Need help with an XG Licensing Issue, Home Edition

So while we are a Sophos Platinum Reseller, I can't create a case for a home license; this happens to be the home license I use for my personal XG at home, which I use sometimes to test new firmware, etc.

 

I've had something rather concerning happen; the system has just decided to deactivate the licenses on the box due to some sort of sync issue.  There is nothing wrong with the external connectivity of the unit, it still works, of course, just with no features.  I get the following when I try to manually sync:

 

 

The main reason I am concerned is that if this happened to a customer in a production environment, it would be very very bad indeed.

 

The license shows as active in the MySophos licensing portal: 

 

The firmware was at 17.1.3, just updated to 17.1.4 to see if that would help, no dice.

 

 

Also a note, looks like the English translation is not used completely for the Alert item for this either.

 

Any ideas, help?

  • And one more tidbit, a shot of the licensing.log logfile.  Looks like a backend issue...

     

  • In reply to BrucekConvergent:

    More interesting info further down the log:

     

    INFO     Nov 26 12:26:58 [0]: certificate_signing_request() : response : {"errorCode":"ITSERVICELAYER_DEVICE_NOTFOUND_ERROR","message":"Device not found","statusCode":404,"trackingId":"32aa209d-ca73-4b47-962c-ec2058bf5e6d"}

     

    ERROR     Nov 26 12:26:58 [0]: Certificate signing Failed : Device not found...:(

    ERROR     Nov 26 12:26:58 [0]: certificate signing request() : parsing failed...

    INFO     Nov 26 12:26:58 [0]: --requestType = 8

    INFO     Nov 26 12:26:58 [0]: --serial = C01001B3FHQ4D3F

    INFO     Nov 26 12:26:58 [0]: --fwversion = 17.1.4.254

    INFO     Nov 26 12:26:58 [0]: --cert = /content/licensing/lic_csr.pem

    INFO     Nov 26 12:26:58 [0]: --key = /content/licensing/lic_csr.key

    INFO     Nov 26 12:26:58 [0]: --token = Token-Id:C01001B3FHQ4D3F

    INFO     Nov 26 12:26:58 [0]: URL : eu-prod-utm.soa.sophos.com/.../appliance

    INFO     Nov 26 12:26:58 [0]: licensing_do_applianceupdate : request : { "serialNumber": "C01001B3FHQ4D3F", "applianceAttributes": [ { "name": "firmwareVersion", "value": "17.1.4.254" } ] }

    ERROR     Nov 26 12:26:58 [0]: curl_easy_perform(58) failed: Problem with the local SSL certificate

    ERROR     Nov 26 12:26:58 [0]: licensing_do_applianceupdate() : Problem in contacting Server

  • In reply to BrucekConvergent:

    The root cause for the problem is likely because you ran 2 instances of SF-OS using the same serial number from 11-Dec-2017 to 10-Feb-2018. As stated in https://community.sophos.com/products/xg-firewall/f/licensing/93760/not-able-to-sync-home-license the XG licensing system is only designed to support one instance per serial number. It is likely that you are not currently using the last instance you installed. When installing SF-OS a unique Device-ID is generated and only the instance providing that unique ID will be able to sync.

    You are welcome to have more than one Firewall for Home use but you need to request an additional Home Use serial number.

    To resolve this problem you need to re-install SF-OS - that action will make the new instance the 'owner' of the license and it will sync ok again. However, as you have posted your serial number in the information you provided here, I would recommend taking a backup, requesting a new Home use serial number and re-installing using the new serial number.

    Regards

    Paul
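
Added example, not part of the original thread and not Sophos tooling: a small Python triage script for the two failure signatures in the licensing.log excerpt quoted earlier, which also masks the serial before a log is shared publicly. The line layout is taken from that excerpt; the sample lines and placeholder serial are constructed, and reading the 404 as "another instance may own the serial" follows the explanation in the reply above, not documented backend behaviour.

```python
import json
import re

# Layout seen in the thread's licensing.log excerpt: LEVEL Mon DD HH:MM:SS [n]: message
LINE_RE = re.compile(r"^\s*(INFO|ERROR)\s+(\w{3} +\d+ [\d:]{8}) \[\d+\]: (.*)$")
CURL_RE = re.compile(r"curl_easy_perform\((\d+)\) failed")
# Places the serial appears in the excerpt: --serial, --token and the JSON body.
SERIAL_RE = re.compile(r'(--serial = |Token-Id:|"serialNumber": ")([A-Z0-9]+)')


def redact(line):
    """Mask the appliance serial so a log line can be shared publicly."""
    return SERIAL_RE.sub(lambda m: m.group(1) + "<SERIAL-REDACTED>", line)


def triage(lines):
    """Return (timestamp, finding) tuples for known licensing failure signatures."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        _level, ts, msg = m.groups()
        brace = msg.find("{")
        if "response :" in msg and brace != -1:
            try:
                body = json.loads(msg[brace:])
            except ValueError:
                body = {}
            if body.get("statusCode") == 404 and "DEVICE_NOTFOUND" in body.get("errorCode", ""):
                findings.append((ts, "backend does not recognise this Device-ID; "
                                     "another instance may own the serial"))
        curl = CURL_RE.search(msg)
        if curl and curl.group(1) == "58":  # libcurl CURLE_SSL_CERTPROBLEM
            findings.append((ts, "problem with the local client certificate (curl 58)"))
    return findings


# Constructed sample modelled on the thread's excerpt; the serial is a placeholder.
SAMPLE = [
    'INFO     Nov 26 12:26:58 [0]: certificate_signing_request() : response : '
    '{"errorCode":"ITSERVICELAYER_DEVICE_NOTFOUND_ERROR","message":"Device not found","statusCode":404}',
    "INFO     Nov 26 12:26:58 [0]: --serial = C0000000EXAMPLE",
    "INFO     Nov 26 12:26:58 [0]: --token = Token-Id:C0000000EXAMPLE",
    "ERROR     Nov 26 12:26:58 [0]: curl_easy_perform(58) failed: Problem with the local SSL certificate",
]

if __name__ == "__main__":
    print(*triage(SAMPLE), *map(redact, SAMPLE), sep="\n")
```
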

  • In reply to PaulWarren:

    Paul, yes, I consulted our TAM (we are a platinum reseller) about this and he said the same thing (actually I had seen that before with some demo instances we spun up with our NFR -- but this serial has only ever been applied to my home unit -- a repurposed XG135) .... however, this license is only used on one box, and has only ever been used on one box.  That's the concerning part -- it just decided to fail so to speak.  If you guys are interested in looking into the root cause, I'd be glad to give you access to the box.  Otherwise I'll reload it as suggested -- just concerned that this could happen to my customers.

  • In reply to BrucekConvergent:

    Thanks for this offer - yes, I would like us to get more information. Probably best to work with your TAM for this and explain that I requested it, else, please send me a private message with your contact details and the name of your TAM. What would be useful to start with is a full copy of your 'licensing.log' file so we can see as much history as possible.

    Regards

    Paul

  • In reply to PaulWarren:

    Paul, I'll do that... I can provide you with the licensing.log file right off the bat.  PM inbound.

  • In reply to BrucekConvergent:

    Just an update for the forum; Paul took a look, looked like for a while there were two devices syncing with the same serial... I've never applied that one anywhere else... unfortunately the logs did not include IPs so we could see where this other device was.  They just fixed the license issue in the backend and we'll see if it happens again.