I have set up a ZTNA gateway on VMware ESXi using the instructions mentioned in ZTNA setup, but I am not getting a home page to log in.
Hi
Check your ESXi deployment if you are using VMware. The VM should have an IP 10.* showing on your console. Also check that the ISO image is always connected. Follow these steps:
1. Create your gateway in Central.
2. Download your image.
3. Add the VM.
4. Attach the image.
5. Before you start, verify the ISO is attached.
6. Start the VM.
7. Give it 5 min and see if the IP that I mentioned is showing. If not, check whether your ESXi server has internet connectivity.
8. Give it an hour for the gateway to sync and the Approve button to be enabled.
Hi,
Thx for your reply. I double-checked everything mentioned.
If it takes an hour to sync, it seems that I only have to wait...
But why should the VM have an IP 10.x.x.x?
It should also be possible to have an IP of, for example, 192.x.x.x, as I have a 192.x.x.x setup.
Yes, that is the IP you have set up, and the one I have set up has an IP of 192.x.x.x also. 10.x is an internal thing to the gateway and a way for you to know things are going fine.
Hi Matthias, a couple of questions. Previously, the gateways were in a connected state, right? Were there any changes made such that the gateway became disconnected? And are the time sync settings correct? And finally, are the below URLs whitelisted on the upstream firewall: https://docs.sophos.com/central/ZTNA/startup/en-us/setup/Requirements/index.html#active-directory
Hi Tejas,
My gateway deployment was never in a connected state. Time settings are in sync.
I think there is indeed a problem on the upstream firewall.
I can reach everything except:
1. *.amazonaws.com
2. production.cloudflare.docker.com
3. ztna.apu.sophos.com:22
I will try to get in contact with someone who can whitelist those URLs.
After that I will get back to you.
Thx
I did a separate rule on my Sophos XG allowing HTTPS services from LAN and my ZTNA IP to WAN.
Am I right? Or do I have to put those URLs into my exception listings within web protection?
As long as the above-mentioned URLs are reachable from the ZTNA gateway, that should be fine.
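A quick way to confirm that point from the LAN side, as an added example that is not part of this thread or of Sophos' tooling: the script below takes the three endpoints Matthias listed as unreachable, resolves each name and attempts a TCP connect on the port, and reports which ones are blocked. The `:443` on the two HTTPS endpoints is an assumption (the thread only states a port for `ztna.apu.sophos.com:22`), and a wildcard entry such as `*.amazonaws.com` cannot be tested as written, so it is flagged rather than replaced with a guessed hostname.

```python
"""Egress reachability check for a ZTNA gateway's required endpoints.

Added example, not from the original thread or from Sophos. Run it from
a host that takes the same path through the firewall as the gateway
(the poster's rule is scoped to the gateway's IP, so results from another
LAN host may differ). It never raises on a failed check; it records why.
"""
import socket

# Constructed from the endpoints listed as unreachable in the thread.
# Ports 443 on the first two are assumptions (HTTPS services); only the
# SSH endpoint's port is stated in the thread.
REQUIRED_ENDPOINTS = [
    "*.amazonaws.com:443",
    "production.cloudflare.docker.com:443",
    "ztna.apu.sophos.com:22",
]

DEFAULT_PORT = 443


def parse_endpoint(entry, default_port=DEFAULT_PORT):
    """Split 'host:port' into (host, port); port defaults when absent."""
    before, sep, after = entry.strip().rpartition(":")
    if not sep:                      # no colon: the whole entry is the host
        return after, default_port
    return before, int(after)


def check_endpoint(host, port, timeout=5.0):
    """Resolve host and try a TCP connect to every returned address.

    Returns a dict describing what worked; a wildcard host is reported
    as untestable instead of being guessed at.
    """
    result = {"host": host, "port": port, "wildcard": host.startswith("*."),
              "resolved": False, "address": None, "connected": False,
              "error": None}
    if result["wildcard"]:
        result["error"] = "wildcard entry: test a concrete hostname"
        return result
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:   # DNS failure: name does not resolve
        result["error"] = f"DNS: {exc}"
        return result
    result["resolved"] = True
    result["address"] = infos[0][4][0]
    for family, socktype, proto, _, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)  # a firewall drop shows up as a timeout
            result["connected"] = True
            result["error"] = None
            return result
        except OSError as exc:       # refused, timed out, unreachable, ...
            result["error"] = f"TCP: {exc}"
    return result


def run_checks(entries, timeout=5.0):
    """Check every 'host[:port]' entry and return the list of results."""
    return [check_endpoint(*parse_endpoint(e), timeout=timeout) for e in entries]


def blocked_endpoints(results):
    """Entries that were testable but did not complete a TCP connect."""
    return [f"{r['host']}:{r['port']}" for r in results
            if not r["wildcard"] and not r["connected"]]


if __name__ == "__main__":
    results = run_checks(REQUIRED_ENDPOINTS)
    for r in results:
        state = ("SKIP" if r["wildcard"] else
                 "OK" if r["connected"] else
                 "DNS-FAIL" if not r["resolved"] else "BLOCKED")
        print(f"{state:8} {r['host']}:{r['port']} "
              f"{r['address'] or '-':15} {r['error'] or ''}")
    print("blocked:", blocked_endpoints(results) or "none")
```

A connection that times out rather than being refused is the usual signature of a firewall silently dropping the traffic; a DNS failure instead points at name resolution, which is a different problem from the web-exception list. For `*.amazonaws.com`, substitute the concrete hostname the gateway actually contacts before trusting the result.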
The above-mentioned URLs are all whitelisted as per Protect -> Web -> Exceptions and tested via Diagnostics -> Policy Test.
There is a firewall rule allowing, all the time, traffic from source zone LAN with source network and devices set to the IP address of ZTNA-Gateway
to destination zone WAN, destination network any, with services HTTPS.
My ZTNA Gateway gets the desired IP address and MAC, the ZTNA Gateway is reachable via ping, and nslookup is fine, so DNS is working too.
But it doesn't show up in Central, so I can't approve the deployment.