
Troubleshoot RED issues

Troubleshoot common issues with RED devices.

RED connection issues

RED device in offline mode can't connect to the firewall

Issue

The RED device is in offline mode and can't connect to the firewall. No tunnel can be established with the firewall.

This may occur due to the following reasons:

  • Incorrect offline provisioning configuration.
  • The firewall isn't reachable from the RED device.
  • Network connectivity issues.
  • When in offline mode, the RED devices can't connect to the following Sophos NTP server pool to update their time:

    • 0.sophos.pool.ntp.org
    • 1.sophos.pool.ntp.org
    • 2.sophos.pool.ntp.org
    • 3.sophos.pool.ntp.org
  • If NTP access fails, RED devices fall back to synchronizing their time with the firewall over HTTPS on port 4444. This fallback fails when HTTPS admin services are turned off for the WAN zone under Administration > Device access.

  • If the RED device can't synchronize its time, the TLS handshake with the firewall fails because the device's clock falls outside the certificate's validity period.

Solution

To resolve this issue, do as follows:

  • Check the offline provisioning settings on the firewall. See Set up a RED device manually.
  • Make sure that the firewall is reachable from the RED device network.
  • Check the internet access and DNS resolution on the RED device network.
  • Check if the required ports are allowed between the RED device and the firewall:

    • Using the firewall CLI, check whether TCP port 3400 or UDP port 3410 is being blocked. Do as follows:

      1. Sign in to the CLI console. See Accessing Command Line Console.
      2. Type 5 to select Device Management, then type 3 to select Advanced Shell.
      3. To check whether there's traffic on TCP port 3400 or UDP port 3410, run the following command:

        tcpdump -ni any port 3400 or port 3410
        
        The capture shows both directions. If no packets from the RED device's public IP address appear while it's trying to connect, they're being dropped before they reach the firewall. If they appear but the firewall doesn't reply, check the firewall's Device access settings and local service ACL.

    • Using packet capture, check whether TCP port 3400 or UDP port 3410 is being blocked.

  • Allow internet access for the RED devices. Make sure that the RED devices can connect to the following Sophos NTP servers:

    • 0.sophos.pool.ntp.org
    • 1.sophos.pool.ntp.org
    • 2.sophos.pool.ntp.org
    • 3.sophos.pool.ntp.org
  • If NTP access isn't possible, configure a local service ACL exception rule to allow HTTPS communication to the firewall for time synchronization. Do as follows:

    1. Go to Administration > Device access > Local service ACL exception rule.
    2. Click Add.
    3. Enter a rule name.
    4. Set Source zone to WAN.
    5. Set Source Network / Host to the RED device's public IP address, that is, the address it connects to the firewall from. Click Add to create an IP host for the RED if you don't already have one. Keep the source restricted to the RED's address: this rule exposes the HTTPS admin service on the WAN zone to every source it allows.
    6. Set Destination host to the firewall's WAN port.
    7. Set Services to HTTPS. This allows the HTTPS admin services, including RED time synchronization on port 4444.
    8. Set Action to Accept.
    9. Click Save.

RED device can't connect to the RED provisioning server

Issue

The RED device can't connect to the RED provisioning server, resulting in server connection errors and failed provisioning.

This may occur due to the following reasons:

  • Internet connectivity issues.
  • DNS resolution failure.
  • Blocked outbound traffic.
  • High network load.

Solution

To resolve this issue, do as follows:

  • Check the internet access from the RED device network.
  • Check the DNS configuration and make sure that the RED provisioning server can be resolved.
  • Check if outbound HTTPS port 443 traffic is allowed from the RED device network.
  • Check firewall rules that may block provisioning traffic on TCP port 3400.
  • Check the connectivity to the RED provisioning service on TCP port 3400 from the RED network. On a command prompt, run the following command:

    telnet red.astaro.com 3400
    

    If the result shows Connected to red.astaro.com, the provisioning server is reachable, and a high network load may be preventing you from registering with it. Try registering later. If the connection is refused or times out, the traffic isn't reaching the server: check DNS resolution and outbound filtering on TCP port 3400.

RED device can't connect to the firewall and then restarts

Issue

The RED device repeatedly attempts to connect to the firewall and then restarts. No stable tunnel can be established.

This may occur due to the following reasons:

  • Incorrect configuration.
  • Firmware or compatibility issues.
  • Unstable network.

Solution

To resolve this issue, do as follows:

  • Check the RED configuration. See the following links:

  • Make sure that the RED device firmware is up to date. Do as follows:

    1. Go to Backup and firmware > Pattern updates.
    2. Update the RED firmware pattern. See Manual pattern update.

    The RED device takes five to ten minutes to download and install the firmware.

  • Check network stability and packet loss.

  • Make sure that the firewall is reachable from the RED device network.

Other issues

RED deployed through offline provisioning switches to online provisioning

Issue

You deployed the RED device through online provisioning. Later, you changed the deployment to offline provisioning by using a USB drive. The RED provisioning server retains the online provisioning configuration.

If the RED device can't connect to the firewall, it connects to the RED provisioning server to download the configuration, which then overwrites the offline provisioning configuration. The RED device is then deployed through online provisioning.

Solution

To resolve this issue, do as follows:

  1. Deploy the RED device through offline provisioning again using the USB drive.
  2. Delete the online configuration from the RED provisioning server to prevent it from overwriting the offline configuration when the RED device can't connect to the firewall. To delete the configuration, contact Sophos Support.

Inactive RED access points

Issue

After RED access points in a VLAN restart, the firewall shows them as Inactive.

You can configure SD-RED 20 and SD-RED 60 as access points. If a RED access point is in a VLAN and you restart it, the firewall may show it as Inactive. After 30 retries, the RED device gets a LAN IP address from the DHCP server. The RED access point now shows as Active again.

This may occur if DHCP option 234 isn't configured for the VLAN interface of the RED device. When the RED device restarts, it doesn't get an IP address on its VLAN interface.

Solution

To resolve the issue, do as follows:

  1. Sign in to the CLI console. See Accessing Command Line Console.
  2. Type 4 to select Device Console.
  3. Configure the DHCP option as follows:

    system dhcp dhcp-options binding add dhcpname <dhcp server name> optionname dhcp_magic_ip(234) value <interface ip address>
    

    Replace <dhcp server name> with the name of the DHCP server that serves the RED access point VLAN. Replace <interface ip address> with the IP address you configured for the firewall interface connected to the RED access point VLAN.

    Within a short time, the RED access point receives an IP address on the VLAN interface.

  4. To check your settings, use the following command:

    system dhcp dhcp-options binding show dhcpname <dhcp server name>
    

    Replace <dhcp server name> with your DHCP server's name in the RED access point VLAN.

RED tunnel is established and the RED LEDs are green, but no traffic is going through

Issue

RED tunnel is established and the RED LEDs are green, but no traffic is going through.

This may occur due to the following reasons:

  • Firewall rule restrictions.
  • Missing or incorrect routes.
  • NAT misconfiguration.
  • UDP port 3410 is being blocked by your ISP or other network devices in your network.

Solution

To resolve the issue, do as follows:

  • Check if the firewall rules allow traffic between zones.
  • Check routing configuration for RED networks.
  • Check NAT rules to make sure that translations are correct.
  • Using the firewall CLI, do as follows:

    1. Sign in to the CLI console. See Accessing Command Line Console.
    2. Type 5 to select Device Management, then type 3 to select Advanced Shell.
    3. To check if there's traffic for UDP port 3410, run the following command:

      tcpdump -ni any port 3410
      
  • Using packet capture, check if UDP port 3410 is being blocked.

  • Check if your ISP or other network devices in your network block UDP port 3410.
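
The tcpdump checks on this page (here, in the offline-mode section and in the restart-loop section) tell you to look for traffic on ports 3400 and 3410 but not how to read what you capture. The following is an added example, not Sophos code or part of this page: a POSIX shell script with an awk parser that counts packets per direction in a saved `tcpdump -ni any port 3400 or port 3410` capture taken on the firewall and prints a verdict. The firewall WAN IP 198.51.100.10, the RED address 203.0.113.25 and the capture lines are constructed samples. The parser keys on the `src > dst:` fields, so it reads both the classic line format shown here and the newer output that adds interface and direction columns.

```shell
#!/bin/sh
# Added example (not Sophos code): summarise a firewall-side
# "tcpdump -ni any port 3400 or port 3410" capture by direction and say what
# the counts imply. $1 is the firewall's WAN IP as it appears in the capture.

# Constructed sample: TCP 3400 handshake completes, but no UDP 3410 arrives
# (the "tunnel up, LEDs green, no traffic" case).
SAMPLE_DATA_BLOCKED='12:00:00.100000 IP 203.0.113.25.41022 > 198.51.100.10.3400: Flags [S], seq 1000, win 64240, length 0
12:00:00.100500 IP 198.51.100.10.3400 > 203.0.113.25.41022: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:00.101000 IP 203.0.113.25.41022 > 198.51.100.10.3400: Flags [.], ack 1, win 502, length 0
12:00:00.200000 IP 203.0.113.25.41022 > 198.51.100.10.3400: Flags [P.], seq 1:518, ack 1, win 502, length 517'

# Constructed sample: same control channel plus UDP 3410 flowing both ways.
SAMPLE_HEALTHY="$SAMPLE_DATA_BLOCKED
12:00:01.000000 IP 203.0.113.25.3410 > 198.51.100.10.3410: UDP, length 124
12:00:01.000400 IP 198.51.100.10.3410 > 203.0.113.25.3410: UDP, length 96
12:00:02.000000 IP 203.0.113.25.3410 > 198.51.100.10.3410: UDP, length 124"

# red_capture_summary FW_WAN_IP < capture: per-direction counts and a verdict.
red_capture_summary() {
  awk -v fw="$1" '
    # "a.b.c.d.port:" -> "a.b.c.d" and "port"
    function host(s, n) { sub(/:$/, "", s); n = split(s, p, "."); return p[1] "." p[2] "." p[3] "." p[4] }
    function port(s, n) { sub(/:$/, "", s); n = split(s, p, "."); return p[n] }
    {
      src = ""
      for (i = 1; i < NF; i++) if ($(i + 1) == ">") { src = $i; dst = $(i + 2); break }
      if (src == "") next
      proto = ($0 ~ /Flags \[/) ? "tcp" : (($0 ~ /UDP, length/) ? "udp" : "other")
      dir = (host(dst) == fw) ? "in" : ((host(src) == fw) ? "out" : "other")
      if (proto == "tcp" && (port(dst) == "3400" || port(src) == "3400")) {
        tcp[dir]++
        if (dir == "in" && $0 ~ /Flags \[S\]/) syn++        # RED opening the control channel
        if (dir == "out" && $0 ~ /Flags \[S\.\]/) synack++  # firewall accepting it
      }
      if (proto == "udp" && (port(dst) == "3410" || port(src) == "3410")) udp[dir]++
    }
    END {
      printf "tcp3400 in=%d out=%d syn=%d synack=%d\n", tcp["in"] + 0, tcp["out"] + 0, syn + 0, synack + 0
      printf "udp3410 in=%d out=%d\n", udp["in"] + 0, udp["out"] + 0
      if (tcp["in"] + 0 == 0)
        v = "no TCP 3400 from the RED reaches the firewall: blocked upstream, or the RED is not trying"
      else if (synack + 0 == 0)
        v = "TCP 3400 arrives but the firewall does not answer: check Device access (RED on WAN) and the local service ACL"
      else if (udp["in"] + 0 == 0)
        v = "control channel up, no UDP 3410 arriving: data channel blocked upstream (ISP or intermediate device)"
      else if (udp["out"] + 0 == 0)
        v = "UDP 3410 arrives but the firewall sends none back: check Device access (RED on WAN) and the local service ACL"
      else
        v = "control and data channels flowing in both directions"
      print "verdict: " v
    }'
}

# When run as a script with the firewall WAN IP, read a capture from stdin.
if [ -n "${1:-}" ]; then
  red_capture_summary "$1"
fi
```

Save a capture from the Advanced Shell with `tcpdump -ni any port 3400 or port 3410 > red_capture.txt` while the RED is retrying, then run `sh red_capture.sh 198.51.100.10 < red_capture.txt`. Because the capture is taken on the firewall, it can only show what reaches the firewall and what the firewall sends: `udp3410 out` being non-zero doesn't prove the RED receives those packets, so a block on the return path still needs a capture on the RED side or at the ISP boundary.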

No traffic is going through the RED VLANs

Issue

There's no VLAN-specific traffic going through the RED.

This may occur due to the following reasons:

  • VLAN misconfiguration.
  • Incorrect tagging or interface mapping.

Solution

To resolve the issue, do as follows:

  • Check VLAN IDs and tagging configuration.
  • Check interface assignments on the firewall.
  • Make sure that the switch ports are configured correctly.
  • Check firewall rules specific to VLAN networks.
  • Check which RED operation mode you're using. Only the standard/unified RED operation mode can handle VLAN traffic.
  • Check if the VLANs are also created in the RED device.
  • Check RED LAN modes. See RED LAN modes.

Can't create or edit a RED interface

Issue

You can't create or edit a RED interface.

This may occur due to the following reasons:

  • Permission issues.
  • Incorrect or conflicting configurations.
  • System limitations.
  • The firewall can't connect to the RED provisioning server.
  • Incorrect unlock code.

Solution

To resolve the issue, do as follows:

  • Check administrator permissions.
  • Check your RED configuration. See RED interfaces.
  • Check for conflicting configurations.
  • Check if the firewall can connect to the RED provisioning server. Do as follows:

    1. Sign in to the CLI console. See Accessing Command Line Console.
    2. Type 5 to select Device Management, then type 3 to select Advanced Shell.
    3. To check if the firewall can connect to the RED provisioning server, run the following command:

      telnet red.astaro.com 3400
      
  • Check if the unlock code is correct. See RED unlock codes.

RED device is in a restart loop

Issue

The RED device restarts continuously. No stable connection can be established.

This may occur due to the following reasons:

  • Power issues.
  • Corrupt configuration.
  • Firmware issues.
  • TCP port 3400 or UDP port 3410 is being blocked by your ISP or other network devices in your network.
  • Incorrect unlock code.

Solution

To resolve the issue, do as follows:

  • Check the power supply and hardware integrity.
  • Check your RED configuration. See RED interfaces.
  • Make sure that the RED device firmware is up to date. Do as follows:

    1. Go to Backup and firmware > Pattern updates.
    2. Update the RED firmware pattern. See Manual pattern update.

    The RED device takes five to ten minutes to download and install the firmware.

  • Using the firewall CLI, check if TCP port 3400 or UDP port 3410 is being blocked. Do as follows:

    1. Sign in to the CLI console. See Accessing Command Line Console.
    2. Type 5 to select Device Management, then type 3 to select Advanced Shell.
    3. To check if there's traffic for TCP port 3400 or UDP port 3410, run the following command:

      tcpdump -ni any port 3400 or port 3410
      
  • Using packet capture, check if TCP port 3400 or UDP port 3410 is being blocked.

  • Go to Administration > Device access and turn on RED for the WAN zone.
  • Check the local ACL of the firewall. You must allow the remote branch's public IP address to access the firewall's RED services. See Allow RED services.

  • Check the RED LED codes. See the following links:

  • Check the connectivity to the RED provisioning service on TCP port 3400 from the RED network. On the command prompt, run the following command:

    telnet red.astaro.com 3400
    
  • Check if the unlock code is correct. See RED unlock codes.

  • Reset the RED device to factory defaults and reconfigure.
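
The connectivity checks in the offline-mode, provisioning-server and restart-loop sections above are individual telnet and DNS tests. The following script runs them in one pass from a host on the RED device's uplink network, with the firewall's WAN hostname or IP as its argument. It is an added example, not part of this page or of Sophos' tooling: red.astaro.com, the NTP pool names and the port numbers are the ones this page lists, the remediation hints quote this page's steps, and `getent` and `nc` (with a bash `/dev/tcp` fallback) are assumptions about the host you run it on. `nc -z` performs the same TCP connect test as the telnet commands on this page.

```shell
#!/bin/sh
# Added example (not Sophos code): probe the dependencies this page lists for
# RED provisioning from a host on the RED's uplink network.
# Usage: sh red_prereqs.sh <firewall WAN hostname or IP>
# UDP 3410 is not probed (no reply is guaranteed); use tcpdump on the firewall.

# probe_tcp HOST PORT: 0 if a TCP connection opens within 5 seconds.
probe_tcp() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
  else
    # Assumption: bash is installed, for its /dev/tcp pseudo-device.
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

# resolve_name NAME: 0 if NAME resolves (assumption: glibc getent is present).
resolve_name() {
  getent ahosts "$1" >/dev/null 2>&1
}

# check LABEL HINT CMD ARGS...: print PASS, or FAIL with this page's remediation hint.
check() {
  label=$1 hint=$2
  shift 2
  if "$@"; then
    printf 'PASS  %s\n' "$label"
  else
    printf 'FAIL  %s  [%s]\n' "$label" "$hint"
    FAILED=$((FAILED + 1))
  fi
}

# red_prereq_report FW: run every check; exit status 0 only if all of them pass.
red_prereq_report() {
  fw=$1
  FAILED=0
  check "DNS  $fw" "fix DNS resolution on the RED network" resolve_name "$fw"
  for n in 0 1 2 3; do
    check "DNS  $n.sophos.pool.ntp.org" "without NTP the RED needs the HTTPS 4444 fallback" \
      resolve_name "$n.sophos.pool.ntp.org"
  done
  check "DNS  red.astaro.com" "provisioning server must resolve" resolve_name red.astaro.com
  check "TCP  $fw:3400" "control channel: check upstream filtering and Device access > RED on WAN" \
    probe_tcp "$fw" 3400
  check "TCP  $fw:4444" "time-sync fallback: needs HTTPS admin on WAN or a local service ACL exception" \
    probe_tcp "$fw" 4444
  check "TCP  red.astaro.com:3400" "provisioning server: check outbound filtering; if it connects, retry later (load)" \
    probe_tcp red.astaro.com 3400
  echo "NOTE  UDP 3410 not probed; run tcpdump on the firewall to check the data channel"
  [ "$FAILED" -eq 0 ]
}

if [ -n "${1:-}" ]; then
  red_prereq_report "$1"
fi
```

A PASS on TCP 4444 means the HTTPS admin service answers the probing host; if that host is not the RED's own public address, it says nothing about a local service ACL exception scoped to the RED, so run the probe from the RED's network, not from an arbitrary machine.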