
Policy Manager not receiving updates from the internet "connection refused" / guts2.sp.f-secure.com

Marcel42
Marcel42 Posts: 7 Security Scout
edited March 2022 in Business Suite

We set up FSPM 15.20 recently, in a partly non-internet environment. I configured it to isolated mode and imported the updates.zip from another machine connected to the internet, according to the documentation. This worked fine. Whenever I imported a new batch of updates, they were distributed amongst the clients by the PM.

Now we turned on internet for the server, but it fails to fetch online updates. I reset the registry key that was used for isolated mode and restarted the server.

Funnily, the actual AV client (FS Server Sec.) on the machine where the Policy Manager is can download its updates just fine from the internet, as the Policy Manager doesn't have new updates (fallback stepping in).

The log reads:


"21.09.2021 11:13:40,300 ERROR [c.f.f.s.g.d.DownloadUpdatesService] - Error while checking latest updates

org.apache.http.conn.HttpHostConnectException: Connect to guts2.sp.f-secure.com:80 [guts2.sp.f-secure.com/184.25.239.112, guts2.sp.f-secure.com/184.25.239.88] failed: Connection refused: connect
   at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:156) ~[httpclient-4.5.8.jar:4.5.8]
   at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374) ~[httpclient-4.5.8.jar:4.5.8]
   at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) ~[httpclient-4.5.8.jar:4.5.8]
   at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[httpclient-4.5.8.jar:4.5.8]
   at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) ~[httpclient-4.5.8.jar:4.5.8]
   at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) ~[httpclient-4.5.8.jar:4.5.8]
   at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.8.jar:4.5.8]
   at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.8.jar:4.5.8]
   at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) ~[httpclient-4.5.8.jar:4.5.8]
   at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.8.jar:4.5.8]
   at com.fsecure.common.http.RequestContext.execute(RequestContext.java:42) ~[commons-java-http-1-SNAPSHOT.jar:21.19.95099 (origin/release/pm-15.20#d8c31f58, 1620918918790)]
   at com.fsecure.common.http.RequestContext.post(RequestContext.java:64) ~[commons-java-http-1-SNAPSHOT.jar:21.19.95099 (origin/release/pm-15.20#d8c31f58, 1620918918790)]
   at com.fsecure.common.guts2.download.Guts2DownloaderImpl.refreshLatestVersions(Guts2DownloaderImpl.java:101) ~[commons-java-guts2-1-SNAPSHOT.jar:21.19.95099 (origin/release/pm-15.20#d8c31f58, 1620918918790)]
   at com.fsecure.fspms.service.guts2.download.DownloadUpdatesService.refreshChannelUpdates(DownloadUpdatesService.java:134) ~[fspms-webapp-1-SNAPSHOT.jar:15.20.95099 (origin/release/pm-15.20#d8c31f58, 1620918918790)]
   at jdk.internal.reflect.GeneratedMethodAccessor256.invoke(Unknown Source) ~[?:?]
   at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
   at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
   at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:84) ~[spring-context-5.2.6.RELEASE.jar:5.2.6.RELEASE]
   at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) ~[spring-context-5.2.6.RELEASE.jar:5.2.6.RELEASE]
   at org.springframework.security.concurrent.DelegatingSecurityContextRunnable.run(DelegatingSecurityContextRunnable.java:84) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) ~[?:?]
   at java.util.concurrent.FutureTask.runAndReset(Unknown Source) ~[?:?]
   at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source) ~[?:?]
   at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) ~[?:?]
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) ~[?:?]
   at java.lang.Thread.run(Unknown Source) [?:?]
Caused by: java.net.ConnectException: Connection refused: connect
   at java.net.PlainSocketImpl.waitForConnect(Native Method) ~[?:?]
   at java.net.PlainSocketImpl.socketConnect(Unknown Source) ~[?:?]
   at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source) ~[?:?]
   at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source) ~[?:?]
   at java.net.AbstractPlainSocketImpl.connect(Unknown Source) ~[?:?]
   at java.net.SocksSocketImpl.connect(Unknown Source) ~[?:?]
   at java.net.Socket.connect(Unknown Source) ~[?:?]
   at org.apache.http.conn.socket.PlainConnectionSocketFactory.connectSocket(PlainConnectionSocketFactory.java:75) ~[httpclient-4.5.8.jar:4.5.8]
   at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) ~[httpclient-4.5.8.jar:4.5.8]
   ... 25 more"


Any suggestions?

Best Answer

  • Marcel42
    Marcel42 Posts: 7 Security Scout

    It was HTTP :-)

    I switched the rules' priority in our firewall (first "allow all traffic to f-secure servers" and then "allow https only").

    Now I get:

    27.09.2021 14:32:16,539 INFO [c.f.c.g.d.Guts2DownloaderImpl] - Connected to url= *insert-http!-url-guts2-here* successfully without a proxy

    27.09.2021 14:32:16,552 INFO [c.f.f.s.g.d.DownloadUpdatesService] - New "mlcwin-dart" version available: "1526891595"

    27.09.2021 14:32:16,552 INFO [c.f.f.s.g.d.DownloadUpdatesService] - New "safe-anywhere-mac-Westman-SEBE" version available: "1426084449"
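
An added example, not part of the original post or of F-Secure's tooling: it pulls the host, port and resolved IPs out of `HttpHostConnectException` lines in `fspms-download-updates.log` and names the outbound rule to review, which is how the port-80 (plain HTTP) detail in this thread shows up. The function names and the sample log are constructed for illustration.

```python
import re
import socket

# Constructed sample, shaped like the fspms-download-updates.log lines quoted in this thread.
SAMPLE_LOG = """\
21.09.2021 11:13:40,300 ERROR [c.f.f.s.g.d.DownloadUpdatesService] - Error while checking latest updates
org.apache.http.conn.HttpHostConnectException: Connect to guts2.sp.f-secure.com:80 [guts2.sp.f-secure.com/184.25.239.112, guts2.sp.f-secure.com/184.25.239.88] failed: Connection refused: connect
27.09.2021 14:32:16,552 INFO [c.f.f.s.g.d.DownloadUpdatesService] - New "mlcwin-dart" version available: "1526891595"
"""

CONNECT_RE = re.compile(
    r"HttpHostConnectException: Connect to (?P<host>[^:\s]+):(?P<port>\d+) "
    r"\[(?P<addrs>[^\]]*)\] failed: (?P<reason>.+)$"
)

def failed_connects(log_text):
    """Return one dict per HttpHostConnectException line: host, port, IPs, reason."""
    hits = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        # Each address is logged as "hostname/ip"; keep only the IP part.
        ips = [a.split("/", 1)[1] for a in m["addrs"].split(", ") if "/" in a]
        hits.append({"host": m["host"], "port": int(m["port"]),
                     "ips": ips, "reason": m["reason"].strip()})
    return hits

def firewall_hint(hit):
    """Name the rule to review; port 80 is plain HTTP, which an HTTPS-only rule does not cover."""
    scheme = {80: "http", 443: "https"}.get(hit["port"], "tcp")
    return f"allow outbound {scheme} (TCP {hit['port']}) to {hit['host']}"

def probe(host, port, timeout=5.0):
    """Repeat the TCP connect from this machine; returns 'open' or the OS error text."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return f"failed: {exc}"

if __name__ == "__main__":
    for hit in failed_connects(SAMPLE_LOG):
        print(hit, "->", firewall_hint(hit))
        print("probe from this machine:", probe(hit["host"], hit["port"]))
```

Run `probe` on the Policy Manager server itself, since the firewall decision depends on the source address and the destination port.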

Answers

  • JamesC
    JamesC Staff, Moderator Posts: 559 W/ Moderator

    Hi

    This error tells us there is a connectivity error to our backend update server:

    org.apache.http.conn.HttpHostConnectException: Connect to guts2.sp.f-secure.com:80 [guts2.sp.f-secure.com/184.25.239.112, guts2.sp.f-secure.com/184.25.239.88] failed: Connection refused: connect


    First check if there is enough free hard disk space. For F-Secure Policy Manager, the minimum of 10 GB of free hard disk space is required. When managing Premium clients, an additional 10 GB is needed for serving software updates. 


    F-Secure Policy Manager Server connects to guts2.sp.f-secure.com for definitions update.


    Check the fspms-download-updates.log, and ensure that the connectivity to guts2.sp.f-secure.com has been allowed on the firewall (whitelist *.f-secure.com and *.fsapi.com).


    Once you are certain that connectivity to guts2.sp.f-secure.com is working fine, but F-Secure Policy Manager Server still does not get the definitions update, do the following:

    1. Stop the F-Secure Policy Manager Server service.
    2. Delete the folders in the following path: C:\Program Files (x86)\F-Secure\Management Server 5\data\guts2\updates
    3. Start back the F-Secure Policy Manager Server service.


  • Marcel42
    Marcel42 Posts: 7 Security Scout

    Thanks for the quick reply.

    • The server has enough free space (>300GB).
    • I can open the address guts2.sp.f-secure.com in a browser on that machine and get "F-Secure Automatic Update Server. Unauthorized access is monitored and strictly forbidden." as a reply.
    • Our firewall appliance logs no blocking activities for the IP of our machine in the given timeslot of the failed connect.
    • I deleted the updates directory's content after stopping the fsms service, then restarted it with no change (still "connection refused" in the fspms-download-updates.log).
    • I added a whitelist rule on our firewall for the given addresses, but no change.

    Could it have something to do with the fact that we use a trial version? We started the trial maybe 20-30 days ago on another machine, but with the same external IP, but the current installation on the final server says we have 22 days left. We still wait for an offer and then a licence key from the reseller.

  • JamesC
    JamesC Staff, Moderator Posts: 559 W/ Moderator

    Hi,

    Trial license should not matter.

    Are you using any sort of proxy or our Policy Manager Proxy product ?

    Let me check this and get back to you.

  • Marcel42
    Marcel42 Posts: 7 Security Scout

    No, we don't use a proxy. The Policy Manager should communicate directly with the F-Secure update provider.

    And still, the F-Secure Server Security Premium installation on that very server (where the Policy Manager is installed) fetches its updates directly from the internet from time to time, after the Policy Manager has no new versions.

  • JamesC
    JamesC Staff, Moderator Posts: 559 W/ Moderator

    Hi,

    If Policy Manager is not able to connect to guts2.sp.f-secure.com, it might be related to the HTTP proxy not being set or something similar.

    As the client itself is able to reach guts2.sp.f-secure.com, it means it has been allowed on the firewall. So, Client Security and Server Security hosts are able to autodetect the proxy config, but Policy Manager is not able to.

    Configure the HTTP proxy server in the configuration file on the Policy Manager Server at:


    1. Navigate to folder C:\Program Files (x86)\F-Secure\Management Server 5\data on the Policy Manager server
    2. Open the fspms.proxy.config file
    3. Remove the # before the http_proxy line and add your password and proxy address
    4. Save the config file
    5. Restart the Policy Manager Server service

    How to disable:

    1. Navigate to folder C:\Program Files (x86)\F-Secure\Management Server 5\data on the Policy Manager server
    2. Open the fspms.proxy.config file
    3. Add a # before the http_proxy line. The # means that the line is a comment and the setting will not be taken into use


  • Marcel42
    Marcel42 Posts: 7 Security Scout

    We don't use a proxy; the client PCs have no proxy set, and the servers don't have a proxy set.

    I checked the fspms.proxy.config file; it already has a # before the proxy line.

    What I found is that HTTP traffic is blocked everywhere and only HTTPS is allowed (which seems to be just fine for all the clients). Can this be an issue?

    I found a setting "use proxy" in the central management node of FSPM. It was set to "like browser"; I changed it to an explicit "no". Another option reads "use https to download updates". I also enabled this, but I think this only applies to the managed clients. Can I tell the FSPM somewhere to please use HTTPS? (If that is needed at all.)

  • spiceagent11
    spiceagent11 Posts: 1 Security Scout

    First check if there is enough free hard disk space. For F-Secure Policy Manager, the minimum of 10 GB of free hard disk space is required. When managing Premium clients, an additional 10 GB is needed for serving software updates. 

This discussion has been closed.
