Trouble adding APX 320 to Sophos Central

Hi Mark, Thanks for reaching out to Sophos Community.

To get the console output, You need to set the BAUD to 115200 for the APXs.

Also, Ensure that the XG 115 has all the rules configured to allow traffic from the APX's IP to WAN for port 80 443 and 123 (NTP). You can take a tcpdump on the XG to verify this. Take the tcpdump on the resolved IPs of the domain: "wifi.cloud.sophos.com" or directly on the domain.

The command would be --> tcpdump -nei any host wifi.cloud.sophos.com

You can also try to check for the drop packets from the XG's console --> (Option 4 > Device Console) > drop-packet-capture 'host wifi.cloud.sophos.com

Here are the prerequisites for central Wireless AP : Sophos Central Wireless: Network requirements

Make sure to restart the APX320 before each attempt as once booting (and not configured) It tries to connect to Central first and then attempts to connect to XG on Magic IP (1.2.3.4).

Hello Davesh

I set the BAUD to what you said and it worked, and i can type in the console but after a few seconds it reboots over and over again.

It keeps saying No Direct-Attach Chipsets found.

CONSOLE LOG:

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00108
S - IMAGE_VARIANT_STRING=DAABANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x00000021
S - Reset status Config, 0x00000010
S - Core 0 Frequency, 0 MHz
B - 262 - PBL, Start
B - 1343 - bootable_media_detect_entry, Start
B - 1686 - bootable_media_detect_success, Start
B - 1700 - elf_loader_entry, Start
B - 5135 - auth_hash_seg_entry, Start
B - 7316 - auth_hash_seg_exit, Start
B - 589413 - elf_segs_hash_verify_entry, Start
B - 707917 - PBL, End
B - 707941 - SBL1, Start
B - 798489 - pm_device_init, Start
D - 7 - pm_device_init, Delta
B - 800032 - boot_flash_init, Start
D - 58086 - boot_flash_init, Delta
B - 862277 - boot_config_data_table_init, Start
D - 3882 - boot_config_data_table_init, Delta - (419 Bytes)
B - 869490 - clock_init, Start
D - 7571 - clock_init, Delta
B - 881567 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:6
B - 884980 - sbl1_ddr_set_params, Start
B - 890076 - cpr_init, Start
D - 2 - cpr_init, Delta
B - 894459 - Pre_DDR_clock_init, Start
D - 4 - Pre_DDR_clock_init, Delta
D - 13175 - sbl1_ddr_set_params, Delta
B - 907771 - pm_driver_init, Start
D - 3 - pm_driver_init, Delta
B - 978398 - sbl1_wait_for_ddr_training, Start
D - 27 - sbl1_wait_for_ddr_training, Delta
B - 994570 - Image Load, Start
D - 138310 - QSEE Image Loaded, Delta - (269176 Bytes)
B - 1133314 - Image Load, Start
D - 1435 - SEC Image Loaded, Delta - (2048 Bytes)
B - 1143602 - Image Load, Start
D - 219953 - APPSBL Image Loaded, Delta - (450356 Bytes)
B - 1363952 - QSEE Execution, Start
D - 60 - QSEE Execution, Delta
B - 1370184 - SBL1, End
D - 664321 - SBL1, Delta
S - Flash Throughput, 2008 KB/s (721999 Bytes, 359533 us)
S - DDR Frequency, 672 MHz

U-Boot 2012.07 (Dec 05 2017 - 16:05:06)

smem ram ptable found: ver: 1 len: 3
DRAM: 512 MiB
machid : 0x8010006
NAND: ONFI device found
ID = 9590dcc2
Vendor = c2
Device = dc
SF: Detected GD25Q32 with page size 4 KiB, total 4 MiB
ipq_spi: page_size: 0x100, sector_size: 0x1000, size: 0x400000
516 MiB
In: serial
Out: serial
Err: serial
machid: 8010006
flash_type: 0
Configurate GPIO setting
Configurate TPM reset from low to high.
Configurate BLE reset from low to high.
Net:
PHY ID = 0x4dd072, eth0 found AR8035 PHY
MAC0 addr:7c:5a:1c:4:64:38
eth0
Creating 1 MTD partitions on "nand0":
0x000000000000-0x000020000000 : "mtd=0"
UBI: attaching mtd2 to ubi0
UBI: physical eraseblock size: 131072 bytes (128 KiB)
UBI: logical eraseblock size: 126976 bytes
UBI: smallest flash I/O unit: 2048
UBI: VID header offset: 2048 (aligned 2048)
UBI: data offset: 4096
UBI: attached mtd2 to ubi0
UBI: MTD device name: "mtd=0"
UBI: MTD device size: 512 MiB
UBI: number of good PEBs: 4092
UBI: number of bad PEBs: 4
UBI: max. allowed volumes: 128
UBI: wear-leveling threshold: 4096
UBI: number of internal volumes: 1
UBI: number of user volumes: 4
UBI: available PEBs: 2064
UBI: total number of reserved PEBs: 2028
UBI: number of PEBs reserved for bad PEB handling: 40
UBI: max/mean erase counter: 13/2
SF: Detected GD25Q32 with page size 4 KiB, total 4 MiB
Hit any key to stop autoboot: 0
Read 0 bytes from volume image to 88000000
No size specified -> Using max size (67170304)
## Booting kernel from FIT Image at 88000000 ...
Using 'config@1' configuration
Trying 'kernel@1' kernel subimage
Description: ARM OpenWrt Linux-3.14.43
Type: Kernel Image
Compression: uncompressed
Data Start: 0x880000e4
Data Size: 16041892 Bytes = 15.3 MiB
Architecture: ARM
OS: Linux
Load Address: 0x80208000
Entry Point: 0x80208000
node name: signature@1
Sign algo: sha256,rsa4096
Sign value: a11b5f5810600af8ca4e537aca9412242ea22751286e65984f044608f4c179fd2b32ac7ab753fdb6ad257cfeed2ba3b626b3e91ef66b8782df8cf29510038546325745eabb1d3bb1bd9e767669347ba46e9e04e25dbd56654bf01ae4a2594d0852c97e41c9ba503505eae98686dcb3fdb48d25db015aca198cade0a90896b5e5c5a17df66c2286e3728fef7a2f93f62daff1661192aa601b347cb45b4d7a131bc55939175050cd9a5ff221b140440165ca8b9e72f928ff9b3ea486c851c6693978893704ee46ca3cf1d3615e528ff5fc26ae3444288ce2c51f4ec376908e3cccf91b1928b42b52e221d2f55c16d27390831c6fa37f1903a602475416e31f9f15de784763fbf07beda9f86fba160734b23f2085b8291b2569370f19592f2be1a303b56daf265774c2db11aa601a368dc23bd526e9a426b0dd2b1f38e4fe51d0952ce3448538cb9e7eb6ebd1b5cd831358acdb96cef457bba4578cb1ae7a0fcbb6e6f9b438805f81e3a4843123a191af1d67cc355a215cc146f8d41caf7453a5362766a52c5982fee7868fb254cf52161699e28edd6b577ce74a3590ec8b8690514f4534d20642aa0ce068b1229f35c0bff4a5bb2e8d79868adee6106fc9ee7614cd5f9cc09621143691214eb7a29bee2a6a8d83a6df34963eb36fb4bbd2b30efd00567c2606effa11b2900ade94061604de945d48a25943fc92a3cc5b14be04b2
Verifying Hash Integrity ... sha256+ OK
## Flattened Device Tree from FIT Image at 88000000
Using 'config@1' configuration
Trying 'fdt@1' FDT blob subimage
Description: ARM OpenWrt Sophos-APX device tree blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x88f4cbcc
Data Size: 35149 Bytes = 34.3 KiB
Architecture: ARM
node name: signature@1
Sign algo: sha256,rsa4096
Sign value: 99f91f7dc7567667f228d9cb47bf977f660b452317c2d86671d50e890369fa56dc7122c40700713e4cd2bc77b0f879ff3307855be8f43f1f8e7116e419f62fbee38ba643dfeaaa1d5208f3697de5bdedadc97a23aa031220e0d37087e6f631b8865f2a4b4e5d636eedab5afed950d0c68fa29b3b4d28e80afa8312055cf03cadaf80dabf608adac87d8bef5815c838dff7d939ce4b68306495ff5f6a11edff98952a4eda578b758b255882a10c197f9f0654b8822e54c2c6de28db3ffb004307833e521acc543c476b92c8815576737201e873d27ce98f756ce10bac5adbe418f290376504b89047cff6fb410c632bb705956400c34361c7f6a0ac5a08bacc84dcbc26491d628e31c1fb1d9354b3ed34d947c5d7e80def8d3f84a9784b399e5d244d6ef9a52be5bd78204c8574e80ec221221fba108fe218495c8d6d4381ae76f14500450d14afcf5f0c5f1ad917c3038e11d03879d2c122fed97a4cef2875c0c6f3ac3732b9aa41b7b045435e124da0c4c8c207bca4ef102f405887eda148d94af4c20ad7c4c9996c73089ca621ac1fadc08c2418ba6549d01e6780b64fde13b4a3b79b1f36849d6396c30840584910a1b2a888bd9309ba5bab8c8163b36eb234cbd276438d084c56a5959da84203fb86c49e36d828276fb1778de536a4343f01f515c829d03f0b98f13d4381f919bfc6fdec5dbcd7c63361b757349810c054
Verifying Hash Integrity ... sha256+ OK
Booting using the fdt blob at 0x88f4cbcc
Loading Kernel Image ... OK
OK
Loading Device Tree to 871e3000, end 871ee94c ... OK
Using machid 0x8010006 from environment

Starting kernel ...

_____________________________________________________________________________________________________________

I am unsure about the rules that allows traffic from the APX to WAN

When i try tcpdump i get:
XG115_XN03_SFOS 18.0.4 MR-4# tcpdump -nei any host wifi.cloud.sophos.com
tcpdump: unknown host 'wifi.cloud.sophos.com'
XG115_XN03_SFOS 18.0.4 MR-4#

And also nothing happens when i try the other command in device console

This is the added URL's in Sophos XG Firewall categories

Which was added to a "User Activity"

Which was added to the "Default Policy"

Central Wireless needs HTTP, HTTPS and NTP to connect to the internet. Did you try to give the AP a IP and allow everything from this IP to the internet? 

Hello LuCar.
Thank you for your reply

Can you please explain further how i can give the AP an IP if i can't register it in Sophos Central?

APX managed by Central will still require a on prem DHCP server. This can be XG. But you need to verify, the AP gets a IP address by somebody. 

How do i verify that? 
XG Firewall Network:

EDIT:

It looks like the APX is n IP 192.168.100.100

So you need to allow HTTPs, NTP and SSH to Central (or WAN in general) for this IP. 

So you need to allow HTTPs, NTP and SSH to Central (or WAN in general) for this IP. 

Okay, where do i go to do this in Sophos Central?

This is a Firewall change.

The AP communicate to Central. This needs to be done in XG. 

Ah okay, do i need to create a new firewall rule for this?

Yes, you can create afirewall rule for the APX, which allows the AP direct to communicate to the internet, without a proxy. For tests, you could also deactivate the WEB filter in your firewall rule 5

I deactivated rule 5 in Firewall

But still no AP in Sophos Central or in Sophos XG Firewall 

Do you see it being assigned an IP address in the XG dhcp server?
ian

Hi Ian, thanks for replying.

The AP has been given a IP yes:

172.16.16.17

Hello Mark,

I would recommend you to create a Firewall rule for the IP of the AP and put it on the TOP of the Firewall Rules, without any IPS, AV, and Web Filter.

Regards,