Transferring APX from UTM firewall to Sophos Central


yesterday I ran into trouble while trying to move an APX120 from Sophos SG/UTM (FW 9.718-5) to Sophos Central Wireless.

Currently my APs are connected to LAN (VLAN1) on L2 Switches, those are connected to local Sophos XGS firewalls, via IPSEC-VPNs to the HQ Sophos XGS-firewall and behind that the old Sophos SG/UTM which is currently only working for WLAN. No zone on the local or HQ Sophos XGS is enabled for Wireless.

The complete internet traffic is routed through the VPNs, the APs in VLAN1 find the Sophos SG/UTM via DHCP option 234.

Now I wanted to move one AP from local LAN to local MGMT (management network with VLAN20). I changed the access VLAN on the switchport, dis- and re-enabled PoE and wanted the AP to be connected to Sophos Central Wireless. On that VLAN20, no DHCP option is set, the traffic should be routed through VPN to the HQ firewall and since it has not enabled Wireless for VPN zone my thought was, it should be able to connect to Sophos Central Wireless.

But they never arrived there. I could only see NTP connections, both on the local and the HQ firewall. no HTTP, HTTPS or anything else.

Today I had an idea. I enabled Wireless for the management zone on the local firewall but configured no SSIDs. I registered the AP to the local firewall, waited for it to be updated and reconnected again and then I deleted it on the local firewall as well as I deactivated Wireless for the MGMT zone. The AP was rebooted and connected without any issues to Sophos Central.

Trying it the other way around back from Sophos Central to the SG/UTM went without any issues after changing the access VLAN on the L2 switch back to VLAN1.

Is that an expected behaviour or is there maybe something wrong with the firmware on Sophos UTMs?
Currently I am only testing things, but it is planned to move about 50 APX120 and 10 APX320X (in exchange for current AP100X models) to Sophos Central Wireless.

Edited TAGs
[edited by: Raphael Alganes at 2:22 PM (GMT -8) on 1 Feb 2024]