Sophos Anti-virus for Linux: Linux endpoint not reporting as registering to Central though the MCS.log file and config file show that it has registered.

A Linux endpoint does not show as registered in Sophos Central, even though the MCS.log file and the config file show that registration completed. The following error may be seen when the Linux machine has no DNS A record and no hosts file entry, so the lookup it performs against itself fails:

subprocess.CalledProcessError: Command '['hostname', '-f']' returned non-zero exit status 1

This is most likely a name resolution problem that occurs while the endpoint is registering itself with Sophos Central. During registration two DNS queries are performed from the endpoint: one for the AWS cloud server and one for the Linux machine itself.

The lookup process is as follows:

  1. DNS lookup from EP for AWS cloud
  2. Once IP address is identified by DNS lookup, TLSv1 session to AWS cloud is made. (typically ‘Server Hello’ is communicated.)
  3. DNS lookup for the Linux machine itself.
  4. Once the lookup for itself is successful, the next TLSv1 session with AWS cloud is made. (typically ‘Client Hello’ is communicated.)

When this error is seen the Linux machine is not registered in the DNS A records or hosts file so the lookup against itself fails.

Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

Once a record in the DNS server for the Linux machine has been specified the registration with Sophos Central should proceed. Alternatively, the hosts file can be updated by adding the machine name of the Linux machine itself.
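The check below is an added example, not code from Sophos or from this article. It runs the same self-lookup the registration step relies on (hostname -f), tests whether a name is present in a hosts file, and prints the hosts file line that would satisfy the lookup. The address 192.0.2.10 and the domain example.com are assumed values; nothing is written to the system.

```shell
#!/bin/sh
# Added example (not Sophos code). Checks whether this endpoint can resolve its
# own name the way the registration step does (`hostname -f`) and, if not,
# builds the hosts-file line that makes the self-lookup succeed.
# The IP address and domain used in the usage section are assumptions.

# Return 0 if NAME appears as a hostname or alias on a non-comment line of the
# hosts file FILE, 1 otherwise. Trailing "# ..." comments are stripped first.
hosts_has_name() {
    file="$1"; name="$2"
    awk -v n="$name" '
        { sub(/#.*/, "") }                  # drop comments (re-splits fields)
        NF < 2 { next }                     # blank or address-only line
        { for (i = 2; i <= NF; i++) if ($i == n) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$file"
}

# Print the line to append to the hosts file: FQDN first, because the first
# name on the line is the canonical name that `hostname -f` returns, then the
# short name.
hosts_line_for() {
    ip="$1"; fqdn="$2"
    printf '%s\t%s\t%s\n' "$ip" "$fqdn" "${fqdn%%.*}"
}

# Live check on the current machine: succeed only if `hostname -f` works,
# which is the call that produced the CalledProcessError above.
self_resolves() {
    hostname -f >/dev/null 2>&1
}

# Usage: report the state and, when the lookup fails, print the suggested
# hosts-file line (the file itself is not modified).
if self_resolves; then
    echo "self-lookup OK: $(hostname -f)"
else
    short=$(hostname 2>/dev/null || echo "unknown")
    echo "self-lookup FAILED for '$short'; add a line like:"
    hosts_line_for "192.0.2.10" "$short.example.com"      # assumed values
fi
```

hosts_has_name accepts the name anywhere after the address, so it finds both the FQDN and the short alias; after editing /etc/hosts, re-run the script and confirm the self-lookup branch reports OK before retrying registration.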


Related:

Linux SEP clients not connecting to Management Server

I need a solution

Hello,

I am trying to connect my Linux clients to a Windows Management Server and none of them seem to be appearing. All of my Windows workstations are able to connect to the management server, but the Linux servers cannot. The firewall on the Linux servers has been stopped and disabled. The debug.log says the same thing for each server “[ERROR] Send of message returned error 400 Bad Request” followed by “[WARN] Failed to connect to server <server_name> ServerException.” I’ll attach the file I got from one of the servers when I ran the SymDiag tool. Any idea what may be causing this error?


Related:

Can we configure more than one Primary DNS Servers from Proxy SG

I need a solution

Hi All,

Can we configure more than one Primary DNS Servers and Alternate DNS servers from ProxySG S400-30

Ex:

Primary DNS : 10.10.10.10,10.10.10.11,10.10.10.12

AlternateSecondary DNS : 10.10.10.13,10.10.10.15,10.10.10.17

Regards,

Ramu.


Related:

SEP blocking DNS for Microsoft Edge

I need a solution

Since I put SEP on the Domain Controller Microsoft Edge on a client can’t resolve DNS queries.  If I connect the client computer to a different network Edge works normally, it only fails on the network where DNS is provided by the machine running SEP.  Smart Firewall is off anyway it seems as it’s a server but I tried disabling it – Intrusion Prevention too, just to see.  That doesn’t help.

Other browsers on the same client, Chrome, IE, etc. can resolve DNS.  Only Microsoft Edge has issues.  Can anyone suggest why SEP might interfere with DNS just for Edge and not other browsers?


Related:

VNX: NFS issue due to DNS resolution

Article Number: 483305 Article Version: 3 Article Type: Break Fix



VNX1 Series,VNX2 Series

Loss of access to NFS export when a host is added or removed to the host access list for that export.

All hosts were running either Red Hat or CentOS.

When there is a huge list of hosts in the access list for an export, and those hosts are entered using Fully Qualified Domain Name (FQDN) instead of the IP address, it is possible that some DNS resolution timeouts appear, causing loss of access to the export to all the hosts in the list.

This loss of access has been reported to last between 5 and 10 minutes for an export list of 167 hosts in which 3 hosts had no DNS resolution.

The issue started when the customer deleted some retired hosts from the DNS configuration.

It is recommended to apply this solution to a test file system before applying it to a production file system.

Check DNS resolution for each host in the export list. This can be done with the "server_ping" command or, more practically, with "ping" from the Control Station, provided the Data Movers and the Control Station use the same DNS server.

Remove the hosts that fail DNS resolution from the export access list. Then test whether access is still lost when a host is added to or removed from the list.
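The following script is an added example, not Dell EMC code. It takes the names from an export access list (one per line, as copied from the export definition) and reports every name that does not resolve, so the non-resolving entries can be removed before the Data Mover runs into resolution timeouts. The resolver call uses getent, which follows the same resolver configuration as ping on the Control Station; the access list file is an assumed input.

```shell
#!/bin/sh
# Added example (not Dell EMC code). Reports which FQDNs in an NFS export
# access list fail to resolve. Usage: ./check_access_list.sh access_list.txt
# where the file holds one host name per line (an assumed input file).

# Resolve one name through the system resolver; returns 0 on success.
resolve_host() {
    getent hosts "$1" >/dev/null 2>&1
}

# Read names from stdin (one per line; blank lines and "# ..." comments are
# ignored) and print the ones that fail to resolve.
# Returns 1 if any name failed, 0 if all resolved.
unresolved_hosts() {
    rc=0
    while IFS= read -r name || [ -n "$name" ]; do
        name=${name%%#*}                                   # strip comments
        name=$(printf '%s' "$name" | tr -d '[:space:]')    # and whitespace
        [ -z "$name" ] && continue
        if ! resolve_host "$name"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# Number of unresolved names in the list read from stdin.
unresolved_count() {
    unresolved_hosts | wc -l | tr -d ' '
}

# Usage: check the file given as the first argument, if any.
if [ $# -gt 0 ]; then
    if unresolved_hosts < "$1"; then
        echo "all hosts in $1 resolve"
    else
        echo "remove the hosts listed above from the export access list"
    fi
fi
```

Because a single non-resolving name is enough to delay access for every host in the list, the script exits non-zero on the first failure it finds rather than only printing a count, which makes it usable as a pre-check in a change procedure.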

Related:

Dell EMC Unity: DNS settings lost during NDU

Article Number: 488027 Article Version: 7 Article Type: Break Fix



Unity 300,Unity 300F,Unity 400,Unity 400F,Unity 500,Unity 500F,Unity 600,Unity 600F,Unity All Flash,Unity Family,Unity Hybrid,UnityVSA,UnityVSA (Virtual Storage Appliance),UnityVSA Professional Edition,UnityVSA VVols Edition,Unity Hybrid flash

After the code upgrade, the statically configured DNS settings for the management network are removed and the contents of the file /etc/resolv.conf are erased. The user does not receive the email about successful completion of the upgrade. All services that require DNS name resolution (NTP, SMTP, and so on) will not work properly until the DNS settings are re-entered by hand. In addition, the user will not be able to connect to the Unisphere GUI or the UEM CLI using the system domain name.

Please note that the NAS server DNS settings are not affected by this issue.

This is currently impacting upgrades involving the following code revision:

  • 4.0.1.8194551 SP1

Code upgrade to product 4.0.1.8194551 erases DNS settings, if the latter were entered manually (Settings -> Management -> DNS Servers: Manage Domain Name Servers -> Configure DNS server address manually). After upgrade the contents of file /etc/resolv.conf are not restored. It will stop the DNS name resolving and delete the domain name information from the system. In turn, it may affect networking services, including NTP and SMTP, and remove the system domain name from the management connection SSL certificate.


Due to a persistence of settings issue that may occur post upgrade to Unity OE (Operating Environment) 4.0.1.8194551, EMC decided to remove this Unity and UnityVSA release from support.emc.com

A revised OE release, 4.0.1.8404134 (Unity SP1.2), is available.

Customers who were planning to upgrade to 4.0.1.8194551 are advised to wait and upgrade to the revised release instead.

For customers already running 4.0.1.8194551, please review that your DNS server preferences are set correctly under Unisphere > Settings > Management > DNS Server, and update as required.
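As an added check (not Dell EMC code), the script below compares the nameserver entries in a resolv.conf-style file with the addresses that were configured before the upgrade and lists any that are missing. The two server addresses in the test data are constructed; on a live system the expected addresses are the ones previously entered under Settings > Management > DNS Server.

```shell
#!/bin/sh
# Added example (not Dell EMC code). Verifies that a resolv.conf-style file
# still carries the nameservers that were configured before an upgrade.
# Usage: ./check_resolv.sh --check 10.1.1.10 10.1.1.11   (addresses assumed)

# Print the nameserver addresses found in FILE, one per line, in file order.
resolv_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# Print the expected addresses (arguments after FILE) that are absent from
# FILE. Returns 1 if any are missing, 0 if all are present. An empty file,
# which is what the upgrade leaves behind, reports every address as missing.
missing_nameservers() {
    file="$1"; shift
    present=$(resolv_nameservers "$file")
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$present" | grep -qxF "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Usage: compare the live file with the addresses given on the command line.
if [ "$1" = "--check" ]; then
    shift
    if missing_nameservers /etc/resolv.conf "$@"; then
        echo "all configured nameservers present"
    else
        echo "the addresses above are missing; re-add them under Settings > Management > DNS Server"
    fi
fi
```

The comparison is exact (grep -x -F), so a partially matching address such as 10.1.1.1 versus 10.1.1.10 is not mistaken for a hit.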

Please contact EMC support if you have any questions – go to EMC Online Support at: https://Support.EMC.com. After logging in, locate ‘Create a service request’.

4.0.1.8404134 SP1.2 has been released and resolves the issue.

    Current workaround is to recreate the DNS settings in the management setup

    GUI:

    1. Navigate to the Settings Menu in the upper right
    2. Click on the Management section then DNS Server
    3. For manually configured DNS click Add and re-add the original DNS servers.
    4. Click “Apply” button at the bottom of the dialog.
    5. Navigate to: System –> Service –>Service Tasks
    6. Select “Restart Management Software”, then press “Execute”
    7. Refresh the browser window. You may need to wait for a few minutes to allow management software to start.
    8. If asked, confirm the security exception for this connection.


    UEMCLI:

    1. Connect to the system by IP address.
    2. For each DNS address, enter the following command:

    uemcli /net/dns/config set -nameServer <value>

    3. Then restart the management software with the command shown below. Note that it must be executed with the service administrator account:

    uemcli -u service -p <service password> /service/system restart

    4. If the security certificate has changed, accept the new certificate as usual.

    After the last step you should be able to connect to the system by name again.

    Upgrade:

    The latest release of SP1, 4.0.1.8404134, contains the fix for this issue.

Related:

SEP 14.0 MU1 MP1 affecting DHCP, DNS in Server 2008 R2 enterprise

I need a solution

I have 2 servers running 2008 R2 enterprise.

1 has issues with either the forward or reverse DNS zones populating, periodically have DNS issues with workstations.

1 has issues with DHCP.  Showing a down, red arrow in DHCP but task options show it is running.  This is resolved by restarting the service.  This has happened twice in under a week.  This started immediately after the upgrade from SEP 12.1.5

All SEP components installed.


Related:

7021563: Configuring Verastream Management Server Failover

With a Management Server failover configuration, if one of the management servers fails or is offline, another management server in the cluster can provide services. Failover configuration provides fault tolerance for production environments.

Note the following:

Implementing Management Server Failover

To configure failover for Management Server, perform the following steps:

  1. Install Host Integrator software (including the Management Server component) on your systems. When installing on a second (or additional) server, select “Join an existing installation” and use the host name or IP address of the first server.

Note: Beginning in version 7.0, you do not need to enter the DNS alias during installation. You can create and change your DNS alias (step 2 below) anytime before or after installation. (In version 6.6 and earlier, you were required to create an AADS common name prior to installing the first server, and any subsequent changes to this name required re-installation.)

  2. Create a single DNS alias (common name) for all the IP addresses of Management Servers in the installation environment. Each Management Server IP address must be assigned to the same common name.

Recommended Method: For ease of maintenance, it is recommended that you configure your DNS server.

Beginning in version 7.0, it is acceptable for the DNS server to return results in round-robin or random order for load distribution, as the default management server configuration (ManagementServer/conf/container.conf file) has DNS caching disabled (-Dsun.net.inetaddr.ttl=0).

Alternative Method: If it is impractical to configure your DNS server, you can edit the hosts file on each system with Host Integrator server or client components installed (including connectors used by client applications). Example:

# Hosts file example

# Verastream Host Integrator production environment in Seattle
# "vhi-prod-sea" is the common name for the management server cluster

# One line for each VHI server (running management server service)
# Each line has the IP address, unique server name, and cluster name
# The values within each line are delimited by spaces or tabs

10.0.0.1 workhorse01 vhi-prod-sea
10.0.0.2 workhorse02 vhi-prod-sea
10.0.0.3 workhorse03 vhi-prod-sea

Note the following:

    • If using this method, the hosts file should be updated on all systems in the environment. All servers (running management server and/or session server components) must be able to communicate with each other, and the clients (running connector API) must be able to communicate with all servers.
    • The local unique system name is listed separately first to avoid problems with reverse DNS lookups on some platforms. This is followed by lines for the cluster common name (one line for each system running the Management Server service).
    • For systems that have multiple network interfaces, all IP addresses should be listed.
    • On Windows systems, the hosts file is typically located in the C:\Windows\System32\drivers\etc folder. On UNIX/Linux systems, the hosts file is located in the /etc directory.
    • Networking protocols mandate that the hostname contain only ASCII letters a through z (case insensitive), digits 0 through 9, and the hyphen character (-).
    • Comments beginning with the # character (through the end of the line) are ignored.
  3. In Administrative Console, it is suggested that you also change the name of the Management Cluster (Perspective > Management > Servers > Management Cluster > Properties). The default cluster name is the system host name where Management Server was first installed, but you can change it to the cluster DNS alias for your installation environment.

The cluster name displays in the Administrative Console status bar (lower right) when connected.

  4. To achieve failover capability, enter the cluster DNS alias name whenever you are required to provide a Management Server address:
    • In Administrative Console, when prompted to connect.
    • In your client application, when calling ConnectToSessionViaDomain or ConnectToModelViaDomain method in the connector API.
    • In your Web Builder project properties, when “Connect to model via domain” or “Connect to session pool via domain” is selected for the model connection.
    • In the web service functionality, using one of the following methods:

Option 1: Edit the %VHI_ROOT%/sesssrvr/services/ws/META-INF/plugin-cfg.xml file (in version 7.1.1142 or higher) which is created after web services are configured in Administrative Console. Change the serverName key value to the management cluster alias (instead of the default localhost). Example:

<entry key="serverName">mycluster</entry>

Option 2: Alternatively, you can specify the ServerName environment variable in your SOAP/REST request, which takes precedence over any plugin-cfg.xml configuration.

However, when deploying models (using activatemodel and deactivatemodel commands, or Design Tool), use the specific individual session server system names (not the cluster common alias name).

What Happens At Runtime

When establishing a connection to the management server alias name, IP name resolution returns the list of IP addresses. An attempt is made to contact the first address in the list. If no response is received, the next address is tried, and so forth.
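The script below is an added example, not Verastream or Micro Focus code. It models the runtime behaviour just described: the cluster alias is resolved to its list of addresses (here taken from a hosts file in the format of the example above, which is the alternative method), and each address is tried in order until one answers. The probe is a plain TCP connect with nc, and the PORT variable must be set to the Management Server port; both the probe and the port are assumptions and not part of the product documentation.

```shell
#!/bin/sh
# Added example (not Verastream code). Resolves a cluster alias from a hosts
# file and tries each address in order, the way the connector does with the
# address list returned by name resolution. PORT (management server port) and
# the nc-based probe are assumptions.

# Print every IP mapped to ALIAS in hosts file FILE, in file order.
alias_addresses() {
    file="$1"; alias="$2"
    awk -v a="$alias" '
        { sub(/#.*/, "") }                  # drop comments
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == a) { print $1; break } }' "$file"
}

# Probe one address: TCP connect with a 2 second timeout; 0 when it answers.
probe() {
    nc -z -w 2 "$1" "${PORT:?set PORT to the management server port}" >/dev/null 2>&1
}

# Try each address for ALIAS; print the first that answers and return 0,
# or return 1 if no address answers (the failover exhausted the list).
connect_with_failover() {
    file="$1"; alias="$2"
    for ip in $(alias_addresses "$file" "$alias"); do
        if probe "$ip"; then
            printf '%s\n' "$ip"
            return 0
        fi
    done
    return 1
}

# Sample hosts data: the three-server cluster from the hosts file example
# (constructed copy, written to a temporary file).
HOSTS_SAMPLE=$(mktemp)
cat > "$HOSTS_SAMPLE" <<'EOF'
# Verastream Host Integrator production environment in Seattle
10.0.0.1 workhorse01 vhi-prod-sea
10.0.0.2 workhorse02 vhi-prod-sea
10.0.0.3 workhorse03 vhi-prod-sea
EOF

# Usage: run with --live (and PORT set) to probe the sample cluster.
if [ "${1:-}" = "--live" ]; then
    connect_with_failover "$HOSTS_SAMPLE" vhi-prod-sea || echo "no management server answered"
fi
```

Note that alias_addresses returns addresses in file order, so with a hosts file the first server is always tried first; with a DNS alias and round-robin or random answers (allowed from version 7.0, since DNS caching is disabled), the order varies between connections.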

When deploying models, the session server contacts the management server for authentication and authorization. If you see the following errors when deploying a model, you may have an incorrect configuration in step 2 above.

[VHI 3852] Deployment of model failed: Cannot establish management session

[VHI 3852] Deployment of model failed: Token binding is invalid

Related:

How to Configure a DNS View for Global Server Load Balancing on a NetScaler Appliance

This article contains information about configuring a DNS view for Global Server Load Balancing on a NetScaler appliance.

Background

Based on parameters that identify the client request, you can use DNS views to control the IP address returned in a DNS response. For example, you can use DNS views to select the answer based on the source of the request: if the request comes from a client within the LAN, return one IP address; if it comes from a client on another network, return a different IP address.

You can configure DNS views to support only Global Server Load Balancing records. DNS views also support DNS proxy and ADNS deployments.

You must configure DNS policies on the NetScaler appliance to determine whether a DNS view is applied. Consider the following points when configuring a DNS policy:

  • DNS policies are verified every time a client connection is made.

  • DNS policy should verify the condition applied to the connection. For example, if the client IP is in range 10.10.0.0/24, then apply a DNS view.

  • DNS policy must be bound globally.

  • You can apply priorities to the DNS policies. This influences the order of policy processing.

  • If a policy applies a view, then the statement returns the configured value.

Related:

Wincollect / SMB issues Qradar 7.3.0

Dear all,

We are facing a couple of issues with our 7.3.0 integration;
1.) Microsoft DNS Debug logs using Wincollect 7.2.7 does not seem to be working, we get a N/A status, no error message reported either on wincollect machine or qradar.

194 INFO Device.WindowsDNSDevice : Initializing Microsoft DNS Device Service…
94 INFO Device.WindowsDNSDevice : Microsoft DNS Device Service: Overriding thread pool type with type AdaptiveThreadPool.
209 INFO Device.WindowsDNSDevice : Microsoft DNS Device Service: Added device pool
209 INFO Device.WindowsDNS.WindowsDNSDeviceReader.172.16.0.2 : Created for C:dns dns.log FileMonitorNoFSRedirect UnicodeLogFile MultiLineByLineParser
225 INFO Device.WindowsDNSDevice : Started device instance DNS01 with credential handle -1240492210
225 INFO Device.WindowsDNSDevice : Microsoft DNS Device Service initialized.

But we do not see any logs nor the status changes from N/A. We are running wincollect 7.2.7 (updated DSMS) with Admin access and the username/password configured on the log source is also an Administrator account with full access.
We are also using Wincollect to collect Active directory logs using MSRPC and it works just fine, it is just the DNS debug logs.

2). As we are all aware, SMBv1 is now deemed a vulnerable protocol and unfortunately Qradar still does not support SMBv2/3. We are aware of the workaround mentioned by IBM http://www-01.ibm.com/support/docview.wss?uid=swg22004891, but the instructions are not complete and clear. Does anyone have a workaround for this?

T&R
Arjun

Related: