
Sophos Firewall: Troubleshooting Guide - Sophos Central cannot push group policy to Sophos Firewall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

Sophos Central provides a centralized platform for firewall management. It also lets administrators manage the configuration of several firewalls at once through firewall groups.

Occasionally, Sophos Central can't push group policy to Sophos Firewall.

The article demonstrates a common error and how to fix it.

Error: ADS server name already exists in TBLADSSERVER

Symptom

A Sophos Firewall is registered to and managed by Sophos Central.

It is a member of the firewall group "Lab3", but Sophos Central cannot push the firewall group policy to it.

Sophos Central Admin > Firewall Management > Task Queue shows group policy sync failure.

Clicking "Failed" shows the error message: AD server could not be updated | addc (Update ADS server)


Here is a text version of the Firewall Transaction Details:

Firewall Transaction Details
ID : 13 | STATUS: FAILED | EVENT : UPDATE
AD server \"{srvname}\" could not be updated | addc (Update ADS server)
Error:: servertype type MisMatch (500)


{
  "response": {
    "Entity": "adsserver",
    "Event": "UPDATE",
    "status": "500",
    "statusmessage": "Error:: servertype type MisMatch"
  },
  "msg_ids": "AD server \\\"{srvname}\\\" could not be updated"
}

Clicking "SHOW MORE" shows that Sophos Central can't add the ADS server "addc" to Sophos Firewall because a server with that name already exists.

Here is a text version of SHOW MORE:

{
  "opcodeID": 2,
  "entityID": 307,
  "entityName": "add_ADS_server",
  "opcodeType": 1,
  "orderID": 0,
  "opcodeString": "",
  "responseStatus": "{\"Event\":\"ADD\",\"statusmessage\":\"ADS SERVER NAME ALREADY EXISTS IN TBLADSSERVER\",\"Entity\":\"adsserver\",\"status\":\"503\"}",
  "uniqueName": "addc-307",
  "updateFlag": "f",
  "mainEntity": "t"
}

Investigation

There is an Authentication Server named "ADDC" on Sophos Firewall.

On Sophos Central, the firewall group policy has an authentication server with the name "addc".

The authentication server name is case-insensitive on Sophos Firewall, and duplicate server names with the same IP address are not allowed. Therefore, Sophos Central can't push the configuration to Sophos Firewall.
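The following Python script is an added example, not part of this article and not Sophos code. It does two things a practitioner would want when triaging this failure: it decodes the Task Queue "SHOW MORE" record, whose responseStatus field is a JSON document embedded as a string inside the outer JSON and so has to be decoded twice, and it runs the case-insensitive name comparison described above against a constructed list of authentication servers to find the collision before the push is attempted. The sample record, the server lists and the helper function names are all constructed for illustration; the script does not talk to Sophos Central or to the firewall.

```python
import json

# Constructed sample: a failed Task Queue record as shown under "SHOW MORE".
# The raw string keeps the backslash-escaped quotes exactly as the outer JSON carries them.
SHOW_MORE_RECORD = r"""{
  "opcodeID": 2,
  "entityID": 307,
  "entityName": "add_ADS_server",
  "opcodeType": 1,
  "orderID": 0,
  "opcodeString": "",
  "responseStatus": "{\"Event\":\"ADD\",\"statusmessage\":\"ADS SERVER NAME ALREADY EXISTS IN TBLADSSERVER\",\"Entity\":\"adsserver\",\"status\":\"503\"}",
  "uniqueName": "addc-307",
  "updateFlag": "f",
  "mainEntity": "t"
}"""

# Constructed sample data: (name, IP) pairs. The firewall already has "ADDC",
# the Central group policy wants to add "addc" with the same address.
FIREWALL_AUTH_SERVERS = [("ADDC", "192.168.20.5"), ("radius1", "192.168.20.9")]
POLICY_AUTH_SERVERS = [("addc", "192.168.20.5"), ("ldap-backup", "192.168.20.7")]


def parse_task_failure(record_text: str) -> dict:
    """Flatten a failed Task Queue record (hypothetical helper).

    The outer document is JSON; its responseStatus value is itself a JSON
    document stored as a string, so json.loads is applied a second time.
    """
    outer = json.loads(record_text)
    inner = json.loads(outer["responseStatus"])
    return {
        "entity": outer["entityName"],
        "unique_name": outer["uniqueName"],
        "event": inner["Event"],
        "status": int(inner["status"]),
        "message": inner["statusmessage"],
    }


def find_auth_server_conflicts(firewall_servers, policy_servers) -> list:
    """Report policy servers whose name already exists on the firewall.

    Names are compared with str.casefold() because Sophos Firewall treats
    authentication server names as case-insensitive, so "ADDC" and "addc"
    are the same server. Each conflict records whether the IP also matches
    and whether the spelling differs, which decides the remediation.
    """
    existing = {name.casefold(): (name, ip) for name, ip in firewall_servers}
    conflicts = []
    for name, ip in policy_servers:
        hit = existing.get(name.casefold())
        if hit is None:
            continue
        fw_name, fw_ip = hit
        conflicts.append({
            "policy_name": name,
            "firewall_name": fw_name,
            "policy_ip": ip,
            "firewall_ip": fw_ip,
            "same_ip": ip == fw_ip,
            "exact_name_match": name == fw_name,
        })
    return conflicts


def remediation_hint(conflict: dict) -> str:
    """Map a conflict to one of the two options the article gives."""
    if conflict["same_ip"]:
        return (f'Either define "{conflict["firewall_name"]}" identically in the '
                f'group policy, or delete "{conflict["firewall_name"]}" on the '
                f'firewall and retry the task in the Task Queue.')
    # Same name pointing at a different address: a push would change
    # an existing server, so the name should be resolved first.
    return (f'"{conflict["policy_name"]}" reuses the name of a firewall server '
            f'with a different IP ({conflict["firewall_ip"]}); resolve the name clash first.')


if __name__ == "__main__":
    failure = parse_task_failure(SHOW_MORE_RECORD)
    print(f'{failure["unique_name"]}: {failure["event"]} -> {failure["status"]} {failure["message"]}')
    for c in find_auth_server_conflicts(FIREWALL_AUTH_SERVERS, POLICY_AUTH_SERVERS):
        print(f'conflict: policy "{c["policy_name"]}" vs firewall "{c["firewall_name"]}"')
        print("  " + remediation_hint(c))
```

Running the script prints the decoded 503 "ADS SERVER NAME ALREADY EXISTS IN TBLADSSERVER" status and one conflict, "addc" against "ADDC" at the same address, which is exactly the situation this article describes. Feeding the function the real server lists exported from the firewall and from the group policy would surface the clash before the task is queued.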

Solution

- Create the same authentication server "ADDC" (192.168.20.5) in the Sophos Central firewall group policy, or

- Delete the authentication server "ADDC" from Sophos Firewall, and then retry the task in Sophos Central Admin > Firewall Management > Task Queue so that the authentication server "addc" is pushed to Sophos Firewall.




[edited by: Erick Jan at 11:33 AM (GMT -7) on 17 Sep 2024]