Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

zero touch and initial deployment not working Firewall is able to reach Sophos licensing system.

Firewall is able to reach Sophos licensing system
https://eu-prod-utm.soa.sophos.com

in manual setup wizard

That no NTP server enabled per default flaw should be fixed quickly.


XGS136_XN02_SFOS 21.0.0 GA-Build169# date
Thu Jan  1 01:16:05 BST 1970
XGS136_XN02_SFOS 21.0.0 GA-Build169# ntpclient n -s -c 0 -l
Starting NTP Client v0.0.2
Configuration:
  -f inital_freq   0
  -c probe_count   0
  -d (debug)       0
  -g goodness      0
  -i interval      600
  -l live          1
  -T TimeOut       30
  -o Offset        900
  -q min_delay     800.000000
  -s set_clock     1
  -H Num of Hours  24
  -x cross_check   1
  -p local_port    0
  -L LogFile      'STDERR|STDOUT'
  -D Daemonize     0
  -h Host     pool.ntp.org
ERROR     Jan 01 00:16:53Z [13616]: setup_receive: bind for fd,family (3,2)
ERROR     Jan 01 00:16:53Z [13616]: setup_receive: bind for fd,family (4,10)
MESSAGE   Jan 01 00:16:53Z [13616]: Switch to Server 'pool.ntp.org' => '167.235.70.245'.
MESSAGE   Jan 01 00:16:53Z [13616]: ntp_step called
MESSAGE   Oct 18 14:47:10Z [13616]: ntp_step called
MESSAGE   Oct 18 14:47:12Z [13616]: Set time to : '18-10-2024 15:47:10'.
MESSAGE   Oct 18 14:47:12Z [13616]: Shutdown NTP-Client

then it worked

manual config wizard finished and brought me to the EULA page



Added TAGs
[edited by: Erick Jan at 12:21 AM (GMT -7) on 21 Oct 2024]
  • If the firewall offers a Webadmin for Config, it already skipped the ZeroTouch Process for this firewall. 

    Can you check the firewall on the log? It is zt.log 

    __________________________________________________________________________________________________________________


  • XGS136_XN02_SFOS 21.0.0 GA-Build169 HA-Auxiliary# cat /log/zt.log
                                         ___________________________
                                        |                           |
    ------------------------------------|   Checking for ZeroTouch  |------------------------------------
                                        |___________________________|

    Deleting old czt.log file as it's not being used
    1970-01-01 00:03:08Z  [ZeroTouch]  zt_validate_basic_requirements: The appliance is in factory reset mode, so trying to configure the appliance via CZT/TZT
    1970-01-01 00:03:08Z  [ZeroTouch]  zt_validate_firmware_group: checking firmware eligibility for SF310_SO01
    1970-01-01 00:03:08Z  [ZeroTouch]  zt_validate_firmware_group (SF310_SO01): Firmware is elligible for ZT Flow.
    1970-01-01 00:03:08Z  [ZeroTouch]  zt_validate_firmware_group (SF310_SO01): Device is TPM Provisioned, triggering TZT..
                                     ________________________________
                                    |                                |
    --------------------------------|   Checking for True ZeroTouch  |--------------------------------
                                    |________________________________|

    1970-01-01 00:03:09Z  [TZT]  TZT Process Start
    1970-01-01 00:03:09Z  [TZT]  zt_check_network_service_status: Networkd service is up and running.
    [ ZeroTouch ] opcode: czt_check_server_availability: ZeroTouch is not in process
    1970-01-01 00:03:09Z  [TZT]  tzt_get_uri: Signing Serial: X1330xxxx22B
    1970-01-01 00:03:09Z [TZT] get_data_signed_by_tpm: Signing data for serial
    1970-01-01 00:03:09Z [TZT] get_data_signed_by_tpm: Data signed successfully
    1970-01-01 00:03:09Z [TZT] tzt_get_uri: Signed  Serial: MEUCIC1mmMnaGmYFbyn3gdmXiGpmBnomxxxxxxxxxxxxxxxxxx7O9Y8C8E=
    1970-01-01 01:03:12 INFO czt-hub-connect[13046]:234 main::_tzt_get_challenge_payload - [TZT]: Fetch challenge payload from Central [https://utm.cloud.sophos.com/api/utm] for Serial [X133xxxx22B]
    1970-01-01 01:03:13 WARN API.pm[13046]:119 SFOS::Common::Central::API::send_request - 500 Can't connect to utm.cloud.sophos.com:443 (certificate verify failed)
    Content-Type: text/plain
    Client-Date: Thu, 01 Jan 1970 00:03:13 GMT
    Client-Warning: Internal response

    Can't connect to utm.cloud.sophos.com:443 (certificate verify failed)

    SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /lib32/perl/site_perl/5.26.3/LWP/Protocol/http.pm line 47.

    1970-01-01 01:03:13 INFO API.pm[13046]:120 SFOS::Common::Central::API::send_request - HTTP::Request failed due to a SSL verification error
    1970-01-01 01:03:13 INFO czt-hub-connect[13046]:267 main::_tzt_get_challenge_payload - [TZT]: Connecting to Sophos Central HUB [https://utm.cloud.sophos.com/api/utm] failed for the 1 time. Retry in a second.
    1970-01-01 01:03:14 WARN API.pm[13046]:119 SFOS::Common::Central::API::send_request - 500 Can't connect to utm.cloud.sophos.com:443 (certificate verify failed)
    Content-Type: text/plain
    Client-Date: Thu, 01 Jan 1970 00:03:14 GMT
    Client-Warning: Internal response

    Can't connect to utm.cloud.sophos.com:443 (certificate verify failed)

  • I wonder how many support cases this NTP server not enabled creates. must be many and many frustration.