RED20 doesn't connect to the XG

Recently I purchased a RED20 to connect our branch office to HQ. The HQ has a Sophos XG firewall (XG310) which is all up to date.

When I try to connect the RED20 from the branch office to HQ, no connection is being made.

What happens is this:

When booting the RED20, the system light starts blinking green; after a few seconds it is steady green and the router light starts blinking green.

After 70 seconds the router light dies and the system light turns red. This sequence keeps repeating itself.

The RED20 is connected directly to the router and it should get an IP address from it.

On the XG I added a RED interface, but it doesn't show any signs of connectivity with the RED20 (offline).

Does somebody have any clue why this isn't working?



[edited by: emmosophos at 9:45 PM (GMT -7) on 10 Sep 2021]
  • Hello Alex,

    Thank you for contacting the Sophos Community.

    Usually, that combination of lights might mean that the Default Gateway is unreachable.

    If possible, as a test I would recommend removing the router the RED is connecting through and connecting the RED directly to the internet line.

    Or if the router in front of the RED allows assigning a Static IP to the RED, try setting a static IP to the RED.

    You can also confirm whether you see traffic arriving at the XG by using the public IP of the remote site as the host in the tcpdump.

    tcpdump -eni any host 99.100.101.102

    Regards,

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hello Emmanuel,

    Thanks for your reply.

    Unfortunately, it isn't possible to connect the RED directly to the internet. But in the router I see the RED gets an IP address assigned to it (DHCP client list).

    If I replace the RED with a laptop, it also gets an IP address, gateway address and DNS server addresses assigned to it.

    Tomorrow I will be at the remote location again and will give the tcpdump a try.

    You also mentioned assigning a static IP address to the RED. Can you tell me how that's done?

    Sincerely,

    Alex

  • Hi, I've checked the update status of the XG and it is fully updated.

    It seems like there is something blocking the access to red.astaro.com on port 3400.

    With Windows 10, a nice tool to test with is the PowerShell command tnc:

    Test-NetConnection

    Two examples for red.astaro.com on tcp:3400:

    PS > tnc red.astaro.com -port 3400
    WARNUNG: TCP connect to (184.72.39.13 : 3400) failed

    ComputerName           : red.astaro.com
    RemoteAddress          : 184.72.39.13
    RemotePort             : 3400
    InterfaceAlias         : Ethernet
    SourceAddress          : 172.16.xxx.xxx
    PingSucceeded          : True
    PingReplyDetails (RTT) : 162 ms
    TcpTestSucceeded       : False

    PS > tnc red.astaro.com -port 3400

    ComputerName     : red.astaro.com
    RemoteAddress    : 46.51.176.142
    RemotePort       : 3400
    InterfaceAlias   : WLAN
    SourceAddress    : 192.168.xxx.xxx
    TcpTestSucceeded : True

    You need to check if there is some upstream firewall blocking this port. As it is not widely used, there may be only 443 and basic web stuff enabled on your router or its upstream firewall.

    Or your device is not masqueraded out to the internet on the WAN router.

  • Hi LHerzog,

    Thanks for your reply, that is a great way of checking.

    It seems the connection from my network to red.astaro.com:3400 is okay. I don't see anything else in the router that might block outgoing traffic.

    Do you have any other suggestions?

    Sincerely,

    Alex

  • I just checked the documentation:

    SD-RED 20 & SD-RED 60 use TCP 3400 + UDP 3410.

    You cannot check UDP with tnc by the way.

    Is this the first RED connecting to your XG?

    From: https://community.sophos.com/utm-firewall/f/remote-ethernet-device-red/127171/sd-red-20-an-sopos-xg-210

    "RED is connecting to red.astaro.com to get the config via port 3400. Then will connect to the XG hostname via 3400 and 3410."

    But from your description the RED internet LED does not light up, correct? So it cannot access Sophos Cloud.
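
The reachability checks described in the two posts above (tnc against red.astaro.com:3400, and the documented TCP 3400 + UDP 3410 path to the XG), combined into one script. This is an added example and not from any poster in this thread or from Sophos: it runs on a Windows laptop plugged into the same LAN port the RED normally uses. red.astaro.com and the port numbers are taken from the thread; $XgHostname is a placeholder for the public hostname or IP of the HQ XG's RED interface and must be replaced. Because Test-NetConnection has no UDP mode, the UDP 3410 step can only confirm that a datagram leaves the laptop; arrival has to be confirmed on the XG side (for example with the tcpdump suggested earlier in the thread).

```powershell
# Added example, not from the thread or from Sophos. Checks the outbound paths an
# SD-RED 20 needs from the branch LAN. Replace $XgHostname before running.
$XgHostname = 'xg.example.invalid'   # placeholder: your HQ XG hostname / public IP

# Endpoints and their role in the RED bring-up, as described in the thread.
$Checks = @(
    @{ Target = 'red.astaro.com'; Port = 3400; Proto = 'TCP'; Purpose = 'provisioning / config download' },
    @{ Target = $XgHostname;      Port = 3400; Proto = 'TCP'; Purpose = 'tunnel control channel to XG' },
    @{ Target = $XgHostname;      Port = 3410; Proto = 'UDP'; Purpose = 'tunnel data channel to XG' }
)

function Test-RedEndpoint {
    param([hashtable]$Check)

    if ($Check.Proto -eq 'TCP') {
        # Real TCP handshake: TcpTestSucceeded is authoritative for "port reachable".
        $r = Test-NetConnection -ComputerName $Check.Target -Port $Check.Port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED or unreachable' }
    }
    else {
        # UDP is connectionless, so a send proves nothing about the far end. The most a
        # client-side check can do is show the packet leaves this host; verify arrival
        # with a capture on the XG (tcpdump -eni any host <branch public IP>).
        $udp = New-Object System.Net.Sockets.UdpClient
        try {
            $payload = New-Object byte[] 8          # eight zero bytes, constructed probe
            $null = $udp.Send($payload, $payload.Length, $Check.Target, $Check.Port)
            $state = 'SENT (arrival not verifiable from here)'
        }
        catch {
            # Typically DNS failure or a local socket error, e.g. the unreplaced placeholder.
            $state = "SEND FAILED: $($_.Exception.Message)"
        }
        finally {
            $udp.Close()
        }
    }

    [pscustomobject]@{
        Target  = $Check.Target
        Proto   = $Check.Proto
        Port    = $Check.Port
        State   = $state
        Purpose = $Check.Purpose
    }
}

$Checks | ForEach-Object { Test-RedEndpoint -Check $_ } | Format-Table -AutoSize
```

Read the result top to bottom in the order the RED itself uses them: if red.astaro.com:3400 already shows BLOCKED, the internet LED will never come on and the later rows are moot; if the provisioning row is OPEN but the XG rows fail, the problem is between the branch and HQ rather than with the upstream firewall's handling of port 3400.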

  • Yes, you're absolutely right. This is our first RED device.

    Also, the Internet light does not light up. It reaches the third stage of the boot codes (device is connecting to default gateway/router) and after that the system light turns red (DHCP or static address settings failed, default gateway not reachable).

  • Hello Alex,

    If possible, I would move the RED to a different location and test from there.

    Also, if your NAT device allows some type of diagnostic tools, or tcpdump, I would check whether it sees any traffic coming from the RED device.

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
  • Hello Emmanuel,

    I have moved the RED to a different location, but the results are the same. My NAT device is unfortunately a very basic device with almost no diagnostic tools on board.

    I've sent you two zip files (through private message). One is the tcpdump file, made from the XG console. The other one is a PuTTY log from the RED20.

    Perhaps you'll find some clues in it.

    Sincerely,

    Alex

    This wouldn't be the first RED that has been shipped with faulty firmware unable to connect.

    It is always connecting to Sophos servers first, to look for new configurations you made for it, before connecting to your XG firewall.

    So if connecting to Sophos (= the internet) is not working, you may have a bricked box there.

    Don't know if you can re-image a RED or if this needs to be done by RMA. Perhaps  can write a line about that?

  • Yeah, I agree, that could be the case.

    It should all be straightforward.

    If nothing else will do, I'm gonna give the USB stick option a try.

    Thanks for your replies, I really appreciate it.

    Sincerely,

    Alex

  • Hello Alex,

    Thank you for the PM, I have requested some more information from you.

    Regards,

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support