
Unable to setup an Awair Glow device

I have an Awair Glow device I purchased a few years ago that monitors the air quality in a room. It connects to the network via WiFi and it's worked great until a few months ago. I noticed it was having issues with staying connected to the WiFi access point, so I performed a factory reset to see if maybe that would resolve it. I've done factory resets in the past without any issues. However, I think this was the first time I tried since running Sophos v18 (EAP at the time). It connects to the WiFi network just fine, but when I try to continue the setup process where it communicates with the Awair server, it basically says the connection could not be established. I've tried:

  • Disabling ATP
  • Setting all policies to None and unchecking all scanning (basically a "clean" firewall rule)
  • Connecting to both my primary and guest network
  • Factory reseting the device several times
  • Disabling my ad-blocker (PiHole)

It still does not work. If I pair it to my phone as a hotspot, it works just fine. Anyone else out there with an Awair device on Sophos v18? I'm at a loss with this one.



  • Hi Shred,

    have you set up the modified default firewall block 0 so you can see what is being dropped?

    Required WiFi Specifications

    Glow is only compatible with 2.4GHz B/G/N WiFi networks. Glow can operate on dual band routers (2.4GHz and 5GHz), but we recommend giving each band a separate SSID before connecting to the 2.4GHz network. We also recommend turning off the load balancing feature for dual routers, as this can occasionally move Glow to the 5GHz network. Your firewall must also allow access to TCP ports 8883, 123, and 443.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Yeah, it’s on a separate VLAN and I turned on logging for that firewall rule. I don’t see anything being dropped.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Hi

    Is there a way you can check the IP of the Glow device?

    Could you please try to capture packets on the ports used in communication?

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link
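Keyur's suggestion above is to look at the ports in use, and Ian's quote lists the ones Awair requires (TCP 443 and 8883; UDP 123 is NTP and not covered here). The following diagnostic is an added example, not code from either poster or from Sophos: run from a host on the same VLAN as the Glow, it separates "TCP never connects" (a rule dropping the traffic) from "TCP connects but the TLS handshake stalls or is torn down" (the pattern to look for when, as in this thread, something in the path is inspecting TLS). The two target addresses are the ones Shred saw in the firewall log, used only as sample targets.

```python
import socket
import ssl

# Ports that Awair's documentation (quoted earlier in the thread) says the
# firewall must allow for the Glow; UDP 123 (NTP) is not probed here.
REQUIRED_TCP_PORTS = (443, 8883)

# Sample targets: the two addresses reported in the firewall log in this thread.
SAMPLE_TARGETS = ("52.26.177.117", "52.40.15.135")


def probe_tls(host, port, timeout=5.0):
    """Open a TCP connection to host:port and attempt a TLS handshake.

    Returns (status, tls_version). status is one of:
      tcp_refused      nothing listening, or something in the path sent a RST
      tcp_timeout      the SYN got no answer at all (silently dropped)
      tcp_unreachable  routing/ICMP error before any connection
      tls_timeout      TCP connected, but the ClientHello never got a reply
      tls_failed       TCP connected, but the handshake was rejected or reset
      tls_ok           the handshake completed end to end
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only: reach the handshake, don't trust it
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp_refused", None
    except (socket.timeout, TimeoutError):
        return "tcp_timeout", None
    except OSError:
        return "tcp_unreachable", None
    try:
        # wrap_socket runs the handshake immediately on an already connected socket
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "tls_ok", tls.version()
    except (socket.timeout, TimeoutError):
        return "tls_timeout", None
    except OSError:  # ssl.SSLError, ConnectionResetError, EOF mid-handshake
        return "tls_failed", None
    finally:
        raw.close()  # no-op if wrap_socket already took over the descriptor


def diagnose(host, ports=REQUIRED_TCP_PORTS, timeout=5.0):
    """Probe every required port on one host; returns {port: status}."""
    return {port: probe_tls(host, port, timeout)[0] for port in ports}


if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(target, diagnose(target))
```

A "tcp_timeout" on a port should show up as a drop in the firewall rule log; a "tls_timeout" or "tls_failed" with the TCP connect succeeding will not, which matches what Shred saw in the logs.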

  • Hi,

    what I found was that it wasn't the device but the application that required access to a lot of unpublished ports, which the camera support people only acknowledged after I sent a support request with the limited range I had discovered. The actual range was UDP ports 0-65535.

    Also found that the application was trying to talk to countries I had blocked; the web logviewer showed a connection, but the firewall rule logviewer showed blocked.

    Ian


  • Yes, I see the IP address being registered by the DHCP server. The only thing I see in the firewall logs is an attempt to connect to a destination IP of 8.8.8.8 on UDP Port 53 (DNS) and both 52.26.177.117 and 52.40.15.135 on TCP 443. I did a packet capture from the Diagnostics page and this is what I'm seeing:


  • I've tried everything I can possible think of with this one. It works perfectly fine when I pair it to my phone as hot spot, so I'm fairly confident the device is fine. It never had any issues on Sophos XG v17, so something under the hood with v18 it does not like.


  • Did you try to disable the DPI Engine? (Disable and / or the Off Switch - Try both).

    Do you see something in the TLS Logviewer? 


  • Hm, I did try all that before but I just gave it a shot again and it seems after disabling SSL/TLS inspection by turning the entire thing off, it's now able to connect. I'm confused as to why this is though. This device is on a separate VLAN and separate firewall rule that does not have SSL/TLS scanning enabled, so why is this setting affecting that firewall rule? This separate VLAN is for my guest network and only has one firewall rule, which has no scanning at all.


  • Hi Shred,

    SSL/TLS scanning happens on all non-proxy rules according to the experts.

    Ian


  • I guess I no longer understand how Sophos XG works.

    If I have a device with:

    • All policies set to None on the firewall rule
    • All options under Web Filtering deselected on the firewall rule
    • No SSL/TLS inspection rule defined
    • ATP turned off

    My understanding is that is no longer using the DPI engine or proxy.

    Can someone explain how the DPI engine is still being used?

    Secondly, why would turning SSL/TLS inspection to off make any difference for a device that wasn't using SSL/TLS inspection to begin with?

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Hi Shred,

    I asked about setting up a firewall rule without DPI during the EAP. MichaelDunn responded with a very detailed explanation of how it all works.

    I will search the EAP forums and update this post with a link to the answer.

    Ian


  • Regards,

    Keyur

  • Hi Keyur,

    thank you, that is probably a better link than the one I was after.

    Ian


  • I have read his posts (which are extremely helpful and informative), but that is why I'm confused. If you read my post, it's covering the steps he mentions. Specifically, in regards to IoT devices, he mentions:

    If you have an IoT device that does not work, my recommendation is to first have it working with no filtering/scanning/decryption. Once this is working, administrators can then make changes that improve security around these devices.

    Firewall Rule - The IoT device should hit a rule that has no web policy and no malware scanning. When you open the rule the Web Filtering section should be unexpanded. The Other security features should be set to None.

    SSL/TLS inspection rules - The IoT device traffic should hit a rule that is Don't Decrypt with a profile Maximum Compatibility, or it should have no matching rule. If you have some TLS decryption rules for some things, you can create a higher level rule with don't decrypt that uses source of your device, similar to your firewall rule.

    Let me highlight the steps he mentions:

    • "no filtering/scanning/decryption" - I did that.
    • "no web policy and no malware scanning" - I did that.
    • "Other security features should be set to None" - I did that.
    • "or it should have no matching rule" - I did that.

    So again, I don't understand why turning SSL/TLS inspection to off (the "master switch") has any effect for a device that wasn't using SSL/TLS inspection to begin with.


  • It doesn't matter, since the DPI engine will still look into the traffic. So you need to make an exception for the URL/IP address the device is trying to access.

    I know, this is not the answer you would like, but this is how it works today. I agree that if you choose not to scan and decrypt, the DPI engine should NOT play with the traffic, but this is the way it works right now.

    You can also make a rule that uses the "v17.5" option "use proxy instead of DPI" and add the URL as the destination. This will work as well.


    //Rickard