As part of deploying a replacement XG firewall, I wanted to do two things: 1) move my APs to the new firewall, 2) move the management of the APs to a new VLAN. My as-is configuration had an AP55 and an APX530 operating on VLANs 5 and 6: VLAN5 for management and guest access (so bridged to my WiFi VLAN), VLAN6 bridged to a trusted subnet (LAN). XG provided the DHCP. After configuring my PoE switch to the new management VLAN (default PVID for the connected port), my APs would get a DHCP address, but they would not appear for registration on the new XG.
In short, the AP / APX were coming from a prior configuration state in which the AP VLAN ID was set to VLAN5. On boot, the AP sent a DHCP request that was answered on the default VLAN of the connected PoE switch port (VLAN8). So, yes, the AP got a VLAN8 DHCP address. The next step was for the AP to issue a magic IP packet, but it did so on its last known AP VLAN ID (still VLAN5 from its as-is configuration). In other words, my 10.1.8.x AP address was trying to send magic IP, but tagged to VLAN5, where only 10.1.5.x addresses live. Even if the XG was able to receive the magic IP on a VLAN trunk, it had no way to respond to the AP due to the IP address/VLAN mismatch between the XG interface and the AP. Until I could change the AP VLAN ID, I needed a working session between the XG and the AP on the existing VLAN ID.
Easy fix was to
The thing to keep in mind is the DHCP will come from the PVID of the PoE switch port. Management traffic from the AP will use the configured AP VLAN ID. Mismatching the two is...bad.
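As an added illustration of the rule stated above (not code from the original post or from Sophos), the following small Python checker models the two paths separately: the DHCP lease, which follows the switch port's PVID, and the AP's management/discovery traffic, which is tagged with the AP's stored VLAN ID. It then reports whether the firewall could actually answer the AP. The topology values, the function names and the `AccessPoint` class are all constructed for this example; the generalisation is that the check works for any combination of PVID, AP VLAN ID and firewall VLAN interfaces, not only the VLAN5/VLAN8 case described in the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology, loosely modelled on the post: the firewall has a VLAN
# sub-interface (and DHCP scope) on each of these VLANs. Hypothetical values.
XG_VLAN_INTERFACES = {
    5: ipaddress.ip_network("10.1.5.0/24"),   # old AP management VLAN
    8: ipaddress.ip_network("10.1.8.0/24"),   # new AP management VLAN
}


@dataclass
class AccessPoint:
    name: str
    configured_vlan_id: int   # the "AP VLAN ID" the AP still carries from its last config
    dhcp_address: str         # the address it obtained via untagged DHCP on the switch port


def dhcp_vlan_for_port(switch_pvid: int) -> int:
    """Untagged DHCP from the AP is placed into the port's PVID by the switch."""
    return switch_pvid


def check_ap_discovery(ap: AccessPoint, switch_pvid: int, xg_interfaces: dict):
    """Return (ok, reason) describing whether the firewall can talk back to the AP.

    The AP's discovery (magic IP) frames are tagged with ap.configured_vlan_id,
    but their source address comes from the DHCP scope on the port's PVID.
    The firewall can only reply if that source address belongs to the subnet it
    has on the VLAN the frames arrive on.
    """
    addr = ipaddress.ip_address(ap.dhcp_address)

    # 1) Which VLAN handed out the lease? Sanity-check the address against it.
    dhcp_vlan = dhcp_vlan_for_port(switch_pvid)
    dhcp_subnet = xg_interfaces.get(dhcp_vlan)
    if dhcp_subnet is None or addr not in dhcp_subnet:
        return False, (f"{ap.name}: address {addr} is not from the firewall's "
                       f"scope on PVID VLAN{dhcp_vlan}; check DHCP/PVID first")

    # 2) Which VLAN will the AP tag its management traffic with?
    mgmt_vlan = ap.configured_vlan_id
    mgmt_subnet = xg_interfaces.get(mgmt_vlan)
    if mgmt_subnet is None:
        return False, (f"{ap.name}: discovery is tagged VLAN{mgmt_vlan}, but the "
                       f"firewall has no interface on that VLAN; frames are dropped")

    # 3) The mismatch from the post: a PVID-assigned address tagged onto another VLAN.
    if addr not in mgmt_subnet:
        return False, (f"{ap.name}: source {addr} tagged VLAN{mgmt_vlan} is outside "
                       f"{mgmt_subnet}; the firewall cannot route a reply back")

    return True, (f"{ap.name}: {addr} on VLAN{mgmt_vlan} matches {mgmt_subnet}; "
                  f"AP should show up for registration")


if __name__ == "__main__":
    # Constructed AP states: stale VLAN ID (the failure) and corrected VLAN ID.
    stale = AccessPoint("APX530-stale", configured_vlan_id=5, dhcp_address="10.1.8.23")
    fixed = AccessPoint("APX530-fixed", configured_vlan_id=8, dhcp_address="10.1.8.23")
    for ap in (stale, fixed):
        print(check_ap_discovery(ap, switch_pvid=8, xg_interfaces=XG_VLAN_INTERFACES))
```

Running it prints the failing case first (address from VLAN8 carried inside VLAN5-tagged frames) and then the consistent case once the AP VLAN ID matches the port's PVID. The same function also catches the case where the AP tags a VLAN the firewall has no interface on at all, which simply looks like silence on the firewall side.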
Thanks for sharing the details.