Replacement Firewall, new VPN installs do not connect

Hi all,

Sophos sent us a replacement XG 310. I registered the device to a distribution group rather than the single user the old firewall was registered to. 

I have noticed that, since doing that, new SSL VPN installs do not connect. Any thoughts?

  • Did you restore your Backup before or after the registration?

  • As Lucar suggested, if you uploaded the configuration, CA and all certificates are also restored so VPN users, for example, can connect.

    For new users, did you put the users in the SSL VPN configuration?

    Do you see the user's certificate under Certificates > Certificate menu?


  • In reply to lferrara:

    I restored a backup of the old XG and everything was working fine running unregistered. When I registered the device, I changed the registration to a different mySophos account. That's when I noticed that new VPN installs do not connect (though already installed clients do).

    I can see user certificiates under Certificates -> Certificates.

  • In reply to tripleview:

    Try to restore the Backup again.


    If you skip the registration and restore the configuration, XG will not process the VPN Configuration.

    The registration is needed for the VPN Certificates. 

    Therefore your Configs are not correct imported. 


    A Restore with the same backup after the registration should work. 

  • In reply to tripleview:

    Thanks for the feedback.

    Is the user an existing user or a new created one on the XG?

    Logs from remote vpn client and from XG side?


  • In reply to lferrara:

    Existing user.

    I tried experimenting with my own account. My VPN client was working. I uninstalled and reinstalled with a fresh download of the client. Now it does not connect.

    When I restored from backup, it restored all certs and ran with registration (person)@(domain). Everything was working.

    Now that I have changed registration to (group)@(domain), new VPN installs do not work. I am guessing it is a certificate issue?

  • In reply to tripleview:

    Can you try what suggested by Lucar?

  • In reply to lferrara:

    The backup I restored from is more than two weeks old at this point. I would much prefer not to restore it as I would lose changes I have made since then.

  • In reply to tripleview:

    Sadly the registration process regenerates the XG's certificate chain (I've had this one crop up before), the only way to fix this if you don't want to restore is to just people to download and reinstall the SSL Client.



  • In reply to carbon15:

    I was thinking to suggest to create a new vpn user and check if the VPN works.

    If the CA is re-generated, no other change to download the SSL VPN config and start over.


  • In reply to carbon15:

    I had a feeling... that is unfortunate.


    I wonder - if I changed the registration back to what it was (person)@(domain) to match the certificate store, would that provide a (less than ideal) fix?

  • In reply to tripleview:

    If you know, which changes you made, use Export / Import to export those modules into XML.

    Then restore your old backup.

    Restore the needed / changed modules via XML. 

  • In reply to LuCar Toni:

    Use the log viewer > Admin log to understand which changes you performed. Of course you do not have all the details, but at least you know the items created, modified, deleted.

    If you have a old backup, you can import the backup configuration on a XG VM, export everything as suggested by Lucar and then compare the XML files with the new exported one.


  • In reply to lferrara:

    Ok thank you. That is certainly an option.


    Is it possible to re-register the firewall as it is?

  • In reply to tripleview:

    Hi tripleview,

    It is possible to re-register the XG firewall, but you have to de-register it first. I would suggest you to open a case with customer care to assist you with the process as it is not possible to de-register the firewall from the GUI, customer care team should be able to help you with this.

    Send an email to, if you decide to de-register and re-register the firewall.