This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Trouble adding APX 320 to Sophos Central

Hello

I'm having trouble adding my APX 320 access point to my Sophos Central, that is connected through a Sophos XG 115 firewall, that has been added to Sophos Central via central synchronization.
When i try to add the access point via "Wireless" in Sophos Central it runs for 5 minutes before timeout occours.

I have tried resetting the access point multiple times.



I can access the XG Firewall via console serial connection with no problems, but i cannot access the APX 320 via console serial connection without the console windows looking like this:


 
These are the serial settings i've used:
Bits per second: 38,400
Data bits: 8
Parity: N (none) 
Stop bits: 1

Is it possible that the APX 320 is broken since i cannot get any information from the serial connection?

Best Regards, 
Mark



This thread was automatically locked due to age.
Parents
  • FormerMember
    0 FormerMember

    Hi Mark, Thanks for reaching out to Sophos Community.

    To get the console output, You need to set the BAUD to 115200 for the APXs.

    Also, Ensure that the XG 115 has all the rules configured to allow traffic from the APX's IP to WAN for port 80 443 and 123 (NTP). You can take a tcpdump on the XG to verify this. Take the tcpdump on the resolved IPs of the domain: "wifi.cloud.sophos.com" or directly on the domain.

    The command would be --> tcpdump -nei any host wifi.cloud.sophos.com

    You can also try to check for the drop packets from the XG's console --> (Option 4 > Device Console) > drop-packet-capture 'host wifi.cloud.sophos.com

    Here are the prerequisites for central Wireless AP : Sophos Central Wireless: Network requirements

    Make sure to restart the APX320 before each attempt as once booting (and not configured) It tries to connect to Central first and then attempts to connect to XG on Magic IP (1.2.3.4).

  • Hello Davesh

    I set the BAUD to what you said and it worked, and i can type in the console but after a few seconds it reboots over and over again.

    It keeps saying No Direct-Attach Chipsets found.

    CONSOLE LOG:

    Format: Log Type - Time(microsec) - Message - Optional Info
    Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
    S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00108
    S - IMAGE_VARIANT_STRING=DAABANAZA
    S - OEM_IMAGE_VERSION_STRING=CRM
    S - Boot Config, 0x00000021
    S - Reset status Config, 0x00000010
    S - Core 0 Frequency, 0 MHz
    B - 262 - PBL, Start
    B - 1343 - bootable_media_detect_entry, Start
    B - 1686 - bootable_media_detect_success, Start
    B - 1700 - elf_loader_entry, Start
    B - 5135 - auth_hash_seg_entry, Start
    B - 7316 - auth_hash_seg_exit, Start
    B - 589413 - elf_segs_hash_verify_entry, Start
    B - 707917 - PBL, End
    B - 707941 - SBL1, Start
    B - 798489 - pm_device_init, Start
    D - 7 - pm_device_init, Delta
    B - 800032 - boot_flash_init, Start
    D - 58086 - boot_flash_init, Delta
    B - 862277 - boot_config_data_table_init, Start
    D - 3882 - boot_config_data_table_init, Delta - (419 Bytes)
    B - 869490 - clock_init, Start
    D - 7571 - clock_init, Delta
    B - 881567 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:6
    B - 884980 - sbl1_ddr_set_params, Start
    B - 890076 - cpr_init, Start
    D - 2 - cpr_init, Delta
    B - 894459 - Pre_DDR_clock_init, Start
    D - 4 - Pre_DDR_clock_init, Delta
    D - 13175 - sbl1_ddr_set_params, Delta
    B - 907771 - pm_driver_init, Start
    D - 3 - pm_driver_init, Delta
    B - 978398 - sbl1_wait_for_ddr_training, Start
    D - 27 - sbl1_wait_for_ddr_training, Delta
    B - 994570 - Image Load, Start
    D - 138310 - QSEE Image Loaded, Delta - (269176 Bytes)
    B - 1133314 - Image Load, Start
    D - 1435 - SEC Image Loaded, Delta - (2048 Bytes)
    B - 1143602 - Image Load, Start
    D - 219953 - APPSBL Image Loaded, Delta - (450356 Bytes)
    B - 1363952 - QSEE Execution, Start
    D - 60 - QSEE Execution, Delta
    B - 1370184 - SBL1, End
    D - 664321 - SBL1, Delta
    S - Flash Throughput, 2008 KB/s (721999 Bytes, 359533 us)
    S - DDR Frequency, 672 MHz


    U-Boot 2012.07 (Dec 05 2017 - 16:05:06)

    smem ram ptable found: ver: 1 len: 3
    DRAM: 512 MiB
    machid : 0x8010006
    NAND: ONFI device found
    ID = 9590dcc2
    Vendor = c2
    Device = dc
    SF: Detected GD25Q32 with page size 4 KiB, total 4 MiB
    ipq_spi: page_size: 0x100, sector_size: 0x1000, size: 0x400000
    516 MiB
    In: serial
    Out: serial
    Err: serial
    machid: 8010006
    flash_type: 0
    Configurate GPIO setting
    Configurate TPM reset from low to high.
    Configurate BLE reset from low to high.
    Net:
    PHY ID = 0x4dd072, eth0 found AR8035 PHY
    MAC0 addr:7c:5a:1c:4:64:38
    eth0
    Creating 1 MTD partitions on "nand0":
    0x000000000000-0x000020000000 : "mtd=0"
    UBI: attaching mtd2 to ubi0
    UBI: physical eraseblock size: 131072 bytes (128 KiB)
    UBI: logical eraseblock size: 126976 bytes
    UBI: smallest flash I/O unit: 2048
    UBI: VID header offset: 2048 (aligned 2048)
    UBI: data offset: 4096
    UBI: attached mtd2 to ubi0
    UBI: MTD device name: "mtd=0"
    UBI: MTD device size: 512 MiB
    UBI: number of good PEBs: 4092
    UBI: number of bad PEBs: 4
    UBI: max. allowed volumes: 128
    UBI: wear-leveling threshold: 4096
    UBI: number of internal volumes: 1
    UBI: number of user volumes: 4
    UBI: available PEBs: 2064
    UBI: total number of reserved PEBs: 2028
    UBI: number of PEBs reserved for bad PEB handling: 40
    UBI: max/mean erase counter: 13/2
    SF: Detected GD25Q32 with page size 4 KiB, total 4 MiB
    Hit any key to stop autoboot: 0
    Read 0 bytes from volume image to 88000000
    No size specified -> Using max size (67170304)
    ## Booting kernel from FIT Image at 88000000 ...
    Using 'config@1' configuration
    Trying 'kernel@1' kernel subimage
    Description: ARM OpenWrt Linux-3.14.43
    Type: Kernel Image
    Compression: uncompressed
    Data Start: 0x880000e4
    Data Size: 16041892 Bytes = 15.3 MiB
    Architecture: ARM
    OS: Linux
    Load Address: 0x80208000
    Entry Point: 0x80208000
    node name: signature@1
    Sign algo: sha256,rsa4096
    Sign value: a11b5f5810600af8ca4e537aca9412242ea22751286e65984f044608f4c179fd2b32ac7ab753fdb6ad257cfeed2ba3b626b3e91ef66b8782df8cf29510038546325745eabb1d3bb1bd9e767669347ba46e9e04e25dbd56654bf01ae4a2594d0852c97e41c9ba503505eae98686dcb3fdb48d25db015aca198cade0a90896b5e5c5a17df66c2286e3728fef7a2f93f62daff1661192aa601b347cb45b4d7a131bc55939175050cd9a5ff221b140440165ca8b9e72f928ff9b3ea486c851c6693978893704ee46ca3cf1d3615e528ff5fc26ae3444288ce2c51f4ec376908e3cccf91b1928b42b52e221d2f55c16d27390831c6fa37f1903a602475416e31f9f15de784763fbf07beda9f86fba160734b23f2085b8291b2569370f19592f2be1a303b56daf265774c2db11aa601a368dc23bd526e9a426b0dd2b1f38e4fe51d0952ce3448538cb9e7eb6ebd1b5cd831358acdb96cef457bba4578cb1ae7a0fcbb6e6f9b438805f81e3a4843123a191af1d67cc355a215cc146f8d41caf7453a5362766a52c5982fee7868fb254cf52161699e28edd6b577ce74a3590ec8b8690514f4534d20642aa0ce068b1229f35c0bff4a5bb2e8d79868adee6106fc9ee7614cd5f9cc09621143691214eb7a29bee2a6a8d83a6df34963eb36fb4bbd2b30efd00567c2606effa11b2900ade94061604de945d48a25943fc92a3cc5b14be04b2
    Verifying Hash Integrity ... sha256+ OK
    ## Flattened Device Tree from FIT Image at 88000000
    Using 'config@1' configuration
    Trying 'fdt@1' FDT blob subimage
    Description: ARM OpenWrt Sophos-APX device tree blob
    Type: Flat Device Tree
    Compression: uncompressed
    Data Start: 0x88f4cbcc
    Data Size: 35149 Bytes = 34.3 KiB
    Architecture: ARM
    node name: signature@1
    Sign algo: sha256,rsa4096
    Sign value: 99f91f7dc7567667f228d9cb47bf977f660b452317c2d86671d50e890369fa56dc7122c40700713e4cd2bc77b0f879ff3307855be8f43f1f8e7116e419f62fbee38ba643dfeaaa1d5208f3697de5bdedadc97a23aa031220e0d37087e6f631b8865f2a4b4e5d636eedab5afed950d0c68fa29b3b4d28e80afa8312055cf03cadaf80dabf608adac87d8bef5815c838dff7d939ce4b68306495ff5f6a11edff98952a4eda578b758b255882a10c197f9f0654b8822e54c2c6de28db3ffb004307833e521acc543c476b92c8815576737201e873d27ce98f756ce10bac5adbe418f290376504b89047cff6fb410c632bb705956400c34361c7f6a0ac5a08bacc84dcbc26491d628e31c1fb1d9354b3ed34d947c5d7e80def8d3f84a9784b399e5d244d6ef9a52be5bd78204c8574e80ec221221fba108fe218495c8d6d4381ae76f14500450d14afcf5f0c5f1ad917c3038e11d03879d2c122fed97a4cef2875c0c6f3ac3732b9aa41b7b045435e124da0c4c8c207bca4ef102f405887eda148d94af4c20ad7c4c9996c73089ca621ac1fadc08c2418ba6549d01e6780b64fde13b4a3b79b1f36849d6396c30840584910a1b2a888bd9309ba5bab8c8163b36eb234cbd276438d084c56a5959da84203fb86c49e36d828276fb1778de536a4343f01f515c829d03f0b98f13d4381f919bfc6fdec5dbcd7c63361b757349810c054
    Verifying Hash Integrity ... sha256+ OK
    Booting using the fdt blob at 0x88f4cbcc
    Loading Kernel Image ... OK
    OK
    Loading Device Tree to 871e3000, end 871ee94c ... OK
    Using machid 0x8010006 from environment

    Starting kernel ...

    _____________________________________________________________________________________________________________


    I am unsure about the rules that allows traffic from the APX to WAN



    When i try tcpdump i get:
    XG115_XN03_SFOS 18.0.4 MR-4# tcpdump -nei any host wifi.cloud.sophos.com
    tcpdump: unknown host 'wifi.cloud.sophos.com'
    XG115_XN03_SFOS 18.0.4 MR-4#


    And also nothing happens when i try the other command in device console



    This is the added URL's in Sophos XG Firewall categories

    Which was added to a "User Activity"

     

    Which was added to the "Default Policy"

  • Central Wireless needs HTTP, HTTPS and NTP to connect to the internet. Did you try to give the AP a IP and allow everything from this IP to the internet? 

    __________________________________________________________________________________________________________________

  • Hello LuCar.
    Thank you for your reply

    Can you please explain further how i can give the AP an IP if i can't register it in Sophos Central?

  • APX managed by Central will still require a on prem DHCP server. This can be XG. But you need to verify, the AP gets a IP address by somebody. 

    __________________________________________________________________________________________________________________

  • How do i verify that? 
    XG Firewall Network:

    EDIT:

    It looks like the APX is n IP 192.168.100.100

  • So you need to allow HTTPs, NTP and SSH to Central (or WAN in general) for this IP. 

    __________________________________________________________________________________________________________________

Reply Children