
Sophos XG Home license synchronization fails

My Sophos XG installation has stopped validating. The time is correct on the firewall and it has an internet connection.

In the licensing log, there is a "device not found" error.

The content/licensing folder is empty.




  • FormerMember
    0 FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    It seems the device is unable to reach the Sophos licensing server.

    Can you please take a tcpdump on the eu-prod-utm.soa.sophos.com URL and initiate a license synchronization request?

    ==> Login to SSH > 5. Device Management > 3. Advanced Shell

    # tcpdump -nei any host eu-prod-utm.soa.sophos.com


    Please share the output of the command below as well.

    # openssl s_client -connect eu-prod-utm.soa.sophos.com:443

    You may also try regenerating the Default certificate on the firewall.

  • SFVH_SO01_SFOS 18.0.5 MR-5# openssl s_client -connect eu-prod-utm.soa.sophos.com:443
    CONNECTED(00000003)
    depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
    verify return:1
    depth=0 C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.soa.sophos.com
    verify return:1
    ---
    Certificate chain
    0 s:/C=GB/ST=Oxfordshire/L=Abingdon/O=SOPHOS LIMITED/CN=*.soa.sophos.com
    i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
    1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
    i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIGmzCCBYOgAwIBAgIMbm8b9WIj3Jb5rhdMMA0GCSqGSIb3DQEBCwUAMFAxCzAJ

    ....

    1jO1hsGUm3ttCd7vmXJR
    -----END CERTIFICATE-----
    subject=/C=GB/ST=Oxfordshire/L=Abingdon/O=SOPHOS LIMITED/CN=*.soa.sophos.com
    issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
    ---
    No client certificate CA names sent
    Peer signing digest: SHA1
    Server Temp Key: ECDH, P-521, 521 bits
    ---
    SSL handshake has read 3412 bytes and written 540 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-SHA384
    Session-ID: 020200003C810E1E753B1B38C9EDDA5DE2EFDE279BEA85C772A49793D6EAD359
    Session-ID-ctx:
    Master-Key: A271ECBE5D32759B88E3E8CA431E6035CC97459F7C3B28E4ADFEE4170E0E29083C8B1622364EB5660BEF1B423E0A7614
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1619293505
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---

  • SFVH_SO01_SFOS 18.0.5 MR-5# tcpdump -nei any host eu-prod-utm.soa.sophos.com
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    14:59:33.876938 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 68: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [S], seq 1376958572, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    14:59:33.982244 Port2, IN: In d2:07:ca:16:1c:cb ethertype IPv4 (0x0800), length 68: 52.18.17.127.443 > 71.xx.xxx.xxx.60998: Flags [S.], seq 2769469024, ack 1376958573, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    14:59:33.982291 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 56: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [.], ack 1, win 229, length 0
    14:59:34.007278 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 573: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [P.], seq 1:518, ack 1, win 229, length 517
    14:59:34.114186 Port2, IN: In d2:07:ca:16:1c:cb ethertype IPv4 (0x0800), length 1516: 52.18.17.127.443 > 71.xx.xxx.xxx.60998: Flags [.], seq 1:1461, ack 518, win 256, length 1460
    14:59:34.114219 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 56: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [.], ack 1461, win 251, length 0
    14:59:34.114188 Port2, IN: In d2:07:ca:16:1c:cb ethertype IPv4 (0x0800), length 1516: 52.18.17.127.443 > 71.xx.xxx.xxx.60998: Flags [.], seq 1461:2921, ack 518, win 256, length 1460
    14:59:34.114232 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 56: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [.], ack 2921, win 274, length 0
    14:59:34.114240 Port2, IN: In d2:07:ca:16:1c:cb ethertype IPv4 (0x0800), length 441: 52.18.17.127.443 > 71.xx.xxx.xxx.60998: Flags [P.], seq 2921:3306, ack 518, win 256, length 385
    14:59:34.114248 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 56: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [.], ack 3306, win 297, length 0
    14:59:34.158871 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 306: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [P.], seq 518:768, ack 3306, win 297, length 250
    14:59:34.290482 Port2, IN: In d2:07:ca:16:1c:cb ethertype IPv4 (0x0800), length 163: 52.18.17.127.443 > 71.xx.xxx.xxx.60998: Flags [P.], seq 3306:3413, ack 768, win 255, length 107
    14:59:34.290549 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 56: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [.], ack 3413, win 297, length 0
    14:59:34.291037 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 397: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [P.], seq 768:1109, ack 3413, win 297, length 341
    14:59:34.396018 Port2, IN: In d2:07:ca:16:1c:cb ethertype IPv4 (0x0800), length 141: 52.18.17.127.443 > 71.xx.xxx.xxx.60998: Flags [P.], seq 3413:3498, ack 1109, win 254, length 85
    14:59:34.396290 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 653: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [P.], seq 1109:1706, ack 3498, win 297, length 597
    14:59:34.503259 Port2, IN: In d2:07:ca:16:1c:cb ethertype IPv4 (0x0800), length 1516: 52.18.17.127.443 > 71.xx.xxx.xxx.60998: Flags [.], seq 3498:4958, ack 1706, win 252, length 1460
    14:59:34.503261 Port2, IN: In d2:07:ca:16:1c:cb ethertype IPv4 (0x0800), length 1516: 52.18.17.127.443 > 71.xx.xxx.xxx.60998: Flags [.], seq 4958:6418, ack 1706, win 252, length 1460
    14:59:34.503325 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 56: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [.], ack 6418, win 343, length 0
    14:59:34.503339 Port2, IN: In d2:07:ca:16:1c:cb ethertype IPv4 (0x0800), length 565: 52.18.17.127.443 > 71.xx.xxx.xxx.60998: Flags [P.], seq 6418:6927, ack 1706, win 252, length 509
    14:59:34.544525 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 56: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [.], ack 6927, win 365, length 0
    14:59:34.557231 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 1473: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [P.], seq 1706:3123, ack 6927, win 365, length 1417
    14:59:34.676699 Port2, IN: In d2:07:ca:16:1c:cb ethertype IPv4 (0x0800), length 242: 52.18.17.127.443 > 71.xx.xxx.xxx.60998: Flags [P.], seq 6927:7113, ack 3123, win 256, length 186
    14:59:34.676718 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 56: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [.], ack 7113, win 388, length 0
    14:59:41.045236 Port2, IN: In d2:07:ca:16:1c:cb ethertype IPv4 (0x0800), length 813: 52.18.17.127.443 > 71.xx.xxx.xxx.60998: Flags [P.], seq 7113:7870, ack 3123, win 256, length 757
    14:59:41.045276 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 56: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [.], ack 7870, win 411, length 0
    14:59:41.045579 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 141: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [P.], seq 3123:3208, ack 7870, win 411, length 85
    14:59:41.047955 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 56: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [F.], seq 3208, ack 7870, win 411, length 0
    14:59:41.152713 Port2, IN: In d2:07:ca:16:1c:cb ethertype IPv4 (0x0800), length 56: 52.18.17.127.443 > 71.xx.xxx.xxx.60998: Flags [.], ack 3209, win 256, length 0
    14:59:41.152713 Port2, IN: In d2:07:ca:16:1c:cb ethertype IPv4 (0x0800), length 56: 52.18.17.127.443 > 71.xx.xxx.xxx.60998: Flags [F.], seq 7870, ack 3209, win 256, length 0
    14:59:41.152762 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 56: 71.xx.xxx.xxx.60998 > 52.18.17.127.443: Flags [.], ack 7871, win 411, length 0
    14:59:43.562551 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 68: 71.xx.xxx.xxx.32792 > 52.18.17.127.443: Flags [S], seq 1795138606, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    14:59:43.682707 Port2, IN: In d2:07:ca:16:1c:cb ethertype IPv4 (0x0800), length 68: 52.18.17.127.443 > 71.xx.xxx.xxx.32792: Flags [S.], seq 2762666911, ack 1795138607, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    14:59:43.682769 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 56: 71.xx.xxx.xxx.32792 > 52.18.17.127.443: Flags [.], ack 1, win 229, length 0
    14:59:43.683041 Port2, OUT: Out 90:e2:ba:3e:ab:31 ethertype IPv4 (0x0800), length 56: 71.xx.xxx.xxx.32792 > 52.18.17.127.443: Flags [F.], seq 1, ack 1, win 229, length 0
    14:59:43.802900 Port2, IN: In d2:07:ca:16:1c:cb ethertype IPv4 (0x0800), length 56: 52.18.17.127.443 > 71.xx.xxx.xxx.32792: Flags [R.], seq 1, ack 2, win 0, length 0
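
Added example, not part of the original thread: a small Python summarizer for `tcpdump -nei any` output in the format posted above, which separates "no answer to SYN" (a reachability problem) from "TCP connected and payload exchanged" (a problem above TCP). The sample lines are constructed with documentation addresses, and the names `summarize`, `verdict` and `SAMPLE` are this example's own.

```python
import re

# Matches the "src.port > dst.port: Flags [..] ... length N" tail of a tcpdump -n line.
PKT = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([SFPRUEW.]+)\].*\blength (\d+)\s*$")

# Constructed sample in the same layout as the capture above (addresses are placeholders).
SAMPLE = """\
14:59:33.876938 Port2, OUT: Out 02:00:00:00:00:01 ethertype IPv4 (0x0800), length 68: 192.0.2.10.60998 > 203.0.113.5.443: Flags [S], seq 100, win 29200, length 0
14:59:33.982244 Port2, IN: In 02:00:00:00:00:02 ethertype IPv4 (0x0800), length 68: 203.0.113.5.443 > 192.0.2.10.60998: Flags [S.], seq 900, ack 101, win 8192, length 0
14:59:34.007278 Port2, OUT: Out 02:00:00:00:00:01 ethertype IPv4 (0x0800), length 573: 192.0.2.10.60998 > 203.0.113.5.443: Flags [P.], seq 1:518, ack 1, win 229, length 517
14:59:34.114240 Port2, IN: In 02:00:00:00:00:02 ethertype IPv4 (0x0800), length 441: 203.0.113.5.443 > 192.0.2.10.60998: Flags [P.], seq 1:386, ack 518, win 256, length 385
14:59:41.047955 Port2, OUT: Out 02:00:00:00:00:01 ethertype IPv4 (0x0800), length 56: 192.0.2.10.60998 > 203.0.113.5.443: Flags [F.], seq 518, ack 386, win 411, length 0
14:59:43.562551 Port2, OUT: Out 02:00:00:00:00:01 ethertype IPv4 (0x0800), length 68: 192.0.2.10.32792 > 203.0.113.5.443: Flags [S], seq 500, win 29200, length 0
14:59:43.682707 Port2, IN: In 02:00:00:00:00:02 ethertype IPv4 (0x0800), length 68: 203.0.113.5.443 > 192.0.2.10.32792: Flags [S.], seq 700, ack 501, win 8192, length 0
14:59:43.683041 Port2, OUT: Out 02:00:00:00:00:01 ethertype IPv4 (0x0800), length 56: 192.0.2.10.32792 > 203.0.113.5.443: Flags [F.], seq 1, ack 1, win 229, length 0
14:59:43.802900 Port2, IN: In 02:00:00:00:00:02 ethertype IPv4 (0x0800), length 56: 203.0.113.5.443 > 192.0.2.10.32792: Flags [R.], seq 1, ack 2, win 0, length 0
14:59:50.000000 Port2, OUT: Out 02:00:00:00:00:01 ethertype IPv4 (0x0800), length 68: 192.0.2.10.40000 > 203.0.113.5.443: Flags [S], seq 1, win 29200, length 0
"""

def summarize(capture):
    """Group packets into TCP flows keyed by the client endpoint that sent the SYN."""
    flows = {}
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue  # banner lines, non-TCP packets
        src, dst = f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}"
        flags, size = m[5], int(m[6])
        if flags == "S":  # bare SYN: src is the client opening a new flow
            flows[src] = {"server": dst, "syn_acked": False, "sent": 0, "received": 0, "reset": False}
            continue
        client = src if src in flows else dst
        flow = flows.get(client)
        if flow is None:
            continue  # capture started mid-connection, no SYN seen for this flow
        if flags == "S." and src == flow["server"]:
            flow["syn_acked"] = True
        flow["sent" if src == client else "received"] += size  # TCP payload bytes
        flow["reset"] = flow["reset"] or "R" in flags
    return flows

def verdict(flow):
    """Turn one flow summary into a triage statement."""
    if not flow["syn_acked"]:
        return "no answer to SYN: check routing, filtering or DNS"
    if flow["sent"] and flow["received"]:
        return "payload in both directions: server reachable, look above TCP"
    return "TCP connected but no payload" + (", then reset" if flow["reset"] else "")
```

In the capture posted above, the flow from source port 60998 carries payload in both directions, while the one from port 32792 completes the handshake and is closed by the client without payload before the server's reset.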

  • It looks like your device ID changed somehow and therefore the licensing backend server cannot find your device.

    Assuming a reinstallation would solve this issue, can you reinstall the XG and use your backup?
