SEC 4.5 Update Manager not updating

I'm having a very strange problem with my Sophos Enterprise Console 4.5 installed on WINS Server 2008. Under Update managers, the last update and last download check are all showing 20/01/2012. Something seems to have happened to the server on the date and since then it has never updated. I've tried to manually update the server but nothing changed. Is my SEC database corrupt or not? I've checked on a few clients and their update logs all seem up to date. Can anyone help me with this please?

Thanks!

Rob.

:21735


  • Hi,

    I would suggest as a first thing to try:

    1. Stop the "Sophos Update Manager" service.

    2. If any exist, kill any process called "SophosUpdateMgr.exe".

    3. Stop the "Sophos Message Router" service

    4. Stop the "Sophos Agent" service.

    5. Stop the "Sophos Management Service"

    6. Start the "Sophos Message Router" service

    7. Start the "Sophos Management" service

    8. Start the "Sophos Update Manager" Service.

    9. Start the "Sophos Agent" service

    The SophosUpdateMgr.exe process should listen on TCP port 51234.

    The Sophos Agent service should connect to it and obtain the status of SUM.

    The status should result in a message which is sent to the Sophos Message Router.

    The Sophos Management Service is then sent the message by the Router.

    The data ends up in the database for the management service to re-read for the Console to display.

    After you've done all that, is the last message time, (a column in the computer details tab) recent?  This would at least suggest the messaging system is working?

    If this is all working, I would take a look in the agent log to ensure that it is communicating with the SUM process.

    "C:\ProgramData\Sophos\Remote Management System\3\Agent\Logs\"

    You should see something like:

    25.01.2012 23:15:15 0FFC I SDDM:SCAPI Calling Connect...
    25.01.2012 23:15:15 0FFC I SDDMA: An uninitialized socket was created.
    25.01.2012 23:15:15 0FFC I SDDM:SCAPI: Connect succeeded.
    25.01.2012 23:15:15 0FFC I SDDMA: Logon key written successfully.
    25.01.2012 23:15:15 0FFC I SDDMA: Logon key sent.
    25.01.2012 23:15:15 0FFC I SDDMA: Socket connection authenticated.
    25.01.2012 23:15:15 0FF4 I SDDMA: The adapter is connected to SDDM.
    25.01.2012 23:15:15 0FF4 I SDDMA: Sending a Status Report upstream (forced)...

    Hope that's useful.

    Regards,

    Jak

    :21745
  • Hi Jak

    Thanks for the suggestion. I've followed it but got stuck at step 7. The Sophos Management Service is showing: "Windows could not start the Sophos Management Service service on local computer. Error 1067: The process terminated unexpectedly." All other services started normally.

    Any further suggestions?

    Thanks!

    Rob.

    :21777
  • What does it say, when you try to start it in the application event log?

    :21779
  • Log Name:      System
    Source:        Service Control Manager
    Date:          08/02/2012 08:35:48
    Event ID:      7032
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Description:
    The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Sophos Management Service service, but this action failed with the following error:
    An instance of the service is already running.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Service Control Manager" Guid="{555908D1-A6D7-4695-8E1E-26931D2012F4}" EventSourceName="Service Control Manager" />
        <EventID Qualifiers="49152">7032</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-02-08T08:35:48.000Z" />
        <EventRecordID>105743</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>CTCSophos1.COOPERS.INTERNAL</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="param1">1</Data>
        <Data Name="param2">Restart the service</Data>
        <Data Name="param3">Sophos Management Service</Data>
        <Data Name="param4">%%1056</Data>
      </EventData>
    </Event>

    The only way to start SMS properly is to open SEC then it forces SMS to start.

    :21783
  • Checked the console again; it still shows the old date and time, though the agent log has updated activities:

    08.02.2012 08:28:47 0E60 I Running SetAdapterStatusJob for adapter SAV
    08.02.2012 08:29:07 0E60 I SendStatus: Sent EM-GetStatus-Reply (id=01323253) to EM
    08.02.2012 08:33:22 0EC0 I SDDMA: Sending a Status Report upstream (unthrottled)...
    08.02.2012 08:33:22 0EC0 I SDDM state observer notified that SDDM is running
    08.02.2012 08:33:22 0EC0 I SDDM state observer received a status: <?xml version="1.0" encoding="utf-8" ?><status xmlns="com.sophos\mansys\status" xmlns:csc="com.sophos\msys\csc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" type="sddm"><csc:CompRes policyType="9" Res="Same" RevID="b41d49b3-eb72-4e10-b324-8250d0f3dbff"/><csc:CompRes policyType="10" Res="Same" RevID="3ce1f30c-296a-4eb0-8f77-9b233675ea04"/><csc:CompRes policyType="11" Res="Same" RevID="4bce4096-9245-4eaa-8d75-a92626019f2a"/><csc:CompRes policyType="12" Res="Same" RevID="9cfbccbd-a0c0-4987-a406-00a38bc1db38"/><csc:CompRes policyType="13" Res="Same" RevID="e7201c4a-7ea5-4323-bfbf-ec376518ac46"/><version number="1"/><updateManager xmlns="http://www.sophos.com/msys/sddm/common.xsd" status="OK" softwareVersion="1.3.1.168"><updateOperation id="programsUpdate" lastNonNullFinishedAt="2012-02-08T08:22:45" lastFinishedAt="2012-02-08T08:22:45" finishedResult="NonNullSuccess"/><updateOperation id="supplementsUpdate" lastNonNullFinishedAt="2012-02-07T18:46:02" lastFinishedAt="2012-02-08T08:33:22" finishedResult="NullSuccess"/><sourceSite id="75656754-db11-4fc5-b398-1b2b4a8867d8" lastReadAt="2012-02-08T08:33:21" readResult="OK"/><defaultShare user="CTCSOPHOS1\SophosUpdateMgr" password="BwgZjhnFlfhVGXm7dqxl98MwUTxf+k9j3HE="/><distributionGroup id="eb971628-87d9-4e2e-8e35-624cedf62344"><distribution subscriptionId="95fcaafe-8e01-4188-8b11-05503616b8c5" lastNonNullDeliveryAt="2012-02-08T08:22:36" lastDeliveryAt="2012-02-08T08:33:21" deliveryResult="NullSuccess"><distributionSite><unc uri="\\CTCSOPHOS1\SophosUpdate\CIDs\S000\SAVSCFXP"/></distributionSite></distribution><distribution subscriptionId="946ca5ca-1c85-44a4-aa47-14ffd1477ad2" lastNonNullDeliveryAt="2012-02-08T08:22:45" lastDeliveryAt="2012-02-08T08:33:21" deliveryResult="NullSuccess"><distributionSite><unc uri="\\CTCSOPHOS1\SophosUpdate\CIDs\S000\ESCOSX"/></distributionSite></distribution></distributionGroup><distributionGroup 
id="{E6845043-2E6A-48c0-A4E9-170502650531}"><distribution subscriptionId="{67EDD28A-F79F-4556-9801-D47B9C7A1817}" lastNonNullDeliveryAt="2012-02-07T11:45:53" lastDeliveryAt="2012-02-08T08:33:22" deliveryResult="NullSuccess"><distributionSite><custom uri="C:\ProgramData\Sophos\Sophos Endpoint Management\4.5\Updates\Secure\SDFs\SophosMA\sec"/></distributionSite></distribution></distributionGroup><currency><entity line="SAVEEXP" version="9.5.5 VDL4.74G"><engineVersion>3.28.1</engineVersion><virusDataVersion>4.74G</virusDataVersion><idesChecksum>081D4182A38D7D4C1F870F0BE8511EA7</idesChecksum><rollout>2012-02-01T07:49:40</rollout></entity><entity line="SAVEEOSX" version="7.3.8"><engineVersion>3.28.1</engineVersion><virusDataVersion>4.74</virusDataVersion><idesChecksum>081D4182A38D7D4C1F870F0BE8511EA7</idesChecksum><rollout>2012-01-31T09:03:47</rollout></entity></currency></updateManager></status>
    08.02.2012 08:33:22 0EC0 I SDDMA: Status report dispatched.
    08.02.2012 08:33:22 0E60 I Running SetAdapterStatusJob for adapter SDDM
    08.02.2012 08:33:42 0E60 I SendStatus: Sent EM-GetStatus-Reply (id=01323366) to EM
    08.02.2012 08:43:22 0EC0 I SDDMA: Sending a Status Report upstream (unthrottled)...
    08.02.2012 08:43:22 0EC0 I SDDM state observer notified that SDDM is running
    08.02.2012 08:43:22 0EC0 I SDDM state observer received a status: <?xml version="1.0" encoding="utf-8" ?><status xmlns="com.sophos\mansys\status" xmlns:csc="com.sophos\msys\csc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" type="sddm"><csc:CompRes policyType="9" Res="Same" RevID="b41d49b3-eb72-4e10-b324-8250d0f3dbff"/><csc:CompRes policyType="10" Res="Same" RevID="3ce1f30c-296a-4eb0-8f77-9b233675ea04"/><csc:CompRes policyType="11" Res="Same" RevID="4bce4096-9245-4eaa-8d75-a92626019f2a"/><csc:CompRes policyType="12" Res="Same" RevID="9cfbccbd-a0c0-4987-a406-00a38bc1db38"/><csc:CompRes policyType="13" Res="Same" RevID="e7201c4a-7ea5-4323-bfbf-ec376518ac46"/><version number="1"/><updateManager xmlns="http://www.sophos.com/msys/sddm/common.xsd" status="OK" softwareVersion="1.3.1.168"><updateOperation id="programsUpdate" lastNonNullFinishedAt="2012-02-08T08:22:45" lastFinishedAt="2012-02-08T08:22:45" finishedResult="NonNullSuccess"/><updateOperation id="supplementsUpdate" lastNonNullFinishedAt="2012-02-07T18:46:02" lastFinishedAt="2012-02-08T08:43:22" finishedResult="NullSuccess"/><sourceSite id="75656754-db11-4fc5-b398-1b2b4a8867d8" lastReadAt="2012-02-08T08:43:21" readResult="OK"/><defaultShare user="CTCSOPHOS1\SophosUpdateMgr" password="BwgZjhnFlfhVGXm7dqxl98MwUTxf+k9j3HE="/><distributionGroup id="eb971628-87d9-4e2e-8e35-624cedf62344"><distribution subscriptionId="95fcaafe-8e01-4188-8b11-05503616b8c5" lastNonNullDeliveryAt="2012-02-08T08:22:36" lastDeliveryAt="2012-02-08T08:43:21" deliveryResult="NullSuccess"><distributionSite><unc uri="\\CTCSOPHOS1\SophosUpdate\CIDs\S000\SAVSCFXP"/></distributionSite></distribution><distribution subscriptionId="946ca5ca-1c85-44a4-aa47-14ffd1477ad2" lastNonNullDeliveryAt="2012-02-08T08:22:45" lastDeliveryAt="2012-02-08T08:43:21" deliveryResult="NullSuccess"><distributionSite><unc uri="\\CTCSOPHOS1\SophosUpdate\CIDs\S000\ESCOSX"/></distributionSite></distribution></distributionGroup><distributionGroup 
id="{E6845043-2E6A-48c0-A4E9-170502650531}"><distribution subscriptionId="{67EDD28A-F79F-4556-9801-D47B9C7A1817}" lastNonNullDeliveryAt="2012-02-07T11:45:53" lastDeliveryAt="2012-02-08T08:43:21" deliveryResult="NullSuccess"><distributionSite><custom uri="C:\ProgramData\Sophos\Sophos Endpoint Management\4.5\Updates\Secure\SDFs\SophosMA\sec"/></distributionSite></distribution></distributionGroup><currency><entity line="SAVEEXP" version="9.5.5 VDL4.74G"><engineVersion>3.28.1</engineVersion><virusDataVersion>4.74G</virusDataVersion><idesChecksum>081D4182A38D7D4C1F870F0BE8511EA7</idesChecksum><rollout>2012-02-01T07:49:40</rollout></entity><entity line="SAVEEOSX" version="7.3.8"><engineVersion>3.28.1</engineVersion><virusDataVersion>4.74</virusDataVersion><idesChecksum>081D4182A38D7D4C1F870F0BE8511EA7</idesChecksum><rollout>2012-01-31T09:03:47</rollout></entity></currency></updateManager></status>
    08.02.2012 08:43:22 0EC0 I SDDMA: Status report dispatched.
    08.02.2012 08:43:22 0E60 I Running SetAdapterStatusJob for adapter SDDM
    08.02.2012 08:43:42 0E60 I SendStatus: Sent EM-GetStatus-Reply (id=013235BE) to EM

    :21785
  • If it fails to start with a 'hard' error, I would expect there to be an entry in the application log from the management service itself rather than from the 'Service Control Manager'.

    Usually if the management service fails to start it is due to a configuration problem, i.e. database not there or wrong version etc.  The fact you haven't changed anything other than restart services since it was working suggests it's either just timing out, or in this case the process was already running?

    If you ensure that there are no mgntsvc.exe processes running, the service says it's stopped and then start it, it should be fine,  there is no difference between the service being started in response to the console calling into it and you starting it from the service control manager.

    Now that the service is started and you can open SEC, I guess there is no change in the console regarding the status of the SUM?

    Does the agent log show the lines I mention in the other post to prove that stage is taking place?

    Thanks,

    Jak

    :21787
  • Stage is taking place but the status of the SUM has no change. What options do I have before I decide to reinstall SEC?

    Thanks!

    Rob.

    :21793
  • Hi,

    All the timestamps in the XML show SUM is working as they are recent.  The Management Agent appears to be sending in the status message to the Router or at least trying to.

    EM-GetStatus-Reply (id=013235BE) to EM

    I assume in the Router logs the Agent shows that it is logged on to the Router?  When the Agent starts up, it should log on to the Sophos Message Router.  This action is evident in the Router logs by the line:

    "I Logged on Agent as a client " - minus the quotes.  It can take a couple of minutes to log on if it's a busy router.

    As you restarted the agent and router recently, you should see this in a recent router log, just restarting the agent again you should see this entry in the router log.

    The next step is to really trace one of these status messages, which contains the SUM status.  Is the message stuck in the envelopes directory?

    "C:\ProgramData\Sophos\Remote Management System\3\Router\Envelopes\"

    Is it getting as far as the management service?  The sophos-management-services.log would then be the next call.

    I'm afraid it's really just tracing the message in.  Is the Last Message time (Computer details tab) for the machine with the SUM on recent?  That would prove messages are coming in from it.

    If you have more than one SUM, this is worth doing:

    http://www.sophos.com/support/knowledgebase/article/57638.html

    just to ensure that the message is processed rather than discarded if the management service doesn't think the SUM is authoritative.

    Regards,

    Jak

    :21795
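
Added example, not part of the thread and not Sophos tooling: a small Python parser for the agent-log entries quoted above. It pulls each SUM status report out of the log, lists the `updateOperation` timestamps so they can be compared with the stale date shown in the console, and blanks the `defaultShare` password attribute so the XML can be shared. The function names, the placeholder host and the sample log are constructed; the entry layout and attribute names are assumed from the lines quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SDDM_NS = "{http://www.sophos.com/msys/sddm/common.xsd}"
# Entry layout assumed from the thread: "DD.MM.YYYY HH:MM:SS <thread> I SDDM state observer received a status: <xml>"
ENTRY_RE = re.compile(
    r"(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) \w+ I SDDM state observer "
    r"received a status: .*?(<status .*?</status>)", re.S)
PASSWORD_RE = re.compile(r'(password=")[^"]*(")')

# Constructed sample: abridged from the status layout quoted in the thread,
# with a placeholder host and password. The XML wraps mid-tag, as it does there.
SAMPLE_LOG = r'''
08.02.2012 08:33:22 0EC0 I SDDM state observer notified that SDDM is running
08.02.2012 08:33:22 0EC0 I SDDM state observer received a status: <?xml version="1.0" encoding="utf-8" ?><status xmlns="com.sophos\mansys\status" type="sddm"><version number="1"/><updateManager xmlns="http://www.sophos.com/msys/sddm/common.xsd" status="OK" softwareVersion="1.3.1.168"><updateOperation id="programsUpdate" lastFinishedAt="2012-02-08T08:22:45" finishedResult="NonNullSuccess"/><updateOperation id="supplementsUpdate" lastFinishedAt="2012-02-08T08:33:22" finishedResult="NullSuccess"/><defaultShare user="EXAMPLEHOST\SophosUpdateMgr"
password="CONSTRUCTED-PLACEHOLDER"/></updateManager></status>
08.02.2012 08:33:22 0EC0 I SDDMA: Status report dispatched.
'''

def sum_reports(log_text):
    """Return one dict per SUM status report found in the agent log text."""
    reports = []
    for stamp, xml_text in ENTRY_RE.findall(log_text):
        manager = ET.fromstring(xml_text).find(SDDM_NS + "updateManager")
        if manager is None:          # status from some other adapter
            continue
        reports.append({
            "logged_at": datetime.strptime(stamp, "%d.%m.%Y %H:%M:%S"),
            "status": manager.get("status"),
            "operations": {
                op.get("id"): datetime.fromisoformat(op.get("lastFinishedAt"))
                for op in manager.iter(SDDM_NS + "updateOperation")},
            # Safe-to-share copy: the share password attribute is blanked.
            "redacted_xml": PASSWORD_RE.sub(r"\1[REDACTED]\2", xml_text),
        })
    return reports

def stale_operations(report, max_age=timedelta(hours=24)):
    """Operation ids whose lastFinishedAt is older than max_age at log time."""
    return sorted(op for op, done in report["operations"].items()
                  if report["logged_at"] - done > max_age)

if __name__ == "__main__":
    for r in sum_reports(SAMPLE_LOG):
        print(r["logged_at"], r["status"], stale_operations(r) or "all recent")
```

If every report shows recent operations while the console still shows an old date, SUM itself is updating and the fault lies further along the message path (Router, envelopes directory, management service), as the last reply suggests.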