Webadmin page doesn't open after install

Hi 

After install, I'm not able to open the URL https://172.16.16.16:4444. My web browser says ERR_CONNECTION_REFUSED. I have done a lot of troubleshooting: I made a tcpdump capture, and in the response there's a connection reset. This made me think the port is not open, so I checked with netstat and I can see that port 4444 is not open.

I have been trying to get some info from the forum, but there's not much info. I'm able to ping and log in... Indeed, I can use it as a gateway, so I have internet access through the firewall, but I can't connect to the webadmin page. I have tried to reset the default Web Admin Certificate, and I have also tried to restart the tomcat service (200 OK), but nothing fixes the issue.

Any help would be much appreciated 

  • Hi,

    Sounds a bit like you are trying to use the external interface rather than your LAN interface? Do you get a 172 address assigned to your PC?

    Ian

  • Hi  

    Are you trying to access the device from the same LAN network as 172.16.16.X as per the LAN interface configured on the XG firewall?

    You may try to enable appliance access using the command: system appliance_access enable

    Please refer to the article: https://community.sophos.com/products/xg-firewall/f/recommended-reads/117385/sophos-xg-firewall-what-to-do-when-the-web-admin-is-not-accessible

  • In reply to rfcat_vk:

    Thanks Ian

    Yes, I'm accessing the LAN interface... indeed I'm able to ping and to console (ssh) to the firewall... 

    So far I can see apache service is stopped, now I just need to know why

    Thanks

  • In reply to Keyur:

    Keyur,

    Thank you very much for the link to the article, it has helped me a lot to at least find the issue...

    So far I can see apache service is stopped, now I just need to know why

    Thanks

  • In reply to Mario Gonzalez2:

    Hi  

    I would recommend referring to the articles below for the log file location and its operation.

    https://community.sophos.com/kb/en-us/123185

    https://community.sophos.com/kb/en-us/132211

  • In reply to Keyur:

    Hi Keyur and thanks for the reply 

     

    I followed the links and checked that the apache service is in a stopped state.

    SF01V_SO01_SFOS 17.5.9 MR-9# service -S | grep -iE 'tomcat|apache'
    tomcat RUNNING
    apache STOPPED

     

    I tried to start the service, and it seems to work 

    SF01V_SO01_SFOS 17.5.9 MR-9# service apache:start -ds nosync
    200 OK

     

    Then I tried to debug it but I got the following response

    SF01V_SO01_SFOS 17.5.9 MR-9# service apache:debug -ds nosync
    400 Bad Request

     

    Then I tailed apache.log and got the following:

    [Wed Feb 05 10:32:01.636860 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${userportal_listen_port} is not defined
    [Wed Feb 05 10:32:01.637010 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${userportal_listen_port} is not defined
    [Wed Feb 05 10:32:01.637168 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${SSLCertificateFileWithPath} is not defined
    [Wed Feb 05 10:32:01.637187 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${SSLCertificateKeyFileWithPath} is not defined
    [Wed Feb 05 10:32:01.637779 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${NEWURLMAP} is not defined
    [Wed Feb 05 10:32:01.637805 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${MYBASE} is not defined
    [Wed Feb 05 10:32:01.637828 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${MYBASE} is not defined
    [Wed Feb 05 10:32:01.637851 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${NEWURLMAP} is not defined
    [Wed Feb 05 10:32:01.637873 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${MYBASE} is not defined
    [Wed Feb 05 10:32:01.637895 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${NEWURLMAP} is not defined
    [Wed Feb 05 10:32:01.637917 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${NEWURLMAP} is not defined
    [Wed Feb 05 10:32:01.637939 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${NEWURLMAP} is not defined
    [Wed Feb 05 10:32:01.637949 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${MYBASE} is not defined
    AH00526: Syntax error on line 8 of /cfs/web/apache/ssl.conf:
    SSLCertificateFile: file '/conf/certificate/ApplianceCertificate_wz.pem' does not exist or is empty

     

    Then I checked the certificate path (last line) and there's no "ApplianceCertificate_wz.pem" at this folder. Here's the content

    SF01V_SO01_SFOS 17.5.9 MR-9# cd /conf/certificate/
    SF01V_SO01_SFOS 17.5.9 MR-9# ls
    aacerts caprivate client csrs internalcas licensing ocspcerts openvpn serial tmclient.pem
    cacerts certs crls index.txt internalcerts nsgsig old_ca_list private sslvpn u2dclient.pem
    SF01V_SO01_SFOS 17.5.9 MR-9#

     

    I also tried to find the certificate in other places, but it doesn't seem to be anywhere

    SF01V_SO01_SFOS 17.5.9 MR-9# find / -name "ApplianceCertificate_wz.pem"
    SF01V_SO01_SFOS 17.5.9 MR-9#

     

    Is there any way to generate this certificate over the CLI and place it in the required path?

  • In reply to Mario Gonzalez2:

    Mario,

    CA is created automatically during the XG installation. You can force the CA re-creation via CLI > option 2 > option 4

    Otherwise, I would suggest a factory reset of the XG via CLI > option 5 > option 1.

    Let us know.

  • In reply to lferrara:

    Thank you lferrara

    * I have done this before, but tried again

    System Settings

    1. Set Password for User Admin
    2. Set System Date
    3. Set Email ID for system notification
    4. Reset Default Web Admin Certificate
    0. Exit

    Select Menu Number [0-4]: 4
    Sophos Firmware Version SFOS 17.5.9 MR-9

    This will reset the web admin console certificate to default device certificate. Are you sure you want to continue?(Y/N): Y

    Web admin certificate reset successfully.

    Sophos Firmware Version SFOS 17.5.9 MR-9

     

    * Then I went to the specified path (/conf/certificate) but there are just 2 certificates (tmclient.pem & u2dclient.pem) but not the ApplianceCertificate_wz.pem certificate


    SF01V_SO01_SFOS 17.5.9 MR-9# cd /conf/certificate/
    SF01V_SO01_SFOS 17.5.9 MR-9# ls
    aacerts caprivate client csrs internalcas licensing ocspcerts openvpn serial tmclient.pem
    cacerts certs crls index.txt internalcerts nsgsig old_ca_list private sslvpn u2dclient.pem
    SF01V_SO01_SFOS 17.5.9 MR-9#

     

    * I have also reset the XG to factory defaults with no difference

     

    Thanks

  • In reply to Mario Gonzalez2:

    Hi,

    are you running this on a VM or a real machine?

    Ian

  • In reply to Mario Gonzalez2:

    Hi  ,

    It seems we would need to create an Appliance Certificate manually inside the /conf/certificate directory on your XG appliance.

    Now if you have access to any other test XG firewall on which the Appliance certificate is already present, you can copy its content and paste it on a newly created Appliance certificate on your device.

  • In reply to rfcat_vk:

    Hi Ian

    This one is on a dedicated pc, but I tried also on the same pc but over an ESX virtual environment with the same results. 

    I also tried on a different PC with VMware Workstation, and I downloaded the VM from Sophos. In that case I was able to log in normally

    Thanks

  • In reply to SamilV:

    Hi Samil

     

    Seems to be a good option. I'll give it a try and I'll post the result.

    Thanks for the advice

  • In reply to Mario Gonzalez2:

    Hi,

    Quite the same problem here. Apache.log shows an error that the certificate does not exist. It was a wildcard certificate which does not exist anymore. I can see ApplianceCertificate.pem in /conf/certificate. Now the question: how to set the default cert as "active" when apache starts?

    Thanks

    Regards

  • In reply to Mario Gonzalez2:

    Hi Samil,

    I gave this a try. I copied the ApplianceCertificate.key from a VM that works to /conf/certificate, then I rebooted the appliance... didn't work. I checked apache.log and now the log entry was:

    SSLCertificateKeyFile: file '/conf/certificate/private/ApplianceCertificate_wz.key' does not exist or is empty

    So I repeated the same process and copied the cert to the new path (/conf/certificate/private/), then rebooted, but the problem persists and the log shows the same:

    SSLCertificateKeyFile: file '/conf/certificate/private/ApplianceCertificate_wz.key' does not exist or is empty

    So, it didn't make it 

    Thanks
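
An added example, not part of the thread and not Sophos tooling: a small triage script for Apache startup output like the apache.log excerpts posted above. It separates the repeated warn-level AH00111 lines from the AH00526 syntax error and the "does not exist or is empty" lines that name the missing certificate or key file. The function name `triage` and the shortened sample log are assumptions made for this example.

```python
import re
from collections import Counter

# Sample input: lines quoted from the posts above, shortened for the example.
SAMPLE_LOG = """\
[Wed Feb 05 10:32:01.636860 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${userportal_listen_port} is not defined
[Wed Feb 05 10:32:01.637010 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${userportal_listen_port} is not defined
[Wed Feb 05 10:32:01.637168 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${SSLCertificateFileWithPath} is not defined
[Wed Feb 05 10:32:01.637805 2020] [core:warn] [pid 25307:tid 4143192384] AH00111: Config variable ${MYBASE} is not defined
AH00526: Syntax error on line 8 of /cfs/web/apache/ssl.conf:
SSLCertificateFile: file '/conf/certificate/ApplianceCertificate_wz.pem' does not exist or is empty
SSLCertificateKeyFile: file '/conf/certificate/private/ApplianceCertificate_wz.key' does not exist or is empty
"""

UNDEFINED_VAR = re.compile(r"AH00111: Config variable \$\{(\w+)\} is not defined")
SYNTAX_ERROR = re.compile(r"AH00526: Syntax error on line (\d+) of (\S+?):?$")
MISSING_FILE = re.compile(r"^(\w+): file '([^']+)' does not exist or is empty")


def triage(log_text):
    """Return (Counter of undefined variables, list of missing-file errors)."""
    undefined = Counter()
    missing = []
    location = None  # (config file, line number) from a preceding AH00526 line
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := UNDEFINED_VAR.search(line):
            undefined[m.group(1)] += 1          # collapse repeated warnings
        elif m := SYNTAX_ERROR.search(line):
            location = (m.group(2), int(m.group(1)))
        elif m := MISSING_FILE.match(line):
            missing.append({"directive": m.group(1),
                            "path": m.group(2),
                            "config": location})
            location = None                     # location applies to one error only
    return undefined, missing


if __name__ == "__main__":
    undefined, missing = triage(SAMPLE_LOG)
    for name, count in undefined.most_common():
        print(f"warn   undefined variable {name} (x{count})")
    for err in missing:
        where = "%s:%d" % err["config"] if err["config"] else "unknown location"
        print(f"error  {err['directive']} -> {err['path']} missing ({where})")
```
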