Sophos Firewall: License Sync Failed

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview
Scenario
What to do

Overview

This recommended read describes the troubleshooting steps & possible solutions when you get an error "Synchronization with server failed" while unable to sync the license of a Sophos device.

Scenario

Not able to sync the purchased license on Sophos Firewall.
Getting error "Synchronization with server failed" while syncing purchased license.

What to do

Step: 1 Correct Activation Key

Please use the correct activation key given by the licensing team – when syncing the license for the first time on your new device.
Check license details on the mySophos account portal for a specific appliance and confirm those are registered/displayed correctly. The below steps will help you with the path to check the same:
- Sign in to the Licensing Portal (id.sophos.com).
- Go to My Sophos > Network Protection > View Devices > Search for the appliance's serial number and check the subscription validity.

Note: For more info about licenses, see - https://support.sophos.com/support/s/article/KB-000038005?language=en_US

Step: 2 Internet Connectivity

Check that the appliance has good internet connectivity.
Try to sync the license, verify the error on GUI, and collect the logs via SSH (https://support.sophos.com/support/s/article/KB-000038697?language=en_US).
- GUI > Administration> Licensing > click Synchronize: Wait until you see the error.
- SSH > Login > 5. Device Management > 3. Advanced Shell > Use the below command to see the logs of license sync.
  - ```
  tail -f /log/licensing.log
```

Note: Start the log file using the above command and sync the license to get the appropriate logs.

To retrieve the license and sync the Sophos Firewall try to contact any of the following domains/servers:
- eu-prod-utm.soa.sophos.com
- eu-prod-csr.soa.sophos.com
From the logs, you'll get the "server name" from which the device is fetching the licensing info. Note - The keyword to find the server-name is "URL"

Do the nslookup to the server name and check the tcpdump to confirm the connectivity status.

Command to do lookup -

Command to check tcpdump -

To confirm the connectivity with the server, you may check the telnet and openssl connection with the below commands:
```
# telnet eu-prod-utm.soa.sophos.com 443
# openssl s_client -connect eu-prod-utm.soa.sophos.com:443
```

If there's no issue with the connectivity, you may get the below outcome:

# openssl s_client -connect eu-prod-utm.soa.sophos.com:443
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = GB, ST = Oxfordshire, L = Abingdon, O = Sophos Ltd., CN = *.soa.sophos.com
verify return:1
---
Certificate chain
0 s:/C=GB/ST=Oxfordshire/L=Abingdon/O=Sophos Ltd./CN=*.soa.sophos.com
.. i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
.. i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHQTCCBimgAwIBAgIMO+m+m/tuZVmw8GYUMA0GCSqGSIb3DQEBCwUAMGYxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTwwOgYDVQQDEzNH
bG9iYWxTaWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0g
RzIwHhcNMTgwMTMwMTAzMTAxWhcNMjEwMzA2MjA0MTAxWjBnMQswCQYDVQQGEwJH
QjEUMBIGA1UECBMLT3hmb3Jkc2hpcmUxETAPBgNVBAcTCEFiaW5nZG9uMRQwEgYD
VQQKEwtTb3Bob3MgTHRkLjEZMBcGA1UEAwwQKi5zb2Euc29waG9zLmNvbTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKvs9pl1VOTx5jRBdruY4kA6BASe
Mcdm8gL6uCXQrubH4PZ/zuLV5tKdaAqoEIpJd2Ry9Fpmyw5zhqcZOFhngD0a+Ey8
EjCCTnMBhSAtVNO8e+Q4pQsJNiTIkipMh2cSpNGxFbaEM/q7xCKNoQgl22tdtHf8
qmW+HUAuZQm0AG678JI1bH7xE4gXieqn5R7TdJ8k5XcCzwz1EOXqf0qwkF1XmKA4
8b+dTAJZvAJzKNv7H/rBHcvtM/1fYHrLudrGb8h5mVg0EpbrKVv7dNwEZ91LfN91
Whwrko5iVZ8JaaxiSno2/DjR2Lzk4FQhOhIXUw2XRAX3cgS13fYGEVgNGHcCAwEA
AaOCA+wwggPoMA4GA1UdDwEB/wQEAwIFoDCBoAYIKwYBBQUHAQEEgZMwgZAwTQYI
gBSW3mHxvRwWKVMcwMx9O4MAQOYafDCCAfcGCisGAQQB1nkCBAIEggHnBIIB4wHh
AHYA3esdK3oNT6Ygi4GtgWhwfi6OnQHVXIiNPRHEzbbsvswAAAFhRp670AAABAMA
RzBFAiANenoxg7rJCcsh2qvqrrzbDugyVuN/lwGq4040Z1WQ3wIhAMJI4WaoXNFr
+4AB40U9pnsIvWz1TZaCPmo5XTIzJqbuAHYAVhQGmi/XwuzT9eG9RLI+x0Z2ubyZ
EVzA75SYVdaJ0N0AAAFhRp68JgAABAMARzBFAiB9aKYcJowWzqr+3WXqBzpJihIW
L9cdiNLomojqxZbQKwIhAPiQ56UQoTdpYfTa7DYdsPUgB1rRjrMhj3J3UL6PGV4a
AHYApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFhRp6/EgAABAMA
RzBFAiAn5qxiaM3T7PrTsGCZ2c+9f+ym9OXtEjxuj8WWTficUgIhAKXrz4eAE7rH
GKujyICgs8uqmcpRJjjcnw3FmoSOiH3tAHcA7ku9t3XOYLrhQmkfq+GeZqMPfl+w
ctiDAMR7iXqo/csAAAFhRp7BggAABAMASDBGAiEAhW3V9icWo6SBIgeJVgjo6z3r
KlpTMq3X5+5ThVEq9nECIQCktZCw3PVghPU2UVIxrp/k2DUa6MOX5BE9V0ve+flY
jTANBgkqhkiG9w0BAQsFAAOCAQEAvJHsCp1fcvAfxbf0LCFJu9hIfFtM4J3pfSiI
voW9IV2bGM2xRmtA5NToFekN/vX2HrYhB0rqME2+FI5jLpRO2WNBoGWxQSB5LF7m
w7n+gkoIRewoGpdA47JT+0zfIplNVG851Ju274WngdCfDZdBtiqQn6L7Eq61IrzU
tdlGS5ow2pQfWuMLc18mGzNj8q2Ijvo3q15ZK7R83unu3FrV58RukQovp3qew+ws
wlvUY3GRap3Xyk5WtDPVSBJNw2iYejWRdj4axagqUj6IKqhZnBwYgrmYHq0DPHeI
2O+m7NXKSN1PY943uoawrjsSThW84uR0oyHPN8+UOJjCFx04AQ==
-----END CERTIFICATE-----
subject=/C=GB/ST=Oxfordshire/L=Abingdon/O=Sophos Ltd./CN=*.soa.sophos.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2 
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-521, 521 bits
---
SSL handshake has read 3605 bytes and written 552 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
........... Protocol. : TLSv1.2
........... Cipher : ECDHE-RSA-AES256-SHA384
........... Session-ID: 3C3C000060F56ACD91AB1C424061500D598251B31BCBBD6F6F3CDF11100E02B0
........... Session-ID-ctx:
Master-Key: A8F2B1B280A9024573DE727DADBF87019FE7AC991A6B7B
3682BFC65818BC47973033AACBDE25280367B5FE61456EADBF
........... Key-Arg.. : None
........... PSK identity: None
........... PSK identity hint: None
........... SRP username: None
........... Start Time: 1523308380
........... Timeout.. : 300 (sec)
........... Verify return code: 0 (ok).

If you observe connectivity-related issues, please see the common reasons below:
- The upstream device is blocking the Traffic.
- ISP is blocking/ not allowing the connection.

Step: 3 Sync License

If you have multiple ISPs, you can sync the license by using either of the ISP connections to figure out the issue either by CLI or UI using the below options:
Create an SDWAN route to route the Traffic to the licensing servers through a specific ISP.

Once the SD-WAN route is created, we would also need to enable the system-generated Traffic for SD-WAN traffic.
Please refer doc.sophos.com/.../index.html
You can also create the SYSTEM NAT from the CLI to pass the Traffic from a specific ISP. The options to add the sys-traffic-nat would be available in the command guide(https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/v16/SF-OS-Command-Reference-Guide.pdf). If required help reach-out to Sophos support.

NAT policy for system originated Traffic
---------------------
. . Destination Network.... Destination Netmask.... Interface...... SNAT IP
....... 52.209.248.4. . . . . . . 255.255.255.255. . . . . . . . . . . . .14.139.61.129
....... 54.72.168.115. . . . . . 255.255.255.255. . . . . . . . . . . . .14.139.61.129
....... 34.249.219.184......... 255.255.255.255....................... 14.139.61.129

Step: 4 Certificate Error

If there are any errors related to the invalid certificate or certificate signing failures, check below:
Go to the Certificates > Certificates Authorities > Confirm the Default certificate is filled up correctly with all the details.

Ensure that the date on the device is correctly set.
Verify if the certificate and its key are present. Check the key files using the below commands:
```
#.ls -larth /content/licensing/
```

The output of above command would look as follows:

If the internet connection is OK with the device, and the server connectivity is perfect from a device to the licensing server, start the licensing.log file and then sync the license from GUI to see the accurate logs.
- Apart from licensing.log, you can check - csc-debug, applog.log.

Sample logs:

INFO Jun 25 17:00:15 [0]: --requestType = 2
INFO Jun 25 17:00:15 [0]: --lastCheckCode = 46dbf4cf-b4b0-43b1-bf99-24c1f7de0ab3
INFO Jun 25 17:00:15 [0]: --cert = /content/licensing/lic_csr.pem
INFO Jun 25 17:00:15 [0]: --token = Token-Id: C320A0000000000
INFO Jun 25 17:00:15 [0]: --key = /content/licensing/lic_csr.key
INFO Jun 25 17:00:15 [0]: URL : https://eu-prod-utm.soa.sophos.com/api/device/2/license
INFO Jun 25 17:00:26 [0]: response : {"errorCode":"ITSERVICELAYER_CLIENT_AUTHENTICATION_ERROR","message":"Authentication failed","statusCode":403,"trackingId":"a0430985-badc-4423-8865-bb252fe849f6"}
ERROR Jun 25 17:00:26 [0]: license_check failed : Authentication failed
ERROR Jun 25 17:00:26 [0]: licensing_do_licensecheck() :parsing response failed...

####################################################

generate certificate signing request (CSR) Thu Jun 25 17:00:27 IST 2020

Thu Jun 25 17:00:28 IST 2020 certificate signing request generated with status :: 0

####################################################

INFO Jun 25 17:00:28 [0]: --requestType = 4
INFO Jun 25 17:00:28 [0]: --serial = C320A0000000000
INFO Jun 25 17:00:28 [0]: --deviceid = 68bbbf67aea2179b44673104389b4b4288f7
INFO Jun 25 17:00:28 [0]: --cert = /_conf/certificate/licensing/mfgr_vendor_AM.pem
INFO Jun 25 17:00:28 [0]: --key = /_conf/certificate/licensing/mfgr_vendor_AM.key
INFO Jun 25 17:00:28 [0]: URL : https://eu-prod-csr.soa.sophos.com/api/certificate/1/signing
INFO Jun 25 17:00:28 [0]: certificate_signing_request() : request : { "serialNumber":"C0A0B74XT26MYED", "deviceId":"68bbbf67aea2179b44673104389b4b4288f7", "certificateSigningRequest":"-----BEGIN CERTIFICATE REQUEST-----
MIIDIjCCAgoCAQAwgZcxCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtPeGZvcmRzaGly
ZTERMA8GA1UEBwwIQWJpbmdkb24xFDASBgNVBAoMC1NvcGhvcyBMdGQuMQwwCgYD
VQQLDANOU0cxGzAZBgNVBAMMElNGX0MwQTBCNzRYVDI2TVlFRDEeMBwGCSqGSIb3
DQEJARYPaW5mb0Bzb3Bob3MuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA658alZf50aD2k0YnFKIfRXY9zX6CJydKthgzSBSsEvAhW4ZsfUEP94+n
cQrJ03H6ydZ3TRoNZF9tUa2fEUo882yT+iKqeRO7zIo44QGXFu4uuf33gmTGyZR/
HCyNvRtnPoffKszUu9LcyXfB8bfsYdPOn77hd2AlnRi0OU5EJncyGI3si5vFIGqO
9lmAljIlhiDeuoUjxsYBCkKm+ezr9zwFTV8St8q/l2WMtj0Ld8yXVS/B96MvZECZ
1GOea1q3wmof6J0xPmHL0b6yJ2uR0kPwMvg6TWIO8EJRqCNWnj9p0eOdinHF9PHW
aK4v94/SJrVl5r7pCZVJiAsrqUSGnwIDAQABoEUwGgYJKoZIhvcNAQkCMQ0MC1Nv
cGhvcyBMdGQuMCcGCSqGSIb3DQEJDjEaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMC
BeAwDQYJKoZIhvcNAQELBQADggEBADPgNyafi3WUqIOlTMdVjLapnZb5C99ESBoE
sI1d57iKOsKFAQCdEMxom2cJA4B6MISeBSvu0laE95pNfkdbRV3H7+sZgVvc6+We
sy4HaXFBSEMXxOQTcr2gaLVDi+PJk4wPha/E2yiP4i4+fHMe8mvNQuFNivcBr7eX
gn8cQRYp6hGnbfZF2v5opkoWu4y4bKNwE9GxKkBqawDE1HKiG3PIOFqRcVjhA7iO
Q57Ku/U93AB6+E85ZLH76e0OSE+7LRpPSfwBjm0wfx1R9dmD6QVTLmIci/MBdXh6
lO96QOwY0zP9Au6+mHtXg2KWgtBXuoSfmQgIDhi5Nmnf8Bg4Mos=
-----END CERTIFICATE REQUEST-----
"}
INFO Jun 25 17:00:30 [0]: certificate_signing_request() : response :{"errorCode":"ITSERVICELAYER_DEVICE_NOTFOUND_ERROR","message":"Device not.found","statusCode":404,"trackingId":"b7b4f2b0-8ee9-4900-86a3-385cfb674e3d"}
ERROR Jun 25 17:00:30 [0]: Certificate signing Failed : Device not found...:(
ERROR Jun 25 17:00:30 [0]: certificate signing request() : parsing failed....

Jun 25 17:03:54 getpublickey success Key: 68bbbf67aea2179b44673104389b4b4288f7
Jun 25 17:04:08 lic_csr lock waiting
Jun 25 17:04:08 lic_csr lock acquired
Jun 25 17:04:09 getpublickey success Key: 68bbbf67aea2179b44673104389b4b4288f7
Jun 25 17:04:19 lic_csr lock released on fail
Jun 25 17:04:20 System is not updated since 11 days
Jun 25 17:04:20 MODULE :base
Jun 25 17:04:21 getpublickey success Key: 68bbbf67aea2179b44673104389b4b4288f7
Jun 25 17:04:21 REG STATUS:Active###XG86###L0009704722###0001-01-01###2999-12-31###Purchased
Jun 25 17:04:21 EXPIREDAYS :357773
Jun 25 17:04:21 MODULE :net
Jun 25 17:04:21 getModuleInformation opcode failed
Jun 25 17:04:21 REG STATUS :fail
Jun 25 17:04:21 MODULE :web
Jun 25 17:04:22 getModuleInformation opcode failed
Jun 25 17:04:22 REG STATUS :fail
Jun 25 17:04:22 MODULE :email:
Jun 25 17:04:22 getModuleInformation opcode failed
Jun 25 17:04:22 REG STATUS :fail
Jun 25 17:04:22 MODULE :waf
Jun 25 17:04:23 getModuleInformation opcode failed
Jun 25 17:04:23 REG STATUS :fail
Jun 25 17:04:23 MODULE :sand
Jun 25 17:04:23 getModuleInformation opcode failed
Jun 25 17:04:23 REG STATUS :fail
Jun 25 17:04:23 MODULE :esup
Jun 25 17:04:23 getModuleInformation opcode failed
Jun 25 17:04:23 REG STATUS :fail
Jun 25 17:04:23 MODULE :epsup
Jun 25 17:04:24 getModuleInformation opcode failed
Jun 25 17:04:24 REG STATUS :fail
Jun 25 17:04:24 MODULE EXPIRE LIST :
Jun 25 17:04:24 MODULE EXPIRE WITHIN 5 DAYS :
Jun 25 17:04:24 MODULE EXPIRE WITHIN 10 DAYS :
Jun 25 17:04:24 MODULE EXPIRE WITHIN 20 DAYS :
Jun 25 17:04:24 Request type = 1
Jun 25 17:04:24 apiInterface:versionsupported: true.
Jun 25 17:04:24 apiInterface:request mode -> 1804.
Jun 25 17:04:24 apiInterface:Current ver :::'1702.1'
Jun 25 17:04:24 apiInterface:entityjson::::::::HASH(0x9a58eb0)
Jun 25 17:04:24 Info:: Transaction will not be rolled back for opcode lic_registrationinfo. If any operation fails, request is part of multiple request :
Jun 25 17:04:26 Request type = 1
Jun 25 17:04:26 apiInterface:versionsupported: true.
Jun 25 17:04:26 apiInterface:request mode -> 1803.
Jun 25 17:04:26 apiInterface:Current ver :::'1702.1'
Jun 25 17:04:26 apiInterface:entityjson::::::::HASH(0x9a58f60)
Jun 25 17:04:26 info:: Transaction will not be rolled back for opcode lic_subinfo. If any operation fails, request is part of multiple request :

DEBUG Jun 25 17:04:19 [worker:1940]: request name = lic_csr
DEBUG Jun 25 17:04:19 [worker:1940]: # OPCODE Exited: 'lic_csr' with Status: '500'
INFO Jun 25 17:04:19 [daily_lic_check:1829]: create_act_out_perl_obj: varname=out
INFO Jun 25 17:04:19 [daily_lic_check:1829]: create_act_out_perl_obj: out.status=500
INFO Jun 25 17:04:19 [daily_lic_check:1829]: create_act_out_perl_obj: out.error=OK
INFO Jun 25 17:04:19 [daily_lic_check:1829]: opcode 'daily_lic_check': time taken: 26.308560849 seconds
INFO Jun 25 17:04:19 [daily_lic_check:1829]: opcode 'daily_lic_check': time taken: 26.308560849 seconds
DEBUG Jun 25 17:04:19 [worker:1829]: request name = daily_lic_check
DEBUG Jun 25 17:04:19 [worker:1829]: # OPCODE Exited: 'daily_lic_check' with Status: '500'
INFO Jun 25 17:04:19 [lic_check:1897]: create_act_out_perl_obj: varname=out
INFO Jun 25 17:04:19 [lic_check:1897]: create_act_out_perl_obj: out.status=500
INFO Jun 25 17:04:19 [lic_check:1897]: create_act_out_perl_obj: out.error=Opcode Failed
INFO Jun 25 17:04:19 [lic_check:1897]: do_at: (daily_lic_chk:add)
INFO Jun 25 17:04:19 [lic_check:1897]: do_at: (daily_lic_chk:add)
INFO Jun 25 17:04:19 [lic_check:1897]: do_at: ATTRIBUTE(hours 24) OPCODE(lic_check)
INFO Jun 25 17:04:19 [lic_check:1897]: do_at: ATTRIBUTE(hours 24) OPCODE(lic_check)
INFO Jun 25 17:04:19 [lic_check:1897]: ACTION: DLOPEN(do_nvram_eget, li.rdm)
ERROR Jun 25 17:04:19 [timer:783]: add_sched_node: timer daily_lic_chk already exist
INFO Jun 25 17:04:19 [lic_check:1897]: do_nvram_eget: li.rdm in rdm var
INFO Jun 25 17:04:19 [lic_check:1897]: ACTION: CALL handle_incommunicado_timer
DEBUG Jun 25 17:04:19 [lic_check:1897]: do_ao: OPCODE lic_inc_period
DEBUG Jun 25 17:04:19 [lic_check:1897]: do_ao: OPCODE lic_inc_period
DEBUG Jun 25 17:04:19 [lic_check:1897]: do_ao: OPCODE lic_inc_period CONTENT-TYPE:text, BODY_LEN:0
DEBUG Jun 25 17:04:19 [lic_check:1897]: do_ao: OPCODE lic_inc_period CONTENT-TYPE:text, BODY_LEN:0
DEBUG Jun 25 17:04:19 [lic_check:1897]: do_ao: OPCODE update_cr_alerts
DEBUG Jun 25 17:04:19 [lic_check:1897]: do_ao: OPCODE update_cr_alerts CONTENT-TYPE:text, BODY_LEN:0
DEBUG Jun 25 17:04:19 [lic_check:1897]: do_query: 'select servicevalue from tblclientservices where servicekey = 'initialsetup''
DEBUG Jun 25 17:04:19 [lic_check:1897]: do_query: 'select servicevalue from tblclientservices where servicekey = 'initialsetup''
DEBUG Jun 25 17:04:19 [lic_check:1897]: Initializing database handle
DEBUG Jun 25 17:04:19 [worker:1984]: # OPCODE Called: 'lic_inc_period'
DEBUG Jun 25 17:04:19 [worker:1984]: request name = lic_inc_period
DEBUG Jun 25 17:04:19 [worker:1984]: ### insert_uuid: hdr: len=0 content=1 method=1 name=lic_inc_period
INFO Jun 25 17:04:19 [lic_check:1897]: create_act_out_perl_obj: varname=out
INFO Jun 25 17:04:19 [lic_check:1897]: create_act_out_perl_obj: out.status=0
INFO Jun 25 17:04:19 [lic_check:1897]: create_act_out_perl_obj: JSON out.output={ "servicevalue": [ "0" ] }
DEBUG Jun 25 17:04:19 [lic_check:1897]: json_to_perl: Object
DEBUG Jun 25 17:04:19 [lic_check:1897]: json_to_perl: Array
DEBUG Jun 25 17:04:19 [lic_check:1897]: do_ao: OPCODE lic_appliance_update
DEBUG Jun 25 17:04:19 [lic_check:1897]: do_ao: OPCODE lic_appliance_update
DEBUG Jun 25 17:04:19 [lic_check:1897]: do_ao: OPCODE lic_appliance_update CONTENT-TYPE:text, BODY_LEN:0
DEBUG Jun 25 17:04:19 [lic_check:1897]: do_ao: OPCODE lic_appliance_update CONTENT-TYPE:text, BODY_LEN:0
INFO Jun 25 17:04:19 [lic_check:1897]: UNLOCK: 28
DEBUG Jun 25 17:04:19 [worker:1961]: # OPCODE Called: 'lic_appliance_update'
DEBUG Jun 25 17:04:19 [worker:1961]: request name = lic_appliance_update
DEBUG Jun 25 17:04:19 [worker:1961]: ### insert_uuid: hdr: len=0 content=1 method=1 name=lic_appliance_update
INFO Jun 25 17:04:19 [lic_check:1897]: opcode 'lic_check': time taken: 26.753769911 seconds
INFO Jun 25 17:04:19 [lic_check:1897]: opcode 'lic_check': time taken: 26.753769911 seconds
DEBUG Jun 25 17:04:19 [worker:1897]: request name = lic_check
DEBUG Jun 25 17:04:19 [worker:1897]: response content = '{ "status": "500", "statusmessage": "License Check Failed" }'
DEBUG Jun 25 17:04:19 [worker:1897]: # OPCODE Exited: 'lic_check' with Status: '500'
INFO Jun 25 17:04:19 [apiInterface:1900]: create_act_out_perl_obj: TEXT out.output={ "status": "500", "statusmessage": "License Check Failed" }
DEBUG Jun 25 17:04:19 [worker:1900]: response content = '{ "status": "500", "statusmessage": "License Check Failed" }

Verify the public key and the device ID in the Sophos Firewall using the following commands:
From the Advanced Shell, type:
- ```
# opcode getpublickey -ds nosync
```

From the Device Console, type:

console> system diagnostics show version-info

If you continue observing this issue after following all the steps above, please reach out to the Sophos Support team (support.sophos.com) with the following information:

Are you facing this issue after an RMA/replacement of the device?
Share the error message which you receive while syncing the license from the web GUI?
As mentioned in step-1, share the snap/picture of the subscription from your licensing portal.
As mentioned in step-2, share the outputs of nslookup, tcpdump, logs(licensing.log), and openssl commands.
How many ISPs do you have?
If you have multiple ISPs - Have you tried with SYSNAT or SD WAN route? Please share the snapshot of the configuration.
Share the output of the page certificate > Certificate authority.
Enable support tunnel and share the access ID as per KBA - https://support.sophos.com/support/s/article/KB-000035546?language=en_US.

Revamped RR Added Horizontal lines, Table of contents Corrected Grammar Updated Links and screenshots ^EV Horizontal Bottom Line Removed the ":" from the titles
[edited by: emmosophos at 12:15 AM (GMT -8) on 24 Nov 2023]

Dan Norman over 1 year ago

I am experiencing the same issue. However, I am using the home version. The only resolution I have seen is for the user to reinstall the software and the license. Is there another solution without me reinstalling the software and license?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel