mitmngd01:9078.Agent, type=EM-SetConfiguration

    16.01.2012 15:45:14 07B0 I Routing to Router$mitmngd01:9078: id=0B140DCA, origin=Router$SOPHOS.EM, dest=Router$mitmngd01:9078.Agent, type=EM-SetConfiguration

    16.01.2012 15:45:14 07B0 I Routing to Router$mitmngd01:9078: id=0D140DCA, origin=Router$SOPHOS.EM, dest=Router$mitmngd01:9078.Agent, type=EM-SetConfiguration

    16.01.2012 15:45:41 07B0 I Routing to EM: id=01140DE5, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 15:45:41 079C I Sent message (id=01140DE5) to EM

    16.01.2012 15:45:47 07B0 I Routing to EM: id=01140DEB, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 15:45:47 0798 I Sent message (id=01140DEB) to EM

    16.01.2012 15:45:51 07B0 I Routing to EM: id=01140DEF, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 15:45:51 07A4 I Sent message (id=01140DEF) to EM

    16.01.2012 15:46:11 07B0 I Routing to EM: id=01140E03, origin=Router$SOPHOS.Agent, dest=EM, type=EM-GetStatus-Reply

    16.01.2012 15:46:11 07A0 I Sent message (id=01140E03) to EM

    16.01.2012 15:51:37 06A4 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 9, max number of user ports 15360

    16.01.2012 16:00:41 07B0 I Routing to EM: id=01141169, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 16:00:41 07A8 I Sent message (id=01141169) to EM

    16.01.2012 16:00:46 07B0 I Routing to EM: id=0114116E, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 16:00:46 0790 I Sent message (id=0114116E) to EM

    16.01.2012 16:00:50 07B0 I Routing to EM: id=01141172, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 16:00:50 078C I Sent message (id=01141172) to EM

    16.01.2012 16:01:10 07B0 I Routing to EM: id=01141186, origin=Router$SOPHOS.Agent, dest=EM, type=EM-GetStatus-Reply

    16.01.2012 16:01:10 0794 I Sent message (id=01141186) to EM

    16.01.2012 16:15:41 07B0 I Routing to EM: id=011414ED, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 16:15:41 079C I Sent message (id=011414ED) to EM

    16.01.2012 16:15:46 07B0 I Routing to EM: id=011414F2, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 16:15:46 0798 I Sent message (id=011414F2) to EM

    16.01.2012 16:15:50 07B0 I Routing to EM: id=011414F6, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 16:15:50 07A4 I Sent message (id=011414F6) to EM

    16.01.2012 16:16:10 07B0 I Routing to EM: id=0114150A, origin=Router$SOPHOS.Agent, dest=EM, type=EM-GetStatus-Reply

    16.01.2012 16:16:10 07A0 I Sent message (id=0114150A) to EM

    16.01.2012 16:30:41 07B0 I Routing to EM: id=01141871, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 16:30:41 07A8 I Sent message (id=01141871) to EM

    16.01.2012 16:30:47 07B0 I Routing to EM: id=01141877, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 16:30:47 0790 I Sent message (id=01141877) to EM

    16.01.2012 16:30:54 07B0 I Routing to EM: id=0114187E, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 16:30:54 078C I Sent message (id=0114187E) to EM

    16.01.2012 16:31:14 07B0 I Routing to EM: id=01141892, origin=Router$SOPHOS.Agent, dest=EM, type=EM-GetStatus-Reply

    16.01.2012 16:31:14 0794 I Sent message (id=01141892) to EM

    16.01.2012 16:45:41 07B0 I Routing to EM: id=01141BF5, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 16:45:41 079C I Sent message (id=01141BF5) to EM

    16.01.2012 16:45:50 07B0 I Routing to EM: id=01141BFE, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 16:45:50 0798 I Sent message (id=01141BFE) to EM

    16.01.2012 16:45:54 07B0 I Routing to EM: id=01141C02, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 16:45:54 07A4 I Sent message (id=01141C02) to EM

    16.01.2012 16:46:14 07B0 I Routing to EM: id=01141C16, origin=Router$SOPHOS.Agent, dest=EM, type=EM-GetStatus-Reply

    16.01.2012 16:46:14 07A0 I Sent message (id=01141C16) to EM

    16.01.2012 16:51:37 06A4 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 9, max number of user ports 15360

    16.01.2012 17:00:41 07B0 I Routing to EM: id=01141F79, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 17:00:41 07A8 I Sent message (id=01141F79) to EM

    16.01.2012 17:00:48 07B0 I Routing to EM: id=01141F80, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 17:00:48 0790 I Sent message (id=01141F80) to EM

    16.01.2012 17:01:08 07B0 I Routing to EM: id=01141F94, origin=Router$SOPHOS.Agent, dest=EM, type=EM-GetStatus-Reply

    16.01.2012 17:01:08 078C I Sent message (id=01141F94) to EM

    16.01.2012 17:01:14 07B0 I Routing to EM: id=01141F9A, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 17:01:14 0794 I Sent message (id=01141F9A) to EM

    16.01.2012 17:01:34 07B0 I Routing to EM: id=01141FAE, origin=Router$SOPHOS.Agent, dest=EM, type=EM-GetStatus-Reply

    16.01.2012 17:01:34 079C I Sent message (id=01141FAE) to EM

    16.01.2012 17:15:41 07B0 I Routing to EM: id=011422FD, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 17:15:41 0798 I Sent message (id=011422FD) to EM

    16.01.2012 17:15:49 07B0 I Routing to EM: id=01142305, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 17:15:49 07A4 I Sent message (id=01142305) to EM

    16.01.2012 17:15:53 07B0 I Routing to EM: id=01142309, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 17:15:53 07A0 I Sent message (id=01142309) to EM

    16.01.2012 17:16:13 07B0 I Routing to EM: id=0114231D, origin=Router$SOPHOS.Agent, dest=EM, type=EM-GetStatus-Reply

    16.01.2012 17:16:13 07A8 I Sent message (id=0114231D) to EM

    16.01.2012 17:30:41 07B0 I Routing to EM: id=01142681, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 17:30:41 0790 I Sent message (id=01142681) to EM

    16.01.2012 17:30:50 07B0 I Routing to EM: id=0114268A, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 17:30:50 078C I Sent message (id=0114268A) to EM

    16.01.2012 17:31:01 07B0 I Routing to EM: id=01142695, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent

    16.01.2012 17:31:01 0794 I Sent message (id=01142695) to EM

    16.01.2012 17:31:21 07B0 I Routing to EM: id=011426A9, origin=Router$SOPHOS.Agent, dest=EM, type=EM-GetStatus-Reply

  • Hello Pierre,

    This is somewhat strange (at least it looks so to me): Around 15:45 some policies are enqueued for the client but (unless you deleted many lines) never seem to get delivered (the corresponding lines would be like: Supplying message (id=01140DCA ) to Router$ .mitmngd01:9078 ). The rest is just the server talking to itself.

    From the snippets it looks like the client's RMS is able to log on but then the communication stalls. What of the other clients BTW? Are still just a few connected (and actually communicating - you can check this by the Last message time in SEC/Computer details)? I'm still thinking about which change could cause such an issue. Can you see any TCP connections to port 8194 (from client to server and v.v.)?

    Christian
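
The check described in the reply above (messages routed but never delivered), as an added example that is not part of the original posts and is not Sophos code. The sample lines are constructed in the format of the router log quoted in this thread; the function names and the assumption that a delivery line reads "Sent message (id=...)" or "Supplying message (id=...)" come from the lines quoted here, not from product documentation.

```python
import re

# Constructed sample in the format of the router log quoted in this thread.
SAMPLE_LOG = """\
16.01.2012 15:45:14 07B0 I Routing to Router$mitmngd01:9078: id=01140DCA, origin=Router$SOPHOS.EM, dest=Router$mitmngd01:9078.Agent, type=EM-SetConfiguration
16.01.2012 15:45:14 07B0 I Routing to Router$mitmngd01:9078: id=03140DCA, origin=Router$SOPHOS.EM, dest=Router$mitmngd01:9078.Agent, type=EM-SetConfiguration
16.01.2012 15:45:41 07B0 I Routing to EM: id=01140DE5, origin=Router$SOPHOS.Agent, dest=EM, type=EM-EntityEvent
16.01.2012 15:45:41 079C I Sent message (id=01140DE5) to EM
16.01.2012 15:51:37 06A4 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 9, max number of user ports 15360
"""

# "Routing to <hop>: id=..., origin=..., dest=..., type=..." means the message was enqueued.
ROUTED = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) \S+ \S "
    r"Routing to (?P<hop>.+?): id=(?P<id>[0-9A-Fa-f]+), "
    r"origin=(?P<origin>[^,]+), dest=(?P<dest>[^,]+), type=(?P<type>\S+)")
# Assumed delivery markers; whitespace before ")" is tolerated.
DELIVERED = re.compile(r"(?:Sent|Supplying) message \(id=(?P<id>[0-9A-Fa-f]+)\s*\)")

def undelivered(log_text):
    """Return routed messages that have no delivery line anywhere in the log."""
    routed, delivered = {}, set()
    for line in log_text.splitlines():
        line = line.strip()
        m = ROUTED.match(line)
        if m:
            routed[m["id"].upper()] = m.groupdict()
            continue
        d = DELIVERED.search(line)
        if d:
            delivered.add(d["id"].upper())
    # Two sets rather than a running queue, so a pasted log whose lines are
    # out of order (delivery line before routing line) is not misreported.
    return [msg for mid, msg in routed.items() if mid not in delivered]

def summarize(log_text):
    """Count stuck messages per (destination, message type)."""
    counts = {}
    for msg in undelivered(log_text):
        key = (msg["dest"], msg["type"])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (dest, mtype), n in summarize(SAMPLE_LOG).items():
        print(f"{n} undelivered {mtype} for {dest}")
```

Stuck messages concentrated on client destinations while messages to EM are all delivered match the pattern described in the reply: the server talks to itself, but nothing reaches the endpoints.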

  • Hello Christian,

    Nope, I did not delete lines in the previous log.

    Using netstat -a I do not see any connection on the clients to the server on 8194.

    From the server I see a lot of ESTABLISHED connections on the server IP XX.XX.XX.XX:8194.

    Yes, I still have 4 machines shown as connected out of a total of 130...

    Last message time differs on all disconnected computers in SEC.

    I may need remote assistance on this one. Is it possible?

  • Hello Pierre,

    I did not assume you deleted any.

    As the connections seem to work partially (and have worked in the past) I only briefly mentioned the Network Communications Report. Guess before calling Support (who might give you remote assistance, I can't tell) you should try the basic tests, i.e. telnetting from the client to the server on ports 8192 (this should respond with the IOR seen in the logs) and 8194 as well (if it works in principle you just get a connection without any data sent back which closes when you send some data). For completeness do the same in the other direction.

    One thing I forgot to mention - if the Last Message Time for the disconnected clients is recent (i.e. less than a day in the past) it won't help in determining when this "something" happened. But I think that the Up to date column in the Update Details tab should give a hint to the last time the majority of clients successfully reported back. Maybe this approximate time can help in finding the cause.

    If none of this gives any insight you should give Support a call. Please prepare some SDU logs (server and one or two clients). Sorry for wasting your time - I first thought this should be easier to sort out.     

    Christian
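
The basic port tests from the reply above, scripted instead of typed into telnet. This is an added example, not part of the original posts and not a Sophos tool. The expected behaviour of each port is taken from the reply; the `IOR:` prefix check, the verdict strings and the placeholder host name are assumptions of this sketch.

```python
import socket
import sys

# Expected verdicts per the reply above: 8192 answers with an IOR, 8194 accepts silently.
EXPECTED = {8192: "open, IOR returned", 8194: "open, no data"}

def classify(connected, banner=b"", error=None):
    """Map a probe outcome to a verdict (pure function, no network access)."""
    if connected:
        return "open, IOR returned" if banner.startswith(b"IOR:") else "open, no data"
    if isinstance(error, ConnectionRefusedError):
        return "closed (host reachable, nothing listening)"
    if isinstance(error, socket.timeout):
        # No SYN-ACK and no RST: typical of a host firewall silently dropping packets.
        return "filtered (no answer within timeout)"
    return "unreachable: %s" % error

def probe(host, port, timeout=3.0):
    """Connect, wait briefly for a banner, and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""  # connected but silent, which is normal for 8194
            return classify(True, banner)
    except OSError as exc:
        return classify(False, error=exc)

def check(host, timeout=3.0):
    return {port: probe(host, port, timeout) for port in EXPECTED}

def healthy(results):
    """True only if every port behaves as the reply says it should."""
    return all(results.get(p) == v for p, v in EXPECTED.items())

if __name__ == "__main__":
    # Placeholder host; pass the management server (or, for the reverse test, a client).
    results = check(sys.argv[1] if len(sys.argv) > 1 else "sec-server.example")
    for port, verdict in results.items():
        print(port, verdict)
    sys.exit(0 if healthy(results) else 1)
```

Run it from a client against the server and from the server against a client. A "filtered" verdict in one direction only points at a host firewall on the receiving side rather than at the management service itself.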

  • Christian,

    You will laugh and I will cry... It was simply Windows Firewall that had been activated by a tech...

    Thanks for your help.

    Kind regards,

  • Thanks for reporting back, Pierre.

    Could you give the details what has been blocked and what hasn't? It looked like 8192 was open. 

    It was simply windows firewall

    [shameless plug] that's why you should use SCF [shameless plug]  :smileywink: (and no, I don't get a commission).

    Christian
