Troubleshooting Unit Acquisition in Capture Security Center (CSC)
03/26/2020 106 12146
Cloud GMS is failing unit acquisition with the error: "Could not access the unit. The unit or the network could be down."
This happens when the firewall for AMERICAS location attempts to resolve "cloudgms.sonicwall.com". For EUROPE (AMS) colo, its "cloudgmsams.sonicwall.com".
In case or North America colo, "cloudgms.sonicwall.com" resolves to 220.127.116.11 and for EUROPE (AMS) colo, "cloudgmsams.sonicwall.com" resolves to 18.104.22.168; The firewall automatically creates an address object and access rule to allow traffic from the resolved IP address. This is a problem because CGMS 2.0 uses a range of IP addresses for unit management. If CGMS 2.0 attempts to login to the firewall from any IP that doesn't match the resolved address, the login will be blocked:
CGMS 2.0 (North America Colo) uses a range of IP address from 22.214.171.124 to 126.96.36.199 for unit management and CGMS 2.0 (Europe AMS Colo) uses a range of IP address from 188.8.131.52 to 184.108.40.206, it can attempt to login from any IP in this range. To allow CGMS 2.0 to login from an address other than the resolved IP for cloudgms.sonicwall.com, we must do the following:
1. Create an address object
Name - *Can be anything of your choosing*
ZONE - WAN
TYPE - Range
Starting IP - 220.127.116.11 ( For Europe AMS Colo: 18.104.22.168)
Ending IP - 22.214.171.124 (For Europe AMS Colo: 126.96.36.199)
2. Create an access rule
Action - Allow
From - WAN
To - WAN
Service - HTTPS Management
Source - *Name of custom address object created in step 1*
Destination - All X1 Management IP
3. After creating the access rule, use the "modify unit" action in CGMS 2.0 to restart unit acquisition.
After some time, unit acquisition should complete successfully.