Troubleshooting Unit Acquisition in Capture Security Center (CSC)
03/26/2020 105 12138
Cloud GMS is failing unit acquisition with the error: "Could not access the unit. The unit or the network could be down."
This happens when the firewall for AMERICAS location attempts to resolve "cloudgms.sonicwall.com". For EUROPE (AMS) colo, its "cloudgmsams.sonicwall.com".
In case or North America colo, "cloudgms.sonicwall.com" resolves to 126.96.36.199 and for EUROPE (AMS) colo, "cloudgmsams.sonicwall.com" resolves to 188.8.131.52; The firewall automatically creates an address object and access rule to allow traffic from the resolved IP address. This is a problem because CGMS 2.0 uses a range of IP addresses for unit management. If CGMS 2.0 attempts to login to the firewall from any IP that doesn't match the resolved address, the login will be blocked:
CGMS 2.0 (North America Colo) uses a range of IP address from 184.108.40.206 to 220.127.116.11 for unit management and CGMS 2.0 (Europe AMS Colo) uses a range of IP address from 18.104.22.168 to 22.214.171.124, it can attempt to login from any IP in this range. To allow CGMS 2.0 to login from an address other than the resolved IP for cloudgms.sonicwall.com, we must do the following:
1. Create an address object
Name - *Can be anything of your choosing*
ZONE - WAN
TYPE - Range
Starting IP - 126.96.36.199 ( For Europe AMS Colo: 188.8.131.52)
Ending IP - 184.108.40.206 (For Europe AMS Colo: 220.127.116.11)
2. Create an access rule
Action - Allow
From - WAN
To - WAN
Service - HTTPS Management
Source - *Name of custom address object created in step 1*
Destination - All X1 Management IP
3. After creating the access rule, use the "modify unit" action in CGMS 2.0 to restart unit acquisition.
After some time, unit acquisition should complete successfully.