Firewall Connection Lost in Sophos Central

service -S | grep ssod  is Running 

centralmanagement.log                       
/bin/sh: centralmanagement.log: not found 

did you type the complete command I shared or just "centralmanagement.log ?" Ahmed Fahmy1

2022-08-10 13:32:08Z INFO central-connect[1914]:221 main:: - Polling for SSO to 
PIC-URI [https://utm-cloudstation-us-east-2.prod.hydra.sophos.com]/sophos/api/v1
/firewalls/Firewallserial/sshTunnel  Timezone: Africa/Cairo                    
2022-08-10 13:32:09Z INFO central-connect[1914]:271 main:: -  got response of po
ll for SSO. Status: requested backupExpected:                                   
2022-08-10 13:32:40Z INFO central-connect[2202]:221 main:: - Polling for SSO to 
PIC-URI [https://utm-cloudstation-us-east-2.prod.hydra.sophos.com]/sophos/api/v1
/firewalls/Firewallserial/sshTunnel  Timezone: Africa/Cairo                    
2022-08-10 13:32:41Z INFO central-connect[2202]:271 main:: -  got response of po
ll for SSO. Status: requested backupExpected:                                   
2022-08-10 13:33:12Z INFO central-connect[2396]:221 main:: - Polling for SSO to 
PIC-URI [https://utm-cloudstation-us-east-2.prod.hydra.sophos.com]/sophos/api/v1
/firewalls/Firewallserial/sshTunnel  Timezone: Africa/Cairo                    
2022-08-10 13:33:13Z INFO central-connect[2396]:271 main:: -  got response of po
ll for SSO. Status: requested backupExpected:                                   
2022-08-10 13:33:44Z INFO central-connect[3009]:221 main:: - Polling for SSO to 
PIC-URI [https://utm-cloudstation-us-east-2.prod.hydra.sophos.com]/sophos/api/v1
/firewalls/Firewallserial/sshTunnel  Timezone: Africa/Cairo                    
2022-08-10 13:33:44Z INFO central-connect[3009]:271 main:: -  got response of po
ll for SSO. Status: requested backupExpected:                                   
2022-08-10 13:34:15Z INFO central-connect[3337]:221 main:: - Polling for SSO to 
PIC-URI [https://utm-cloudstation-us-east-2.prod.hydra.sophos.com]/sophos/api/v1
/firewalls/Firewallserial/sshTunnel  Timezone: Africa/Cairo                    
2022-08-10 13:34:16Z INFO central-connect[3337]:271 main:: -  got response of po
ll for SSO. Status: requested backupExpected:                                   
2022-08-10 13:34:46Z INFO central-connect[3660]:221 main:: - Polling for SSO to 
PIC-URI [https://utm-cloudstation-us-east-2.prod.hydra.sophos.com]/sophos/api/v1
/firewalls/Firewallserial/sshTunnel  Timezone: Africa/Cairo                    
2022-08-10 13:34:47Z INFO central-connect[3660]:271 main:: -  got response of po
ll for SSO. Status: requested backupExpected:                                   
                                                            

Hey Ahmed Fahmy1,

You can check the status of the central here: https://centralstatus.sophos.com/

Plus, you can also perform a nslookup & telnet on the XG 

#nsloookup utm-cloudstation-us-east-2.prod.hydra.sophos.com
#telnet utm-cloudstation-us-east-2.prod.hydra.sophos.com

And are you seeing any errors popping up from the central while accessing ? 

All systems normal

all our Firewall on different locations are reporting this issue today but it happened over the last days also.

What's going on at Sophos Central Central Europe Region?

I'm sure these are false positives in term of Internet connectivity of the firewall. There must be something in Central.

We've also had this issue with only the Aux nodes, now Aux and Pri nodes reported the issue

Thu 13.10.2022 08:09 CEST

Thu 13.10.2022 09:13-09:36 CEST multiple times

502 and 504 Response Codes from Central...

2022-10-13 07:16:58Z INFO central-connect[30861]:232 main:: -  Poll for SSO Sessions failed.
2022-10-13 07:16:58Z ERROR Tools.pm[30861]:97 SFOS::Common::Central::Tools::report_status - EPOLLSSOFAIL: no sophisticated error message supplied
2022-10-13 07:17:30Z INFO central-connect[374]:221 main:: - Polling for SSO to PIC-URI [https://utm-cloudstation-eu-central-1.prod.hydra.sophos.com]/sophos/api/v1/firewalls/xxxxx/sshTunnel  Timezone: Europe/Berlin
2022-10-13 07:17:30Z WARN API.pm[374]:119 SFOS::Common::Central::API::send_request - HTTP/1.1 502 Bad Gateway
Connection: close
Date: Thu, 13 Oct 2022 07:17:30 GMT
Server: awselb/2.0
Content-Length: 122
Content-Type: text/html
Client-Date: Thu, 13 Oct 2022 07:17:30 GMT
Client-Peer: 18.156.141.44:443
Client-Response-Num: 1
--
Title: 502 Bad Gateway

<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
</body>
</html>

2022-10-13 07:15:27Z INFO central-connect[30220]:232 main:: -  Poll for SSO Sessions failed.
2022-10-13 07:15:27Z ERROR Tools.pm[30220]:97 SFOS::Common::Central::Tools::report_status - EPOLLSSOFAIL: no sophisticated error message supplied
2022-10-13 07:15:57Z INFO central-connect[30861]:221 main:: - Polling for SSO to PIC-URI [https://utm-cloudstation-eu-central-1.prod.hydra.sophos.com]/sophos/api/v1/firewalls/xxxxx/sshTunnel  Timezone: Europe/Berlin
2022-10-13 07:16:58Z WARN API.pm[30861]:119 SFOS::Common::Central::API::send_request - HTTP/1.1 504 Gateway Time-out
Connection: close
Date: Thu, 13 Oct 2022 07:16:58 GMT
Server: awselb/2.0
Content-Length: 132
Content-Type: text/html
Client-Date: Thu, 13 Oct 2022 07:16:58 GMT
Client-Peer: 3.64.249.208:443
Client-Response-Num: 1
--
Title: 504 Gateway Time-out

<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
</body>
</html>

502 and 504 Response Codes from Central...

2022-10-13 07:16:58Z INFO central-connect[30861]:232 main:: -  Poll for SSO Sessions failed.
2022-10-13 07:16:58Z ERROR Tools.pm[30861]:97 SFOS::Common::Central::Tools::report_status - EPOLLSSOFAIL: no sophisticated error message supplied
2022-10-13 07:17:30Z INFO central-connect[374]:221 main:: - Polling for SSO to PIC-URI [https://utm-cloudstation-eu-central-1.prod.hydra.sophos.com]/sophos/api/v1/firewalls/xxxxx/sshTunnel  Timezone: Europe/Berlin
2022-10-13 07:17:30Z WARN API.pm[374]:119 SFOS::Common::Central::API::send_request - HTTP/1.1 502 Bad Gateway
Connection: close
Date: Thu, 13 Oct 2022 07:17:30 GMT
Server: awselb/2.0
Content-Length: 122
Content-Type: text/html
Client-Date: Thu, 13 Oct 2022 07:17:30 GMT
Client-Peer: 18.156.141.44:443
Client-Response-Num: 1
--
Title: 502 Bad Gateway

<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
</body>
</html>

2022-10-13 07:15:27Z INFO central-connect[30220]:232 main:: -  Poll for SSO Sessions failed.
2022-10-13 07:15:27Z ERROR Tools.pm[30220]:97 SFOS::Common::Central::Tools::report_status - EPOLLSSOFAIL: no sophisticated error message supplied
2022-10-13 07:15:57Z INFO central-connect[30861]:221 main:: - Polling for SSO to PIC-URI [https://utm-cloudstation-eu-central-1.prod.hydra.sophos.com]/sophos/api/v1/firewalls/xxxxx/sshTunnel  Timezone: Europe/Berlin
2022-10-13 07:16:58Z WARN API.pm[30861]:119 SFOS::Common::Central::API::send_request - HTTP/1.1 504 Gateway Time-out
Connection: close
Date: Thu, 13 Oct 2022 07:16:58 GMT
Server: awselb/2.0
Content-Length: 132
Content-Type: text/html
Client-Date: Thu, 13 Oct 2022 07:16:58 GMT
Client-Peer: 3.64.249.208:443
Client-Response-Num: 1
--
Title: 504 Gateway Time-out

<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
</body>
</html>

Hey LHerzog,

Can you check the following from the Sophos appliance shell access ?
nslookup utm-cloudstation-eu-central-1.prod.hydra.sophos.com
Domain Name Server# 127.0.0.1
Domain Name # utm-cloudstation-eu-central-1.prod.hydra.sophos.com
Resolved Address 1# utm-spinnaker-1431807683.eu-central-1.elb.amazonaws.com.
Resolved Address 1# 18.156.141.44
Resolved Address 2# 3.121.70.112
Resolved Address 3# 3.64.249.208
Total query time # 34.29 msec

telnet utm-cloudstation-eu-central-1.prod.hydra.sophos.com 443
Trying 18.156.141.44...
Connected to utm-cloudstation-eu-central-1.prod.hydra.sophos.com.
Escape character is '^]'.
^]quit

telnet> Connection closed.

See if you are getting this results, or not ?

as the issue is not present currently, these commands are successful

XGS136_XN01_SFOS 19.0.1 MR-1-Build365#  nslookup utm-cloudstation-eu-central-1.prod.hydra.sophos.com
Domain Name Server#  127.0.0.1
Domain Name       #  utm-cloudstation-eu-central-1.prod.hydra.sophos.com
Resolved Address 1#  utm-spinnaker-1431807683.eu-central-1.elb.amazonaws.com.
Resolved Address 1#  3.64.249.208
Resolved Address 2#  18.156.141.44
Resolved Address 3#  3.121.70.112
Total query time  #  0.12 msec

XGS136_XN01_SFOS 19.0.1 MR-1-Build365# telnet utm-cloudstation-eu-central-1.prod.hydra.sophos.com 443
Trying 3.64.249.208...
Connected to utm-cloudstation-eu-central-1.prod.hydra.sophos.com.
Escape character is '^]'.
^]
HTTP/1.1 400 Bad Request
Server: awselb/2.0
Date: Thu, 13 Oct 2022 09:20:41 GMT
Content-Type: text/html
Content-Length: 122
Connection: close

<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
</body>
</html>
Connection closed by foreign host.
XGS136_XN01_SFOS 19.0.1 MR-1-Build365#

Hmm, then request you to perform this again along with the the tcpdump on the host utm-cloudstation-eu-central-1.prod.hydra.sophos.com and share the results. 

happened again between 2:08 and 2:12 PM CEST.

Runing tcpdump only makes sense when the issue is present. That cannot be automated.

Hey LHerzog
tcpdump with ring buffer

nohup tcpdump -C 50 -W 20 -w filename.pcap -i Port2 port 443 -s0 &

writes 20 single 50MB big dumpfiles with specified filename / nohup starts the dump in background.
killall tcpdump to stop the packet capture.

You can tweak according to your requirement !

Vivek Jagad - do you want dump and logs?