
V17 MR5 and failures

Hi folks,

Installed MR5 this morning, not good.

1. AP 55 5GHz SSIDs now take even longer to come online.

2. MacBooks and iPads are unable to connect to the Apple Store, no internet connection; funny, I am writing this post from the same MacBook. I have restarted the MacBook.

I have an Apple update rule (from before the MR5 installation) which will be the subject of another thread shortly. iPhones all seem to connect to the Apple Store quite happily.

Ian



  • To add to this, the following are having issues:

    1. SNMP: with the previous version SNMP used to work; now the NMS is not picking up any SNMP traffic from the XG, and snmpwalk does not even return details.

    2. Control Center shows CPU, Memory and Traffic as zero (though we have internet).

    3. Logging daemon has stopped.

    Will be reverting to the old firmware, then wait and see for any feedback on the new firmware.

  • After using the hotspot on my iPhone with the Mac to talk to the internet, I tested access to the Apple Store and it connected, then tried again through the XG and the MacBook connected. Restarted the MacBook and tried the connection again, and again it connected without error. So what is wrong with the XG MR5 that stops the initial contact?

    Ian

  • Perhaps related to this FQDN bug, where the initial connection sometimes fails until the resolution is completed by the DNS server and subsequent tries work as expected: https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-issues-bugs/97805/first-fqdn-host-resolution-happens-to-late-when-used-in-fw-rule I am not sure if they fixed it or not. I can't keep up with all the quirks. Still running MR3, which has been pretty stable for me since I don't use IPsec VPN. Although it has a remote code execution exploit when using WAF, which was patched in MR4. I use UTM9 for WAF.

    The list of fixes is long in MR5, which scares me a little, so I am going to wait for other people to start testing/complaining, and I may skip it again till MR6, which from the release notes doesn't seem too far off.

    Edit: I am guessing that Sophos is not going to update the Linux kernel for the Spectre and Meltdown bugs and will take the calculated risk that everything will be fine on a firewall if no user is actively installing programs :D Can't say that I blame them... reissuing throughput guidance for all their patched appliances will surely be messy, especially if you were already pushing your box to the limit.

  • All other lookups worked. I tried 4 different Apple devices and all failed to connect to the Apple Store. I spent a lot of time investigating and fixing the Apple access, then Apple released a fix in 10.13.3 and the 10.13.4 beta, then Sophos broke it again.

    I updated the BIOS on my XG and did not notice any difference in performance.

    Ian

  • Hi Ian,

    In my case, at first glance the iPhone connected to the AP, but no internet traffic at all was allowed. Disconnecting and reconnecting the mobile to Wi-Fi did the trick. Also look at the traffic graph:

    Active Firewall Rules.....:-)

  • Good day Ian,

    I have several Macs, PCs, iPads and iPhones on my home network along with ATVs and Android boxes. After upgrading to MR5 last night, I've had no issues other than the longer than expected reboot time for the XG.

    For me, IPv6 appears to have been improved in MR5 at least for my Apple devices which all connect seamlessly via IPv6 now.

  • It would be helpful to give a few details about the configuration in use for those who have had issues resulting from an upgrade, or issues resolved by an upgrade.

    We know that web filtering was previously causing issues with Microsoft and Apple updates because of the way they download updates. So, when someone reports an issue or a resolution, it would be helpful to say whether they are using web filtering in the policy or not. It would also be helpful, if web filtering is enabled and causing issues, to attempt disabling it and see if the same issue occurs. If disabling web filtering is still the workaround, then this should be reported to support so the final issues can be resolved with web filtering in the next release.

    We still don't have any production units on v17 yet. I'm mainly concerned about the IPsec VPN stability issues reported, though I think for the sites that don't require VPN it would be stable enough at this point for us. I am going to use MR5 on our test box first before going into production. I want to see the IPsec VPN stability in our test environment before I would be comfortable upgrading. Fortunately we don't use web or email filtering with the XG, which is where most of the non-VPN reported issues seem to be.

  • The Apple rules. These worked before MR5. What I did find was that I had to leave the Apple Services out, but after the Apple upgrade I added the Apple service back. I have tried removing it, but that had no effect. I also disabled the rule; that had no effect.

    Ian

  • Thanks for sharing that information; unfortunately I don't have Apple devices to confirm the issue with MR5. It's helpful to know, however, that you are still having issues without any web filtering enabled. It sounds like the Apple issue may be a little more complicated, with changes being made by both vendors.

    Has anyone noticed any internet speed issues? I have a Sophos XG 115 test box on v17 MR5, and on a 100 meg down connection I am barely measuring 5 megs on a speed test. I bypass the Sophos XG and get over 90 megs. Can anyone please confirm speed issues with MR5?

  • As mentioned above, everything works for my Apple and PC products with v17 MR5. I do not have any special rules for Apple or other devices (other than a rule to block all outgoing connection attempts from my security cameras). I do have Scan HTTP, Intrusion Prevention, Web Policy and a rule to block Google Analytics.

    For reference, I've attached my general firewall rule for LAN to WAN (IPv4) traffic.