I have an APX320 that has never been used, but had been lying in spare for quite some time.
Whenever I boot the device I see an error message in the SSL/TLS inspection log viewer for traffic going to wifi.cloud.sophos.com with error message: TLS handshake fatal alert: unknown CA(48)
This is even without any SSL inspection enabled on the system. Trying to exclude this message from the logging does not work either.
I have tried to enable wireless on the XGS and see whether or not the access point shows up there as pending, but it does not. Also when completely disabling wireless and trying to add the AP in Sophos Central it just times out after some time.
On the access point itself, connecting it with a Console cable I can see it booting, but soon after getting an IP-adres the led turns steady red.
Upon booting the AP I see the following messages in the console:
Starting kernel ...
Press the [f] key and hit [enter] to enter failsafe mode
Press the , ,  or  key and hit [enter] to select the debug level
Please press Enter to activate this console.
Booting. (Version: 126.96.36.199-5)
Starting network configuration for ethernet interface over DHCP.
dnsserver entries are missing
UTM certificate validation pending.
Cloud certificate validation pending.
dnsserver entries are missing
Ethernet autoconfiguration (bound): IP:192.168.3.101/24, gateway:192.168.3.254, nameservers:188.8.131.52
Ethernet link state changed to: up, Speed: 1000, Duplex: full
[cloudclient] Last AP reboot was triggered by: Unknown.
Since the AP has been lying here for quite some time, the fimware is probably really old. Could that be part of the issue?
Does anyone have a clue on how to get this going either through Sophos Central or through XGS116?
yes, I had some AP100X that lay here for 2 years, now brought online. That could not register to cental without beeing updated by our local XG first. They connected to wifi.cloud.sophos.com without success. After the upgrade they connected to something like
wifi-cloudstation-eu-central-1.prod.hydra.sophos.com CNAME wifi-spinnaker-1416972346.eu-central-1.elb.amazonaws.com
I think thex use other URL and certificates today.
when you tcpdump it with -nvv parameter, where does it want to go? you should see the DNS requests. Is all that traffic allowed?
Nevertheless it should be possible to add it to your local machine when Wifi Controller is enabled (Wireless -> Global settings -> Enable wireless protection) and you have wireless protection enabled in Device Access on that zone.
TLS handshake fatal alert: unknown CA(48) is the message, when the requesting device does not trust XGS's Proxy Cert. So XGS still trying to decrypt?
Hi, unfortunately I was not able to solve this and have send the access points to the Sophos partner where we ordered them.
In the meantime they have tried adding them to several different firewalls (including some older UTM versions) but they did also not manage to add them and have now consulted Sophos for a solution.
Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
thanks for posting that here. that's a real time muncher. I hope Sophos sends you an RMA.