Unexplained Network Traffic to Parent Router

Question

Hi

I have a 2012R2 Server with Sophos Enterprise Console 5.2.1R2 installed.

The server has two NICs, one on the 'default VLAN' and one on a 'SAN VLAN'.

On the server...

I have removed the 'SAN VLAN' IP address/interface from the MRINIT.CONF file.

In the registry I have also modified the -ORBListenEndpoints for the RMS and Server Agent so that only the 'default VLAN' IP address is used.

On the client(s), In the Remote Management logs I can see the IOR being received from the server, and using an online checker I have been able to see that the IOR contains only the 'default VLAN' address (<default VLAN IP Address:8193>

So all looks ok.

But, our network is being flooded with TCP traffic from all the clients trying to send data to the 'SAN VLAN' on port 8194.

How can this be? The IOR doesn't include that address, so how could the clients possibly know about it? On the clients I can't find any reference to the 'SAN VLAN' address in the registry and the MRINIT.CONF file is correct.

I'm really confused. Please help.

Thanks

Andrew

This thread was automatically locked due to age.

agvonline · Accepted Answer

Thanks. I've think I've fixed it.  In the registry on the server, HKLM\SYSTEM\CurrentControlSet\Services\Sophos Message Router\ImagePath, I had left an ':' in the ORBListenEndpoints address by mistake. I've taken that out and restarted the services on both the server and a test client and now the log only returns 1 (and the correct) endpoint in the IOR. My mistake, but I'd probably not noticed if you'd not mentioned the verbose logging. Thanks very much for your help. :46519