Just tried to add APX320 to the wireless controller on the new UTM 9.7 beta.
I can see it leasing address from the DHCP server (with option 234 set to point to the LAN address of the UTM). However, the AP just finishes booting and ends up with solid red LED. I tried to a factory default reset of the AP with the same result afterwards.
UTM version 9.670-4
OK... so a bit of a development. After almost an hour of the AP just rebooted couple of times and now it is visible in WebAdmin... In shell of the UTM a lively traffic between the AP and Sophos cloud was visible in tcpdump.
So ur APX320 is live now ?Actually it might have old version used in cloud thats why it takes time for auto firmware upgrade to latest cloud and then it will come Under UTM pending AP list.
Yes the APX320 is alive. However it took it about 40 minutes from factory default reset for it to show in the pending AP list. During all that time the LED was solid red.
The APX120 at the other hand, we just disconnected it from the XG and it popped up in the pending list of the UTM shortly after it got its IP from the DHCP (although this process (of just getting the DHCP lease) took it a few minutes as well).
I'm seeing a similar issue. APX320, gets a lease, and just blinks green... not in pending list, no logs for awed show any activity. Been 20 minutes so far. Is there something I'm missing Sophos? Also FWIW this is a recently ordered APX320 (got it about a month ago).
CTO, Convergent Information Security Solutions, LLC
Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
I actually have 4 other APX 320 that were just sitting on the table turned on for entire weekend and didn't popup in the pending list. They failed to do so in the UTM 9.7 Beta, they failed to do so in the XG and they failed to connect to Sophos Central as well.
I did a bit of a digging and it seems that they are trying to contact the controller on a wrong port 2713 instead of 2712 (as they should based on this KB document (and all my Sophos training): https://community.sophos.com/kb/en-us/124397 ).
If I NAT the communication then the controller responds to the APX, however, the connection does not hold and ends up with an error anyway.
So result is I have one APX 320 that is working and 4 that I have filled an RMA request for.
To me this seems as a firmware issue. All 4 non working APX 320s arrived in the same shipment around end of July and were never used before.
Maybe you can try to 'tcpdump' the communication on the UTM and see whether it is not your case as well...
Interesting; this one was purchased from distribution (we are a reseller) in July as well... never been used. Thanks for the info, I'll check it out. Maybe someone messed up flashing these.
You are right -- this is exactly what this APX is doing, trying the wrong port. Factory Resets, etc. do not work. I started a case and also notified our TAM. Seems to me a bad batch got sent out. We'll see.
There was an issue for new APX registration for new hardware/OOB with XG or UTM, due to the cloud end some certification updates. But it has been resolved 3 weeks ago.
Now any brand new APX should come to XG+UTM pending list as far as u plug it and having working internet connection. Is APX has internet ?
Yes, those APX 320 are all OOB and they have unrestricted Internet access. I even plugged one to the internet directly (and provided it with a DHCP in the public subnet) but to no avail. It failed to register with the Sophos central just as the remaining 3.
These "dead" APXs were received in a shipment from Sophos around 22nd of July.
One other APX 320 I have was in a similar state. However after about 45 minutes of not cooperating and simply hanging in the solid red LED state it somehow probably managed to get a firmware update from the cloud and since then it registered with the UTM just fine.
I also have 16 other APX 320 APs that were returned by a customer where they were on a proof of concept testing and those register with the UTM practically immediately after I factory reset them.
The "dead" four have been left turned on and with Internet access for 3 days and they are still dead so at the moment I have pending RMA requests for all of them.
Yeah they did a RMA for mine as well... shipped from distribution Aug 6th. Does seem they got a bad batch.
I got the RMA unit in Friday, and it installed and worked fine; interestingly apparently they do not want the old one back... I guess maybe they can't reflash it?