Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 11 replies
  • Subscribers 1 subscriber
  • Views 21044 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Client not getting certificate via RMS "Caught CORBA system exception"

asester

Hey all,

I've got multiple clients that are getting this error in the router log.....and I used the same install package that some of my other clients are using and ARE reporting to the SEC via the message relay.  I am able to telnet to the message relay from the client using 8192 (which returns the IOR with a sequence of numbers) and 8194 (returns a blank screen with a cursor).  I am aware that the Auto Update and RMS services run separate, but I thought I should mention that all of the clients update just fine from the message relay.

I have been reading multiple cases but haven't really seen any concrete resolutions to this issue...and since my problem is sporatic I'm making a new thread.  The 'netstat -n' command I ran on the message relay shows the 8192 ports with the client IP's that I'm having issues with in TIME_WAIT status.

Here is an insert from the router log on the client I'm having issues with.

16.07.2013 15:29:13 050C I Successfully validated parent router's IOR
16.07.2013 15:29:13 050C I Accessing parent
16.07.2013 15:29:18 09A4 I Logged on Agent for certification
16.07.2013 15:29:18 0A30 I Routing to parent: id=03E5AD1E, origin=Router$rv20009056:27138.Agent, dest=CM, type=Certification.CertRequest
16.07.2013 15:30:58 050C E ParentLogon::RegisterParent: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO
 
16.07.2013 15:31:28 050C I Getting parent router IOR from 165.201.22.33:8192
16.07.2013 15:31:28 050C I Received parent router's IOR: (number way too long to paste...and shouldn't matter since it matches)

16.07.2013 15:31:28 050C I Successfully validated parent router's IOR
16.07.2013 15:31:28 050C I Accessing parent
16.07.2013 15:31:50 050C E ParentLogon::RegisterParent: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

etc etc....The log repeats those steps and never obtains the certification request.

Any suggestions?

Thanks,

Adam

:41705


This thread was automatically locked due to age.
Parents
  • 0

    Thanks for the speedy reply Jak.  I ran the SSL command and it did return the certificate without any issues.  I also added the registry entries for changing the client router log file and here are the results:

    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|MessageRouter::validateIOR called
    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|Endpoint found: rvhalo3.kdor.ks.gov:8193
    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|>>> StatusReporting::StatusReporter::Done
    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|DNS            : problem 0, changed 0, already reported 0
    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|Certification  : problem 0, changed 0, already reported 0
    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|Incoming       : problem 0, changed 0, already reported 0
    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|Outgoing       : problem 0, changed 0, already reported 0
    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|<<< StatusReporting::StatusReporter::Done
    17.07.2013 10:05:00 0E68 I C:\Program Files\Sophos\Remote Management System\RouterNT.exe|Successfully validated parent router's IOR
    17.07.2013 10:05:00 0E68 I C:\Program Files\Sophos\Remote Management System\RouterNT.exe|Accessing parent
    17.07.2013 10:05:00 0E68 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|3688) - Connector::connect, looking for SSLIOP connection.
    17.07.2013 10:05:00 0E68 E C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|3688) Initializing SSLIOP_Endpoint
    17.07.2013 10:05:00 0E68 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO_LF_Event::state_changed to 2. No follower.
    17.07.2013 10:05:00 0E68 E C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|3688) - Transport_Cache_Manager::find_i, unable to locate a free connection
    17.07.2013 10:05:00 0E68 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|3688) - SSLIOP_Connector::ssliop_connect, making a new connection
    17.07.2013 10:05:00 0E68 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|3688) - Transport_Cache_Manager::fill_set_i, current_size = 1, cache_maximum = 10
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Connection_Handler[548]::handle_input, handle = 548/548
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Transport[548]::handle_input
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Transport[548]::process_queue_head
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Transport[548]::handle_input, read 104 bytes
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - GIOP_Message_State::parse_message_header_i
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - GIOP_Message_State::get_version_info
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - GIOP_Message_State::get_byte_order_info
    17.07.2013 10:05:00 07A4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|1956) - ORB_Core::run, handle_events() returns 0
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - GIOP_Message_Base::dump_msg, recv GIOP v1.2 msg, 92 data bytes, my endian, Type Request[249]
    17.07.2013 10:05:00 07A4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|1956) - ORB_Core::run, calling handle_events()
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|GIOP message - HEXDUMP 104 bytes
    47 49 4f 50 01 02 01 00  5c 00 00 00 f9 00 00 00   GIOP....\...ù...
    03 00 00 00 00 00 08 28  23 00 00 00 14 01 0f 00   .......(#.......
    4e 53 54 a0 b1 e6 51 99  0d 04 00 02 00 00 00 01   NST ±æQ.........
    00 00 00 00 00 00 00 01  00 00 00 01 00 00 00 72   ...............r
    0c 00 00 00 47 65 74 45  6e 76 65 6c 6f 70 65 00   ....GetEnvelope.
    01 00 00 00 01 00 00 00  0c 00 00 00 01 8b 54 02   .............‹T.
    01 00 01 00 09 01 01 00                            .... ...       
    17.07.2013 10:05:00 0BB4 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|CertEnvelopeSupplier::GetEnvelope() called
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - GIOP_Message_Base::dump_msg, send GIOP v1.2 msg, 51 data bytes, my endian, Type Reply[249]
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|GIOP message - HEXDUMP 63 bytes
    47 49 4f 50 01 02 01 01  33 00 00 00 f9 00 00 00   GIOP....3...ù...
    01 00 00 00 00 00 00 00  23 00 00 00 49 44 4c 3a   ........#...IDL:
    53 6f 70 68 6f 73 4d 65  73 73 61 67 69 6e 67 2f   SophosMessaging/
    4e 6f 45 6e 76 65 6c 6f  70 65 3a 31 2e 30 00      NoEnvelope:1.0.
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Transport[548]::cleanup_queue, byte_count = 63
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO_LF_Event::state_changed to 3. No follower.
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Transport[548]::cleanup_queue, after transfer, bc = 0, all_sent = 1, ml = 0
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Transport[548]::drain_queue_helper, byte_count = 63, head_is_empty = 1
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Transport[548]::drain_queue_i, helper retval = 1
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Connection_Handler[548]::handle_input, handle = 548/548, retval = 0
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - ORB_Core::run, handle_events() returns 1
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - ORB_Core::run, calling handle_events()
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - Connection_Handler[548]::handle_input, handle = 548/548
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - Transport[548]::handle_input
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - Transport[548]::process_queue_head
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - Transport[548]::handle_input, read 104 bytes
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - GIOP_Message_State::parse_message_header_i
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - GIOP_Message_State::get_version_info
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - GIOP_Message_State::get_byte_order_info
    17.07.2013 10:05:01 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - ORB_Core::run, handle_events() returns 0
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - GIOP_Message_Base::dump_msg, recv GIOP v1.2 msg, 92 data bytes, my endian, Type Request[250]

    And then it begins to repeat itself. 

    Below is the wireshark log.  I applied a filter that only captured the message relay IP for the destination.

    "No.","Time","Source","Destination","Protocol","Length","Info"
    "30","21.822977000","165.201.184.232","165.201.22.33","TCP","54","vpjp > blp1 [ACK] Seq=1 Ack=1778 Win=65535 Len=0"
    "31","21.852834000","165.201.184.232","165.201.22.33","TCP","1514","vpjp > blp1 [ACK] Seq=1 Ack=1778 Win=65535 Len=1460"
    "32","21.852849000","165.201.184.232","165.201.22.33","TCP","882","vpjp > blp1 [PSH, ACK] Seq=1461 Ack=1778 Win=65535 Len=828"
    "34","24.493959000","165.201.184.232","165.201.22.33","TCP","1514","[TCP Retransmission] vpjp > blp1 [ACK] Seq=1 Ack=1778 Win=65535 Len=1460"
    "35","29.923646000","165.201.184.232","165.201.22.33","TCP","1514","[TCP Retransmission] vpjp > blp1 [ACK] Seq=1 Ack=1778 Win=65535 Len=1460"
    "40","31.811169000","165.201.184.232","165.201.22.33","TCP","1514","[TCP Retransmission] vpjp > blp1 [ACK] Seq=1 Ack=1778 Win=65535 Len=1460"
    "42","32.123402000","165.201.184.232","165.201.22.33","TCP","54","vpjp > blp1 [ACK] Seq=1461 Ack=1779 Win=65535 Len=0"
    "43","32.123521000","165.201.184.232","165.201.22.33","TCP","882","[TCP Retransmission] vpjp > blp1 [FIN, PSH, ACK] Seq=1461 Ack=1779 Win=65535 Len=828"
    "44","32.124359000","165.201.184.232","165.201.22.33","TCP","62","equationbuilder > blp1 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1"
    "47","32.148996000","165.201.184.232","165.201.22.33","TCP","54","equationbuilder > blp1 [ACK] Seq=1 Ack=1 Win=65535 Len=0"
    "48","32.149147000","165.201.184.232","165.201.22.33","TCP","114","equationbuilder > blp1 [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=60"
    "52","42.600399000","165.201.184.232","165.201.22.33","TCP","590","[TCP Retransmission] vpjp > blp1 [ACK] Seq=1 Ack=1779 Win=65535 Len=536"
    "57","56.807234000","165.201.184.232","165.201.22.33","TCP","54","equationbuilder > blp1 [ACK] Seq=61 Ack=1778 Win=65535 Len=0"
    "58","56.836163000","165.201.184.232","165.201.22.33","TCP","1514","equationbuilder > blp1 [ACK] Seq=61 Ack=1778 Win=65535 Len=1460"
    "59","56.836177000","165.201.184.232","165.201.22.33","TCP","882","equationbuilder > blp1 [PSH, ACK] Seq=1521 Ack=1778 Win=65535 Len=828"
    "67","59.392390000","165.201.184.232","165.201.22.33","TCP","1514","[TCP Retransmission] equationbuilder > blp1 [ACK] Seq=61 Ack=1778 Win=65535 Len=1460"
    "69","64.622850000","165.201.184.232","165.201.22.33","TCP","1514","[TCP Retransmission] equationbuilder > blp1 [ACK] Seq=61 Ack=1778 Win=65535 Len=1460"
    "71","66.796413000","165.201.184.232","165.201.22.33","TCP","1514","[TCP Retransmission] equationbuilder > blp1 [ACK] Seq=61 Ack=1778 Win=65535 Len=1460"
    "73","67.092851000","165.201.184.232","165.201.22.33","TCP","54","equationbuilder > blp1 [ACK] Seq=1521 Ack=1779 Win=65535 Len=0"
    "74","67.092958000","165.201.184.232","165.201.22.33","TCP","882","[TCP Retransmission] equationbuilder > blp1 [FIN, PSH, ACK] Seq=1521 Ack=1779 Win=65535 Len=828"
    "79","77.196087000","165.201.184.232","165.201.22.33","TCP","590","[TCP Retransmission] equationbuilder > blp1 [ACK] Seq=61 Ack=1779 Win=65535 Len=536"
    "85","97.093179000","165.201.184.232","165.201.22.33","TCP","62","lotusnote > spytechphone [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1"
    "87","97.114093000","165.201.184.232","165.201.22.33","TCP","54","lotusnote > spytechphone [ACK] Seq=1 Ack=1 Win=65535 Len=0"
    "90","97.137420000","165.201.184.232","165.201.22.33","TCP","54","lotusnote > spytechphone [ACK] Seq=1 Ack=462 Win=65075 Len=0"
    "91","97.137502000","165.201.184.232","165.201.22.33","TCP","54","lotusnote > spytechphone [FIN, ACK] Seq=1 Ack=462 Win=65075 Len=0"
    "92","97.139862000","165.201.184.232","165.201.22.33","TCP","62","relief > blp1 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1"
    "95","97.163107000","165.201.184.232","165.201.22.33","TCP","54","relief > blp1 [ACK] Seq=1 Ack=1 Win=65535 Len=0"
    "96","97.163366000","165.201.184.232","165.201.22.33","TCP","114","relief > blp1 [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=60"

    Thanks again for looking into this.

    Adam

    :41725
Reply
  • 0

    Thanks for the speedy reply Jak.  I ran the SSL command and it did return the certificate without any issues.  I also added the registry entries for changing the client router log file and here are the results:

    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|MessageRouter::validateIOR called
    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|Endpoint found: rvhalo3.kdor.ks.gov:8193
    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|>>> StatusReporting::StatusReporter::Done
    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|DNS            : problem 0, changed 0, already reported 0
    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|Certification  : problem 0, changed 0, already reported 0
    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|Incoming       : problem 0, changed 0, already reported 0
    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|Outgoing       : problem 0, changed 0, already reported 0
    17.07.2013 10:05:00 0E68 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|<<< StatusReporting::StatusReporter::Done
    17.07.2013 10:05:00 0E68 I C:\Program Files\Sophos\Remote Management System\RouterNT.exe|Successfully validated parent router's IOR
    17.07.2013 10:05:00 0E68 I C:\Program Files\Sophos\Remote Management System\RouterNT.exe|Accessing parent
    17.07.2013 10:05:00 0E68 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|3688) - Connector::connect, looking for SSLIOP connection.
    17.07.2013 10:05:00 0E68 E C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|3688) Initializing SSLIOP_Endpoint
    17.07.2013 10:05:00 0E68 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO_LF_Event::state_changed to 2. No follower.
    17.07.2013 10:05:00 0E68 E C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|3688) - Transport_Cache_Manager::find_i, unable to locate a free connection
    17.07.2013 10:05:00 0E68 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|3688) - SSLIOP_Connector::ssliop_connect, making a new connection
    17.07.2013 10:05:00 0E68 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|3688) - Transport_Cache_Manager::fill_set_i, current_size = 1, cache_maximum = 10
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Connection_Handler[548]::handle_input, handle = 548/548
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Transport[548]::handle_input
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Transport[548]::process_queue_head
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Transport[548]::handle_input, read 104 bytes
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - GIOP_Message_State::parse_message_header_i
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - GIOP_Message_State::get_version_info
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - GIOP_Message_State::get_byte_order_info
    17.07.2013 10:05:00 07A4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|1956) - ORB_Core::run, handle_events() returns 0
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - GIOP_Message_Base::dump_msg, recv GIOP v1.2 msg, 92 data bytes, my endian, Type Request[249]
    17.07.2013 10:05:00 07A4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|1956) - ORB_Core::run, calling handle_events()
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|GIOP message - HEXDUMP 104 bytes
    47 49 4f 50 01 02 01 00  5c 00 00 00 f9 00 00 00   GIOP....\...ù...
    03 00 00 00 00 00 08 28  23 00 00 00 14 01 0f 00   .......(#.......
    4e 53 54 a0 b1 e6 51 99  0d 04 00 02 00 00 00 01   NST ±æQ.........
    00 00 00 00 00 00 00 01  00 00 00 01 00 00 00 72   ...............r
    0c 00 00 00 47 65 74 45  6e 76 65 6c 6f 70 65 00   ....GetEnvelope.
    01 00 00 00 01 00 00 00  0c 00 00 00 01 8b 54 02   .............‹T.
    01 00 01 00 09 01 01 00                            .... ...       
    17.07.2013 10:05:00 0BB4 T C:\Program Files\Sophos\Remote Management System\RouterNT.exe|CertEnvelopeSupplier::GetEnvelope() called
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - GIOP_Message_Base::dump_msg, send GIOP v1.2 msg, 51 data bytes, my endian, Type Reply[249]
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|GIOP message - HEXDUMP 63 bytes
    47 49 4f 50 01 02 01 01  33 00 00 00 f9 00 00 00   GIOP....3...ù...
    01 00 00 00 00 00 00 00  23 00 00 00 49 44 4c 3a   ........#...IDL:
    53 6f 70 68 6f 73 4d 65  73 73 61 67 69 6e 67 2f   SophosMessaging/
    4e 6f 45 6e 76 65 6c 6f  70 65 3a 31 2e 30 00      NoEnvelope:1.0.
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Transport[548]::cleanup_queue, byte_count = 63
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO_LF_Event::state_changed to 3. No follower.
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Transport[548]::cleanup_queue, after transfer, bc = 0, all_sent = 1, ml = 0
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Transport[548]::drain_queue_helper, byte_count = 63, head_is_empty = 1
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Transport[548]::drain_queue_i, helper retval = 1
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - Connection_Handler[548]::handle_input, handle = 548/548, retval = 0
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - ORB_Core::run, handle_events() returns 1
    17.07.2013 10:05:00 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - ORB_Core::run, calling handle_events()
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - Connection_Handler[548]::handle_input, handle = 548/548
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - Transport[548]::handle_input
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - Transport[548]::process_queue_head
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - Transport[548]::handle_input, read 104 bytes
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - GIOP_Message_State::parse_message_header_i
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - GIOP_Message_State::get_version_info
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - GIOP_Message_State::get_byte_order_info
    17.07.2013 10:05:01 0BB4 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2996) - ORB_Core::run, handle_events() returns 0
    17.07.2013 10:05:01 08E0 D C:\Program Files\Sophos\Remote Management System\RouterNT.exe|TAO (3284|2272) - GIOP_Message_Base::dump_msg, recv GIOP v1.2 msg, 92 data bytes, my endian, Type Request[250]

    And then it begins to repeat itself. 

    Below is the wireshark log.  I applied a filter that only captured the message relay IP for the destination.

    "No.","Time","Source","Destination","Protocol","Length","Info"
    "30","21.822977000","165.201.184.232","165.201.22.33","TCP","54","vpjp > blp1 [ACK] Seq=1 Ack=1778 Win=65535 Len=0"
    "31","21.852834000","165.201.184.232","165.201.22.33","TCP","1514","vpjp > blp1 [ACK] Seq=1 Ack=1778 Win=65535 Len=1460"
    "32","21.852849000","165.201.184.232","165.201.22.33","TCP","882","vpjp > blp1 [PSH, ACK] Seq=1461 Ack=1778 Win=65535 Len=828"
    "34","24.493959000","165.201.184.232","165.201.22.33","TCP","1514","[TCP Retransmission] vpjp > blp1 [ACK] Seq=1 Ack=1778 Win=65535 Len=1460"
    "35","29.923646000","165.201.184.232","165.201.22.33","TCP","1514","[TCP Retransmission] vpjp > blp1 [ACK] Seq=1 Ack=1778 Win=65535 Len=1460"
    "40","31.811169000","165.201.184.232","165.201.22.33","TCP","1514","[TCP Retransmission] vpjp > blp1 [ACK] Seq=1 Ack=1778 Win=65535 Len=1460"
    "42","32.123402000","165.201.184.232","165.201.22.33","TCP","54","vpjp > blp1 [ACK] Seq=1461 Ack=1779 Win=65535 Len=0"
    "43","32.123521000","165.201.184.232","165.201.22.33","TCP","882","[TCP Retransmission] vpjp > blp1 [FIN, PSH, ACK] Seq=1461 Ack=1779 Win=65535 Len=828"
    "44","32.124359000","165.201.184.232","165.201.22.33","TCP","62","equationbuilder > blp1 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1"
    "47","32.148996000","165.201.184.232","165.201.22.33","TCP","54","equationbuilder > blp1 [ACK] Seq=1 Ack=1 Win=65535 Len=0"
    "48","32.149147000","165.201.184.232","165.201.22.33","TCP","114","equationbuilder > blp1 [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=60"
    "52","42.600399000","165.201.184.232","165.201.22.33","TCP","590","[TCP Retransmission] vpjp > blp1 [ACK] Seq=1 Ack=1779 Win=65535 Len=536"
    "57","56.807234000","165.201.184.232","165.201.22.33","TCP","54","equationbuilder > blp1 [ACK] Seq=61 Ack=1778 Win=65535 Len=0"
    "58","56.836163000","165.201.184.232","165.201.22.33","TCP","1514","equationbuilder > blp1 [ACK] Seq=61 Ack=1778 Win=65535 Len=1460"
    "59","56.836177000","165.201.184.232","165.201.22.33","TCP","882","equationbuilder > blp1 [PSH, ACK] Seq=1521 Ack=1778 Win=65535 Len=828"
    "67","59.392390000","165.201.184.232","165.201.22.33","TCP","1514","[TCP Retransmission] equationbuilder > blp1 [ACK] Seq=61 Ack=1778 Win=65535 Len=1460"
    "69","64.622850000","165.201.184.232","165.201.22.33","TCP","1514","[TCP Retransmission] equationbuilder > blp1 [ACK] Seq=61 Ack=1778 Win=65535 Len=1460"
    "71","66.796413000","165.201.184.232","165.201.22.33","TCP","1514","[TCP Retransmission] equationbuilder > blp1 [ACK] Seq=61 Ack=1778 Win=65535 Len=1460"
    "73","67.092851000","165.201.184.232","165.201.22.33","TCP","54","equationbuilder > blp1 [ACK] Seq=1521 Ack=1779 Win=65535 Len=0"
    "74","67.092958000","165.201.184.232","165.201.22.33","TCP","882","[TCP Retransmission] equationbuilder > blp1 [FIN, PSH, ACK] Seq=1521 Ack=1779 Win=65535 Len=828"
    "79","77.196087000","165.201.184.232","165.201.22.33","TCP","590","[TCP Retransmission] equationbuilder > blp1 [ACK] Seq=61 Ack=1779 Win=65535 Len=536"
    "85","97.093179000","165.201.184.232","165.201.22.33","TCP","62","lotusnote > spytechphone [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1"
    "87","97.114093000","165.201.184.232","165.201.22.33","TCP","54","lotusnote > spytechphone [ACK] Seq=1 Ack=1 Win=65535 Len=0"
    "90","97.137420000","165.201.184.232","165.201.22.33","TCP","54","lotusnote > spytechphone [ACK] Seq=1 Ack=462 Win=65075 Len=0"
    "91","97.137502000","165.201.184.232","165.201.22.33","TCP","54","lotusnote > spytechphone [FIN, ACK] Seq=1 Ack=462 Win=65075 Len=0"
    "92","97.139862000","165.201.184.232","165.201.22.33","TCP","62","relief > blp1 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1"
    "95","97.163107000","165.201.184.232","165.201.22.33","TCP","54","relief > blp1 [ACK] Seq=1 Ack=1 Win=65535 Len=0"
    "96","97.163366000","165.201.184.232","165.201.22.33","TCP","114","relief > blp1 [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=60"

    Thanks again for looking into this.

    Adam

    :41725
Children
No Data