Skip to content
Any configuration changes made locally on the switch won't be synchronized with Sophos Central. We recommend making changes from the Sophos Central control panel instead.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/switch/help/en-us/index.html?contextId=user-guide-features-howto-recovery-no-console-port

Recover a switch without a console port

Recover a switch with a corrupted firmware image using Trivial File Transfer Protocol (TFTP).

Symptoms

When the switch isn't responding to ping and there's no activity on any switch interfaces, there may be an issue with the firmware.

Process

You can recover the switch by flashing the firmware image using the TFTP-based recovery process. This process runs automatically on the switch when the switch starts with a corrupt image file. The recovery process starts listening using BOOTP and looks for a DHCP server configured with a TFTP server IP address. The recovery process stops if a server isn't found after five attempts.

When the switch gets the TFTP Server IP address, the switch sends a GET request for a recovery image through BOOTP. When found, the image is loaded, and the switch restarts automatically. The process takes five to ten minutes to write the file and start for the first time.

The supported switch models without an RJ45 console port are as follows:

  • CS101-8
  • CS101-8FP

How to recover the switch

This example uses Tftpd64 as the DHCP and TFTP server. You can use any server with the same settings.

To recover a switch, you must configure a Windows device as a DHCP and TFTP server and connect it directly to the switch. Do as follows:

  1. Sign in to your Sophos Central account and go to Devices > Installers.
  2. Under Switches, click Download recovery image.
  3. Locate the .zip file and extract it to the location of your choice.

  4. Configure the Windows device's Ethernet port with a static IP address of 172.16.16.20.

    Note

    The default IP address of the switch is 172.16.16.239. If your Windows device isn't on the same subnet as the default IP address, the DHCP server can't assign an IP address to the switch.

  5. Configure the DHCP server with the following options:

    • IP pool start address: 172.16.16.220
    • Size of pool: 10

    • Boot File: This is the name of the recovery image file downloaded from Sophos Central. The file looks like one of the following examples:

      • series_vmlinux.bix
      • CS-RTL93xx_fw_3.02.260c_20220406-1658.bix
      • CS-RTL838x_fw_2.02.260c_20220406-1658.bix

      Note

      Make sure you use the correct recovery image for your switch. The .zip file downloaded from Sophos Central contains recovery images for switches with and without console ports.

    • Def. router (Opt 3): 172.16.16.220

    • Mask (Opt 1): 255.255.255.0
    • Additional Option: Use option 66 (TFTP server) and enter 172.16.16.20.
    • Bind DHCP to this address: 172.16.16.20

  6. Configure the TFTP server with the following settings:

    • Base Directory: Set this to the folder where you extracted your recovery image.
    • TFTP security: None
    • PXE compatibility: Selected
    • Allow '\' as virtual root: Selected

  7. Start the DHCP and TFTP servers.

  8. Connect the Windows device directly to the switch with the .bix file in the default TFTP path.
  9. Restart the switch to begin the recovery process. To monitor the progress, you can check the DHCP/TFTP server application logs for events.