Moving to a new Sophos server

I have a weird issue – a server caught in limbo. I have created a VB script using the tool that a Sophos tech told me about that will point my Sophos client servers from one Sophos master server (Sophos-old) to another Sophos master server (Sophos-new).

I have tested this script on 4 servers and it has run fine on those 4. They now point to Sophos-new for their policies and updates. On the 5th server, the resulting log file from the script looks fine (just like the other 4 servers). But it's not completely responding to either Sophos console.

From Sophos-old, the status says: Differs from policy.

On Sophos-new, it says: Awaiting policy update.

From Sophos-new, I select the computer, right click and say “Update the computer now…” On the 5th server, the update log shows that it's communicating with Sophos-Old.

From Sophos-old, I select the computer, right click and say “Update the computer now…” Nothing happens on the 5th server. Its log does not show any attempt to communicate with either Sophos server.

Oh, and I have rebooted the 5th server.

Has anyone come across this situation before?

:41327


  • Thanks for the logs.

    In the Agent log, you can see a status message (01D32C54) get created by the Sophos Agent:
    02.07.2013 15:39:00 119C I SendStatus: Sent EM-GetStatus-Reply (id=01D32C54) to EM

    In the Router log, you can see this message is sent:
    02.07.2013 15:39:00 120C I Routing to parent: id=01D32C54, origin=Router$server5:72699.Agent, dest=EM, type=EM-GetStatus-Reply
    02.07.2013 15:39:00 11B4 I Sent message (id=01D32C54) to Router$Sophos-new

    The line "Sent message" means it has left the endpoint and has been delivered somewhere; the next question is where?

    I do find a couple of things odd in the logs which might help to answer it.

    In the router log it has:
    02.07.2013 15:38:33 10D4 I Local IP addresses: 159.91.5.5


    But it also has the line:
    I This router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000e0000003135392e39312e31342e3130390001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f757465720000000300000000000000080000000100ae00004f415401000000140000000100ae000100010000000000090101000000000014000000080000000100a60086000220

    Parsing that IOR through http://catior.org/ shows the IP in the IOR to be 159.91.14.109; that should be the local IP.

    I'm not sure why these would differ, but it's a similar story with the parent address.

    02.07.2013 15:38:33 0CB0 I Getting parent router IOR from 159.91.5.9:8192


    So I assume this is the IP in the ParentAddress registry key mentioned earlier and the new sec server? But when it gets the IOR from the server on port 8192 it has:

    02.07.2013 15:38:33 0CB0 I Received parent router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000e0000003135392e39312e31342e3135390001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001007100004f41540100000014000000010071000100010000000000090101000000000014000000080000000100a60086000220

    That has in it the IP: 159.91.14.159


    This tells me that the client is connecting to its parent on address 159.91.5.9 on port 8192, reading the IOR from that port and then connecting to a different address (159.91.14.159) to send messages to?

    So I'm a bit confused what these IPs are. Can you check what 159.91.5.9 and 159.91.14.159 represent?

    Regards,

    Jak

    :41375
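
The IOR decoding step from the reply above, done offline instead of through a web parser, as an added example that is not part of the original thread or of any Sophos tool. The IOR string and the logged local address are copied from the Router log quoted in the reply; the names `Cdr`, `parse_ior` and `ior_disagrees_with_log` are made up for this example, and the layout assumed is the standard CORBA IIOP profile with the SSL tagged component (tag 20).

```python
import struct

# Copied from the Router log quoted in the post above.
LOGGED_LOCAL_IP = "159.91.5.5"
ROUTER_IOR = (
    "IOR:010000002600000049444c3a536f70686f734d6573736167696e672f"
    "4d657373616765526f757465723a312e300000000100000000000000a0000000"
    "010102000e0000003135392e39312e31342e31303900012041000000"
    "14010f004e5550000000210000000001000000526f6f74504f4100"
    "526f7574657250657273697374656e74000300000001000000"
    "4d657373616765526f757465720000000300000000000000080000000100ae00004f4154"
    "01000000140000000100ae000100010000000000090101000000000014000000080000000100a60086000220"
)

class Cdr:  # minimal CDR reader; alignment is relative to the encapsulation start
    def __init__(self, data, pos=1):
        self.data, self.pos = data, pos
        self.order = "<" if data[0] & 1 else ">"   # first octet is the byte-order flag
    def num(self, fmt):
        size = struct.calcsize("<" + fmt)
        self.pos += -self.pos % size               # pad to natural alignment
        (value,) = struct.unpack_from(self.order + fmt, self.data, self.pos)
        self.pos += size
        return value
    def octets(self):
        n = self.num("I")                          # ulong length prefix
        self.pos += n
        return self.data[self.pos - n:self.pos]

def parse_ior(ior):
    """Return type id, IIOP host/port and SSL port (None if absent) from an 'IOR:' string."""
    top = Cdr(bytes.fromhex(ior.strip()[4:]))
    out = {"type_id": top.octets()[:-1].decode(), "host": None, "port": None, "ssl_port": None}
    for _ in range(top.num("I")):                  # tagged profiles
        tag, body = top.num("I"), top.octets()
        if tag != 0:                               # 0 = TAG_INTERNET_IOP
            continue
        prof = Cdr(body, pos=3)                    # skip byte order + version major/minor
        out["host"], out["port"] = prof.octets()[:-1].decode(), prof.num("H")
        prof.octets()                              # object key, not needed here
        ncomp = prof.num("I") if body[1:3] >= b"\x01\x01" else 0  # components: IIOP 1.1+
        for _ in range(ncomp):
            ctag, cbody = prof.num("I"), prof.octets()
            if ctag == 20:                         # TAG_SSL_SEC_TRANS: port is octets 6-7
                out["ssl_port"] = Cdr(cbody, pos=6).num("H")
    return out

def ior_disagrees_with_log(ior, logged_ip):        # the mismatch the reply points out
    return parse_ior(ior)["host"] != logged_ip
```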