XG330 (SFOS 18.5.4 MR-4-Build418)
Today I get this error on CAA:
Could not validate certificate! CAA Will now close
The certificate is already deployed on Windows computers and expires in 2036; there was no problem until today.
I have one Mac computer; it also has this error, and I tried to reinstall the CAA certificate on this Mac (after downloading it from the user portal),
but the problem still exists!
"server is not thrustworty! program will now terminate"
I never had this before, I don't know what the problem is, and I have no idea how to resolve it.
Any help please.
Hello Fotit,
Thank you for reaching out to the community. XG is sending the CA certificate with the future date stored under “/conf/certificate/internalcas/ClientAuthentication_CA.der”.
Did you recently upgrade the firmware? If that is the case, then:
1) Need to rollback to previous version where CAA agent is working fine.
2) Make sure that time is correctly set on the appliance in that firmware version.
3) Upgrade the firmware.
Thanks & Regards,
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
If a post solves your question please use the 'Verify Answer' button.
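The reply above attributes the error to a CA certificate dated in the future. The following is an added example, not part of the original thread and not Sophos code: it reads notBefore/notAfter from a DER certificate and compares them with a clock reading. The function names, the 5-minute skew tolerance and the sample certificate (constructed and unsigned) are assumptions.

```python
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):  # UTCTime (0x17) or GeneralizedTime (0x18), UTC 'Z' form
    s = raw.decode("ascii")
    if tag == 0x17:                         # two-digit year, RFC 5280 pivot at 50
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, p, _ = _tlv(der, 0)                  # Certificate
    _, p, _ = _tlv(der, p)                  # tbsCertificate
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                         # optional [0] version
        p = end
    for _field in range(3):                 # skip serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                  # Validity
    t1, s1, e1 = _tlv(der, p)
    t2, s2, e2 = _tlv(der, e1)
    return _time(t1, der[s1:e1]), _time(t2, der[s2:e2])

def classify(der, now, skew=timedelta(minutes=5)):
    """Compare the validity window with a clock reading, allowing small skew."""
    not_before, not_after = validity(der)
    if now + skew < not_before:
        return "not-yet-valid"              # CA dated ahead of the checking clock
    if now - skew > not_after:
        return "expired"
    return "valid"

def _der(tag, body):  # minimal encoder for the constructed sample (body < 256 bytes)
    size = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + size + body

def sample_cert(not_before, not_after):
    """Constructed, unsigned certificate-shaped DER (not a real Sophos CA)."""
    window = _der(0x30, _der(0x17, not_before) + _der(0x17, not_after))
    issuer = _der(0x30, b"\x00" * 130)      # padding so long-form lengths are exercised
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + issuer + window
    return _der(0x30, _der(0x30, tbs))
```

To check a real file, pass the bytes of the CA certificate downloaded from the user portal (DER form) and `datetime.now(timezone.utc)` to `classify`; a "not-yet-valid" result on a client with a correct clock points at the certificate's start date rather than its 2036 expiry.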
But it was working very well for two months...!!
I did upgrade at the beginning of July (SFOS 18.5.3 MR3 Build 408 -----> SFOS 18.5.4 MR4 Build 418).
I have HA.
You say on 1) rollback and on 3) upgrade the firmware!?
Is HA Active-Active or Active-Passive? HA means 0 downtime; it would be great if you raised a case with Sophos Support to help you upgrade the firmware version.
Refer below link for the same :
Follow the below link for Sophos Firewall: Suggestions before updating the SFOS firmware version
"Sophos Partner: Infrassist Technologies Pvt Ltd".
Hello Bharat & Vivek
After some thought, I contacted support; they didn't find a problem!
So I decided to do a reboot, just to see what it would give.
Finally the CAA worked after the reboot.
Why? I don't know.
Thanks for your help.
That's very weird; cheers, it worked for you!!
Thank you very much for your help.
I would suggest planning an upgrade of the firmware to the latest version and sharing the feedback.
Go through the Sophos release notes at the link below to plan the upgrade.
The latest firmware is available; refer to the following link: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v19-mr1-re_2d00_release-build-365-is-now-available
Thanks and Regards
I think I will wait until it appears in my console over the next few weeks.
I read the thread above, and there are some issues with IPsec site-to-site after upgrading.
I have 15 branches with IPsec site-to-site VPN, so I remain cautious for the moment and I will follow the evolution of things.
Hey Fotit,
Have you gone through the release notes:
Okay, Vivek, Bharat, I have noted :)
Fotit said: So I decided to do a reboot
Whenever you are rebooting the Sophos XG firewall, make sure you run fsck-on-nextboot from the Sophos XG SSH CLI console with option 4.
This checks the file system integrity of all the partitions. Turning ON this option forcefully checks the file system integrity on the next device reboot. By default, the check is OFF, but whenever the device goes into failsafe due to the following reasons, this check is automatically turned ON:
• Unable to start Config/Report/Signature Database
• Unable to Apply migration
• Unable to find the deployment mode
fsck-on-nextboot [ off | on | show ]
Once the check is turned ON, on the boot, all the partitions will be checked. The check will be turned OFF again on the next boot.
Below are the commands:
system fsck-on-nextboot show
system fsck-on-nextboot on