What does the message in the post mean?

There should be an alert in Central itself. Check the Central console about the appliance affected. 

Basically this means, one of your firewall has an old version running, which will be not supported due the EOL Announcement earlier this year: see: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/end-of-life-eol-announcement-for-sophos-xg-firewall-os-firmware-v17-5

Hi,

the error message does not make sense, I only have one firewall registered in CM and that is running the latest version of XG. Yes, I checked that article. CM continually shows an expired licence and has done for sometime.

Ian

Interesting. Did you rejoin Central in the last months or is it one connection for ages? Because the certificate needs to be renewed and this error should only pop up, if this process failed or cannot be done. 
So to fix this, you could rejoin Central Management, it should generate a new certificate and everything should be fine. 

Hi,

the expired licences are for a trial that ended in Nov 2019.

The error message has to do with heartbeat intermediate CA having expired. I don't have heartbeat licence but it gets activated when using CM as a management tool. Not even sure where the CA lives?

Ian

I am talking about the CA. This is a backend certificate, which is not shown on the appliance. It does not have any relationship to any license. 

If it does not have anything to do with a licence or a software version, how do I update it?
ian

Try a rejoin to Central. Simply deregister the firewall. Wait for one minute and rejoin with Central Credentials. This will create a new Certificate for your firewall. 

I have removed the XG from the CM twice. The second time I waited 30 minutes before reregistering the XG and still receive a notification in CM about the failure of the auto update process.

ian

Seems to be something wrong on your appliance. Check the /log/ for the applied Central Logs (https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Logs/LogFileDetails/index.html#database ) 

Then check for indications of the renew process. 

I will check, the service is showing dead in the GUI.

Maybe a restart might shake it up a bit. I will try when I have exclusive access.

Ian

I will check, the service is showing dead in the GUI.

Maybe a restart might shake it up a bit. I will try when I have exclusive access.

Ian

I restarted the XG, no change but GUI performance is very slow. I had not made any changes to the configuration recently, so which one of the automatic updates has upset my XG?

Ian

Great, I rolled back to the previous version of V18.5.1 and broke the CM registration. Tried to reregister and that failed. Also the heartbeat service is still broken. Rolled forward and the registration restored automatically and heartbeat is still broken.

Also the GUI is not updating correctly or quickly, so which of the firmware updates broke my XG.

Looks like I might need to rebuild the XG, what a pain. Not happy.

Ian

Update:- 5 minutes after rollback the CM registration failed.

How old is your installation? Check the logs. 

The current version had been up for over 50 days before yesterday's restart.

Ian

I mean the history of this appliance. 

The hardware is about 5 years old. The logs don't show much in the way of useful details.

Hey Ian,

Could you share the access-ID via DM so that I can take a look at the appliance logs and see what's happening there?

Hi DeveshhM,

I will via a PM. I am in the middle of building a replacement int with all new hardware and use the latest ISO. I will be building all the configuration using exported components from the current XG and usng  different network setup.

Pease let me know when you have finished your examination and if you want me to wait before implementing then new XG?

Ian

Hi,

the new build is a failure from my attempt to use a 10gb/s chip. So I need to find a 10gb/s compatible chip for the XG.

ian