Problems setting up new APX

Hello Mateusz Bender,

Thank you for reaching out to the community, the error may indicate a handful of problems:

1) A power injector issue, if used
2) A switch PoE issue, if used
3) Defective cable
4) AP hardware issue

In order to rule out the first points, please try to:

1) Use a different power injector
2) Connect the AP to a different switch, or use a power injector
3) Use a different cable

FYI: Another AP has been used on the same port using the same power injector. Granted, it was a "lesser" device (AP55), but still.

1) If the AP starts up and chimes in correctly at the start can it really be a power issue? Additionally another Sophos AP on this PoE injector worked correctly.
2) N/A
3) If another AP on the same port (using the same cable) works, can this be a cable issue?
4) Quite possibly? Any other logs?

I can also add that I if I did not set up the VLAN on the AP then it registered correctly and I assume I would be able to set up new WiFi networks then. Unfortunately we need the VLAN configuration...

Have you tried a VLAN config by directly connecting the cable from UTM VLAN interface to directly to access point without a switch in between ?

No, and quite frankly I don't think I can without being very disruptive to everyone at work. Plus I'm not sure what that rules out. If you're suggesting the issue is with the Cisco switch in the middle then my counter is that another AP (AP55) worked in that exact same spot previously without issues (same config). Also of note - we have one OTHER Sophos AP on another port on the same switch with the same configuration and the same model of PoE injector working just fine.

If the AP needs more power than AP55 and APX320 (which is our other Sophos AP) then it could very well be the PoE brick. However it's worth noting that I've also tried to just assign the new AP to a VLAN without assigning any WiFi networks...

No, and quite frankly I don't think I can without being very disruptive to everyone at work. Plus I'm not sure what that rules out. If you're suggesting the issue is with the Cisco switch in the middle then my counter is that another AP (AP55) worked in that exact same spot previously without issues (same config). Also of note - we have one OTHER Sophos AP on another port on the same switch with the same configuration and the same model of PoE injector working just fine.

If the AP needs more power than AP55 and APX320 (which is our other Sophos AP) then it could very well be the PoE brick. However it's worth noting that I've also tried to just assign the new AP to a VLAN without assigning any WiFi networks...

So, does the AP get the IP address from the DHCP ? And any registration issue for the AP ?

Initially, yes. It was able to grab an IP from our own DHCP without issues. At that point the AP shows up as an unauthorized device in URM web interface.

Following that I was able to authorize it without setting any networks and changing the VLAN config.

After changing the VLAN config in UTM web interface the device appears to go through the re-config process but fails with the error provided in the original post, and from that moment it's "gone". It never receives a new IP from the new VLAN (DHCP for VLAN 11 is handled by the UTM itself).

And the DHCP server is configured on UTM 9 or on the windows ?

DHCP on VLAN 1 is a Windows Server DHCP. DHCP on VLAN 11 is on UTM.

Did you try to enable AP-Vlan-Tagging and setting AP-Vlan at AP-Level and AP-Group-Level already?

Also, I would try to set VLAN1 as Tagged VLAN at the switch-port while the AP is "lost".

May be the following article can help: https://support.sophos.com/support/s/article/KB-000034799?language=en_US

dirkkotte
The AP-VLAN-Tagging is the setting that seems to "break" the AP. I've also tried setting VLAN 1 as tagged when it's lost.

Vivek Jagad
The problem isn't with AP registration. As stated, if I don't switch the VLAN, I can register the AP. Unfortunately we need VLAN tagging for everything to work, and that's where the device fails.

EDIT:

Correction. Even without setting a different VLAN it seems the AP fails to register. It only briefly shows up as a valid "unassigned" AP in UTMs AP list; after refreshing the AP shows as inactive with a warning triangle. Otherwise it keeps throwing the same messages in the Wireless log every 2 minutes:

2022:10:18-12:21:50 firewall awed[20335]: [P120082JG9XB4E8] APX530 from 10.150.4.96:42249 identified as P120082JG9XB4E8 
2022:10:18-12:21:50 firewall awed[20335]: [P120082JG9XB4E8] (Re-)loaded identity and/or configuration 
2022:10:18-12:21:51 firewall awed[20335]: [P120082JG9XB4E8] ll_read: short read or connection error: 
2022:10:18-12:21:51 firewall awed[20335]: [P120082JG9XB4E8] disconnected. Close socket and kill process.

Even if you didn't assign the AP to a group or enable VLAN at the AP ... you will never see the AP as connected?
(if the AP connects without VLAN, the AP may get a new firmware and would connect later without problems)

As stated - no. It'll keep cycling with the error message provided in the original question, and will never really appear as "unassigned" (i.e. registered and ready for further config).

Well, this is awkward. I've scheduled the latest UTM patch installation yesterday and that took place last night. Today I found the new APX active and waiting to be used like it should.

Either the new UTM patch had an undocumented fix (I saw nothing related in the patch notes) or an UTM reboot helped. If someone else has a similar issue in the future - a reboot doesn't hurt and could very well solve the issue. ;)