Troubleshooting — VMware vSphere
If the appliance is deployed but isn't behaving as expected, work through the issues below. If it boots but never connects — or the tunnel drops right after it establishes — the cause is usually firewall L7/TLS inspection or NAC, not this platform: see Connectivity Troubleshooting.
The VM boots to a black screen
The OVA ships with EFI firmware and Secure Boot off, so this should not happen on a clean Deploy OVF Template. If you see a black screen, the boot options were changed away from the imported defaults. Open Edit Settings → VM Options → Boot Options and confirm firmware is EFI (not BIOS) and Secure Boot is unchecked. A VM that was recreated with a BIOS motherboard layout cannot be switched to EFI — redeploy the OVA instead.
The VM never connects to the Sophos headend
The appliance needs outbound internet access to bring up its VPN tunnel. Check that the port group you selected has a path to the internet (no firewall blocking outbound TCP/443 to the headend). The appliance does not need any inbound ports open. Open the VM console to read the connectivity status the dashboard reports.
How do I check the appliance's status?
Open the VM console in vSphere Client (Launch Web Console or Launch Remote Console). Because this image is pre-registered, the console shows a live status and troubleshooting dashboard — network interface, VPN tunnel, and connectivity health. Use it to confirm connectivity or reconfigure networking. If the appliance reports a problem it can't resolve, contact your engagement lead with what the dashboard shows.
The NIC is connected but the appliance can't reach targets
Verify the port group carries the correct VLAN and has Layer-2 connectivity to the target network. A NAT or isolated network will not work — the appliance needs to be a first-class L2 peer on the engagement LAN.
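The boot-option check from the black-screen section and the NIC and port group check above can also be done as a read-only PowerCLI script. This is an added example, not part of the original page or the vendor's tooling; it assumes VMware PowerCLI with an active Connect-VIServer session, and the VMName parameter is a placeholder for whatever you named the appliance VM.

```powershell
# Added example: read-only check of the settings this page asks you to verify.
# Assumes VMware PowerCLI is installed and Connect-VIServer has already been run.
param(
    [Parameter(Mandatory)] [string] $VMName   # placeholder: the name you gave the appliance VM
)

$vm       = Get-VM -Name $VMName -ErrorAction Stop
$cfg      = $vm.ExtensionData.Config
$findings = @()

# Boot options: the OVA imports with EFI firmware and Secure Boot off.
if ($cfg.Firmware -ne 'efi') {
    $findings += "Firmware is '$($cfg.Firmware)', expected 'efi'."
}
if ($cfg.BootOptions.EfiSecureBootEnabled) {
    $findings += 'Secure Boot is enabled, expected unchecked.'
}

# Network: every adapter should be connected to a port group on the engagement VLAN.
$nics = foreach ($nic in Get-NetworkAdapter -VM $vm) {
    # VLanId is only exposed this way for standard port groups; for a
    # distributed port group, look it up with Get-VDPortgroup instead.
    $pg = Get-VirtualPortGroup -VM $vm -Name $nic.NetworkName -Standard `
              -ErrorAction SilentlyContinue | Select-Object -First 1

    if (-not $nic.ConnectionState.Connected) {
        $findings += "$($nic.Name) on '$($nic.NetworkName)' is not connected."
    }

    [pscustomobject]@{
        Adapter   = $nic.Name
        PortGroup = $nic.NetworkName
        Connected = $nic.ConnectionState.Connected
        VLanId    = if ($pg) { $pg.VLanId } else { 'n/a (not a standard port group)' }
    }
}

$nics | Format-Table -AutoSize

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'Boot options and NIC connection state match the imported defaults.'
}
```

The script changes nothing on the VM. Compare the reported VLAN ID against the engagement LAN yourself, since the correct value is site-specific.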
The OVA import fails with 'No supported hardware versions'
Your ESXi host is older than virtual hardware version 13 (vSphere 6.5). Upgrade ESXi or ask your engagement lead for a compatibility-downgraded OVA.
The OVA URL has expired
OVA download URLs are time-limited. Ask your engagement lead for a fresh URL.