Some Endpoints now showing up as offline

Hi

I'm still getting some endpoints, about 20% of them, displaying as being offline, including my own computer. 

I looked at the log and it registers my computer completing a scan

2013:01:29-11:41:19 keywest epsecd[6352]: I id="4225" severity="info" sys="System" sub="epsecd" name="Handled SAV event" event_type="SAV" effect="Scan 'Full Scan' completed." mcs_id="***XX-***X-***X-***X-******" cause="scanCompleteEvent"

I did a fresh uninstall / install after the last update, when they said they fixed this problem.

Any ideas?


  • Now only 2 of the 20 or so computers are showing up as online.
    But now my computer is showing up as one of the ON computers

    Also strange, the Dashboard says that 1233 attacks were blocked today, but nothing shows in the logs

    Endpoint: 1233 attacks blocked

    Think this started after updating to 9.004-34. Could be just coincidence; thought that upgrade just fixed some versioning.

    Edit-
    Different computers are going up and down, the original 2 are now offline and 4 others are now shown online, even though almost all of them are on
  • Looking back at the log
    2013:01:30-05:56:59 keywest epsecd[6352]: >=========================================================================
    2013:01:30-05:56:59 keywest epsecd[6352]: E id="4281" severity="critical" sys="System" sub="epsecd" name="Broker closed the connection at /Epsec/Logic/Client.pm line 1000." effect="Can't talk to Sophos LiveConnect"
    2013:01:30-05:56:59 keywest epsecd[6352]: 
    2013:01:30-05:56:59 keywest epsecd[6352]:  1. Epsec::Utils::Logging::_log:59() /Epsec/Utils/Logging.pm
    2013:01:30-05:56:59 keywest epsecd[6352]:  2. Epsec::Logic::Client:[:$]n_error:1088() /Epsec/Logic/Client.pm
    2013:01:30-05:56:59 keywest epsecd[6352]:  3. Epsec::Logic::Base::run:60() /Epsec/Logic/Base.pm
    2013:01:30-05:56:59 keywest epsecd[6352]:  4. main::top-level:62() client.pl

    Everything looks normal on the log for a few hours, then I get hit with the same notice hundreds of times over that a scan has completed on the same 3 computers.

    2013:01:30-09:20:57 keywest epsecd[6352]: I id="4211" severity="info" sys="System" sub="epsecd" name="Recieved report(s) from Sophos LiveConnect"
    2013:01:30-09:20:57 keywest epsecd[6352]: I id="4225" severity="info" sys="System" sub="epsecd" name="Handled SAV event" event_type="SAV" effect="Scan 'Full Scan' completed." mcs_id="afc607c7-78fc-************" cause="scanCompleteEvent"
    2013:01:30-09:20:57 keywest epsecd[6352]: I id="4225" severity="info" sys="System" sub="epsecd" name="Handled SAV event" event_type="SAV" effect="Scan 'Full Scan' completed." mcs_id="6d0c5473-442b-************" cause="scanCompleteEvent"
    2013:01:30-09:20:57 keywest epsecd[6352]: I id="4225" severity="info" sys="System" sub="epsecd" name="Handled SAV event" event_type="SAV" effect="Scan 'Full Scan' completed." mcs_id="27af5a0f-27aa-************" cause="scanCompleteEvent"
    2013:01:30-09:20:57 keywest epsecd[6352]: W id="4204" severity="warn" sys="System" sub="epsecd" name="Computer already exists in Confd" mcs_id="618068ea-ab5c-************"
    2013:01:30-09:20:57 keywest epsecd[6352]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx"
    2013:01:30-09:20:59 keywest epsecd[6352]: I id="4211" severity="info" sys="System" sub="epsecd" name="Recieved report(s) from Sophos LiveConnect"
    2013:01:30-09:20:59 keywest epsecd[6352]: I id="4225" severity="info" sys="System" sub="epsecd" name="Handled SAV event" event_type="SAV" effect="Scan 'Full Scan' completed." mcs_id="afc607c7-78fc-************" cause="scanCompleteEvent"
    2013:01:30-09:20:59 keywest epsecd[6352]: I id="4225" severity="info" sys="System" sub="epsecd" name="Handled SAV event" event_type="SAV" effect="Scan 'Full Scan' completed." mcs_id="6d0c5473-442b-************" cause="scanCompleteEvent"
    2013:01:30-09:20:59 keywest epsecd[6352]: I id="4225" severity="info" sys="System" sub="epsecd" name="Handled SAV event" event_type="SAV" effect="Scan 'Full Scan' completed." mcs_id="27af5a0f-27aa-************" cause="scanCompleteEvent"
    2013:01:30-09:20:59 keywest epsecd[6352]: W id="4204" severity="warn" sys="System" sub="epsecd" name="Computer already exists in Confd" mcs_id="618068ea-ab5c--************"
    2013:01:30-09:20:59 keywest epsecd[6352]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx,******xx"
    2013:01:30-09:21:01 keywest epsecd[6352]: I id="4211" severity="info" sys="System" sub="epsecd" name="Recieved report(s) from Sophos LiveConnect"
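
One way to triage the log pattern in the post above, as an added example that is not part of the original thread or Sophos code: it parses epsecd lines in the quoted key="value" format, counts repeated scanCompleteEvent reports per mcs_id, and collects the "already exists in Confd" warnings and critical LiveConnect errors. The sample lines, the `host-*` mcs_id values and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread; mcs_id values are placeholders.
SAMPLE = '''\
2013:01:30-05:56:59 keywest epsecd[6352]: >=====================
2013:01:30-05:56:59 keywest epsecd[6352]: E id="4281" severity="critical" sys="System" sub="epsecd" name="Broker closed the connection at /Epsec/Logic/Client.pm line 1000." effect="Can't talk to Sophos LiveConnect"
2013:01:30-05:56:59 keywest epsecd[6352]:  1. Epsec::Utils::Logging::_log:59() /Epsec/Utils/Logging.pm
2013:01:30-09:20:57 keywest epsecd[6352]: I id="4211" severity="info" sys="System" sub="epsecd" name="Recieved report(s) from Sophos LiveConnect"
2013:01:30-09:20:57 keywest epsecd[6352]: I id="4225" severity="info" sys="System" sub="epsecd" name="Handled SAV event" event_type="SAV" effect="Scan 'Full Scan' completed." mcs_id="host-a" cause="scanCompleteEvent"
2013:01:30-09:20:57 keywest epsecd[6352]: I id="4225" severity="info" sys="System" sub="epsecd" name="Handled SAV event" event_type="SAV" effect="Scan 'Full Scan' completed." mcs_id="host-b" cause="scanCompleteEvent"
2013:01:30-09:20:57 keywest epsecd[6352]: W id="4204" severity="warn" sys="System" sub="epsecd" name="Computer already exists in Confd" mcs_id="host-d"
2013:01:30-09:20:59 keywest epsecd[6352]: I id="4225" severity="info" sys="System" sub="epsecd" name="Handled SAV event" event_type="SAV" effect="Scan 'Full Scan' completed." mcs_id="host-a" cause="scanCompleteEvent"
2013:01:30-09:20:59 keywest epsecd[6352]: I id="4225" severity="info" sys="System" sub="epsecd" name="Handled SAV event" event_type="SAV" effect="Scan 'Full Scan' completed." mcs_id="host-b" cause="scanCompleteEvent"
2013:01:30-09:20:59 keywest epsecd[6352]: I id="4225" severity="info" sys="System" sub="epsecd" name="Handled SAV event" event_type="SAV" effect="Scan 'Full Scan' completed." mcs_id="host-c" cause="scanCompleteEvent"
2013:01:30-09:20:59 keywest epsecd[6352]: W id="4204" severity="warn" sys="System" sub="epsecd" name="Computer already exists in Confd" mcs_id="host-d"
'''

LINE = re.compile(r'^(?P<ts>\S+) \S+ epsecd\[\d+\]: [A-Z] (?P<kv>id=".*)$')
FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the key="value" fields of one epsecd line plus its timestamp,
    or None for separator and stack-trace lines that carry no fields."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = dict(FIELD.findall(m.group("kv")))
    rec["ts"] = m.group("ts")
    return rec

def summarize(text, repeat_threshold=2):
    """Collect the three symptoms visible in the thread's log excerpts."""
    scans, registered, critical = Counter(), set(), []
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec.get("cause") == "scanCompleteEvent":
            scans[rec.get("mcs_id")] += 1          # same scan reported again?
        elif rec["id"] == "4204":                  # "Computer already exists in Confd"
            registered.add(rec.get("mcs_id"))
        elif rec.get("severity") == "critical":    # e.g. broker connection closed
            critical.append((rec["ts"], rec.get("effect", "")))
    repeated = {h: n for h, n in scans.items() if n >= repeat_threshold}
    return {"repeated_scans": repeated,
            "already_registered": sorted(registered),
            "critical": critical}
```

Running `summarize()` over the real endpoint log gives support a compact list of which mcs_ids are being re-reported and when the LiveConnect connection dropped.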
  • Now today about 60% of them are showing up, mine is still off.
    The log still shows multiple updates of the same computer(s) finishing scans

    LOL

    Endpoint: 63803 attacks blocked

    edit---

    all offline again
  • Please have your reseller open a Support ticket for this with Sophos.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I did, the guy got some logs and I left an account open for them. I guess it needs to be escalated to a higher support team.

    Will let ya know what they find
  • Sophos was working on it. I might have temporarily solved it. I guess Sophos got hit bad by those storms in the northeast US.
    I just disabled endpoint protection, making sure I saved all settings, then restarted it. A few moments later all the endpoints showed back up.