
Upgraded UTM hardware but RED endpoints not coming back up

I upgraded the UTM to a newer bit of hardware and restored the config just using a backup/restore (without License, passwords, certificates/keys, endpoints) 

When I switch over to the new device, everything works fine except that the RED10 endpoints don't come back up.

I have checked the config for the RED devices and it is identical to the previous firewall so I am guessing that I probably need to copy over a certificate somewhere?

Looking at the live log for the RED devices, I keep on seeing "Unable to fetch RED ca object".


Any ideas?



  • I had a similar issue and ended up with the 'ca_generate_host_key_cert' error (and found this page via a Google search). Here was my fix:

     

    Note all the RED details including unlock codes.

    Turn off the RED capability (RED management - Global Settings - RED status - off).

    Turn RED back on again & it will (tada) create a new certificate on the online service.

    Re-input the RED details.

     

    I think my issue was the RED certificate was generated with a different hostname on the unit (it had an update issue which meant it was rebuilt & restored several times).

    Hope this helps someone.

  • Hi,

    Greetings.

    The issue seems to be related to the CA, as per the log lines posted earlier. Can you please DM me your ticket #? I will investigate the case further and try to get you an update.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Send me a message with the name of the person that told you that.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • OK, well thanks for the advice anyway Bob,
    I called Sophos support and they were no help; I was just told to contact the reseller I purchased the equipment from, even though I pay for "Premium Support".
  • This is one of those situations where you'd better get some new eyes on your issue - push Sophos Support to get you an answer quickly and then share with us what the problem and solution were.

    Cheers - Bob
     
  • I tried plan B and deleted the RED interface from the new firewall and then attempted to redeploy.
    Although this worked in the old firewall with no errors, with the new firewall I get:

    "The argument of the function ca_generate_host_key_cert must be a X509 certificate with private key object and not empty."

    and I am unable to complete adding the RED to the firewall.
  • Is there a way to copy across just the certificates?

    I don't know the original admin password and have changed quite a few settings on the new hardware so don't really want to start again with the config.

    Looking in the config of the new hardware the unlock codes have copied across, but the REDs never come back up.

    Alternatively, if I know the unlock codes of the hardware, can I just delete and recreate the endpoint in the new hardware? (I also don't really want to do this as I have loads of endpoints.)

    Many thanks,
    Ben
  • A full backup would work. The OP stripped out the certificates, which is where his problem lies.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • I just want to confirm since we'll be doing this later in 2016. I was told a full backup and restore to a new appliance was relatively painless.