Sophos Firewall: Troubleshooting Guide - Sophos Central cannot push group policy to Sophos Firewall

Sophos Central provides a centralized platform for firewall management. It also enables us manage firewall configration in group.

Occasionally, Sophos Central cannot push group policy to Sophos Firewall.

The article demonstrates a common error and how to fix it.

Error, ADS server name already exists in TBLADSSERVER

Symptom

A Sophos Firewall is registered to and managed by Sophos Central.

It is member of a firewall group "Lab3", but Sophos Central cannot push firewall group policy to it.

Sophos Central Admin > Firewall Management > Task Queue shows group policy sync failure.


Clicked on "Failed", there is error message: AD server could not be update | addc (Update ADS server)


Here is text version of Firewall Transaction Details

Firewall Transaction Details
ID : 13 | STATUS: FAILED | EVENT : UPDATE
AD server \"{srvname}\" could not be updated | addc (Update ADS server)
Error:: servertype type MisMatch (500)


{
"response": {
"Entity": "adsserver",
"Event": "UPDATE",
"status": "500",
"statusmessage": "Error:: servertype type MisMatch"
},
"msg_ids": "AD server \\\"{srvname}\\\" could not be updated"
}

Clicked on "SHOW MORE", it shows Sophos Central cannot add ADS server "addc" to Sophos Firewall, as it already exists

Here is text version of SHOW MORE

{
"opcodeID": 2,
"entityID": 307,
"entityName": "add_ADS_server",
"opcodeType": 1,
"orderID": 0,
"opcodeString": "",
"responseStatus": "{\"Event\":\"ADD\",\"statusmessage\":\"ADS SERVER NAME ALREADY EXISTS IN TBLADSSERVER\",\"Entity\":\"adsserver\",\"status\":\"503\"}",
"uniqueName": "addc-307",
"updateFlag": "f",
"mainEntity": "t"
}

Investigation

There is Authentication Server "ADDC" on Sophos Firewall.

On Sophos Central, firewall group policy has an authentication server with name "addc",

On Sophos Firewall, authentication server name is case insensitive, and duplicate server name with same IP address is not allowed. Therefore, Sophos Central cannot push the configuration to Sophos Firewall.

Solution

- Create a same Authentication Server "ADDC" 192.168.20.5 on Sophos Central firewall group policy, or

- Delete the authentication server "ADDC" from Sophos Firewall, and then retry the task in Sophos Central Admin > Firewall Management > Task Queue, so that authentication server "addc" will be pushed to Sophos Firewall.

Edition History

2022-08-10, first edition



first edition
[edited by: taowang at 2:15 AM (GMT -7) on 10 Aug 2022]