SFM - I built one

My SFM cannot see my XG even thought the test conenction is successful. I have the XG registered in my DYDNS account and this is shown as being conected and up todate.

The SFM runs as a VM client behind a UTM.

Last registered date is the 14th of march 2016, today being the 20th Mar 2016.

What has happened since

1/. the XG was restarted

2/. UTM was upgraded to 9.400-9

3/. the UTM was restarted a number of times while trying to resolve an issue with the AP10.

Any ideas as to how to make the SFM see the XG?

• SFM device page (System Management --> Device Settings --> Managed Device --> Devices)  screenshot
• XG device Central management page (System --> Administration--> Central Management) screenshot
• XG  Admin Console HTTPS Port value (System --> Administration --> Setting Page)  ____  ?
• XG device Serial Number _____?
  

Regards,

Ravi

Hi Ian,

From the  screenshot of SFM and XG ,we are able to derive that configuration part is correct.

As per tcpdump screenshot of XG, there is communication issue between XG device and SFM. Packets from XG is getting out from XG but packets are not coming from SFM side to XG device.

Please check NAT rule of UTM 9 device for 6514 port.Have you configure the NAT rule in UTM  with Full NAT option (Source + Destination) ?

Ravi

After the upgrade completed I am still receiving failed to send messages in the log?

what is required to make this work?

Hi Ravi,

I have been working interstate, that is why the response is a little delayed.

I didn't setup a full NAT on the UTM 9.4. I treated this the same way as I treat the SUM access using specific ports. I will change the SFM nat and advise the results.

Hi Ravi,

I have changed the NAT to a full src/dest NAT. Now the UTM 9.4 shows white log lines of SyN packets only. The SFM does not show the XG.

Please advise further.

Hi Ian,

Please generate ticket in Sophos support by emailing your issue at support@sophos.com to troubleshoot issue further.

Ravi

Hi Ravi,

thank you for the suggestion, but as home user I am not allowed to do that.

2500.Port Communication.docx

Hi Ian,

I am sending you document of  port communication required between XG and SFM when XG is behind NAT.Hope it will help you.

Ravi

Hi Ravi,

thank you for the document. Too late to try it out to night, so will try tomorrow night.

Hi Ravi,

the XG interfaces the internet directly. The packets are arriving at the UTM 9.4 and being translated by the NAT rule and show as white.  There aren't any logs about the SFM in the SFM to assist with the debugging. There are logs about the devices being monitored which are of not much use when debugging SFM connections. The SFM can test access to the XG successfully.

I have tried using 443 and 6514 as the connection port, but neither worked.

Ian,

I do not know if SFM has tcpdump command, but I would like to know if you can share a TCPDUMP output from it and see what is happening!

Thanks.

Ian,

I do not know if SFM has tcpdump command, but I would like to know if you can share a TCPDUMP output from it and see what is happening!

Thanks.

Hi folks,

following some prompting from Luk I did a detailed investigation of my SFM.

1/. VM tools not running or not supported. eventually changed state to unsupported

2/. Reason why my XG originally registered was I had two interfaces operational.

3/. after registration I disabled the 2nd interface on the UTM even though the selected interface had the correct gateway it still goes out the initial interface (confused so you should be)

4/. Unable to edit the VM to remove an interface, fails. can change interface but not delete

5/. the SFM does its own NAT between interfaces which I cannot find a way of disabling.

6/. cannot delete interfaces or disable interfaces in the SFM and all must have IP addresses assigned.

7/. no logging of the SFM,the only way to see what is happening is through the console and tcpdump.

8/. vmtools not being supported means no control of the vmguest from the Vconsole. The SFM never shutsdown found away to trick,, suspend then power  off.

I will re-address some of the interfaces and see if that makes the SFM receive traffic. no affect

My real world experience so far.

edit - added extra information

Ian,

you article make me cry! This is strange that soon I will move to XG and SFM and the product is not ready yet. The trueth is that you are trying it with no support and not enough documentation online. Even on the Sophos Partner Portal, there is no SFM course yet and the SFM product is never touched inside XG Architect course.

My hopeness is to see many improvements on XG v16 and better documentation of SFM. I tried SFM at home on Vmware Workstation and it looks great and finally a  really product for MSP to manage XGs.

Hope you will receive better support from community or maybe some clarifications from whom has already tried the product. I am sure that someone is using XG in production already but maybe they do not even know that this community exist.

May Sachin or other Sophos's staff will reply and help you. For a while I am not able to test the XG and SFM together across internet, otherwise I had already shared my experience.

This report might not seem logical to which I agree.

1/. the UTM cannot see the SFM, tracert show no result, could be becasue there is no real network configuration functions in the SFM to allow for ping or other network debugging tools

2/. the SFM can be accessed from the same LAN as the SUM and other devices are connected to.

3/. I have swapped interface addresses and connections in the VM

4/. the SFM can access the internet and download updates

So, conclusion is there is some sort of firewall in the SFM which I cannot access or disable.

Hi folks,

Luk spent a number of hours late last night my time investigating the issues I am having with SFM. Thank you Luk.

Conclusion - XG Mr2 and SFM do not work together. Mind you the issue I had started before I upgraded to MR2.

Luk has started another thread asking for updates to SFM.

I will close this thread, disable central management on my XG and powerdown the SFM.