
Unexplained Network Traffic to Parent Router

Hi

I have a 2012R2 Server with Sophos Enterprise Console 5.2.1R2 installed.

The server has two NICs, one on the 'default VLAN' and one on a 'SAN VLAN'.

On the server...

I have removed the 'SAN VLAN' IP address/interface from the MRINIT.CONF file.

In the registry I have also modified the -ORBListenEndpoints for the RMS and Server Agent so that only the 'default VLAN' IP address is used.

On the client(s), in the Remote Management logs I can see the IOR being received from the server, and using an online checker I have been able to see that the IOR contains only the 'default VLAN' address (<default VLAN IP Address:8193>).

So all looks ok.

But, our network is being flooded with TCP traffic from all the clients trying to send data to the 'SAN VLAN' on port 8194.

How can this be? The IOR doesn't include that address, so how could the clients possibly know about it? On the clients I can't find any reference to the 'SAN VLAN' address in the registry and the MRINIT.CONF file is correct.

I'm really confused. Please help.

Thanks

Andrew

  • Hello Andrew,

    all the clients trying to send data to the 'SAN VLAN' on port 8194

    How (and where) did you find out? Just thinking out loud - these are TCP connections and there's only one from a client to the server. Does trying mean there are SYN requests to the (unreachable) SAN VLAN address and they then establish the connection with the correct adapter (but the incorrect traffic should eventually subside)? Or are the connections actually established (if so, this should be shown in the clients' Sophos Network Communications Report)?

    I'm confused as well :smileyhappy:

    Christian
  • Thanks for the reply.

    Please don't be confused :-) I didn't want to over complicate the initial post.

    I found out via our firewall, which is logging blocked traffic. The many entries look like the following:

    Source: 172.21.4.182, port 49842  -- Destination: 10.113.0.4, port 8194

    The 'Destination' being the IP address of the NIC card the server uses to access a SAN.

    The 'Source' is a client on the Default VLAN.

    No connection to 10.113.0.4 is possible from the client. What doesn't make sense is how the clients even know about this interface.
  • Hello Andrew,

    how the clients even know

    well, unless I'm missing something, it should come from the IOR either directly as address or, if the IOR contains the hostname, via DNS. Is the blocked traffic only to port 8194? 

    If the incorrect connection attempt is reproducible for a client I'd turn on verbose logging for the message router - if the client is aware of the 10.x.x.x address it should be recorded somewhere.

    Christian
  • On a typical client that the firewall identifies as sending traffic to 10.113.0.4, looking at the logs here:

    c:\ProgramData\Sophos\Remote Management System\3\Router\Logs

    I have the entry:

    Received parent router's IOR:

    IOR: <string of numbers>

    Using the IOR parser (http://www2.parc.com/istl/projects/ILU/parseIOR/), the IOR string contains a link to 172.21.1.22:8193, NOT to 10.113.0.4.

    The above is working as I understand it to, so it's strange the firewall is seeing this traffic.

    I'll try and take a look at verbose logging to see if I can see what's happening here...
  • Hello Andrew,

    one more thing - might sound crazy but I'd check with Wireshark what (if at all) the client is sending to 10.113.0.4 (should be only SYN packets).

    Christian
  • Ok, the verbose logging has proved useful.

    The log now reads:

    Received parent router's IOR:
    IOR:<string>

    MessageRouter::validateIOR called
    Endpoint found: 10.113.0.4:8193
    Endpoint found: 172.21.1.22:8193

    So there is the problem! - two endpoints are found in the IOR. (The IOR parser was not too useful then...)

    Still, next question, how do I remove this?

    I thought I'd done this server side. Do you know the exact procedure?

    Thanks again for your help.
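The two pieces of evidence in this thread (the firewall's blocked-connection entries and the verbose Remote Management router log listing every endpoint parsed from the IOR) can be checked mechanically. The following is an added example, not code from Sophos or from anyone in the thread: it parses sample lines in the formats quoted above and flags any IOR endpoint, or any client connection attempt on the RMS ports, that falls outside the 'default VLAN'. The 172.21.0.0/16 prefix for the default VLAN, the second port in the set and the extra sample lines are assumptions made for the example; the thread only gives the single addresses 172.21.1.22, 172.21.4.182 and 10.113.0.4 and the ports 8193 and 8194.

```python
import ipaddress
import re

# Assumption: the 'default VLAN' clients are meant to use is 172.21.0.0/16.
# The thread only shows single addresses from it (172.21.1.22, 172.21.4.182).
DEFAULT_VLAN = ipaddress.ip_network("172.21.0.0/16")
# RMS ports seen in the thread: 8193 (IOR endpoint) and 8194 (client data traffic).
RMS_PORTS = {8193, 8194}

# Firewall entry format as quoted in the thread.
FIREWALL_LINE = re.compile(
    r"Source:\s*(?P<src>[\d.]+),\s*port\s*(?P<sport>\d+)\s*--\s*"
    r"Destination:\s*(?P<dst>[\d.]+),\s*port\s*(?P<dport>\d+)"
)
# Verbose router log line emitted after 'MessageRouter::validateIOR called'.
ENDPOINT_LINE = re.compile(r"Endpoint found:\s*(?P<host>[\d.]+):(?P<port>\d+)")


def parse_firewall_log(lines):
    """Return (src, sport, dst, dport) tuples for lines in the firewall's format."""
    out = []
    for line in lines:
        m = FIREWALL_LINE.search(line)
        if m:
            out.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return out


def clients_reaching_wrong_vlan(lines, allowed=DEFAULT_VLAN, ports=RMS_PORTS):
    """Map each client to the RMS destinations it tried outside the allowed VLAN."""
    bad = {}
    for src, _sport, dst, dport in parse_firewall_log(lines):
        if dport in ports and ipaddress.ip_address(dst) not in allowed:
            bad.setdefault(src, set()).add(f"{dst}:{dport}")
    return {src: sorted(dsts) for src, dsts in sorted(bad.items())}


def parse_router_endpoints(lines):
    """Return (host, port) pairs the router logged while validating the IOR."""
    endpoints = []
    for line in lines:
        m = ENDPOINT_LINE.search(line)
        if m:
            endpoints.append((m["host"], int(m["port"])))
    return endpoints


def unexpected_endpoints(lines, allowed=DEFAULT_VLAN):
    """IOR endpoints that are not on the allowed VLAN (the SAN address in the thread)."""
    return [(host, port) for host, port in parse_router_endpoints(lines)
            if ipaddress.ip_address(host) not in allowed]


# Constructed sample data. The first firewall line reproduces the entry quoted in
# the thread; the other three are made up to show the filtering. The router log
# lines reproduce the verbose Remote Management log from the thread.
FIREWALL_SAMPLE = [
    "Source: 172.21.4.182, port 49842  -- Destination: 10.113.0.4, port 8194",
    "Source: 172.21.4.182, port 49843  -- Destination: 172.21.1.22, port 8194",
    "Source: 172.21.4.57, port 51000  -- Destination: 10.113.0.4, port 8194",
    "Source: 172.21.4.57, port 51001  -- Destination: 8.8.8.8, port 53",
]
ROUTER_LOG_SAMPLE = [
    "Received parent router's IOR:",
    "IOR:<string>",
    "MessageRouter::validateIOR called",
    "Endpoint found: 10.113.0.4:8193",
    "Endpoint found: 172.21.1.22:8193",
]

if __name__ == "__main__":
    print("clients hitting RMS ports off the default VLAN:",
          clients_reaching_wrong_vlan(FIREWALL_SAMPLE))
    print("IOR endpoints off the default VLAN:",
          unexpected_endpoints(ROUTER_LOG_SAMPLE))
```

Run against the real firewall export and a client's verbose router log, a non-empty result from `unexpected_endpoints` is the server-side misconfiguration (the IOR still advertises the SAN address), while `clients_reaching_wrong_vlan` shows which clients have already picked that IOR up and still need their message router restarted after the server is fixed.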
  • Hello Andrew,

    please see article 111862 - there are two keys to set (but I guess the Services key is the one that controls the IOR response). The rest of the article you've already done. After you've started the message router service on the server restart it on the client - you should see the change in the IOR response.

    Christian
  • Thanks.

    I think I've fixed it.

    In the registry on the server, HKLM\SYSTEM\CurrentControlSet\Services\Sophos Message Router\ImagePath,

    I had left a ':' in the ORBListenEndpoints address by mistake. I've taken that out and restarted the services on both the server and a test client, and now the log only returns 1 (and the correct) endpoint in the IOR.

    My mistake, but I'd probably not have noticed if you'd not mentioned the verbose logging.

    Thanks very much for your help.