Troubleshoot RED issues

Troubleshoot common issues with Sophos Firewall RED devices.

RED connection issues

RED device in offline mode doesn't connect to the firewall

RED devices must update their time to complete the TLS handshake with the firewall, but are unable to do so in the following scenarios:

  • In offline mode, they can't reach the Sophos NTP server pool. You must allow the RED internet access to the following Sophos NTP servers:

    • 0.sophos.pool.ntp.org
    • 1.sophos.pool.ntp.org
    • 2.sophos.pool.ntp.org
    • 3.sophos.pool.ntp.org
  • When they can't reach the Sophos NTP server pool, RED devices try to establish an HTTPS connection to the firewall on port 4444 to synchronize with the firewall's time. The connection fails when HTTPS admin services are turned off for the WAN zone on Administration > Device access. Follow these steps to add a Local service ACL exception rule:

    1. Go to Administration > Device access > Local service ACL exception rule.
    2. Click Add.
    3. Enter a rule name.
    4. Set Source zone to WAN.
    5. Set Source Network / Host to the RED device's IP address. Click Add to create an IP host for the RED if you don't already have one.
    6. Set Destination host to the firewall's WAN port.
    7. Set Services to HTTPS. This setting allows the HTTPS admin services, such as RED time synchronization on port 4444.
    8. Set Action to Accept.
    9. Click Save.

Failure to synchronize their time can result in a TLS handshake failure due to an invalid certificate period.

You're unable to connect to the RED provisioning server

Remedy

Check whether you can reach the RED service through Telnet.

On the command line, type as follows:

telnet red.astaro.com 3400

If the result shows Connected to red.astaro.com, a high network load may be preventing you from registering with the provisioning server. Try registering later.
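The following script, added here as an example and not part of the Sophos documentation, turns the dependency checks from the two sections above into one runnable pre-flight: it sends an SNTP request to each Sophos pool server and reports the clock offset (the reason the TLS handshake fails is a clock far enough off that the certificate period looks invalid), and it tries TCP connections to the firewall's WAN address on port 4444 and to red.astaro.com:3400 (the Telnet check, scripted). The 300-second skew threshold, the firewall address parameter and the local stand-in servers used by check_with_local_fixtures are assumptions; Sophos does not publish the RED's real tolerance.

```python
import socket
import struct
import time
from threading import Thread

# Hosts and ports the RED must reach, as listed in the troubleshooting steps above.
SOPHOS_NTP_POOL = [f"{i}.sophos.pool.ntp.org" for i in range(4)]
PROVISIONING_SERVER = ("red.astaro.com", 3400)
FIREWALL_TIME_SYNC_PORT = 4444

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
# Assumption: a clock within this many seconds of real time still passes the certificate
# period check; the real tolerance is not stated in the documentation.
MAX_CLOCK_SKEW_SECONDS = 300


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout (the Telnet check, scripted)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_sntp_request():
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 (client); all other fields zero."""
    return bytes([0b00_100_011]) + bytes(47)


def parse_sntp_transmit_time(packet):
    """Server transmit timestamp from a 48-byte SNTP reply, as Unix seconds (float)."""
    if len(packet) < 48:
        raise ValueError("short SNTP packet")
    if packet[0] & 0x07 != 4:  # mode 4 = server reply
        raise ValueError("not an SNTP server reply")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def ntp_offset(host, port=123, timeout=3.0):
    """(server time - local time) in seconds from one SNTP exchange, or None if there is no reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_sntp_request(), (host, port))
            data, _ = s.recvfrom(48)
        except OSError:
            return None
    return parse_sntp_transmit_time(data) - time.time()


def clock_ok(offset):
    """Whether an NTP offset is small enough for the certificate period check (see the assumption above)."""
    return offset is not None and abs(offset) <= MAX_CLOCK_SKEW_SECONDS


def check_red_dependencies(firewall_wan_ip):
    """Run the checks against the real Sophos hosts and your firewall; needs internet access."""
    return {
        "ntp": {h: ntp_offset(h) for h in SOPHOS_NTP_POOL},
        "firewall_4444": tcp_reachable(firewall_wan_ip, FIREWALL_TIME_SYNC_PORT),
        "provisioning_3400": tcp_reachable(*PROVISIONING_SERVER),
    }


def _fake_ntp_server(sock, skew_seconds):
    """Constructed fixture: answer one request with a server clock shifted by skew_seconds."""
    data, addr = sock.recvfrom(48)
    now = time.time() + skew_seconds
    secs, frac = int(now) + NTP_EPOCH_OFFSET, int((now % 1) * 2**32)
    # Mode 4 header byte, echo the client's bytes 1..39, then the transmit timestamp.
    sock.sendto(bytes([0b00_100_100]) + data[1:40] + struct.pack("!II", secs, frac), addr)


def check_with_local_fixtures(skew_seconds=0.0):
    """Same checks against local stand-ins (constructed, not the Sophos hosts) so the logic runs offline."""
    tcp = socket.socket()
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(1)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    tcp_port, udp_port = tcp.getsockname()[1], udp.getsockname()[1]
    server = Thread(target=_fake_ntp_server, args=(udp, skew_seconds), daemon=True)
    server.start()
    offset = ntp_offset("127.0.0.1", udp_port)
    result = {"tcp_open": tcp_reachable("127.0.0.1", tcp_port),
              "ntp_offset": offset, "clock_ok": clock_ok(offset)}
    server.join(3)
    tcp.close()
    udp.close()
    result["tcp_closed"] = not tcp_reachable("127.0.0.1", tcp_port)  # listener is gone now
    return result


if __name__ == "__main__":
    print(check_with_local_fixtures(skew_seconds=600))  # simulates a RED clock ten minutes off
```

Run check_red_dependencies("<firewall WAN IP>") from a host on the same side of the internet as the RED: an NTP entry of None means UDP 123 to that pool server is blocked, and firewall_4444 False with HTTPS admin turned off for WAN is exactly the case the Local service ACL exception rule above fixes.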

RED device can't connect to the firewall and then restarts

Go to Backup and firmware > Pattern updates and update the RED firmware pattern. See Manual pattern update.

The RED device takes five to ten minutes to download and install the firmware.

Other issues

RED deployed through offline provisioning goes into online provisioning mode

Cause

You deployed the RED through online provisioning by connecting to the provisioning server. Later, you changed the deployment to offline provisioning by using a USB stick. The provisioning server retains the online provisioning configuration.

If the RED can't reach the firewall, it reaches out to the provisioning server, and the offline provisioning configuration is overwritten. The RED is then deployed through online provisioning.

Remedy

You must deploy the offline configuration again using the USB stick. The online configuration must also be manually deleted from the provisioning server to prevent it from overwriting the offline configuration when the RED can't reach the firewall. To delete the configuration, contact Sophos Support.

Inactive RED access points

After RED access points in a VLAN restart, Sophos Firewall shows them as Inactive.

Condition

You can configure SD-RED 20 and SD-RED 60 as access points. If a RED access point is in a VLAN, and you restart it, Sophos Firewall may show it as Inactive. After 30 retries, the RED gets a LAN IP address from the DHCP server. The RED access point now shows as Active again.

Cause

DHCP option 234 isn't configured for the VLAN interface of the RED. After the RED restarts, it doesn't get an IP address on its VLAN interface.

Remedy

  1. Click Console in the list in the upper-right corner and type 4 for Device Console.
  2. Attach the DHCP option as follows:

    system dhcp dhcp-options binding add dhcpname <dhcp server name> optionname dhcp_magic_ip(234) value <interface ip address>

    Replace <dhcp server name> with the name of your DHCP server in the RED access point VLAN. Replace <interface ip address> with the IP address you configured for the RED access point interface connected to the VLAN.

    Within a short time, the RED access point receives an IP address on the VLAN interface.

  3. To check your settings, use the following command:

    system dhcp dhcp-options binding show dhcpname <dhcp server name>

    Replace <dhcp server name> with the name of your DHCP server in the RED access point VLAN.
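The CLI above only confirms that the binding exists on the firewall. To confirm that the DHCP server actually hands option 234 to the RED on the VLAN, the following added example (not Sophos code) parses the options field of a DHCPOFFER, such as one taken from a packet capture on the VLAN, and extracts the dhcp_magic_ip(234) value. It assumes the option carries a single 4-byte IPv4 address, which matches the `value <interface ip address>` form of the command; the sample offers are constructed here, and the 10.10.5.1 address is a placeholder.

```python
import ipaddress

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"  # starts the options field of every DHCP message
OPTION_MESSAGE_TYPE = 53
OPTION_SERVER_ID = 54
OPTION_END = 255
DHCP_MAGIC_IP = 234   # the option the Sophos CLI calls dhcp_magic_ip(234)
DHCP_OFFER = 2


def build_dhcp_options(entries):
    """Encode (code, value) pairs as a DHCP options field: cookie first, end marker last."""
    out = bytearray(DHCP_MAGIC_COOKIE)
    for code, value in entries:
        if not 0 < code < OPTION_END or len(value) > 255:
            raise ValueError(f"invalid option {code}")
        out += bytes([code, len(value)]) + value
    out.append(OPTION_END)
    return bytes(out)


def parse_dhcp_options(field):
    """Decode a DHCP options field into {code: raw value}; skips pad bytes and stops at the end marker."""
    if not field.startswith(DHCP_MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, len(DHCP_MAGIC_COOKIE)
    while i < len(field):
        code = field[i]
        if code == 0:  # pad byte, no length field
            i += 1
            continue
        if code == OPTION_END:
            return options
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = value
        i += 2 + length
    raise ValueError("no end-of-options marker")


def magic_ip_from_offer(field):
    """The dhcp_magic_ip(234) address in a DHCPOFFER as a string, or None if the offer lacks it."""
    options = parse_dhcp_options(field)
    if options.get(OPTION_MESSAGE_TYPE) != bytes([DHCP_OFFER]):
        raise ValueError("not a DHCPOFFER")
    raw = options.get(DHCP_MAGIC_IP)
    if raw is None:
        return None
    if len(raw) != 4:  # assumption: option 234 carries exactly one IPv4 address
        raise ValueError("option 234 is not a 4-byte IPv4 address")
    return str(ipaddress.IPv4Address(raw))


# Constructed sample offers (placeholder addresses), not captured traffic.
SERVER_IP = ipaddress.IPv4Address("10.10.5.1").packed
OFFER_WITH_234 = build_dhcp_options([
    (OPTION_MESSAGE_TYPE, bytes([DHCP_OFFER])),
    (OPTION_SERVER_ID, SERVER_IP),
    (DHCP_MAGIC_IP, SERVER_IP),
])
OFFER_WITHOUT_234 = build_dhcp_options([
    (OPTION_MESSAGE_TYPE, bytes([DHCP_OFFER])),
    (OPTION_SERVER_ID, SERVER_IP),
])

if __name__ == "__main__":
    print("with option 234:", magic_ip_from_offer(OFFER_WITH_234))
    print("without option 234:", magic_ip_from_offer(OFFER_WITHOUT_234))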