Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=system-services-RED-troubleshoot

Troubleshoot RED issues

Troubleshoot issues in your RED setup.

RED device in offline mode doesn't connect to the firewall.

RED devices must update their time to complete the TLS handshake with the firewall but are unable to do so in the following scenarios:

  • They can't connect with the Sophos NTP server pool when they're in offline mode.
  • RED devices then try to establish an HTTPS connection to the firewall over port 4444 to synchronize with the firewall's time. The connection isn't established when the web admin console uses port 4444 and access from the WAN zone is turned off for HTTPS admin services on Administration > Device access.

Failure to synchronize their time can result in a TLS handshake failure due to an invalid certificate period.

Remedy

You can take one of the following actions:

  • Allow internet access for the RED to connect to the Sophos NTP server pool, which is as follows:

    • 0.sophos.pool.ntp.org
    • 1.sophos.pool.ntp.org
    • 2.sophos.pool.ntp.org
    • 3.sophos.pool.ntp.org

  • Go to Administration > Device access and add a Local service ACL exception rule as follows:

    1. Click Add.
    2. Enter a rule name.
    3. Set Source zone to WAN.
    4. Set Source network or host to the RED device's IP address.
    5. Set Destination host to the firewall's WAN port.
    6. Set Services to HTTPS.
    7. Set Action to Accept.
    8. Click Save.
You're unable to connect to the RED provisioning server.

Remedy

Check whether you can reach the RED service through telnet.

On the command line, type as follows:

telnet red.astaro.com 3400

If the result shows Connected to red.astaro.com, a high network load may be preventing you from registering with the provisioning server. Try registering later.

Inactive RED access points

After RED access points in a VLAN restart, Sophos Firewall shows them as Inactive.

Condition

You can configure SD-RED 20, SD-RED 60, and RED 15w as access points. If a RED access point is in a VLAN, and you restart it, Sophos Firewall may show it as Inactive. After 30 retries, the RED gets a LAN IP address from the DHCP server. The RED access point now shows as Active again.

Cause

DHCP option 234 isn't configured for the VLAN interface of the RED. After the RED restarts, it doesn't get an IP address on its VLAN interface.

Remedy

  1. Click Console in the list in the upper-right corner and type 4 for Device Console.

  2. Attach the DHCP option as follows:

    system dhcp dhcp-options binding add dhcpname <dhcp server name> optionname dhcp_magic_ip(234) value <interface ip address>

    Replace <dhcp server name> with your DHCP server's name in the RED access point VLAN. Replace <interface IP address> with the IP address you configured for the RED access point interface connected to the VLAN.

    Within a short time, the RED access point receives an IP address on the VLAN interface.

  3. To check your settings, use the following command:

    system dhcp dhcp-options binding show dhcpname <dhcp server name>

    Replace <dhcp server name> with your DHCP server's name in the RED access point VLAN.