
"Failed to check for updates" with upstream proxy

I'm getting the error "Failed to check for updates" (message id 18029) when I search for firmware updates or pattern updates on a Sophos XGS 128 (SFOS 21.0.1 MR-1-Build277).

The output of /log/u2d.log

DEBUG 2025-08-14 09:25:51Z [30716]: --fwversion = 21.0.1.277
DEBUG 2025-08-14 09:25:51Z [30716]: --productcode = CN
DEBUG 2025-08-14 09:25:51Z [30716]: --model = XGS128
DEBUG 2025-08-14 09:25:51Z [30716]: --vendor = XN01
DEBUG 2025-08-14 09:25:51Z [30716]: --pkg_sysupdate_version = 7
DEBUG 2025-08-14 09:25:51Z [30716]: --oem = Sophos
DEBUG 2025-08-14 09:25:51Z [30716]: --server = u2d.sophos.com
DEBUG 2025-08-14 09:25:51Z [30716]: --port = 443
DEBUG 2025-08-14 09:25:51Z [30716]: Added new server : Host - u2d.sophos.com, Port - 443
DEBUG 2025-08-14 09:25:51Z [30716]: --u2d_proto = 2.00
DEBUG 2025-08-14 09:25:51Z [30716]: --mem = 7440
DEBUG 2025-08-14 09:25:51Z [30716]: --cpu = 4
DEBUG 2025-08-14 09:25:51Z [30716]: Final query string is :
?&serialkey=0000&deviceid=0000&fwversion=21.0.1.277&productcode=CN&appmodel=XGS128&appvendor=XN01&useragent=SF&oem=Sophos&pkg_sysupdate_version=7&u2d_proto=2.00&mem=7440&cpu=4
DEBUG 2025-08-14 09:26:06Z [30716]: Response code : 0
DEBUG 2025-08-14 09:26:06Z [30716]: Response body :
DEBUG 2025-08-14 09:26:06Z [30716]: Response length : 0
ERROR 2025-08-14 09:26:06Z [30716]: Response not parsed successfully.
ERROR 2025-08-14 09:26:06Z [30716]: FATAL : Error in parsing response, exiting.


I use an active-passive HA and have configured an upstream proxy.

When I try 'curl "https://u2d.sophos.com"' in the CLI, I get the error "Connection reset by peer".
If a network client calls "https://u2d.sophos.com" via the web proxy/upstream proxy, it gets an HTTP 403 (Access Forbidden), which I would have expected.


Can system updates be checked via an upstream proxy?

Or must the updates go over a connection without an upstream proxy? (Which routes/NAT rules/firewall rules/... are necessary?)



Added TAGs
[edited by: Raphael Alganes at 1:50 PM (GMT -7) on 14 Aug 2025]
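
Added example (not part of the original post and not Sophos tooling): a small Python parser for the u2d.log format shown above that groups lines by process id and flags update checks that ended with response code 0 and length 0. Reading that pair as "no HTTP response arrived" is an assumption, and the function name `summarize` is hypothetical.

```python
import re
from datetime import datetime

# Lines taken from the u2d.log excerpt in the post above (trimmed to the relevant ones).
SAMPLE_LOG = """\
DEBUG 2025-08-14 09:25:51Z [30716]: --server = u2d.sophos.com
DEBUG 2025-08-14 09:25:51Z [30716]: --port = 443
DEBUG 2025-08-14 09:25:51Z [30716]: Final query string is :
DEBUG 2025-08-14 09:26:06Z [30716]: Response code : 0
DEBUG 2025-08-14 09:26:06Z [30716]: Response body :
DEBUG 2025-08-14 09:26:06Z [30716]: Response length : 0
ERROR 2025-08-14 09:26:06Z [30716]: Response not parsed successfully.
ERROR 2025-08-14 09:26:06Z [30716]: FATAL : Error in parsing response, exiting.
"""

LINE_RE = re.compile(r"^(DEBUG|ERROR) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z \[(\d+)\]: (.*)$")
FIELD_RE = re.compile(r"^(?:--)?(server|port|Response code|Response length)\s*[:=]\s*(\S+)")

def summarize(log_text):
    """Group u2d.log lines by process id and summarize each update check."""
    runs = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # e.g. the query string, which is logged on its own line
        level, stamp, pid, msg = m.groups()
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        run = runs.setdefault(pid, {"first": ts, "errors": []})
        run["last"] = ts
        f = FIELD_RE.match(msg)
        if f:
            run[f.group(1)] = f.group(2)
        if level == "ERROR":
            run["errors"].append(msg)
    for run in runs.values():
        # Time between the first and last line of the check (the wait for a reply).
        run["seconds"] = (run["last"] - run["first"]).total_seconds()
        # Assumption: code 0 with length 0 means no HTTP response arrived at all
        # (reset, timeout, TLS failure), unlike a proxy denial such as HTTP 403.
        run["no_http_response"] = (run.get("Response code") == "0"
                                   and run.get("Response length") == "0")
    return runs

if __name__ == "__main__":
    for pid, run in summarize(SAMPLE_LOG).items():
        print(pid, run.get("server"), run.get("port"), run["seconds"], run["no_http_response"])
```
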