Why does Sophos XG not recognise that I have a connection?

I have been using Sophos XG for about a week now but have yet to register the product. I have tried everything from reinstalling to swapping NICs in my server but still get the following error.
None of the other suggestions on this topic seem to work for me. I am using the default config and all connected clients can connect. What is my way forward as I can clearly ping the Sophos servers?

 

  • Hi Ashruf,

     

    SSH into the XG -- go to option 5 then 3. 

    Run the command tail -f /log/licensing.log 

    Reproduce the synchronization and it will tell you where it is failing. 

    I would recommend opening a support case for this as well. 

  • In reply to MasterRoshi:

    Thanks,

    The log revealed the following

    INFO Jan 02 09:46:11 [0]: --requestType = 1
    INFO Jan 02 09:46:11 [0]: --serial = C01001Y7K2P42CC
    INFO Jan 02 09:46:11 [0]: --deviceid = 566c840b-f906-4655-8f32-1afc770ed7df
    INFO Jan 02 09:46:11 [0]: --model = SF01V
    INFO Jan 02 09:46:11 [0]: --vendor = SO01
    INFO Jan 02 09:46:11 [0]: --upgradedFrom = 0
    INFO Jan 02 09:46:11 [0]: --fwversion = 17.5.1.347
    INFO Jan 02 09:46:11 [0]: --cert = /_conf/certificate/licensing/mfgr_vendor_SO.pem
    INFO Jan 02 09:46:11 [0]: --token = Token-Id:SO-D5C052A8
    INFO Jan 02 09:46:11 [0]: --key = /_conf/certificate/licensing/mfgr_vendor_SO.key
    INFO Jan 02 09:46:11 [0]: URL : eu-prod-utm.soa.sophos.com/.../applianceactivation
    INFO Jan 02 09:46:11 [0]: request : { "serialNumber": "C01001Y7K2P42CC", "deviceId": "566c840b-f906-4655-8f32-1afc770ed7df", "model": "SF01V", "deviceFirmwareVersion": "17.5.1.347", "vendorCode": "SO01" }
    ERROR Jan 02 09:46:12 [0]: curl_easy_perform(60) failed: Peer certificate cannot be authenticated with given CA certificates
    ERROR Jan 02 09:46:12 [0]: licensing_do_activation() : Problem in contacting Server
    { "statusmessage": "Operation failed due to an unknown error. Please contact Support.", "status": "510" }

     

    I applied the workaround at https://community.sophos.com/kb/en-us/132458 but the error stays the same.

  • In reply to Ashruf Rodrigues:

    Perhaps try rebooting and if the issue persists, try the KB steps once more.

    If that does not resolve things and the logs are the same, I would suggest opening a support ticket to investigate what is going on at a deeper level. 

  • In reply to MasterRoshi:

    Is there any HTTPS inspection between XG WAN and the Internet?

    Any kind of proxy?

  • In reply to LuCar Toni:

    He can try this command:

    openssl s_client -showcerts -connect eu-prod-utm.soa.sophos.com:443

    then paste the output here. 

  • In reply to MasterRoshi:

    I would suggest he doesn't have the XG DNS set up correctly.

    Ian

  • In reply to rfcat_vk:

    Next guess: Do you have the proper time zone selected?

  • In reply to MasterRoshi:

    Thanks,

    I got a bit further this time after fixing the system time and applying the workaround. The web interface now seems to be stuck on the "Retrieving Eligible Source Devices!" page.

    The log contains:

    generate certificate signing request (CSR) Fri Feb 15 10:19:19 SAST 2019


    Fri Feb 15 10:19:20 SAST 2019 certificate signing request generated with status :: 0
    ####################################################
    INFO Feb 15 10:19:20 [0]: --requestType = 4
    INFO Feb 15 10:19:20 [0]: --serial = C01001Y7K2P42CC
    INFO Feb 15 10:19:20 [0]: --deviceid = af45b180-0114-488f-9ad2-6b08188be78d
    INFO Feb 15 10:19:20 [0]: --cert = /_conf/certificate/licensing/mfgr_vendor_SO.pem
    INFO Feb 15 10:19:20 [0]: --key = /_conf/certificate/licensing/mfgr_vendor_SO.key
    INFO Feb 15 10:19:20 [0]: URL : eu-prod-csr.soa.sophos.com/.../signing
    INFO Feb 15 10:19:20 [0]: certificate_signing_request() : request : { "serialNumber":"C01001Y7K2P42CC", "deviceId":"af45b180-0114-488f-9ad2-6b08188be78d", "certificateSigningRequest":"-----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----
    "}
    INFO Feb 15 10:19:22 [0]: certificate_signing_request() : response : {"errorCode":"ITSERVICELAYER_PROVIDER_REQUEST_ERROR","message":"Device must be activated and registered","statusCode":400,"trackingId":"289de8e9-a08a-4588-8d17-da17af2cfba5"}

    ERROR Feb 15 10:19:22 [0]: Certificate signing Failed : Device must be activated and registered...:(
    ERROR Feb 15 10:19:22 [0]: certificate signing request() : parsing failed...

  • In reply to rfcat_vk:

    I have my DNS set up by DHCP and I made no changes to the default config.

  • In reply to Ashruf Rodrigues:

    As mentioned in the log.

    You need to restart the appliance.

    It should come up and after logging in to the webadmin, the appliance should ask for an activation and everything should work fine.

  • In reply to Ashruf Rodrigues:

    I just ran the registration using Chrome and it went through. Not sure why Firefox gave me all this trouble. Thanks for the help all.

  • In reply to Ashruf Rodrigues:

    I have noticed issues with registration before if you have an adblock add-on in your browser.

  • In reply to MasterRoshi:

    Can confirm UBlock broke XG registration for me.
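
The two licensing.log excerpts posted in this thread fail at different layers: the first never completes the TLS handshake (curl error 60), the second reaches the server and is rejected with HTTP 400. The script below is an added example, not part of the original thread and not Sophos tooling; it condenses such a log to one line per failed request. The function names and the sample lines (modelled on the thread's log format) are constructed for illustration, and the class labels are this example's own grouping of libcurl error codes.

```shell
#!/bin/sh
# Added example: summarise failed requests in XG licensing.log output.
# Reads log text on stdin and prints one line per failure.
triage_licensing_log() {
    awk '
    # Remember which endpoint the request in flight is talking to.
    / URL : / { host = $NF; sub(/\/.*/, "", host) }

    # libcurl transport failure; the number in parentheses is the CURLcode.
    /curl_easy_perform\([0-9]+\) failed/ {
        match($0, /curl_easy_perform\([0-9]+\)/)
        code = substr($0, RSTART + 18, RLENGTH - 19) + 0
        if (code == 6)                     class = "dns"        # could not resolve host
        else if (code == 7 || code == 28)  class = "connect"    # refused or timed out
        else if (code == 35 || code == 60) class = "tls-trust"  # handshake or cert check
        else                               class = "other"
        printf "%s %s %s host=%s curl=%d class=%s\n", $2, $3, $4, host, code, class
    }

    # The request reached the server, which answered with an error body.
    /response : / && match($0, /"statusCode":[0-9]+/) {
        status = substr($0, RSTART + 13, RLENGTH - 13) + 0
        msg = ""
        if (match($0, /"message":"[^"]*"/))
            msg = substr($0, RSTART + 11, RLENGTH - 12)
        if (status >= 400)
            printf "%s %s %s host=%s http=%d msg=\"%s\"\n", $2, $3, $4, host, status, msg
    }'
}

# Constructed sample lines in the format shown in the thread.
sample_log() {
    cat <<'EOF'
INFO Jan 02 09:46:11 [0]: URL : eu-prod-utm.soa.sophos.com/.../applianceactivation
ERROR Jan 02 09:46:12 [0]: curl_easy_perform(60) failed: Peer certificate cannot be authenticated with given CA certificates
INFO Feb 15 10:19:20 [0]: URL : eu-prod-csr.soa.sophos.com/.../signing
INFO Feb 15 10:19:22 [0]: certificate_signing_request() : response : {"errorCode":"ITSERVICELAYER_PROVIDER_REQUEST_ERROR","message":"Device must be activated and registered","statusCode":400}
EOF
}

sample_log | triage_licensing_log
```

A `class=tls-trust` line is the case the thread's checks address: HTTPS inspection or a proxy in the path, and the system time. A `class=dns` line would point at the DNS suggestion instead.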