
Copyright © 2024 Sophos Ltd

Troubleshooting Remote Ethernet Devices on Sophos Firewall

Sophos Firewall
FW3045: Troubleshooting Remote Ethernet Devices on Sophos Firewall

May 2024
Version: 20.0v2

© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.



In this chapter you will learn how to troubleshoot common issues with Remote Ethernet Devices on Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How to deploy a RED on Sophos Firewall

DURATION 5 minutes


Log Files

/log/csc.log

########## Package: red::reddevice
********** reddevice Read through ORM
MESSAGE Jul 24 05:54:21 [worker:40309]: {"request":{"method":"opcode","name":"readobject","version":"1.2","type":"json","length":99,"data":{"Entity":"reddevice","filter":[["type","=",["red_firewall_client","red_firewall_client_legacy"]]]}}}

/log/red.log

Fri Jul 24 05:25:25 2020 REDD INFO: server: (Re-)loading device configurations
Fri Jul 24 05:26:35 2020 REDD INFO: server: New connection from ##.###.###.# with ID A3400E########## (cipher ECDHE-RSA-AES256-GCM-SHA384), rev1
Reading REDv2 key from STDIN:
Reading REDv2 key from STDIN:
Fri Jul 24 05:27:34 2020 REDD INFO: Red devices: Connected: 1 Disconnected 0 Enabled: 1 Disabled: 0

There are two log files on the Sophos Firewall that should be checked when troubleshooting issues
with RED: /log/csc.log and /log/red.log.


Cannot Enable RED on Sophos Firewall 1

In this example RED cannot be enabled on the Sophos Firewall. The error indicates a problem
accessing the provisioning service on port 3400.


Cannot Enable RED on Sophos Firewall 2


/log/csc.log

* connect to 184.72.39.13 port 3400 failed: Connection timed out
* Failed to connect to red.astaro.com port 3400: Connection timed out
* Closing connection 0
Fri Jul 24 04:39:17 2020 REDD ERROR: Failed to register appliance on rps: Curl command to register appliance on rps failed with error 1792
REDD: Red::Backend->enable_feature_event failed; result 513
WARNING Jul 24 04:39:17 [apiInterface:17548]: action with nofail failed

This error can also be seen in the csc.log.
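The following is an added example, not part of the Sophos material: a Python scan of an exported copy of csc.log that pairs each failed registration with the curl connect error logged just before it. It assumes one log entry per line (the excerpt above wraps the REDD ERROR entry for display), and treating the error number as a raw wait status is an inference that the page does not state.

```python
import re

# curl's verbose failure line, as it appears in the csc.log excerpt on this page.
CONNECT_FAIL = re.compile(
    r"\* Failed to connect to (?P<host>\S+) port (?P<port>\d+): (?P<reason>.+)")
# REDD's registration error, which carries the timestamp and an error number.
REGISTER_FAIL = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) REDD ERROR: "
    r"Failed to register appliance on rps: .*failed with error (?P<code>\d+)")

# Lines from the excerpt above, with the wrapped REDD ERROR entry joined.
SAMPLE = """\
* connect to 184.72.39.13 port 3400 failed: Connection timed out
* Failed to connect to red.astaro.com port 3400: Connection timed out
* Closing connection 0
Fri Jul 24 04:39:17 2020 REDD ERROR: Failed to register appliance on rps: Curl command to register appliance on rps failed with error 1792
REDD: Red::Backend->enable_feature_event failed; result 513
"""


def provisioning_failures(log_text):
    """Return one record per failed registration, paired with the curl
    connect error logged just before it (if any)."""
    failures, last_connect = [], None
    for line in log_text.splitlines():
        hit = CONNECT_FAIL.search(line)
        if hit:
            last_connect = hit.groupdict()
            continue
        hit = REGISTER_FAIL.search(line)
        if hit:
            code = int(hit["code"])
            record = {"when": hit["when"], "code": code,
                      # Assumption, not stated on the page: the number is a raw
                      # wait status, so the curl exit code is code >> 8.
                      "curl_exit": code >> 8,
                      "host": None, "port": None, "reason": None}
            if last_connect:
                record.update(host=last_connect["host"],
                              port=int(last_connect["port"]),
                              reason=last_connect["reason"])
            failures.append(record)
            last_connect = None
    return failures


if __name__ == "__main__":
    for failure in provisioning_failures(SAMPLE):
        print(failure)
```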


Port TCP:3400 blocked

SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# telnet red.astaro.com 3400
Trying 184.72.39.13...
telnet: connect to address 184.72.39.13: Connection timed out

DNS cannot resolve red.astaro.com

SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# telnet red.astro.com 3400
telnet: red.astro.com: Name or service not known
red.astro.com: Unknown host

To troubleshoot this issue, you need to test the connectivity from the Sophos Firewall to the
provisioning server, red.astaro.com. This can be done from the Advanced Shell using telnet.

Run the command: telnet red.astaro.com 3400

If you see a ‘Connection timed out’ error, this indicates that something is blocking access to port 3400,
most likely an upstream router or gateway.

If you see a ‘Name or service not known’ error, this indicates there may be an issue with the DNS
configuration on the Sophos Firewall.


Cannot Enable RED on Sophos Firewall 3

In this example the Sophos Firewall DNS had been misconfigured. Once corrected, RED could be
enabled.


RED Cannot Connect 1

Here you can see a RED that is disconnected from the Sophos Firewall. Troubleshooting a RED that
cannot connect may require someone at the remote location, but we will start with the steps that can
be completed on the Sophos Firewall.


RED Cannot Connect 2

SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# service -S | grep red
red_client          RUNNING
red                 RUNNING
redis-av            RUNNING
redis-modified-     RUNNING
redis-original-     RUNNING
redis-quota         RUNNING
redis-resume-se     RUNNING
redis-resume-ti     RUNNING
redis-appcache      RUNNING

SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# service red:start -ds nosync

On the Advanced Shell, check that the RED services are running. If they are not, try to start them.


SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# ps | grep red_server
red_server.pl 23337 3012 root 21440 17400 S {red_server.pl} /usr/bin/perl /bin/red_server.pl
grep 24308 17027 root 21148 2736 S grep red_server

If the services are running, verify that the red_server process is running with the command ps | grep
red_server.


The next step is to perform a packet capture for traffic on port 3400 to see if the RED has been able to
reach the Sophos Firewall.



Complete these steps at the remote location of the RED

# telnet red.astaro.com 3400
# telnet <Sophos FIREWALL FQDN/IP ADDRESS> 3400

RED uses the following ports:
▪ TCP port 3400
▪ UDP port 3410

The next steps should be completed at the remote location of the RED.

Test that there is access to the provisioning server, red.astaro.com, and the Sophos Firewall on port
3400. If the RED configuration uses the hostname of the Sophos Firewall, be sure to use that in your
test to check that it can be resolved at the remote site.
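The telnet checks described above and in the earlier provisioning-server test can be scripted from a workstation at the remote site. This added example (not Sophos code) separates a DNS failure from a timed-out or refused connection on TCP port 3400. firewall.example.com is a placeholder for the hostname or IP address in the RED configuration.

```python
import socket
from enum import Enum


class Result(Enum):
    OPEN = "TCP connection established"
    DNS_FAILURE = "name did not resolve: check DNS at this site"
    TIMED_OUT = "no answer: something upstream is probably blocking the port"
    REFUSED = "host answered but nothing is listening on the port"
    UNREACHABLE = "network error before the connection could be made"


def probe(host, port=3400, timeout=5.0):
    """Resolve host, try one TCP connection, return (Result, ip_or_None)."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        # telnet reports this case as "Name or service not known".
        return Result.DNS_FAILURE, None
    ip = infos[0][4][0]
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return Result.OPEN, ip
    except (socket.timeout, TimeoutError):
        # telnet reports this case as "Connection timed out".
        return Result.TIMED_OUT, ip
    except ConnectionRefusedError:
        return Result.REFUSED, ip
    except OSError:
        return Result.UNREACHABLE, ip


def check_site(hosts, port=3400):
    """Probe every host; return {host: (Result, ip)}."""
    return {host: probe(host, port) for host in hosts}


if __name__ == "__main__":
    # firewall.example.com is a placeholder: use the hostname or IP address
    # from the RED configuration. UDP port 3410 is not covered by this TCP test.
    targets = ["red.astaro.com", "firewall.example.com"]
    for host, (result, ip) in check_site(targets).items():
        print(f"{host} ({ip or 'unresolved'}) tcp/3400: "
              f"{result.name} - {result.value}")
```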


SD-RED 20 and 60 Operating Guide
https://docs.sophos.com/nsg/sophos-red/quickstart/en-us/sophos-operating-instructions-sd-red-20-60.pdf

There is information in the operating guide for SD-RED 20 and 60 devices that covers the startup
process of the RED and what the lights and messages shown mean. This can be used to further
identify possible causes for being unable to connect.



RED Cannot Connect 3

In this example the issue was caused by port 3400 being blocked by the firewall at that site.


Chapter Review

Here are the three main things you learned in this chapter.

When troubleshooting RED issues, you should check the csc.log and red.log on Sophos Firewall.

Remote Ethernet Devices contact the provisioning server red.astaro.com using TCP port 3400.

The lights on the front of the RED can indicate where the connection is failing. These can be looked up
on the Sophos website.
