Any configuration changes made locally on the switch won't be synchronized with Sophos Central. We recommend making changes from the Sophos Central control panel instead.

Recover a switch with a corrupt firmware image

When Sophos Switch can't start any active or backup partition image, you must restore functionality by using a TFTP-based recovery process. The process involves downloading the correct recovery image from Sophos Central, setting up a DHCP/TFTP server, flashing the switch with the recovery image, updating to the latest firmware, and re-registering the switch with Sophos Central.

Process

When a switch can't start due to a corrupt firmware image, it starts in bootloader mode. In this mode, you must upload a new firmware file in .bix format from a TFTP server. Using the TFTP-based recovery process, you can recover the switch by flashing the recovery image. The recovery process starts listening using BOOTP and looks for a TFTP server. When the switch finds the TFTP server, it sends a GET request for a recovery image through BOOTP. When found, the image is loaded, and the switch restarts automatically. The recovery process stops if a server isn't found after five attempts. Writing the file and restarting takes five to ten minutes.

Select a recovery image

Before starting the recovery process, you must download the recovery image for your switch. Do as follows:

  1. Sign in to Sophos Central and go to Devices > Installers.
  2. Under Switches, click Download recovery image.
  3. Locate the .zip file and extract it to a location of your choice. Make a note of this location. You'll need it later.
  4. Select the correct recovery image for the switch.

    Multiple recovery images exist for most Sophos Switch models in the .zip file downloaded from Sophos Central. The files look like the following example:

    Example

    CS-RTL<SERIES>_fw_<MODEL>_<HARDWARE_ID>_3.02.<VERSION>.bix

    The placeholder values contain the following information:

    • <SERIES>: The series of your switch, which is one of the following two values:

      • 838x: These switches don't have console ports and include the following models:

        • CS101-8
        • CS101-8FP
      • 93xx: These switches have console ports and include the following models:

        • CS110-24
        • CS110-24FP
        • CS110-48
        • CS110-48P
        • CS110-48FP
        • CS210-8FP
        • CS210-48FP
        • CS1010-8FP
    • <MODEL>: The model of the switch this recovery image is for.

    • <VERSION>: The version of the recovery image.
    • <HARDWARE_ID>: The hardware ID of the switch this recovery image is for. To determine which version to use, get the three character prefix of the switch's serial number from Sophos Central and consult the following table:

      | Switch model | Serial number prefix | Recovery image |
      |---|---|---|
      | CS101-8 | W10 | CS-RTL838x_fw_CS101-8_0x01000000_2.02.<VERSION>.bix |
      | CS101-8FP | W11 | CS-RTL838x_fw_CS101-8FP_0x01000001_2.02.<VERSION>.bix |
      | CS101-8FP | W40 | CS-RTL838x_fw_CS101-8FP_0x02001001_2.02.<VERSION>.bix |
      | CS110-24 | W12 | CS-RTL93xx_fw_CS110-24_0x01000000_3.02.<VERSION>.bix |
      | CS110-24FP | W13 | CS-RTL93xx_fw_CS110-24FP_0x01001002_3.02.<VERSION>.bix |
      | CS110-24FP | W33 | CS-RTL93xx_fw_CS110-24FP_0x02002002_3.02.<VERSION>.bix |
      | CS110-48 | W14 | CS-RTL93xx_fw_CS110-48_0x01000000_3.02.<VERSION>.bix |
      | CS110-48 | W14 | CS-RTL93xx_fw_CS110-48_0x01100000_3.02.<VERSION>.bix |
      | CS110-48P | W15 | CS-RTL93xx_fw_CS110-48P_0x01000001_3.02.<VERSION>.bix |
      | CS110-48P | W15 | CS-RTL93xx_fw_CS110-48P_0x01100001_3.02.<VERSION>.bix |
      | CS110-48P | W35 | CS-RTL93xx_fw_CS110-48P_0x02001001_3.02.<VERSION>.bix |
      | CS110-48P | W35 | CS-RTL93xx_fw_CS110-48P_0x02101001_3.02.<VERSION>.bix |
      | CS110-48FP | W16 | CS-RTL93xx_fw_CS110-48FP_0x01001002_3.02.<VERSION>.bix |
      | CS110-48FP | W16 | CS-RTL93xx_fw_CS110-48FP_0x01101002_3.02.<VERSION>.bix |
      | CS110-48FP | W36 | CS-RTL93xx_fw_CS110-48FP_0x02002002_3.02.<VERSION>.bix |
      | CS110-48FP | W36 | CS-RTL93xx_fw_CS110-48FP_0x02102002_3.02.<VERSION>.bix |
      | CS210-8FP | W20 | CS-RTL93xx_fw_CS210-8FP_0x01000004_3.02.<VERSION>.bix |
      | CS210-8FP | W41 | CS-RTL93xx_fw_CS210-8FP_0x02001004_3.02.<VERSION>.bix |
      | CS210-24FP | W21 | CS-RTL93xx_fw_CS210-24FP_0x01000006_3.02.<VERSION>.bix |
      | CS210-48FP | W22 | CS-RTL93xx_fw_CS210-48FP_0x01000006_3.02.<VERSION>.bix |
      | CS210-48FP | W43 | CS-RTL93xx_fw_CS210-48FP_0x02001006_3.02.<VERSION>.bix |
      | CS1010-8FP | W44 | CS-RTL93xx_fw_CS1010-8FP_0x01001004_3.02.<VERSION>.bix |

      Note

      If two recovery images are available for a specific switch model and serial number combination, you can use either .bix file to recover the switch. For example, a CS110-48FP whose serial number prefix is W15 can use either CS-RTL93xx_fw_CS110-48P_0x01000001_3.02.<VERSION>.bix or CS-RTL93xx_fw_CS110-48P_0x01100001_3.02.<VERSION>.bix for recovery.

  5. Make a note of the correct file for your switch. You'll need this later.
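
The file-name convention and serial-prefix table above can be checked mechanically before a file is set as the boot file. This is an added example, not Sophos code: it assumes the serial number begins with the three-character prefix, and the function names, sample serial numbers and the `0.0000` version suffix are constructed for illustration.

```python
import re

# Serial prefix -> (model, hardware IDs), transcribed from the table on this page.
PREFIX_TABLE = {
    "W10": ("CS101-8", {"0x01000000"}), "W11": ("CS101-8FP", {"0x01000001"}),
    "W40": ("CS101-8FP", {"0x02001001"}), "W12": ("CS110-24", {"0x01000000"}),
    "W13": ("CS110-24FP", {"0x01001002"}), "W33": ("CS110-24FP", {"0x02002002"}),
    "W14": ("CS110-48", {"0x01000000", "0x01100000"}),
    "W15": ("CS110-48P", {"0x01000001", "0x01100001"}),
    "W35": ("CS110-48P", {"0x02001001", "0x02101001"}),
    "W16": ("CS110-48FP", {"0x01001002", "0x01101002"}),
    "W36": ("CS110-48FP", {"0x02002002", "0x02102002"}),
    "W20": ("CS210-8FP", {"0x01000004"}), "W41": ("CS210-8FP", {"0x02001004"}),
    "W21": ("CS210-24FP", {"0x01000006"}), "W22": ("CS210-48FP", {"0x01000006"}),
    "W43": ("CS210-48FP", {"0x02001006"}), "W44": ("CS1010-8FP", {"0x01001004"}),
}
NAME_RE = re.compile(
    r"^CS-RTL(?P<series>838x|93xx)_fw_(?P<model>CS\d+-\d+[A-Z]*)"
    r"_(?P<hw>0x[0-9a-fA-F]{8})_\d+\.\d+\.(?P<version>[\w.-]+)\.bix$")

def parse_image_name(name):
    # Split a file name into series/model/hw/version; ValueError if malformed.
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a recovery image name: {name!r}")
    return m.groupdict()

def select_images(serial, filenames):
    # Assumption: the serial starts with the prefix. KeyError = prefix not in table.
    model, hw_ids = PREFIX_TABLE[serial[:3].upper()]
    series = "838x" if model.startswith("CS101-") else "93xx"
    picked = []
    for name in filenames:
        try:
            f = parse_image_name(name)
        except ValueError:
            continue  # not a recovery image (readme, other files)
        if f["series"] == series and f["model"] == model and f["hw"].lower() in hw_ids:
            picked.append(name)
    return sorted(picked)

# Constructed listing of an extracted .zip; the version suffix is a placeholder.
SAMPLE = [f"CS-RTL93xx_fw_{m}_{h}_3.02.0.0000.bix" for m, h in [
    ("CS110-48P", "0x01000001"), ("CS110-48P", "0x01100001"),
    ("CS110-48P", "0x02001001"), ("CS110-48FP", "0x01001002")]] + ["readme.txt"]

if __name__ == "__main__":
    print(select_images("W15000000000", SAMPLE))  # constructed serial number
```

The match is on model and hardware ID together because the same hardware ID appears under more than one model in the table, for example 0x01001002 for both CS110-24FP and CS110-48FP.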

How to recover the switch

The switch recovery process varies depending on the model and series of switch.

To recover an 838x series switch without a console port, you must configure a Windows device as a DHCP server to provide the switch with the TFTP server information and connect it directly to the switch. Do as follows:

  1. On a Windows device, go to Control Panel > System and Security > Windows Defender Firewall > Turn Windows Defender Firewall on or off, and make sure Windows Firewall is off.
  2. Configure the Windows device's Ethernet port with a static IP address of 172.16.16.20.

    Note

    The default IP address of the switch is 172.16.16.239. If your Windows device isn't on the same subnet as the default IP address, the DHCP server can't assign an IP address to the switch.

  3. Start Tftpd64 and click Settings.

    Note

    This example uses Tftpd64 as the DHCP and TFTP server. You can use any server with the same settings.

  4. Click DHCP and configure the following options:

    • IP pool start address: 172.16.16.220
    • Size of pool: 10
    • Boot File: This is the name of the recovery image file downloaded from Sophos Central.
    • Def. router (Opt 3): 172.16.16.220
    • Mask (Opt 1): 255.255.255.0
    • Additional Option: Use option 66 (TFTP server) and enter 172.16.16.20.
    • Bind DHCP to this address: 172.16.16.20
    • Ping address before assignation: Turn this option off.
  5. Click TFTP and configure the following settings:

    • Base Directory: Set this to the folder where you extracted your recovery image.
    • TFTP security: Select None.
    • PXE compatibility: Select this option.
    • Allow '\' as virtual root: Select this option.
    • Bind TFTP to this address: 172.16.16.20
  6. Click GLOBAL and make sure TFTP Server and DHCP Server are selected.

  7. Click OK.
  8. Make sure the .bix file is in the default TFTP path, then connect the Windows device directly to the switch.
  9. Restart the switch to begin the recovery process.

    The switch receives an IP address from the DHCP server and recovery image information from the TFTP server. It contacts the TFTP server and downloads the recovery image. You can see this process on the Log viewer tab of Tftpd64 or in the logs of your DHCP or TFTP server. During this process, don't power off the switch or disconnect it from the TFTP server. The recovery process is complete only when you can access the switch at https://172.16.16.220.

93xx series switches with console ports let you configure the switch's IP address and TFTP server information using the console connection. To recover the switch using the console port, do as follows:

  1. Sign in to your Sophos Central account and go to Devices > Installers.
  2. Under Switches, click Download recovery image.
  3. Locate the .zip file and extract it to the location of your choice.
  4. On a Windows device, go to Control Panel > System and Security > Windows Defender Firewall > Turn Windows Defender Firewall on or off, and make sure Windows Firewall is off.
  5. Configure the Windows device's Ethernet port with a static IP address of 172.16.16.20.

    Note

    The switch's default IP address is 172.16.16.239. If your Windows device isn't on the same subnet as the default IP address, the switch won't be able to connect to the TFTP server.

  6. Start Tftpd64 and click Settings.

    Note

    This example uses Tftpd64 as the TFTP server. You can use any server with the same settings.

  7. Click TFTP and configure the following settings:

    • Base Directory: Set this to the folder where you extracted your recovery image.
    • TFTP security: Select None.
    • PXE compatibility: Select this option.
    • Allow '\' as virtual root: Select this option.
    • Bind TFTP to this address: 172.16.16.20
  8. Click GLOBAL and make sure TFTP Server is selected.

  9. Click OK.
  10. Connect to the switch using the console port.
  11. Open any terminal emulation program, such as PuTTY.
  12. Select the COM port, and use the following settings:

    • Baud Rate: 115200
    • Data bits: 8
    • Parity: None
    • Stop bits: 1
    • Flow Control: None

    Press Enter on your keyboard to connect to the CLI.

  13. Sign in using the username "admin" and the unique password for this switch.

    Tip

    The unique password is located on a sticker on the switch's chassis. An additional sticker is in the packaging.

  14. Select option 5 to check the switch's current IP address. Make sure it's the default IP address, 172.16.16.239.

  15. Select option 1 to set the IP address of your TFTP server.
  16. Enter 172.16.16.20.
  17. Select option 3 and enter 1 to upgrade partition 1.
  18. Enter the name of the .bix recovery image file on your TFTP server.
  19. Press Enter to start the recovery process.

    The switch contacts the TFTP server and downloads the recovery image. You can see this process on the Log viewer tab of Tftpd64 or in the logs of your TFTP server. During this process, don't power off the switch or disconnect it from the TFTP server. The recovery process is complete only when you can access the switch at https://172.16.16.239.

Update the firmware

The recovery image only contains the minimum software needed to start and connect the switch to the network. Before registering the switch and managing it with Sophos Central, you must update the firmware to the latest version. Do as follows:

  1. Sign in to Sophos Central and go to Devices > Installers.
  2. Under Switches, click Download firmware for your switch.
  3. Locate the .zip file and extract it to a location of your choice. Make a note of the location, as you'll need to find this file later.
  4. On the device where you downloaded the firmware, open a web browser and connect to the switch.
  5. Go to Configure > Firmware > Firmware upgrade.
  6. Select HTTPS for the Upgrade method.
  7. Select Partition 1(Active) for Partition.
  8. Click Select file, select the file you extracted earlier, and click Open.

    Note

    CS101 switch models and CS110 and CS210 switch models have different firmware images. Make sure you select the right image for your switch.

  9. Click Apply, then click Apply to upload the firmware to the switch.

  10. When the upload is complete, click Upgrade to apply the firmware.
  11. Once the firmware is applied, select Reboot or Continuous PoE Power to restart the switch and complete the upgrade.

Register with Sophos Central

Once the switch starts with the new firmware image, you must re-register it in Sophos Central. Do as follows:

  1. Sign in to Sophos Central.
  2. Go to My Products > Switches > Switches.
  3. Click the serial number of the switch you just recovered and click Remove from Sophos Central.
  4. Register the switch with Sophos Central. See Add switches.