Avanet

Setting Up and Troubleshooting Sophos SD-RED

A Sophos SD-RED can be used to connect remote offices, branches, or smaller home office locations to a Sophos Firewall. The RED establishes an encrypted tunnel to the firewall and provides a network at the remote location that is centrally managed through the firewall.

The practical advantage: On-site, there is usually no need for complex VPN configuration. The SD-RED connects to the internet, downloads its configuration via the Sophos RED Provisioning Service, and then establishes the tunnel to the Sophos Firewall. However, the tunnel alone does not solve everything. Zones, firewall rules, DHCP, VLANs, routing, DNS, and firmware status must also be correct.

Context: SD-RED, RED Tunnel, and SFOS 22

In new projects, it is important to clearly distinguish between current SD-RED locations and old site-to-site RED configurations. Legacy RED server/client configurations are not supported in SFOS 22.0 and newer. Such legacy configurations should be reviewed and migrated before an upgrade.

For current SD-RED devices, RED remains a relevant site topic. With SFOS 21.5, higher scalability for SD-RED and site-to-site RED tunnels was documented. For admins, this means: New locations should be planned cleanly with the current SD-RED logic, while old legacy RED tunnels must be consciously reviewed before SFOS-22 upgrades.

Requirements at the Main Site

Before connecting the RED, the following points should be clear on the Sophos Firewall:

  • RED Service is enabled on the firewall.
  • Public IP address or DNS/DynDNS name of the firewall is reachable.
  • RED connections to the firewall are allowed on the WAN side.
  • RED is allowed under Administration > Device access for the appropriate WAN zone or specifically allowed via Local Service ACL.
  • RED interface, zone, and IP configuration are planned.
  • Firewall rules from the RED network to the target networks are provided.
  • DHCP, DHCP Relay, or static addressing for clients behind the RED is clarified.
  • RED Firmware Pattern on the firewall is up to date.
  • Backup and firmware status of the firewall are documented before major changes.

For RED communication, TCP 3400, UDP 3410, and NTP 123 are particularly relevant. These connections must not be blocked by provider routers, upstream firewalls, or security gateways.

Requirements at the Remote Site

At the remote site, the SD-RED needs a stable internet connection. Not only bandwidth is crucial, but especially stability, latency, packet loss, and whether the provider allows the required connections.

Check:

  • Internet connection is stable.
  • WAN port of the RED receives an address via DHCP or has a correct static configuration.
  • Default gateway is reachable.
  • DNS works.
  • NTP is reachable.
  • TCP 3400, UDP 3410, and NTP 123 are not blocked.
  • Provider router or upstream firewall does not perform unexpected filtering.
  • For VLANs, it is clear which port operates as tagged, untagged, or hybrid.

For simple locations, a small connection is often sufficient. In practice, however, packet loss, unstable consumer routers, CGNAT, DNS issues, or restrictive provider firewalls are more often the cause than pure bandwidth.
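The remote-site checks above can be scripted from a test client plugged into the same provider router the RED will use. The following is an added example (not Sophos or Avanet code) that checks the items a RED needs before it can even attempt a tunnel: DNS resolution of the firewall address, NTP on UDP 123 (a minimal SNTP exchange), and a TCP handshake to port 3400. UDP 3410 is not testable from a client because nothing answers on it until a tunnel exists, so it is only reported as such. `FIREWALL_FQDN` is a placeholder to replace with your own firewall address; `pool.ntp.org` stands in for whatever NTP server the site uses.

```python
"""Remote-site pre-flight check for a Sophos SD-RED (added example, not
Sophos or Avanet code). Run from a test client behind the provider router.
FIREWALL_FQDN is a placeholder; replace it with the firewall's public FQDN."""
import socket
import struct

FIREWALL_FQDN = "firewall.example.invalid"   # placeholder, not a real host
NTP_SERVER = "pool.ntp.org"                  # any NTP server the RED would use
RED_TCP_PORT = 3400                          # RED control channel
RED_UDP_PORT = 3410                          # RED data channel (not testable here)
NTP_EPOCH_OFFSET = 2208988800                # seconds between 1900 and 1970


def resolve(name):
    """Return the first IPv4 address for name, or None if DNS fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_sntp_request():
    """48-byte SNTP client request: LI=0, version 4, mode 3 (client)."""
    packet = bytearray(48)
    packet[0] = (0 << 6) | (4 << 3) | 3   # first byte 0x23
    return bytes(packet)


def parse_sntp_reply(data):
    """Return the server's transmit time as a Unix timestamp, or None if
    the packet is not a valid mode-4 (server) reply."""
    if len(data) < 48:
        return None
    mode = data[0] & 0x07
    if mode != 4:
        return None
    seconds, fraction = struct.unpack("!II", data[40:48])
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def ntp_reachable(host, timeout=3.0):
    """Send one SNTP request over UDP 123; return server time or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_sntp_request(), (host, 123))
            data, _ = sock.recvfrom(64)
        except OSError:
            return None
    return parse_sntp_reply(data)


def preflight(firewall_fqdn=FIREWALL_FQDN, ntp_server=NTP_SERVER):
    """Run all checks; False/None values mean the RED will not get past
    the corresponding LED step at this site."""
    fw_ip = resolve(firewall_fqdn)
    return {
        "dns": fw_ip is not None,
        "firewall_ip": fw_ip,
        "tcp_3400": tcp_reachable(fw_ip, RED_TCP_PORT) if fw_ip else False,
        f"udp_{RED_UDP_PORT}": "not testable without an established tunnel",
        "ntp_123": ntp_reachable(ntp_server) is not None,
    }


if __name__ == "__main__":
    for key, value in preflight().items():
        print(f"{key:14} {value}")
```

A failed `dns` or `ntp_123` result points at the provider router or its DNS, a failed `tcp_3400` with working DNS points at an upstream filter, NAT, or the firewall's Device access settings.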

Sophos SD-RED 20 with status LEDs on the front
The LEDs of the SD-RED indicate boot status, router connection, internet connection, and tunnel status.

Connecting the SD-RED

Typical procedure:

  1. Connect the WAN port of the SD-RED to the provider router or modem.
  2. Connect the LAN port to a test client, switch, or local network.
  3. Power the SD-RED.
  4. Wait for the RED to start, check the gateway and internet, load the configuration, and establish the tunnel.
  5. Check on the Sophos Firewall if the RED interface is active.
  6. Connect a test client behind the RED and check IP, DNS, gateway, and target access.

If all relevant LEDs are green, the technical tunnel is established. Then the actual network check begins: zone, DHCP, firewall rules, return routing, DNS, and VLANs if needed.

Understanding LED Status

The status LEDs are often the quickest entry point for RED troubleshooting, as they indicate where the startup process is stuck.

Legend:

  • ⚫ off
  • 🟢 solid green
  • 🟢 blinking green (shown as "🟢 blinking" in the tables below)
  • 🔴 solid red
  • 🔴 blinking red (shown as "🔴 blinking" in the tables below)

Depending on the viewing angle, photo, or ambient light, an LED may appear yellowish or orange. For diagnosis, what matters is which LED is on or blinking and whether it is green or red.

Normal Boot Process

System | Router | Internet | Tunnel | Meaning
🟢 blinking | ⚫ | ⚫ | ⚫ | SD-RED is starting.
🟢 | ⚫ | ⚫ | ⚫ | Boot process completed.
🟢 | 🟢 blinking | ⚫ | ⚫ | Connection to gateway or router is being established.
🟢 | 🟢 | ⚫ | ⚫ | Default gateway is reachable.
🟢 | 🟢 | 🟢 blinking | ⚫ | Internet connection is being checked.
🟢 | 🟢 | 🟢 | ⚫ | Internet connection is established.
🟢 | 🟢 | 🟢 | 🟢 blinking | Tunnel to Sophos Firewall is being established.
🟢 | 🟢 | 🟢 | 🟢 | Tunnel to Sophos Firewall is established.
🟢 blinking | 🟢 blinking | 🟢 blinking | 🟢 blinking | Firmware is being installed. Do not turn off the device.

If all four LEDs are green but no traffic works, the problem is usually not with the tunnel setup. Then firewall rules, DHCP, VLANs, DNS, NAT, or routing are more likely.

Error Codes

System | Router | Internet | Tunnel | Meaning | Next Check
🔴 | ⚫ | ⚫ | ⚫ | DHCP or static IP configuration failed | DHCP, WAN cable, static IP, gateway
🔴 | 🟢 | ⚫ | ⚫ | Internet not reachable | DNS, NTP, provider, upstream firewall
🔴 | 🟢 | 🟢 | ⚫ | No connection to Sophos Firewall | RED Service, TCP 3400, UDP 3410, FQDN, Unlock Code
🔴 | 🟢 | 🟢 | 🟢 | No configuration received, or firmware problem | Provisioning, RED Firmware Pattern, Unlock Code, support case

3G/4G Failover

For SD-RED models with 3G/4G failover or corresponding module, additional patterns may occur.

System | Router | Internet | Tunnel | Meaning
🔴 blinking | 🟢 blinking | ⚫ | ⚫ | 3G/4G failover is active.
🔴 blinking | 🟢 | 🟢 blinking | ⚫ | Gateway reachable, internet connection is being established.
🔴 blinking | 🟢 | 🟢 | 🟢 blinking | Internet is up, tunnel is being established.
🔴 blinking | 🟢 blinking | 🟢 blinking | 🟢 blinking | Tunnel is up via failover connection.

Controlling Firmware Updates

If the LEDs blink together, the RED is currently installing firmware. During this phase, the device should not be turned off or disconnected from the internet. An update can take several minutes.

On the Sophos Firewall, you should also check:

Backup & firmware > Pattern updates

The RED Firmware Pattern must be up to date there. If a RED is stuck in a loop or does not start cleanly after a firewall update, an outdated RED Firmware Pattern is a sensible check.

A related operational request is described in Sophos Firewall Feature Request 2024: For RED and Access Point firmware updates, directly visible release notes are often missing in the backend. For productive environments, updates should therefore be planned consciously and not installed in an uncoordinated way during critical operating times.

Checking RED Interface, Zone, and Rules

After a successful tunnel setup, the RED needs a clean firewall configuration.

Typical checkpoints:

  • RED interface is active under Network > Interfaces.
  • Interface is in the correct zone.
  • DHCP Server or DHCP Relay is correctly set up.
  • Clients receive IP address, gateway, and DNS.
  • Firewall rules allow only the necessary targets.
  • Return routing to the RED network works.
  • NAT is only used if it is consciously planned.
  • VLAN configuration matches the RED mode and the switch port.

For rule basics, see Understanding and Configuring Sophos Firewall Rules. If the tunnel is up but traffic does not flow, you should combine Log Viewer and Packet Capture.

Upgrade and Migration Pitfalls

Check Legacy Site-to-Site RED Before SFOS 22

Before upgrading to SFOS 22 or newer, you should check if there are still legacy firewall RED server/client configurations. These legacy site-to-site RED configurations are not supported in SFOS 22.0 and newer.

Practically, this means:

  • Inventory RED and VPN configurations before the upgrade.
  • Identify legacy RED server/client configurations.
  • Plan migration to supported RED site-to-site or VPN variants.
  • After migration, check firewall rules, zones, routing, and DHCP.
  • Only perform the upgrade when site connections are tested.

For larger upgrade planning, see Properly Planning Sophos Firewall Firmware Updates.

RED System Hosts After SFOS 21.5 MR1

Since SFOS 21.5 MR1, RED system host objects receive the correct /32 subnet mask. If such automatically generated RED system objects were previously used in rules or other configurations for more than one host IP, traffic may match differently after the update.

After an upgrade, you should check:

  • Are RED system hosts used in firewall rules?
  • Does a rule mistakenly expect a network instead of a single host?
  • Do IP Host or Network Host objects need to be replaced?
  • Do rule matches in the Log Viewer still match?

Troubleshooting

RED Does Not Receive an IP Address

If the RED gets stuck at the router step or the error code points to DHCP or gateway, the cause is usually at the remote site.

Check:

  • Does the provider router issue an IP address via DHCP?
  • Is the network cable correctly plugged into the WAN port?
  • Is the default gateway reachable?
  • Was a static IP address fully entered?
  • Do IP address, subnet mask, gateway, and DNS match?
  • Does an upstream device block the traffic?

If DHCP does not work at the remote site, the RED can end up in a restart loop.

RED Does Not Reach the Internet

If the router or gateway is reachable but the internet LED does not turn solid green, the problem is usually behind the local router.

Check:

  • Does the internet connection work with a normal client?
  • Does DNS work?
  • Is NTP reachable?
  • Are TCP 3400, UDP 3410, or NTP 123 blocked?
  • Is there a proxy or firewall between RED and the internet?
  • Is the provider connection stable enough?

For RED provisioning, the RED must reach the Sophos Provisioning Service. In many environments, red.astaro.com on TCP 3400 is relevant.

RED Does Not Reach the Sophos Firewall

If the internet is reachable but the tunnel is not established, check the firewall side.

Check:

  • Is the RED Service enabled on the Sophos Firewall?
  • Is the RED correctly set up?
  • Do RED ID and Unlock Code match?
  • Is the public IP or FQDN of the firewall reachable?
  • Is Administration > Device access for RED allowed in the appropriate WAN zone?
  • Does a Local Service ACL allow access from the remote site?
  • Do TCP 3400 and UDP 3410 reach the firewall?

In the Advanced Shell, you can check if RED traffic arrives:

tcpdump -ni any port 3400 or port 3410

If nothing arrives, the problem is usually before the firewall: provider router, NAT, upstream firewall, incorrect public IP or FQDN, or a blocked port.
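The tcpdump check above answers more than "does anything arrive": because the capture sees both directions, it also shows whether the firewall answers the RED's TCP 3400 SYN and whether UDP 3410 flows both ways. The following is an added example (not Sophos or Avanet code) that parses tcpdump output copied from the Advanced Shell and gives a per-source verdict. The capture lines and all addresses are constructed (documentation ranges); the parser accepts both classic lines and the `eth0  In  IP ...` prefix that newer tcpdump versions print for `-i any`.

```python
"""Summarise tcpdump output from the Sophos Firewall Advanced Shell to see
whether a remote RED reaches the firewall on TCP 3400 / UDP 3410 and whether
the firewall answers. Added example, not Sophos or Avanet code; the capture
and addresses below are constructed."""
import re
from collections import defaultdict

FIREWALL_WAN_IP = "198.51.100.10"   # constructed public IP of the firewall

# Constructed capture, as printed by: tcpdump -ni any port 3400 or port 3410
SAMPLE_CAPTURE = """\
12:01:02.100000 IP 203.0.113.45.51234 > 198.51.100.10.3400: Flags [S], seq 1, win 64240, length 0
12:01:02.100500 IP 198.51.100.10.3400 > 203.0.113.45.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:01:02.300000 IP 203.0.113.45.43210 > 198.51.100.10.3410: UDP, length 96
12:01:02.300800 IP 198.51.100.10.3410 > 203.0.113.45.43210: UDP, length 96
12:01:05.000000 eth0  In  IP 192.0.2.77.60001 > 198.51.100.10.3400: Flags [S], seq 9, win 64240, length 0
12:01:06.000000 eth0  In  IP 192.0.2.77.60001 > 198.51.100.10.3400: Flags [S], seq 9, win 64240, length 0
"""

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)"
)


def parse_line(line):
    """Return (src, sport, dst, dport, kind) or None for non-matching lines.
    kind is 'syn', 'synack', 'tcp' or 'udp'."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("UDP"):
        kind = "udp"
    else:
        flags = re.search(r"Flags \[([^\]]*)\]", rest)
        f = flags.group(1) if flags else ""
        kind = "synack" if f == "S." else "syn" if f == "S" else "tcp"
    return (m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")), kind)


def summarise(capture, firewall_ip=FIREWALL_WAN_IP):
    """Per remote source IP: SYNs to 3400, SYN-ACKs back, UDP 3410 in/out."""
    stats = defaultdict(lambda: {"syn_3400": 0, "synack_3400": 0,
                                 "udp_3410_in": 0, "udp_3410_out": 0})
    for line in capture.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        src, sport, dst, dport, kind = parsed
        if dst == firewall_ip and dport == 3400 and kind == "syn":
            stats[src]["syn_3400"] += 1
        elif src == firewall_ip and sport == 3400 and kind == "synack":
            stats[dst]["synack_3400"] += 1
        elif dst == firewall_ip and dport == 3410 and kind == "udp":
            stats[src]["udp_3410_in"] += 1
        elif src == firewall_ip and sport == 3410 and kind == "udp":
            stats[dst]["udp_3410_out"] += 1
    return dict(stats)


def verdict(entry):
    """Map one source's counters to the next thing worth checking."""
    if entry["syn_3400"] == 0:
        return "no RED control traffic from this source: check upstream path, NAT, public IP/FQDN"
    if entry["synack_3400"] == 0:
        return "SYNs arrive but firewall does not answer: check RED Service and Device access / Local Service ACL"
    if entry["udp_3410_in"] == 0 or entry["udp_3410_out"] == 0:
        return "control channel works but UDP 3410 is incomplete: check UDP filtering on the remote side"
    return "control and data channels both seen: look at zone, DHCP, rules and routing instead"


if __name__ == "__main__":
    for source, counters in summarise(SAMPLE_CAPTURE).items():
        print(source, counters, "->", verdict(counters))
```

In the constructed capture, 203.0.113.45 completes both channels, while 192.0.2.77 sends repeated SYNs that are never answered, which is the pattern to expect when traffic reaches the WAN interface but the RED service is disabled or not permitted for that zone.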

RED Keeps Restarting

A restart loop can have several causes:

  • unstable power supply
  • defective power supply unit
  • no IP address via DHCP
  • incorrect static IP configuration
  • blocked ports
  • outdated RED Firmware Pattern
  • incorrect Unlock Code
  • corrupted or incorrect RED configuration

First, check power supply, cables, and DHCP. Then check RED Firmware Pattern, port reachability, and configuration. If the RED is newly set up or reset, RED ID and Unlock Code must be documented beforehand.

Tunnel is Green, but No Traffic Flows

This case is particularly common. The RED is connected, but clients cannot reach internal systems or the internet.

Possible causes:

  • Firewall rule is missing or sits too far down the rule order.
  • RED interface is in the wrong zone.
  • DHCP distributes incorrect gateway or DNS servers.
  • Return routing to the RED network is missing.
  • NAT translates traffic unexpectedly.
  • VLAN tagging does not match.
  • Security feature blocks the traffic.

Check sequence:

  1. Check client IP, gateway, and DNS.
  2. Filter Log Viewer on the source IP of the RED client.
  3. Check firewall rule match.
  4. Perform Packet Capture on RED interface and target interface.
  5. Check return path from the target system or target network.
  6. Check NAT and routing.

For unclear rule matches, see Testing Firewall Rules with Log Viewer, Policy Test, and Packet Capture.

VLAN Traffic Does Not Work

With SD-RED 60, VLAN scenarios are possible, but port mode, VLAN ID, and RED mode must match.

Check:

  • VLAN IDs match on firewall, RED, and switch.
  • RED port is configured as Access, Hybrid, or Tagged Trunk appropriately.
  • Switch port at the remote site is correctly tagged or untagged.
  • DHCP and DNS are planned per VLAN.
  • Firewall rules exist for the respective VLAN networks.
  • The chosen RED mode supports the desired VLAN scenario.

For troubleshooting, a simple untagged test network is helpful. If this works, the cause is usually with VLAN ID, tagging, port mode, or switch configuration.

RED Access Points Remain Inactive

If RED Access Points or Wi-Fi functions in VLAN scenarios remain inactive, DHCP Option 234 may be relevant. This mainly affects cases where RED or Access Point communication runs over VLAN interfaces.

This option should only be set if the specific scenario fits and it is clear which firewall interface IP the devices should reach. For general RED connection problems, DHCP Option 234 is not the first step.

Offline Provisioning is Overwritten

If a RED was first provisioned online and later provisioned offline via USB, an old online configuration may remain on the Sophos Provisioning Server. If the RED does not reach the firewall, it may provision online again and overwrite the USB configuration.

Then the RED must be provisioned offline again. Additionally, the old online configuration should be removed via Sophos Support.

Diagnostic Points on the Sophos Firewall

For RED issues, these points are helpful:

  • Network > Interfaces for RED interface and status
  • Administration > Device access for RED service permissions
  • Rules and policies > Firewall rules for traffic from the RED network
  • Diagnostics > Packet capture for path checking
  • Log viewer with RED, firewall, and system events
  • Backup & firmware > Pattern updates for RED Firmware Pattern
  • Advanced Shell with tcpdump

For log files and service assignment, see Sophos Firewall Troubleshooting: Services and Logs.

Operational Checklist

Before rollout:

  • RED ID and Unlock Code documented.
  • Public firewall address or FQDN checked.
  • TCP 3400, UDP 3410, and NTP 123 checked.
  • RED Service and Device Access planned on the firewall.
  • Zone, DHCP, routing, and firewall rules defined.
  • VLAN mode tested in advance if needed.

After connecting:

  • LEDs indicate successful tunnel setup.
  • RED interface is active.
  • Client receives IP, gateway, and DNS.
  • Log Viewer shows expected firewall rule.
  • Internal target systems and internet path work as planned.
  • Firmware Pattern is up to date.

In operation:

  • Regularly check RED firmware pattern.
  • Test site connections after firewall upgrades.
  • Remove or migrate legacy site-to-site RED before SFOS 22.
  • Check RED system hosts for /32 impacts after SFOS 21.5 MR1.
  • Include RED sites in monitoring, backup, and emergency planning.

FAQ

Which ports does Sophos SD-RED need?

For RED communication, TCP 3400, UDP 3410, and NTP 123 are important. Depending on the network, additional DNS and other connections for provisioning, time, and operation may be relevant.

Why is the RED tunnel green, but clients reach nothing?

Then the tunnel is up, but the network configuration behind it is probably incorrect. Often firewall rules are missing, DHCP is wrong, the RED interface is in the wrong zone, routing or NAT is faulty, or VLAN tagging does not match.

What should be checked before SFOS 22 with RED?

Before SFOS 22, it must be checked whether there are still legacy firewall RED server/client configurations. These legacy site-to-site RED configurations are not supported in SFOS 22.0 and newer.

Why are RED system hosts relevant after an upgrade?

Since SFOS 21.5 MR1, RED system host objects receive the correct /32 subnet mask. If such objects were previously used like network objects, firewall rules may match differently after the update.

Should an SD-RED be turned off during a firmware update?

No. If the LEDs indicate a firmware update, the SD-RED should not be turned off and not disconnected from the internet. Afterwards, you should check if the RED Firmware Pattern on the firewall is up to date.