When using Sophos UTM manager (SUM) to manage your UTM’s, you will find that it is a brilliant tool for central backup’s and firmware upgrades among other things.
Suddenly I kept getting theese mails at work:
“[INFO-132] SUM core daemon not running – restarted”
After some debugging at the SUM, I looked in the SUM Core logsfiles, I found this:
2020:10:10-00:00:00 sum accd: 6867436 [0xdc9dfb70] WARN server.device.DeviceCache null – DeviceCache::login() device is already connected 251[device;guid:<guid obfuscated for blog post);ip:<IP obfuscated for blog post)]
2020:10:10-00:00:00 sum accd: 6867436 [0xde9e3b70] WARN server.device.DeviceSession null – DeviceSession::clear() IO error during recv [device;guid:<guid obfuscated for blog post);ip:<IP obfuscated for blog post)]
2020:10:10-00:00:00 sum accd: 6867436 [0xea9fbb70] ERROR libs.io.Session null – send attempted after previous error [device;guid:<guid obfuscated for blog post);ip:<IP obfuscated for blog post)]
2020:10:10-00:00:00 sum accd: 6867436 [0xea9fbb70] WARN server.device.DeviceSession null – DeviceSession::clear() IO error during sendDone [device;guid:<guid obfuscated for blog post);ip:<IP obfuscated for blog post)]
So it looks like there are more than on UTM connected to this SUM with same GUID, no good!
This can happen if you import a backup to a new UTM device but did not take down the first one.
How to solve?
- Connect to the device not allowed to connect – in other words, connect to the IP above from the log file (obfuscated)
- Enable SSH
- Run this: rm -f /etc/guid
- And this: /var/mdw/scripts/nextgen-agent restart (restarting the next-gen agent will recreate a new guid for the one obove, that was deleted)
- Next you will find that this blocked device will now show up in SUM
- Case closed 🙂
