
Troubleshoot RED issues

Troubleshoot issues in your RED setup.

RED connection issues

RED device in offline mode doesn't connect to the firewall

RED devices must update their time to complete the TLS handshake with the firewall but are unable to do so in the following scenarios:

  • They can't connect with the Sophos NTP server pool when they're in offline mode.
  • RED devices then try to establish an HTTPS connection to the firewall over port 4444 to synchronize with the firewall's time. The connection isn't established when the web admin console uses port 4444 and access from the WAN zone is turned off for HTTPS admin services on Administration > Device access.

Failure to synchronize their time can result in a TLS handshake failure due to an invalid certificate period.

Remedy

You can take one of the following actions:

  • Allow internet access for the RED to connect to the Sophos NTP server pool, which is as follows:

    • 0.sophos.pool.ntp.org
    • 1.sophos.pool.ntp.org
    • 2.sophos.pool.ntp.org
    • 3.sophos.pool.ntp.org
  • Go to Administration > Device access and add a Local service ACL exception rule as follows:

    1. Click Add.
    2. Enter a rule name.
    3. Set Source zone to WAN.
    4. Set Source network or host to the RED device's IP address.
    5. Set Destination host to the firewall's WAN port.
    6. Set Services to HTTPS.
    7. Set Action to Accept.
    8. Click Save.

You're unable to connect to the RED provisioning server

Remedy

Check whether you can reach the RED service through telnet.

On the command line, type as follows:

telnet red.astaro.com 3400

If the result shows Connected to red.astaro.com, a high network load may be preventing you from registering with the provisioning server. Try registering later.
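The reachability checks from the two sections above (the Sophos NTP pool, the provisioning server on port 3400, and the firewall's HTTPS port 4444), collected into one script to run from a host on the RED's network segment. This is an added example, not part of the Sophos documentation; the function names and the `firewall_wan` argument are hypothetical, and NTP's standard UDP port 123 is assumed.

```python
import socket
import struct

NTP_POOL = [f"{i}.sophos.pool.ntp.org" for i in range(4)]  # pool names from the page
NTP_EPOCH_DELTA = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection succeeds (the same check as `telnet host port`)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def parse_sntp_reply(reply):
    """Return the server transmit time (Unix seconds) from a 48-byte NTP reply."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    mode, stratum = reply[0] & 0x07, reply[1]
    if mode != 4 or stratum == 0:  # 4 = server reply; stratum 0 = kiss-o'-death
        raise ValueError("not a usable server reply")
    secs, frac = struct.unpack("!II", reply[40:48])  # transmit timestamp field
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def ntp_time(host, timeout=3.0):
    """Query one NTP server over UDP 123; None if unreachable or reply unusable."""
    request = b"\x23" + 47 * b"\x00"  # LI=0, VN=4, Mode=3 (client)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(request, (host, 123))
            reply, _ = s.recvfrom(512)
        return parse_sntp_reply(reply)
    except (OSError, ValueError):
        return None

def check(firewall_wan, https_port=4444):
    """Run every check; returns {check name: bool}. firewall_wan is an assumption."""
    results = {f"ntp {h}": ntp_time(h) is not None for h in NTP_POOL}
    results["provisioning red.astaro.com:3400"] = tcp_open("red.astaro.com", 3400)
    results[f"firewall {firewall_wan}:{https_port}"] = tcp_open(firewall_wan, https_port)
    return results

if __name__ == "__main__":
    import sys
    for name, ok in check(sys.argv[1]).items():
        print(f"{'ok  ' if ok else 'FAIL'} {name}")
```

If every NTP line fails and the firewall line fails as well, the RED has no way to set its clock, which matches the TLS handshake failure described above.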

RED device can't connect to the firewall and then restarts

Go to Backup and firmware > Pattern updates and update the RED firmware pattern. See Manual pattern update.

The RED device takes five to ten minutes to download and install the firmware.

Other issues

RED deployed through offline provisioning goes into online provisioning mode

Cause

You deployed the RED through online provisioning by connecting to the provisioning server. Later, you changed the deployment to offline provisioning by using a USB stick. The provisioning server retains the online provisioning configuration.

If the RED can't reach the firewall, it reaches out to the provisioning server, and the offline provisioning configuration is overwritten. The RED is then deployed through online provisioning.

Remedy

You must deploy the offline configuration again using the USB stick. The online configuration must also be manually deleted from the provisioning server to prevent it from overwriting the offline configuration when the RED can't reach the firewall. To delete the configuration, contact Sophos Support.

Inactive RED access points

After RED access points in a VLAN restart, Sophos Firewall shows them as Inactive.

Condition

You can configure SD-RED 20, SD-RED 60, and RED 15w as access points. If a RED access point is in a VLAN, and you restart it, Sophos Firewall may show it as Inactive. After 30 retries, the RED gets a LAN IP address from the DHCP server. The RED access point now shows as Active again.

Cause

DHCP option 234 isn't configured for the VLAN interface of the RED. After the RED restarts, it doesn't get an IP address on its VLAN interface.

Remedy

  1. Click Console in the list in the upper-right corner and type 4 for Device Console.
  2. Attach the DHCP option as follows:

    system dhcp dhcp-options binding add dhcpname <dhcp server name> optionname dhcp_magic_ip(234) value <interface ip address>

    Replace <dhcp server name> with your DHCP server's name in the RED access point VLAN. Replace <interface ip address> with the IP address you configured for the RED access point interface connected to the VLAN.

    Within a short time, the RED access point receives an IP address on the VLAN interface.

  3. To check your settings, use the following command:

    system dhcp dhcp-options binding show dhcpname <dhcp server name>

    Replace <dhcp server name> with your DHCP server's name in the RED access point VLAN.