
80040404 Threat detection data update failed.

We have a central update manager that's providing updates for several local servers via http. The whole system worked fine until just a few weeks ago. I think the cause of the problem was the release of SEC 10.0.4, but I'm not sure about that.

The central update manager has the following subscriptions:

9.5 - recommended

9.7 - recommended

10.0 - recommended

The local servers have a full installation of SEC 5.0 and are subscribed to either 9.5 and 10.0 or 9.7 and 10.0.

A few weeks ago seemingly all local servers started issuing 80040404/80040401/80040406 error messages. I've tried the procedure described here

http://www.sophos.com/en-us/support/knowledgebase/66176.aspx

on central as well as local servers - no success.

I've "split" the subscription on the central server into 10.0.3 and 10.0.4 and tried either subscription on one of the local servers - no success.

Finally, I did a complete re-install on a test server (local server) and even that didn't help. Looking at the files I found out, though, that the Sxxx directories are completely missing on the local server whereas the Warehouse seems to be filled normally (~250MB).

Any suggestions?

:24987


  • Hello tomerb,

    The children that aren't working have recently been updated to SEC 5.1

    no surprise, all SUMs should be on the same level and you should always start with the parent (the children will upgrade automatically by the way).

    Christian

    :25579
  • This hasn't been an issue in version 4.x, so I wasn't aware of that. In fact, the version of Update Manager (1.3.1.168) didn't even change. I set Update Manager to always install the newest version so I expected an upgrade from SEC 5.0 to 5.1 to leave Update Manager untouched. On the parent I don't really care about the SEC version as no clients are managed there...

    Thanks

    Thomas

    :25583
  • Hello Thomas,

    haven't upgraded to 5.1 yet but I see that the Beta has also SUM version 1.3.1.168. 

    I must admit I have been dense - I've missed that you said: The local servers have a full installation of SEC 5.0. I do think that updating from a Warehouse provided by a "downlevel" SEC (even if the SUMs have the same version) might cause problems.

    2DE69C24 -....  is, BTW, a folder in the warehouse and belongs to Patch. It should contain an XML file (70d5a8cb97e2...) - that's what your SUMs are looking for. Obviously the 5.0 servers can find what they are looking for. If there is an XML file (and only one) but with a different name ... 

    Can't say in which way the Warehouse depends on the SEC/SUM downloading it - but it is not the "complete" Warehouse you'll find at the Sophos server. If the XML file in the 2DE69C24 - folder has a different name and you don't care digging a little try the following: Look at sdds.local.xml in the \Warehouse\catalogue folder on a 5.0 and a 5.1 child.  The <md5> hex-char string in <file> names an XML file you'll find in the Warehouse base. This file in turn has an entry with rigidName 2DE69C24 - ... and its <md5> names the file (which fails synchronization on the 5.1 servers). If all 5.0 servers have the same name here but the 5.1 ones another this suggests that they expect a different Warehouse content.

    Most of this is just guesswork though

    Christian

    :25591
  • Yes, parent and children both have a full installation of SEC. From my understanding of the documentation, an installation of Update Manager should suffice, but someone on the phone support told me that it'd be "easier" to make a full installation on the parent so I did. Since the parent is a dedicated server I didn't really care.

    Now, I upgraded the parent to 5.1 and once again got the original file system permission issue, which I currently try to solve with a re-population of the warehouse on the parent. It worked once - it'll hopefully work again. We shall see.

    Talking about Sophos Patch... I remember that some time after the introduction of Sophos Patch all the children did contact Sophos - not the parent - for the download of Sophos Patch Data. (As some 80 servers did this simultaneously we had an awful lot of traffic one night...) Now, this is just speculation and I honestly haven't thought about it very long, but is it possible, that Sophos Patch Data is now also being distributed via Warehouse? This would explain, why an SEC 5.1 is looking for something which SEC 5.0 is getting somewhere else...

    :25595
  • Hi,

    I've looked into this and SEC 5.0 and SEC 5.1 use a different version of the Patch package as used by SEC.  If you look under the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\EE\Products\SophosPA

    The Line value GUID is the same but the version is different.  For SEC 5.0 = version 1 and SEC 5.1 = version 2.

    SEC 5.0 can't use the version 2 patch package, and SEC 5.1 can't use the version 1 version.  So the "Warehouse" directory the SUM updates from needs to contain the version specific files.  As the "Warehouse" can't contain both (as they are the same package, just different versions), a SEC 5.1 server has to update from a Warehouse created on a SEC 5.1 install and the same for version 5.0. 

    If you're only using the top level SEC+SUM to create a "Warehouse" directory to be moved/shared out for child sites, you could install SEC 5.0 and SEC 5.1 in parallel (2 computers) in order to create 2 different "Warehouse" directories to be made available to different versions below.

    In the case of an air-gap setup, where Patch is not supported you could just remove the key: SophosPA
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\EE\Products\SophosPA

    on the "clients" and  this would change the config of SUM not to subscribe to Patch, this will result in the SUM being able to continue working as it won't look for the files.

    Hope this helps explain what you saw but the easiest solution is to get the versions in-line where possible.

    Regards,

    Jak

    :26391
  • Once again I got the same issue, but this time versions of SEC were identical from the very beginning. The parent is subscribed to various versions of SAV including 10.0 and 10.2. No errors are shown there.

    A newly created child worked fine as long as it subscribed only to SAV 10.0. Adding 10.2 causes the above mentioned errors, once again. The SUMTrace shows:

    Sync failure: Cannot create stream 5cc588fa44503ff64d05968ba7514c45x000.xml

     The file does not seem to exist in the Warehouse of the parent.

    I've already tried re-populating the Warehouse on parent and child without success.

    Thanks in advance

    Thomas

    :34993
  • Hello Thomas,

    the file describes the AutoUpdate components for 10.2. Does the file b108ac48e04234f58d2c896164cd312bx000.dat (which is TopLevelCatalogue.dat for 10.2) exist in the Warehouse? If not - obvious question: Are other child SUMs subscribed to 10.2 and successfully updating from this parent (View -> Bootstrap locations ... should show where 10.2 used)?

    Christian

    :34995
  • Hi Christian,

    "the file describes the AutoUpdate components for 10.2. Does the file b108ac48e04234f58d2c896164cd312bx000.dat (which is TopLevelCatalogue.dat for 10.2) exist in the Warehouse?"

    No.

    "If not - obvious question: Are other child SUMs subscribed to 10.2 and successfully updating from this parent (View -> Bootstrap locations ... should show where 10.2 used)?"

    No, at the moment there are no other children subscribed to 10.2 - this is the first one. :)

    :34997
  • Hello Thomas,

    so - has the parent actually subscribed to 10.2? (tab Subscriptions and Configure update manager)?

    Christian

    :34999
  • Oops! Shame on me! I think that was the problem - I'll know for sure tomorrow. :)

    I thought since the child said that 10.2 is indeed available, then everything should be fine. Well, guess, that was wrong.

    Thanks a lot!

    Thomas

    :35007
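
The check the last posts work through by hand (take the stream name from the SUMTrace "Sync failure" line and see whether that file exists in the parent's Warehouse) can be scripted. This is an added example, not code from the thread or from Sophos; the function names, the constructed trace lines and the all-zero file name are assumptions, and it assumes the Warehouse folder is readable as a plain directory.

```python
import re
import tempfile
from pathlib import Path

# Wording taken from the SUMTrace line quoted in the thread:
#   Sync failure: Cannot create stream <name>
STREAM_RE = re.compile(r"Sync failure: Cannot create stream (\S+)")


def failed_streams(trace_lines):
    """Distinct stream file names the child failed to fetch, in first-seen order."""
    seen = []
    for line in trace_lines:
        match = STREAM_RE.search(line)
        if match and match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def check_warehouse(trace_lines, warehouse_dir):
    """Map each failed stream to True if the parent's Warehouse holds that file."""
    # Compare case-insensitively and include subfolders (layout is an assumption).
    present = {p.name.lower() for p in Path(warehouse_dir).rglob("*") if p.is_file()}
    return {name: name.lower() in present for name in failed_streams(trace_lines)}


def demo():
    # Constructed trace excerpt; only the "Sync failure" wording and the first
    # file name come from the thread. The all-zero name is a placeholder.
    trace = [
        "constructed: sync started",
        "constructed: Sync failure: Cannot create stream 5cc588fa44503ff64d05968ba7514c45x000.xml",
        "constructed: Sync failure: Cannot create stream 5cc588fa44503ff64d05968ba7514c45x000.xml",
        "constructed: Sync failure: Cannot create stream 00000000000000000000000000000000x000.xml",
    ]
    with tempfile.TemporaryDirectory() as warehouse:
        # Stand-in for the parent's Warehouse: it holds only the placeholder file.
        (Path(warehouse) / "00000000000000000000000000000000x000.xml").write_text("<constructed/>")
        return check_warehouse(trace, warehouse)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(("present  " if ok else "MISSING  ") + name)
```

A stream reported as MISSING on the parent means the file never reached the parent's Warehouse, so the place to look is the parent (for example its subscriptions, as in the last posts) rather than the child.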