Problems setting up new APX

Hi,

We have a serious issue with a new AP we just received. The AP in question is the APX530. It's hooked up to a port on our Cisco switch which is a VLAN Trunk-type port, able to connect to all of our VLANs (more on this later), with the standard VLAN 1 as default.

Initially the AP grabs an IP from our main DHCP on VLAN 1 (this DHCP is our own, not the UTM's) and chimes in as an unauthorized AP. When adding it, I specify that it needs to operate on VLAN 11 (which is where our other APs already work). This is where the trouble starts. After setting this, the last thing I see in the logs is:

2022:10:18-09:54:17 firewall awed[27105]: [P120082JG9XB4E8] APX530 from 10.150.4.84:53916 identified as P120082JG9XB4E8
2022:10:18-09:54:17 firewall awed[27105]: [P120082JG9XB4E8] (Re-)loaded identity and/or configuration
2022:10:18-09:54:18 firewall awed[27105]: [P120082JG9XB4E8] ll_read: short read or connection error:
2022:10:18-09:54:18 firewall awed[27105]: [P120082JG9XB4E8] disconnected. Close socket and kill process.

It seems like the AP has issues switching to a different VLAN - it SHOULD grab a new IP (this time from the UTM), but it never does. Our other Sophos AP on lease works fine on the same switch port, so it seems to be something with the AP itself.

Any suggestions what the issue might be?



  • Hello,

    Thank you for reaching out to the community. The error may indicate a handful of problems:

    1) A power injector issue, if used
    2) A switch PoE issue, if used
    3) Defective cable
    4) AP hardware issue

    In order to rule out the first points, please try to:

    1) Use a different power injector
    2) Connect the AP to a different switch, or use a power injector
    3) Use a different cable

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • FYI: Another AP has been used on the same port using the same power injector. Granted, it was a "lesser" device (AP55), but still.

    1) If the AP starts up and chimes in correctly at the start can it really be a power issue? Additionally another Sophos AP on this PoE injector worked correctly.
    2) N/A
    3) If another AP on the same port (using the same cable) works, can this be a cable issue?
    4) Quite possibly? Any other logs?

    I can also add that if I did not set up the VLAN on the AP then it registered correctly and I assume I would be able to set up new WiFi networks then. Unfortunately we need the VLAN configuration...

  • Have you tried a VLAN config by connecting the cable from the UTM VLAN interface directly to the access point, without a switch in between?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • No, and quite frankly I don't think I can without being very disruptive to everyone at work. Plus I'm not sure what that rules out. If you're suggesting the issue is with the Cisco switch in the middle then my counter is that another AP (AP55) worked in that exact same spot previously without issues (same config). Also of note - we have one OTHER Sophos AP on another port on the same switch with the same configuration and the same model of PoE injector working just fine.

    If the AP needs more power than AP55 and APX320 (which is our other Sophos AP) then it could very well be the PoE brick. However it's worth noting that I've also tried to just assign the new AP to a VLAN without assigning any WiFi networks...

  • So, does the AP get the IP address from the DHCP? And is there any registration issue for the AP?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • Initially, yes. It was able to grab an IP from our own DHCP without issues. At that point the AP shows up as an unauthorized device in the UTM web interface.

    Following that I was able to authorize it without setting any networks and changing the VLAN config.

    After changing the VLAN config in UTM web interface the device appears to go through the re-config process but fails with the error provided in the original post, and from that moment it's "gone". It never receives a new IP from the new VLAN (DHCP for VLAN 11 is handled by the UTM itself).

  • And is the DHCP server configured on UTM 9 or on Windows?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • DHCP on VLAN 1 is a Windows Server DHCP. DHCP on VLAN 11 is on UTM.

  • Did you already try enabling AP-Vlan-Tagging and setting AP-Vlan at AP-Level and AP-Group-Level?

    Also, I would try to set VLAN1 as Tagged VLAN at the switch-port while the AP is "lost".


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • The AP-VLAN-Tagging is the setting that seems to "break" the AP. I've also tried setting VLAN 1 as tagged when it's lost.



    The problem isn't with AP registration. As stated, if I don't switch the VLAN, I can register the AP. Unfortunately we need VLAN tagging for everything to work, and that's where the device fails.

    EDIT:

    Correction. Even without setting a different VLAN it seems the AP fails to register. It only briefly shows up as a valid "unassigned" AP in the UTM's AP list; after refreshing, the AP shows as inactive with a warning triangle. Otherwise it keeps throwing the same messages in the Wireless log every 2 minutes:

    2022:10:18-12:21:50 firewall awed[20335]: [P120082JG9XB4E8] APX530 from 10.150.4.96:42249 identified as P120082JG9XB4E8 
    2022:10:18-12:21:50 firewall awed[20335]: [P120082JG9XB4E8] (Re-)loaded identity and/or configuration
    2022:10:18-12:21:51 firewall awed[20335]: [P120082JG9XB4E8] ll_read: short read or connection error:
    2022:10:18-12:21:51 firewall awed[20335]: [P120082JG9XB4E8] disconnected. Close socket and kill process.

  • Even if you didn't assign the AP to a group or enable VLAN at the AP ... you will never see the AP as connected?
    (if the AP connects without VLAN, the AP may get a new firmware and would connect later without problems)


    Dirk


  • As stated - no. It'll keep cycling with the error message provided in the original question, and will never really appear as "unassigned" (i.e. registered and ready for further config).

  • Well, this is awkward. I scheduled the latest UTM patch installation yesterday and that took place last night. Today I found the new APX active and waiting to be used like it should.

    Either the new UTM patch had an undocumented fix (I saw nothing related in the patch notes) or a UTM reboot helped. If someone else has a similar issue in the future - a reboot doesn't hurt and could very well solve the issue. ;)
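
Added example (not part of the thread and not Sophos code): a short Python script that scans wireless log lines in the layout quoted above for the loop described in the thread, where an AP is identified and then disconnected about a second later, repeatedly. The regex follows only the line layout visible in the quoted lines; the function name, the thresholds and the AP marked as constructed are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout as quoted in the thread: "<ts> <host> awed[<pid>]: [<AP serial>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) \S+ awed\[\d+\]: "
    r"\[(?P<ap>[^\]]+)\] (?P<msg>.*)$"
)

# First eight lines are the ones quoted in the thread; the last two are a
# constructed AP (made-up serial and IP) that stays connected for an hour.
SAMPLE = """\
2022:10:18-09:54:17 firewall awed[27105]: [P120082JG9XB4E8] APX530 from 10.150.4.84:53916 identified as P120082JG9XB4E8
2022:10:18-09:54:17 firewall awed[27105]: [P120082JG9XB4E8] (Re-)loaded identity and/or configuration
2022:10:18-09:54:18 firewall awed[27105]: [P120082JG9XB4E8] ll_read: short read or connection error:
2022:10:18-09:54:18 firewall awed[27105]: [P120082JG9XB4E8] disconnected. Close socket and kill process.
2022:10:18-12:21:50 firewall awed[20335]: [P120082JG9XB4E8] APX530 from 10.150.4.96:42249 identified as P120082JG9XB4E8
2022:10:18-12:21:50 firewall awed[20335]: [P120082JG9XB4E8] (Re-)loaded identity and/or configuration
2022:10:18-12:21:51 firewall awed[20335]: [P120082JG9XB4E8] ll_read: short read or connection error:
2022:10:18-12:21:51 firewall awed[20335]: [P120082JG9XB4E8] disconnected. Close socket and kill process.
2022:10:18-08:00:00 firewall awed[11111]: [CONSTRUCTED0001] AP55 from 192.0.2.10:40000 identified as CONSTRUCTED0001
2022:10:18-09:00:00 firewall awed[11111]: [CONSTRUCTED0001] disconnected. Close socket and kill process.
"""

def find_flapping_aps(lines, max_session_seconds=5, min_cycles=2):
    """Return {serial: [(identified_at, disconnected_at), ...]} for APs that
    repeatedly identify and then drop within max_session_seconds."""
    opened = {}                 # serial -> time of the last "identified as" line
    cycles = defaultdict(list)  # serial -> short identify/disconnect sessions
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # not an awed line in the quoted layout
        ts = datetime.strptime(m["ts"], "%Y:%m:%d-%H:%M:%S")
        ap, msg = m["ap"], m["msg"]
        if " identified as " in msg:
            opened[ap] = ts
        elif msg.startswith("disconnected") and ap in opened:
            start = opened.pop(ap)
            if (ts - start).total_seconds() <= max_session_seconds:
                cycles[ap].append((start, ts))
    return {ap: c for ap, c in cycles.items() if len(c) >= min_cycles}

if __name__ == "__main__":
    for ap, found in find_flapping_aps(SAMPLE.splitlines()).items():
        print(f"{ap}: {len(found)} short identify/disconnect cycles, first at {found[0][0]}")
```
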