Sophos Update Manager Issues

Hello again all,

I hope you are all doing well and any help with the following problem is greatly appreciated.

I haven't been able to get Sophos updates downloaded to my update manager since November 6, 2013. Some light infrastructure and background information: we are running Sophos Enterprise Console and Sophos Update Manager on the same server. We ran out of disk space a few weeks ago and I was only able to reclaim it by changing the recovery mode to simple and shrinking our "SOPHOS50" database. This was at the suggestion of an older SophosTalk post that I don't have a URL for.

The error I receive when pulling up the update manager details says:
"Unable to write to distribution location \\OCRACOKE\SophosUpdate for software subscription 'xxxxxx'."

This happens for three different subscriptions of the software, one of which includes the "10.0 Recommended" subscription.

LogViewer shows that there are checksum errors for many different files after the update process. I don't feel it is terribly relevant to post their names as it appears to be different files after every failed update.

Wireshark seems to show that some files that are being requested from the Akamai content servers don't exist on those servers, as many of them receive a 404/Not Found error. I have attached a .jpg showing part of a Wireshark capture for one such string of errors. Note that packets 6, 11, and 16 contain HTTP 404/Not Found errors (I am not sure why some info columns are showing as 'Unknown' when they should show the HTTP information). This happens for multiple files in a normal attempted update, not just "sddsconf.xml".

After reviewing our firewall logs, I noticed that our SonicWALL thinks there are port scans for random ports above 1024 coming from the Akamai IPs that SUM is trying to connect to. I wonder if traffic is being blocked because of these "portscans" (I'm not convinced the "portscans" are real, but I can't make sense of everything yet).

I moved all of the CID folders to a different location and attempted to rerun the update with no success--same issues.

Does anyone have any clues as to what's going on? Thanks again for any help!

Sincerely,
Cameron

  • Hello Cameron,

    you don't need Wireshark to troubleshoot "normal" errors - the SUMTrace logs should show what is actually considered an error.
    Can't check with my SUMs right now what these files contain though. Anyway, the checksum errors are not caused by the 404. In such cases - and especially when you ran out of space - you should empty the \Warehouse and \Working folders as well as (at least) the affected CIDs (stop the SUM service before doing so).
    Further steps depend on the result of the next update. That Wireshark can't fully interpret the response packets is odd - the packets might or might not be causing the issues though.

    Christian
