Troubleshooting

This page tells you how to fix common issues with the Sophos virtual appliance (VA).

My VA doesn't boot when I first start it up.

During its first boot, the virtual machine (VM) checks for an internet connection by pinging sophos.com and waiting five seconds for a reply. This check is repeated up to six times. If no internet connection is detected, you must power off the VM and resolve the issue.

Follow the instructions for "No internet connection", then restart the VM.

Here's an example of the first boot failure screen.

First boot failure

No internet connection.

The VM needs to send and receive HTTP, HTTPS, DNS, and NTP traffic. It also needs DHCP if the management network is configured for it.

Check the following:

  • If your firewall is using website filtering, can the virtual machine access these domains?

    • sophos.com: used for Sophos Central communication.
    • archive.ubuntu.com: used for base OS updates.
    • ntp.ubuntu.com: used for NTP time sync.
    • baltocdn.com: used for Helm package updates.
    • sophossecops.jfrog.io: used for our repository servers.
    • docker.io: used for ClickHouse and RedisDB containers.
    • amazon.com, amazonaws.com: used to upload data to S3 buckets.
  • Is a web proxy blocking internet access?

  • Is the Sophos VA able to read network packets tagged with a VLAN ID on the management and syslog network interfaces?
  • If a manual IP was set up in Sophos Central, are the settings correct for the network that was assigned to MGMT during VM setup?
  • If you're using DHCP, does anything in your customer network environment prevent the VM from getting an IP address from the DHCP server? For example: firewalls, VLANs, proxies.
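
The checks above can be partly reproduced from a Linux host on the same management network before you restart the VM. The script below is an added example, not Sophos code: it repeats the first-boot ping (five-second timeout, up to six tries) and reports which of the listed domains fail DNS resolution. The `--run` switch, the function names, and the use of `getent` and iputils `ping` are assumptions of this example.

```shell
#!/bin/sh
# Added example: connectivity pre-flight, run from a Linux host on the MGMT network.
# Domain list is taken from the checklist above; everything else is an assumption.
DOMAINS="sophos.com archive.ubuntu.com ntp.ubuntu.com baltocdn.com sophossecops.jfrog.io docker.io amazon.com amazonaws.com"
RESOLVE="getent hosts"   # assumed DNS probe; replace with your resolver tool if needed

# retry ATTEMPTS PAUSE CMD...: run CMD until it succeeds, at most ATTEMPTS times.
retry() {
    attempts=$1; pause=$2; shift 2
    n=1
    while [ "$n" -le "$attempts" ]; do
        if "$@" >/dev/null 2>&1; then return 0; fi
        if [ "$n" -lt "$attempts" ]; then sleep "$pause"; fi
        n=$((n + 1))
    done
    return 1
}

# Mirrors the first-boot check: ping sophos.com, 5 s reply timeout, up to 6 tries.
# (-W is the Linux iputils reply timeout in seconds.)
first_boot_check() {
    retry 6 0 ping -c 1 -W 5 sophos.com
}

# Prints the space-separated domains that fail to resolve (empty if none).
blocked_domains() {
    failed=""
    for d in $DOMAINS; do
        $RESOLVE "$d" >/dev/null 2>&1 || failed="$failed $d"
    done
    echo "${failed# }"
}

if [ "${1:-}" = "--run" ]; then
    if first_boot_check; then echo "ping sophos.com: ok"
    else echo "ping sophos.com: no reply after 6 tries"; fi
    bad=$(blocked_domains)
    if [ -n "$bad" ]; then echo "DNS resolution failed for: $bad"
    else echo "all listed domains resolve"; fi
fi
```

A clean result only shows that ICMP and DNS work from that host. HTTP, HTTPS, and NTP can still be filtered, and the firewall may apply different rules to the VA's own IP address.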

SPAN isn't working

If you suspect SPAN isn't working, go to System Stats.

If you see a very low number of unicast packets, while the number of multicast packets increases, this can mean SPAN isn't working.

Sophos Central isn't receiving integration data

Check S3 Upload Status in the header to see if data is being uploaded from the Sophos VA. If a third-party log collector integration has been added, you can see that too.

We're adding more data to the console to help troubleshoot an integration that isn't sending data to Sophos Central.

Until this data is added, if data is being sent, but not received in Sophos Central, you can contact the NDR engineering team. An engineer will access integration log files and resolve the issue.