Zero Touch troubleshooting

For every new XGS appliance I'm preparing for a customer, I'm trying to use the new Zero Touch.

Unfortunately, for every 2-3 appliances the process fails and needs further investigation.
So currently I'm not confident enough to send an appliance directly to the customer and rely on a successful Zero Touch.

Yesterday I got an XGS108 with V20.0 MR1. No success.
Removed it from Central and re-added it, reimaged with V21 - still no success.
Today, another reboot without any other changes - success.

NTP was fine, nslookup utm.cloud.sophos.com fine, DHCP/WAN OK - no issues on status.sophos.com.
Is there anything I can provide to improve Zero Touch and make this more stable for future deployments?

Can you provide a more detailed troubleshooting guide for Zero Touch? (docs.sophos.com/.../index.html)

{"error":{"code":"FORBIDDEN"}}
2024-12-09 14:56:21 INFO czt-hub-connect[11208]:347 main::_tzt_post_signed_data - [TZT]: Connecting to Sophos Central HUB [https://utm.cloud.sophos.com/api/utm] failed 3 times. Exiting 
2024-12-09 14:56:21 ERROR Tools.pm[11208]:97 SFOS::Common::Central::Tools::report_status - EAGAIN: Temporary error while accessing Sophos Central or Sophos Central indentity could not be verified. 
2024-12-09 14:56:07Z [TZT] tzt_get_uri: Empty url or correlation id received, Exiting..
[ ZeroTouch ] opcode: reset_zerotouch_flags: Reset necessary nvram flags
2024-12-09 14:56:07Z [TZT] on_config_file_download_fail: Error occured, cleaning up..
2024-12-09 14:56:07Z [TZT] on_config_fail Error Occured, cleaning up..

Case #02071778.

Added TAGs
[edited by: Raphael Alganes at 10:17 AM (GMT -8) on 10 Dec 2024]
  • Basically, Central has rate limiting on Zero Touch requests to protect Central. Apparently your firewall ran into this rate limit, and today it was lifted again.

    Do you have the zt logs from the entire 09, or did you reimage?

    What were the very first zt log errors?

  • That would explain it - but that's the only appliance being prepared from our WAN IP yesterday.
    zt.log is only from after the reimage with V21 - but I've only tried 2 times on V20 MR1 before, and the error messages were the same:

                                        ___________________________
                                        |                           |
    ------------------------------------|   Checking for ZeroTouch  |------------------------------------
                                        |___________________________|
     
    Deleting old czt.log file as it's not being used
    2024-12-09 14:44:34Z  [ZeroTouch]  zt_validate_basic_requirements: The appliance is in factory reset mode, so trying to configure the appliance via CZT/TZT
    2024-12-09 14:44:34Z  [ZeroTouch]  zt_validate_firmware_group: checking firmware eligibility for SF310_SO01
    2024-12-09 14:44:34Z  [ZeroTouch]  zt_validate_firmware_group (SF310_SO01): Firmware is elligible for ZT Flow.
    2024-12-09 14:44:34Z  [ZeroTouch]  zt_validate_firmware_group (SF310_SO01): Device is TPM Provisioned, triggering TZT..
                                     ________________________________
                                    |                                |
    --------------------------------|   Checking for True ZeroTouch  |--------------------------------
                                    |________________________________|
     
    2024-12-09 14:44:35Z  [TZT]  TZT Process Start
    2024-12-09 14:44:35Z  [TZT]  zt_check_network_service_status: Networkd service is up and running.
    [ ZeroTouch ] opcode: czt_check_server_availability: ZeroTouch is not in process
    2024-12-09 14:44:35Z  [TZT]  tzt_get_uri: Signing Serial: X103XXXXXXXX
    2024-12-09 14:44:35Z [TZT] get_data_signed_by_tpm: Signing data for serial
    2024-12-09 14:44:35Z [TZT] get_data_signed_by_tpm: Data signed successfully
    2024-12-09 14:44:35Z [TZT] tzt_get_uri: Signed  Serial: MEYCIQCteyzXxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    2024-12-09 14:44:39 INFO czt-hub-connect[13410]:234 main::_tzt_get_challenge_payload - [TZT]: Fetch challenge payload from Central [https://utm.cloud.sophos.com/api/utm] for Serial [X1030476FYB3M7B] 
    2024-12-09 14:44:41 WARN API.pm[13410]:119 SFOS::Common::Central::API::send_request - HTTP/1.1 403 Forbidden
    Cache-Control: no-store,no-cache,must-revalidate,max-age=0;
    Connection: close
    Date: Mon, 09 Dec 2024 14:44:17 GMT
    Server: -
    Vary: Origin
    Vary: Access-Control-Request-Method
    Vary: Access-Control-Request-Headers
    Content-Language: en-US
    Content-Length: 30
    Content-Type: application/json;charset=UTF-8
    Client-Date: Mon, 09 Dec 2024 14:44:41 GMT
    Client-Peer: 34.243.209.222:443
    Client-Response-Num: 1
    Client-SSL-Cert-Issuer: /C=US/O=Amazon/CN=Amazon RSA 2048 M02
    Client-SSL-Cert-Subject: /CN=central.sophos.com
    Client-SSL-Cipher: ECDHE-RSA-AES128-SHA256
    Client-SSL-Socket-Class: IO::Socket::SSL
    Content-Security-Policy: frame-ancestors 'none'
    Set-Cookie: SESSION=ZGYzZGYXXXXXXXXXXXXXXXXXXXXXX; Domain=sophos.com; Path=/; Secure; HttpOnly; SameSite=Lax
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Correlation-ID: adc7802d-37f1-4c4e-8057-a6d53963846b
    X-Frame-Options: DENY
    X-XSS-Protection: 1
    
    {"error":{"code":"FORBIDDEN"}}
     
    2024-12-09 14:44:41 INFO czt-hub-connect[13410]:267 main::_tzt_get_challenge_payload - [TZT]: Connecting to Sophos Central HUB [https://utm.cloud.sophos.com/api/utm] failed for the 1 time. Retry in a second. 
    2024-12-09 14:44:44 WARN API.pm[13410]:119 SFOS::Common::Central::API::send_request - HTTP/1.1 403 Forbidden
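As an added example (not Sophos code and not from anyone in the thread), a small Python triage that reads the zt.log lines quoted above and separates a local failure (TPM signing never completing) from a Central-side refusal (the repeated 403 FORBIDDEN), pulling out the X-Correlation-ID that support will want with the case. The stage markers and regexes are assumptions based only on the lines in this thread; the sample input is those lines with the serial masked.

```python
"""Triage of SFOS zt.log output (added example, not Sophos code)."""
import re
from collections import Counter

# Markers in the order the thread's log reaches them (assumed from the thread).
STAGES = {
    "tpm_signed": "get_data_signed_by_tpm: Data signed successfully",
    "challenge_requested": "_tzt_get_challenge_payload",
    "gave_up": "failed 3 times. Exiting",
}
HTTP_STATUS_RE = re.compile(r"HTTP/1\.1 (\d{3}) ")
CORRELATION_RE = re.compile(r"X-Correlation-ID:\s*([0-9a-f-]{36})")

# Constructed sample input: the lines quoted in this thread, serial masked.
SAMPLE_LOG = """\
2024-12-09 14:44:35Z [TZT] get_data_signed_by_tpm: Data signed successfully
2024-12-09 14:44:39 INFO czt-hub-connect[13410]:234 main::_tzt_get_challenge_payload - [TZT]: Fetch challenge payload from Central [https://utm.cloud.sophos.com/api/utm] for Serial [X103XXXXXXXX]
2024-12-09 14:44:41 WARN API.pm[13410]:119 SFOS::Common::Central::API::send_request - HTTP/1.1 403 Forbidden
X-Correlation-ID: adc7802d-37f1-4c4e-8057-a6d53963846b
{"error":{"code":"FORBIDDEN"}}
2024-12-09 14:44:44 WARN API.pm[13410]:119 SFOS::Common::Central::API::send_request - HTTP/1.1 403 Forbidden
2024-12-09 14:56:21 INFO czt-hub-connect[11208]:347 main::_tzt_post_signed_data - [TZT]: Connecting to Sophos Central HUB [https://utm.cloud.sophos.com/api/utm] failed 3 times. Exiting
""".splitlines()


def triage(lines):
    """Summarise how far TZT got and why it stopped."""
    hit = {name: any(marker in l for l in lines) for name, marker in STAGES.items()}
    statuses = Counter(int(m.group(1)) for l in lines for m in [HTTP_STATUS_RE.search(l)] if m)
    ids = [m.group(1) for l in lines for m in [CORRELATION_RE.search(l)] if m]
    return {**hit, "http_status_counts": dict(statuses), "correlation_ids": ids,
            "verdict": classify(hit, statuses)}


def classify(hit, statuses):
    """Map the stage/status pattern onto where the fault sits."""
    if not hit["tpm_signed"]:
        return "local: TPM signing did not complete"
    if statuses.get(403):
        # Signing worked and Central answered, so DNS/NTP/WAN are fine; repeated
        # 403 FORBIDDEN is a Central-side refusal (the rate limit named in the thread).
        return "central: 403 FORBIDDEN on challenge fetch; quote X-Correlation-ID to support"
    if hit["challenge_requested"]:
        return "network: challenge requested but no HTTP response seen"
    return "unknown: TZT never reached the challenge step"


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```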
