Has anyone done this upgrade yet?
Cheers - Bob
Hi.
I set up two XG330s in HA (active-passive), and after the upgrade I lost the subscription licenses.
I had to roll back, disable, and enable the HA again, so that the signature licenses returned.
Regards,
Rhudá Alonso.
MR3 is still suffering the same bug with the Garner service. Patch is available from support. Looks like no further maintenance releases are planned until v17.5 in November so everyone is stuck with the bug if running MR2 or MR3.
As far as I can tell, the horror of falling VPN has knocked at my door today. We decommissioned our Cisco Router and performed routing directly in XG a few weeks ago, since XG could not go along with it. It seems it did the job for a while, but today, the firewall was unable to communicate with our ISP's modem a few times.
I have noted since at least MR1, we were losing RDP sessions every 10 minutes, but not the VPN connection.
Dammit. I hope this falling VPN nightmare is not coming back.
Paul Jr
To follow up with this, please see the KBA advisory related to this.
Dom Nik said:
Hi Flo,
thanks for your reply. As I'm a Home User, I can provide you more information/log files etc.
Please let me know, how I can help.
My use case is iOS/macOS apps which do certificate pinning for HTTPS connections. I created FW rules with FQDN hosts to allow the access without HTTPS scanning for them.
For example, a very common banking app in Germany is "Outbank" (available on iOS and macOS) which tries to phone home to "*.stoegerit.com" and tries to contact all configured banking services with HTTPS as well afterwards. The current behavior is as follows:
- Do a FW reboot, FQDN cache is empty
- Open the app - HTTPS requests are triggered but will fail
- FW creates the needed FQDN cache entries during first call of the app
- App works 1-2 times afterwards, while the FW chooses the right FW rules with the FQDNs
- After some time the App fails again, while the FW has forgotten the FQDNs for these domains
Thanks and best regards
Dom Nik
Hi Dom Nik
To provide an update for this reported issue:
This is related to the known issue ID: NC-38832 and the fix for this is tentatively scheduled to be included in the SFOS v17.5 release.
Please stay tuned, as we will provide more announcements regarding this release when news becomes available.
I had an opportunity to explore XG 17.5 at length. Overall it seems like it's heading in the right direction. Unfortunately for me, several key features will keep me from leaving UTM.
1) No NTP server
2) No DNS proxy - I have a number of local host definitions. Can't access them if the DHCP is pushing the ISP's DNS servers. If I override then everything is super slow while the XG times out before the next DNS server is queried.
3) Definition flow - seems definitions are everywhere. In UTM there was one common place for them to be defined.
Hopefully subsequent updates will resolve these shortcomings.
Hello,
This issue is now fixed with Version 17.5 GA.