Module Subscription blocked all WAF services

Hello,

Yesterday I encountered a problem where the mail server could not be reached either internally or externally. The server itself was fine, but Outlook couldn't establish a connection and the OWA page could not be reached. After several hours of investigation I found out that several Sophos XG modules were in status "deactivated" (including web server protection). I don't know why. Expiration date is in 2023.

After 2 or 3 tries on "synchronize" everything went back to normal without any configuration change.

Question:

- How can this happen? 100 colleagues couldn't get any mails for 3 hours.
- How can I prevent this in the future?
- Is it possible for the administrator to get a message if this happens again (could find any in the settings)?

Best Regards

Janek



  • Hi, thank you for reaching out to the Sophos community team. Based on the provided information, the license was in deactivated status. To check why it was deactivated, you may check licensing.log and, based on the error observed, you may confirm more to prevent it further in the future.

    Sophos Firewall: Logfile details

    support.sophos.com/.../KB-000038142

  • The license deactivates after 90 days without communication to the licensing backend servers. https://support.sophos.com/support/s/article/KB-000036879?language=en_US

    You should check the licensing.log to see if you find the reason.

  • Hello all, I checked the log:

    As you see, until 14:02:31 the hostname couldn't be resolved

    But at 14:06 (without any changes at any system at all) it worked.


    ERROR     Aug 24 14:02:31 [4154033216]: curl_easy_perform(6) failed: Couldn't resolve host name
    ERROR     Aug 24 14:02:31 [4154033216]: licensing_do_licensecheck() : send post failed.
    INFO      Aug 24 14:06:01 [4153324608]: --requestType = 2
    INFO      Aug 24 14:06:01 [4153324608]: --lastCheckCode = 557a799a-4f0c-xxxxxxxxxxx
    INFO      Aug 24 14:06:01 [4153324608]: --cert = /content/licensing/lic_csr.pem
    INFO      Aug 24 14:06:01 [4153324608]: --token = Token-Id:C2xxxxxxxxxxxxx
    INFO      Aug 24 14:06:01 [4153324608]: --key = /content/licensing/lic_csr.key
    INFO      Aug 24 14:06:01 [4153324608]: URL : eu-prod-utm.soa.sophos.com/.../license
    INFO      Aug 24 14:06:08 [4153324608]: response : {"errorCode":"ITSERVICELAYER_CLIENT_AUTHENTICATION_ERROR", "message":"IIS error: HTTP 403.0 - Forbidden", "statusCode": 403}
    ERROR     Aug 24 14:06:08 [4153324608]: license_check failed : IIS error: HTTP 403.0 - Forbidden
    ERROR     Aug 24 14:06:08 [4153324608]: licensing_do_licensecheck() :parsing response failed...
    ####################################################
    generate certificate signing request (CSR)  Tue Aug 24 14:06:09 BST 2021


    Tue Aug 24 14:06:10 BST 2021 certificate signing request generated with status :: 0


    ####################################################

    Fine, 

    but yesterday:

    INFO      Aug 25 11:08:58 [4153721920]: --requestType = 2
    INFO      Aug 25 11:08:58 [4153721920]: --lastCheckCode = a100b7e6-5037-xxxxxxxxxx
    INFO      Aug 25 11:08:58 [4153721920]: --cert = /content/licensing/lic_csr.pem
    INFO      Aug 25 11:08:58 [4153721920]: --token = Token-Id:Cxxxxxxxxxx
    INFO      Aug 25 11:08:58 [4153721920]: --key = /content/licensing/lic_csr.key
    INFO      Aug 25 11:08:58 [4153721920]: URL : eu-prod-utm.soa.sophos.com/.../license
    ERROR     Aug 25 11:09:08 [4153721920]: curl_easy_perform(6) failed: Couldn't resolve host name
    ERROR     Aug 25 11:09:08 [4153721920]: licensing_do_licensecheck() : send post failed.

    Same again. OK, the problem is that the hostname cannot be resolved. But it worked when I did it manually.

    Maybe it's DNS (because it's always DNS). Currently I have set up DNS 1 and 2 internal and DNS 3 127.0.0.1. Should I change it?

  • Hi LuCar Toni,

    that's what I wrote in my last sentence. What is best practice here for Sophos DNS settings?
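On the question of getting a message when the license check fails: the sketch below is an added example, not code from any poster or from Sophos. It scans an exported copy of licensing.log for failed checks and builds a one-line summary an administrator could be sent. The line layout is inferred only from the excerpts posted above; the function names and cause labels are assumptions made for this example.

```python
import re
from collections import Counter

# Layout inferred from the excerpts in this thread: LEVEL, date, [thread id], message.
LINE_RE = re.compile(r"^\s*(ERROR|INFO)\s+(\w{3} +\d+ \d\d:\d\d:\d\d) \[(\d+)\]: (.*)$")

# Message substrings seen in the thread, mapped to labels made up for this example.
CAUSES = [("Couldn't resolve host name", "dns_resolution_failed"),
          ("HTTP 403", "backend_rejected_403")]

def failed_checks(lines):
    """Return one (timestamp, cause) tuple per failed license check."""
    pending = {}   # thread id -> cause seen earlier in the same attempt
    failures = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(1) != "ERROR":
            continue  # INFO lines and the CSR banner are not failures
        _, ts, tid, msg = m.groups()
        if "licensing_do_licensecheck()" in msg:
            # In the excerpts, this line closes every failed attempt.
            failures.append((ts, pending.pop(tid, "unknown")))
        else:
            for text, label in CAUSES:
                if text in msg:
                    pending[tid] = label
    return failures

def alert_text(failures):
    """Build a one-line summary, or None when every check succeeded."""
    if not failures:
        return None
    counts = Counter(cause for _, cause in failures)
    detail = ", ".join(f"{n}x {c}" for c, n in sorted(counts.items()))
    return f"{len(failures)} failed license check(s), last at {failures[-1][0]}: {detail}"

# Sample input: a subset of the log lines posted in this thread.
SAMPLE = """\
ERROR     Aug 24 14:02:31 [4154033216]: curl_easy_perform(6) failed: Couldn't resolve host name
ERROR     Aug 24 14:02:31 [4154033216]: licensing_do_licensecheck() : send post failed.
INFO      Aug 24 14:06:01 [4153324608]: --requestType = 2
ERROR     Aug 24 14:06:08 [4153324608]: license_check failed : IIS error: HTTP 403.0 - Forbidden
ERROR     Aug 24 14:06:08 [4153324608]: licensing_do_licensecheck() :parsing response failed...
generate certificate signing request (CSR)  Tue Aug 24 14:06:09 BST 2021
ERROR     Aug 25 11:09:08 [4153721920]: curl_easy_perform(6) failed: Couldn't resolve host name
ERROR     Aug 25 11:09:08 [4153721920]: licensing_do_licensecheck() : send post failed.
"""

if __name__ == "__main__":
    print(alert_text(failed_checks(SAMPLE.splitlines())))
```

Separating the DNS failures from the 403 response matters here because they point at different fixes: the first at the firewall's resolver settings, the second at the licensing backend.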