
Can't connect clients after somewhat convoluted upgrade

We're having trouble getting our clients to reconnect after upgrading from Enterprise Console 4.0 to 5.1. 

Granted, a straight upgrade didn't work, so I had to run the stored procs in the various versions of the console to get the database from SOPHOS4 up to SOPHOS51, and the database is now located locally on the same box as the management server.  

After changing the connection string, I can open up the Enterprise Console and see all of the devices, but the only one connected is the server itself as the Update Manager.

Things I've already checked:

(1) The box now only has one NIC on it, so that's not an issue. The mrinit.conf files also show this single IP.

(2) I've checked the router logs, other than a bunch of "cannot verify peer's ssl certificate, unknown ca", things seem fine - I see these after I try and push a policy:

16.10.2012 17:29:37 113C I Logged on Agent as a client
16.10.2012 17:29:37 0A9C I Routing to Agent: id=007DDFD1, origin=Router$sophos, dest=Router$sophos.Agent, type=EM-ClientLogon
16.10.2012 17:29:37 0A7C I Sent message (id=027DDEEC) to Agent
16.10.2012 17:29:37 0A7C I Sent message (id=007DDEEF) to Agent
16.10.2012 17:29:37 0A7C I Sent message (id=007DDFD1) to Agent
16.10.2012 17:29:57 0A9C I Routing to EM: id=007DDFE5, origin=Router$sophos.Agent, dest=EM, type=EM-GetStatus-Reply
16.10.2012 17:29:57 06F4 I Sent message (id=007DDFE5) to EM

(3) For a test client, I've verified that I can ping the IP address that Sophos lists for that device from the Sophos enterprise console machine.

(4) The DNS is properly set up to go to the new machine, which has the necessary files within a folder in IIS that mirrors the old server's setup.  This "should" get around the primary update policy location IP address changing as it was listed under an http address that is a DNS name we can change.

Any pointers would be fantastic right now. 

:34235


This thread was automatically locked due to age.
  • Hello buuuuuuuuuh,

    (2) I've checked the router logs

    The snippet seems to be from the management server. As the clients initiated the RMS connection you should start with the Router logs on them.

    other than "unknown ca" things seem fine

    That's likely not fine. As said, the snippet seems to show only the server (and I get it that it successfully communicates with itself) and I assume these errors pertain to the clients' connections, in fact all connection attempts. If you could show a part of a client log (and maybe the corresponding part from the server - guess the SSL error names the "offending" IP) maybe we can get a hint what's going on.

    Christian

    :34261
  • Unknown CA means the clients have a different certificate to the server.

    If you use: http://www.sophos.com/en-us/support/knowledgebase/116737.aspx to create a VBS to run on a couple of clients which show up in the server router logs with this issue, it should solve them.

    Regards,

    Jak

    :34277
  • Update: things are marginally better. After doing some cfg file snooping I was able to change the paths on the client - the box is now connected to the console.

    It just won't update.  

    Trying to update the policy gives me the dreaded "The primary update location may not contain the selected software subscription 'Recommended'.", or any other subscription I add or create.

    From the client's router when I tried to update:

    18.10.2012 16:29:26 0C18 I Successfully validated parent router's IOR
    18.10.2012 16:29:26 0C18 I Accessing parent
    18.10.2012 16:29:27 0C18 I Parent is Router$sophos
    18.10.2012 16:29:27 0C18 I RouterTableEntry::LogonToParentRouter() - logging on as active consumer
    18.10.2012 16:29:27 0C18 I RouterTableEntry state (router, logging on): Router$sophos is passive consumer, passive supplier
    18.10.2012 16:29:27 0C18 I Logged on to parent router as Router$MWS0453200050:63008
    18.10.2012 16:29:27 0C18 I This computer is part of the workgroup REDACTED
    18.10.2012 16:30:01 0F68 I Client::LogonPushPush() successfully called back to client
    18.10.2012 16:30:01 0F68 I Logged on Agent as a client
    18.10.2012 16:30:01 0214 I Routing to Agent: id=028066C9, origin=Router$MWS0453200050:63008, dest=Router$MWS0453200050:63008.Agent, type=EM-ClientLogon
    18.10.2012 16:30:01 0620 I Sent message (id=028066C9) to Agent
    18.10.2012 16:30:01 0214 I Received message for this router
    18.10.2012 16:30:01 0214 I EM-NotifyClientUpdates originator Router$MWS0453200050:63008.Agent
    18.10.2012 16:30:01 0214 I Received message for this router
    18.10.2012 16:30:01 0214 I EM-GetClientStatus EMLib originator Router$MWS0453200050:63008.Agent
    18.10.2012 16:30:01 0214 I Routing to Agent: id=088066C9, origin=Router$MWS0453200050:63008, dest=Router$MWS0453200050:63008.Agent, type=EM-NotifyClientUpdates-Reply
    18.10.2012 16:30:01 0214 I Routing to Agent: id=0A8066C9, origin=Router$MWS0453200050:63008, dest=Router$MWS0453200050:63008.Agent, type=EM-GetClientStatus-Reply
    18.10.2012 16:30:01 07B8 I Sent message (id=088066C9) to Agent
    18.10.2012 16:30:01 07B8 I Sent message (id=0A8066C9) to Agent
    18.10.2012 16:30:21 0214 I Routing to parent: id=008066DD, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-GetStatus-Reply
    18.10.2012 16:30:21 0620 I Sent message (id=008066DD) to Router$sophos
    18.10.2012 16:31:03 0214 I Routing to parent: id=00806707, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-EntityEvent
    18.10.2012 16:31:03 058C I Sent message (id=00806707) to Router$sophos
    18.10.2012 16:33:34 0214 I Routing to parent: id=0080679E, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-GetStatus-Reply
    18.10.2012 16:33:34 07B8 I Sent message (id=0080679E) to Router$sophos
    18.10.2012 16:34:29 0214 I Routing to parent: id=008067D5, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-GetStatus-Reply
    18.10.2012 16:34:29 0620 I Sent message (id=008067D5) to Router$sophos

    Same push on the server:

    18.10.2012 15:29:23 113C I Logged on Router$MWS0453200050:63008 as a router
    18.10.2012 15:29:23 0A9C I Routing to EM: id=008066A3, origin=Router$sophos, dest=EM, type=EM-RouterLogon
    18.10.2012 15:29:23 0A7C I Sent message (id=008066A3) to EM
    18.10.2012 15:30:17 0A9C I Routing to EM: id=008066DD, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-GetStatus-Reply
    18.10.2012 15:30:17 0E3C I Sent message (id=008066DD) to EM
    18.10.2012 15:30:59 0A9C I Routing to EM: id=00806707, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-EntityEvent
    18.10.2012 15:30:59 0E7C I Sent message (id=00806707) to EM
    18.10.2012 15:33:29 0A9C I Routing to EM: id=0080679E, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-GetStatus-Reply
    18.10.2012 15:33:29 0E64 I Sent message (id=0080679E) to EM
    18.10.2012 15:34:24 0A9C I Routing to EM: id=008067D5, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-GetStatus-Reply
    18.10.2012 15:34:24 1160 I Sent message (id=008067D5) to EM

    Update was initiated from the client, so thinking it must not be talking correctly back to the console machine.

    Trying to push the group updating policy to the endpoint on the console begets:

    18.10.2012 15:57:59 0A9C I Routing to EM: id=00806D5B, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-GetStatus-Reply
    18.10.2012 15:57:59 0E7C I Sent message (id=00806D5B) to EM
    18.10.2012 15:58:19 0A9C I Routing to Router$MWS0453200050:63008: id=00806D6B, origin=Router$sophos.EM, dest=Router$MWS0453200050:63008.Agent, type=EM-SetConfiguration
    18.10.2012 15:58:19 1010 I Supplying message (id=00806D6B) to Router$MWS0453200050:63008

    Trying to push an update now to that endpoint:

    18.10.2012 15:58:40 0A9C I Routing to EM: id=00806D85, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-GetStatus-Reply
    18.10.2012 15:58:40 1160 I Sent message (id=00806D85) to EM
    18.10.2012 15:59:12 0A9C I Routing to Router$MWS0453200050:63008: id=00806DA0, origin=Router$sophos.EM, dest=Router$MWS0453200050:63008.Agent, type=EM-DoAction
    18.10.2012 15:59:12 113C I Supplying message (id=00806DA0) to Router$MWS0453200050:63008
    18.10.2012 15:59:17 0A9C I Routing to EM: id=00806DAA, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-EntityEvent
    18.10.2012 15:59:17 1058 I Sent message (id=00806DAA) to EM

    :34353
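
An added example, not part of the original posts: a Python sketch that parses router log lines in the layout pasted above and matches message ids between the client and server excerpts, showing which messages the client routed to its parent actually reached the server and what clock offset separates the two logs. The function names are hypothetical, and the id `00FFFF01` is a constructed line added to show an unmatched message.

```python
import re
from datetime import datetime

# Line layout as posted in the thread: date time thread-id level message
LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) ([0-9A-F]{4}) ([A-Z]) (.*)$")
MSG_ID = re.compile(r"\bid=([0-9A-F]{8})\b")

def parse(log_text):
    """Return (timestamp, message) pairs; blank or unrecognised lines are skipped."""
    out = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            out.append((datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S"), m.group(4)))
    return out

def first_seen(entries, prefix):
    """Map message id -> first timestamp of a line whose message starts with prefix."""
    seen = {}
    for ts, msg in entries:
        m = MSG_ID.search(msg)
        if m and msg.startswith(prefix):
            seen.setdefault(m.group(1), ts)
    return seen

def correlate(client_log, server_log):
    """Return ({id: server-minus-client seconds}, [ids the server never logged])."""
    sent = first_seen(parse(client_log), "Routing to parent:")
    got = first_seen(parse(server_log), "Routing to EM:")
    offsets = {i: int((got[i] - sent[i]).total_seconds()) for i in sent if i in got}
    missing = sorted(i for i in sent if i not in got)
    return offsets, missing

# Lines copied from the logs posted above; the last client line is constructed
CLIENT = """
18.10.2012 16:30:21 0214 I Routing to parent: id=008066DD, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-GetStatus-Reply
18.10.2012 16:31:03 0214 I Routing to parent: id=00806707, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-EntityEvent
18.10.2012 16:35:00 0214 I Routing to parent: id=00FFFF01, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-GetStatus-Reply
"""
SERVER = """
18.10.2012 15:30:17 0A9C I Routing to EM: id=008066DD, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-GetStatus-Reply
18.10.2012 15:30:59 0A9C I Routing to EM: id=00806707, origin=Router$MWS0453200050:63008.Agent, dest=EM, type=EM-EntityEvent
"""

if __name__ == "__main__":
    print(correlate(CLIENT, SERVER))
```

On the pasted excerpts the matched ids sit about an hour apart (server behind client), which has to be accounted for before lining up any other events from the two machines.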
  • The console, after the attempt to push an update to the now connected computer, then gives "ERROR: Could not find a source for updated packages [0x00000071]".

    I'm going to try what's told in http://www.sophos.com/en-us/support/knowledgebase/39155.aspx first.

    :34355
  • Hi,

    "C:\ProgramData\Sophos\AutoUpdate\Config\iconn.cfg" or "C:\program files\Sophos\AutoUpdate\Config\iconn.cfg" (XP/2003/2000) is the config of Sophos AutoUpdate (SAU) in terms of update location and account to access the update share. You may wish to check that on the client, this path can be accessed.

    The update location should be something like:

    ConnectionAddress = \\server\SophosUpdate\CIDs\S000\SAVSCFXP\

    This location is derived from the updating policy as in SEC you specify 2 things:

    1. The update location, e.g. \\server\sophosupdate  (ensure that the client can resolve the address using the NetBIOS address if that's what is used)

    2. The subscription. (subscription tab)

    The subscription part adds on the "\CIDs\S000\SAVSCFXP\" part as the S000 part is the subscription as seen in the "view" - bootstrap locations.  Each subscription creates a new sxxx.

    As for the update account reference in iconn.cfg, e.g.

    UserName = domain\updateaccount

    that is defined in the updating policy and, although it can be any account with read access to the \\server\sophosupdate share, during the install the installer asked for an account to access the share.  This account should be listed in the security properties of the SophosUpdate share on the server and is the default account details in the default updating policy.  When accessing the share from the client, this is the account you should test.

    Hope this info helps.

    Regards,

    Jak

    :34357
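
An added example, not part of the original posts: a Python sketch that checks a client's iconn.cfg text against the address the updating policy should produce (update location plus the `\CIDs\<subscription>\SAVSCFXP\` part described above), so a client still pointing at a previous server after a migration stands out. It assumes the file holds plain `key = value` lines as quoted in the post; the function names and the host `oldserver` are hypothetical.

```python
def read_settings(cfg_text):
    """Collect 'key = value' pairs from iconn.cfg-style text (keys lower-cased)."""
    settings = {}
    for line in cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            settings[key.strip().lower()] = value.strip()
    return settings

def expected_address(update_location, subscription, package="SAVSCFXP"):
    """Update location from the policy plus the part the subscription adds."""
    return update_location.rstrip("\\") + "\\CIDs\\" + subscription + "\\" + package + "\\"

def unc_host(path):
    """Host part of a UNC path such as \\\\server\\share, lower-cased."""
    return path.lstrip("\\").split("\\")[0].lower()

def check(cfg_text, update_location, subscription):
    """Return a list of findings; an empty list means the config matches the policy."""
    s = read_settings(cfg_text)
    want = expected_address(update_location, subscription)
    have = s.get("connectionaddress", "")
    findings = []
    if not have:
        findings.append("ConnectionAddress missing")
    elif have.rstrip("\\").lower() != want.rstrip("\\").lower():
        if unc_host(have) != unc_host(want):
            findings.append("points at host %r, policy says %r" % (unc_host(have), unc_host(want)))
        else:
            findings.append("path differs: %r, expected %r" % (have, want))
    if not s.get("username"):
        findings.append("UserName missing, share access cannot be tested as the update account")
    return findings

# Constructed sample configs using the values quoted in the post above
GOOD = r"""
ConnectionAddress = \\server\SophosUpdate\CIDs\S000\SAVSCFXP\
UserName = domain\updateaccount
"""
STALE = GOOD.replace(r"\\server", r"\\oldserver")  # hypothetical pre-migration host

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("stale", STALE)):
        print(name, check(cfg, r"\\server\sophosupdate", "S000"))
```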
  • Actually, I went into IIS on the server and added a MIME wildcard type, and now it's working fine.

    It's amazing how many moving parts there are with a console upgrade!

    Thanks for the help above guys, you really helped get me to where I needed to be.

    :34361