Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 27 subscribers
  • Views 2095 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG 310 dropping connections from Unifi Access Points

strategytrainer

About a year ago we swapped firewalls from Meraki to Sophos XG.  Since we made this change we have had frequent email alerts generated since some of the Unifi access points are not able to properly communicate with the controller which is located in the cloud (AWS). The access points eventually reconnect to the cloud controller. We have a mix of Unifi AP HD, Unifi AP-LR, and Unifi AP-AC Mesh

The Access points are still online as I can ping them and can log into them using ssh.  This issue started right away with one of our locations when we swapped out but recently a couple other locations are now doing the same thing even though before we didn't have this issue after we swapped firewalls.

I have tried several different things to fully resolve this:

1. Created a firewall rule to allow traffic from the access points to the URL of the cloud controller.

2. Created an exception to IPS for SID 40145 and applied to firewall rule created above.  https://community.ui.com/questions/L3-Adoption-issues-Server-Reject/f0272c12-21bf-45e1-ad1a-d21e237248cd

3. Removed several access points from the controller and factory reset the access point. Then re-adopt the access point through SSH using the set-inform option. This works for a while but eventually the access point will start doing the same thing

4. Bypassed stateful inspection from the Access Point network to the IP address of the cloud controller as well as bypassed stateful inspection from the cloud controller to the network with the access points - This actually made things worse as all access points were showing as offline on the controller after I made this change, so I deleted both of these and the access points came back.

Has anyone else run into this issue with Sophos XG and Unifi equipment? Usually I will see two or maybe three devices at a time show offline but they will eventually reconnect.

For this firewall, I am running 18 MR3 but will update to 18 MR4 soon.



This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    which ports have you allwed out, my Unifi devices use 8080 and don't use SL/TLS (DPI) on the rule.

    Ian

  • 0 in reply to rfcat_vk

    Yes 8080 is allowed out. Originally I didn't have DPI enabled on the rule but had the same issue. I'll remove the DPI portion again.

  • 0 in reply to strategytrainer

    Hi,

    further looking at my rules shows 5514, STUN, ICMP, 10001 required to talk to the controller.

    Ian

  • 0 in reply to rfcat_vk

    Yes all the required ports are allowed. for troubleshooting I have any from LAN to WAN going to our controller URL allowed with any protocol.

    The access points connect, just some can't connect for a period of time, then can magically reconnect.  For the sites affected, I usually have two or three devices not connecting at a time. I have around 20 access points per site.

  • 0 in reply to strategytrainer

    Hi,

    what do see in logviewer if you refine the search to one of the failing APs IP address?

    Ian

  • 0 in reply to rfcat_vk

    This is what I am seeing now for one of the disconected APs.

    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="148" fw_rule_id="9" nat_rule_id="2" policy_type="1" user="SOURCEIPADDRESS" user_group="Clientless Open Group" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="Port1" in_display_interface="Port1" out_interface="Port2" out_display_interface="WANPORT" src_mac="MACADDRESS" dst_mac="MACADDRESS" src_ip="SOURCEIPADDRESS" src_country="R1" dst_ip="DESTIPADDRESS" dst_country="USA" protocol="TCP" src_port="43484" dst_port="8080" packets_sent="5" packets_received="0" bytes_sent="300" bytes_received="0" src_trans_ip="TRANSLATIONIP" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="3797764288" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    So it is being allowed and I currently not seeing any denied messages from that source IP but the controller is showing that is is offline now.

Reply
  • 0 in reply to rfcat_vk

    This is what I am seeing now for one of the disconected APs.

    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="148" fw_rule_id="9" nat_rule_id="2" policy_type="1" user="SOURCEIPADDRESS" user_group="Clientless Open Group" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="Port1" in_display_interface="Port1" out_interface="Port2" out_display_interface="WANPORT" src_mac="MACADDRESS" dst_mac="MACADDRESS" src_ip="SOURCEIPADDRESS" src_country="R1" dst_ip="DESTIPADDRESS" dst_country="USA" protocol="TCP" src_port="43484" dst_port="8080" packets_sent="5" packets_received="0" bytes_sent="300" bytes_received="0" src_trans_ip="TRANSLATIONIP" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="3797764288" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    So it is being allowed and I currently not seeing any denied messages from that source IP but the controller is showing that is is offline now.

Children