
Pattern/Firmware update check not working v18

Hi,

Sophos XG Home user here, SFOS 18.0.0 GA-Build379.HF050620.1

I have had a very strange issue for the last 2 weeks which I still am not able to resolve. The problem is that the device refuses to connect to the official Sophos servers for the different services. For example, every time I try to link the device to Sophos Central, initiate a License Sync, initiate a Pattern update or a Firmware update, I receive a connection error.

Below is the specific error from the u2d.log, regarding pattern updates:

DEBUG May 07 14:00:01 [27219]: --serial = MY_SERIAL (hidden)
DEBUG May 07 14:00:01 [27219]: --deviceid = MY_DEVICE_ID (hidden)
DEBUG May 07 14:00:01 [27219]: --fwversion = 18.0.0.379
DEBUG May 07 14:00:01 [27219]: --productcode = CN
DEBUG May 07 14:00:01 [27219]: --model = SF01V
DEBUG May 07 14:00:01 [27219]: --vendor = VM01
DEBUG May 07 14:00:01 [27219]: --pkg_sysupdate_version = 2
DEBUG May 07 14:00:01 [27219]: Added new server : Host - eu-west-1.u2d.sophos.com., Port - 443
DEBUG May 07 14:00:01 [27219]: Added new server : Host - us-west-2.u2d.sophos.com., Port - 443
DEBUG May 07 14:00:01 [27219]: Added new server : Host - ap-northeast-1.u2d.sophos.com., Port - 443
DEBUG May 07 14:00:01 [27219]: Final query string is : ?&serialkey=OUR_SERIAL&deviceid=OUR_DEVICE_ID&fwversion=18.0.0.379&productcode=CN&appmodel=SF01V&appvendor=VM01&useragent=SF&oem=&pkg_sysupdate_version=2
DEBUG May 07 14:00:01 [27219]: Response code : 502
DEBUG May 07 14:00:01 [27219]: Response body :

<!doctype html>
<html>
<head>
<meta charset='utf-8'>
<title></title><style type='text/css'> @charset 'utf-8';
html, body { height: 100%; margin: 0; }
body { font-family: 'Helvetica Neue','Helvetica','Segoe UI', Arial, sans-serif; color:#5c5c5c; background: #fafafa}
a { text-decoration: none; color: #169ad5; }
a:focus { outline: none; }
a:hover { color: #878b97; text-decoration: none; }
a:hover .button { background-color:#0E9FF4; }
.buttonrow { float: left; width: 100%; }
.customcontent { float: left; width: 100%; margin-bottom: 1em; }
.button { float: left; font-size: 0.8em; background-color: #0985ce; color: #fff; padding: .7em 1em; border-radius: .25em; margin-right: 1.25em; margin-bottom:1em; }
.greenbg { background-color: #71a865; }
a:hover .greenbg { background-color: #80d483; }
.content { margin-left: 330px; max-width: 450px;}

h1 { font-size: 1.7em; }
h1, h4, a { font-weight: normal; }
h4 { font-size: 1.0em; line-height: 1.4em; }
h5 { margin-top: 2em; margin-bottom: 0.5em; }
h5 a { font-weight: bold; }
ul { margin-top: 0.2em; }

.accessdeniedtextfont { font-size: 1em; font-weight: normal;}
.accessdeniedcategoryfont { fo ...

DEBUG May 07 14:00:01 [27219]: Response length : 72886
ERROR May 07 14:00:01 [27219]: Response not parsed successfully.
ERROR May 07 14:00:01 [27219]: FATAL : Error in parsing response, exiting.

If I configure Sophos Firewall Manager as my default Update provider (Administration->Central Management->Update Management), everything works like a charm regarding the updates. The other connections to the official Sophos servers still do not work, though. The SFM is behind this very same device with the same IP.

Restart doesn't fix it. I updated the device to 18.0.1 and reverted back to 18.0.0, still no go.

Any suggestions?

Regards,

Martin



  • Hi  

    Here, from the logs, "Response code : 502" is coming, which seems to be a connectivity issue between the appliance and the u2d server.

    If you have multiple ISPs, then try adding a static route for the IP of each of the below domains on a specific ISP, one by one, and confirm the issue status. (This is only for the time being to confirm the issue status; it is not required to keep the static route permanently.)

    ==============================

    eu-west-1.u2d.sophos.com

    us-west-2.u2d.sophos.com

    ap-northeast-1.u2d.sophos.com

    You may also capture a PCAP to confirm the communication flow.

    How to capture packets and download the Packet Capture:

    https://community.sophos.com/kb/en-us/127647

  • 5857.tcpdump (3).zip

    Hi Vishal Ranpariya,

    Unfortunately, I have only a single ISP. Still, I don't think this is the case, because, as I said, the SFM is part of the internal LAN behind this XG and doesn't have any problems whatsoever updating using the same WAN IP.

    Attached is the PCAP. In this tcpdump I tried Pattern updates 2 times and then Firmware Update 2 times.

    Regards,

    Martin

  • Hi  

    Thanks for sharing the PCAP.

    Below is the observation :

    All 4 times the communication between the server and the XG was terminated with an "Encryption Alert" and then [FIN, ACK] or [RST].



    Also, in the entire PCAP I am not able to see any packet initiated by the firewall. The entire communication is from 34.255.X.X to 84.40.X.X, and no packet or communication in the reverse direction was found. It is quite strange! Because of that, the capture does not contain any SYN packet from 84.40.X.X to the server, so I am not able to confirm what parameters were negotiated in the 3-way handshake.



    Have you filtered out some of the packets from the captured PCAP and then uploaded that filtered PCAP here? Or has the PCAP been uploaded without any changes or modification?

    Please share the filter string or command used to capture the PCAP.

    What is your WAN ISP type? Static, PPPoE or something else?
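    The observations above (one-directional traffic, no SYN from the firewall, TLS alerts) can be checked mechanically before uploading a capture. The following is an added example, not code from Sophos or from either poster: a stdlib-only pcap reader that reports per-direction packet counts, whether the given firewall IP ever sent a SYN, and how many TLS alert records (content type 21, shown by Wireshark as "Encrypted Alert") appear. The sample capture and the addresses 34.255.0.1 / 84.40.0.1 are constructed to mirror the masked IPs in the thread.

```python
import struct
from collections import Counter

TLS_ALERT = 21  # TLS record content type; Wireshark shows these as "Encrypted Alert"

def tcp_packets(pcap):
    """Yield (src_ip, dst_ip, tcp_flags, tcp_payload) for each IPv4/TCP frame."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # pcap byte order from magic
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":  # Ethernet II, IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
        if ip[9] != 6:  # IP protocol field: 6 = TCP
            continue
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        yield src, dst, tcp[13], tcp[(tcp[12] >> 4) * 4:]

def summarize(pcap, firewall_ip):
    """Direction counts, whether the firewall ever sent a SYN, and TLS alert count."""
    dirs, syn_from_fw, alerts = Counter(), False, 0
    for src, dst, flags, payload in tcp_packets(pcap):
        dirs[f"{src}->{dst}"] += 1
        syn_from_fw |= (src == firewall_ip and bool(flags & 0x02))
        alerts += int(payload[:1] == bytes([TLS_ALERT]) and payload[1:2] == b"\x03")
    return dict(dirs), syn_from_fw, alerts

# Constructed sample capture (not a real trace): only server->firewall frames, an
# encrypted alert, then FIN/ACK, mirroring the one-directional trace in the thread.
def _frame(src, dst, flags, payload=b""):
    addrs = b"".join(bytes(map(int, a.split("."))) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", 443, 40000, 0, 0, 0x50, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0) + addrs
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zero MACs and checksums suffice here

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

SAMPLE = _pcap([
    _frame("34.255.0.1", "84.40.0.1", 0x18, bytes([TLS_ALERT, 3, 3, 0, 2, 0xAB, 0xCD])),
    _frame("34.255.0.1", "84.40.0.1", 0x11),  # FIN/ACK
])
```

    Run `summarize(open("capture.pcap", "rb").read(), "<firewall WAN IP>")` on a downloaded capture; a result with a single direction and `syn_from_fw == False` means the capture filter or interface missed the firewall's own packets rather than proving the firewall never sent them.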

  • Hi Vishal,

     

    Thank you for your time helping me resolve this issue!

    This is the raw PCAP I got from the Firewall. No modification whatsoever to the file.

    The command I used to capture the PCAP is "tcpdump filedump 'host eu-west-1.u2d.sophos.com' -s0".

    My WAN is Static type.

     

    I'm considering starting from scratch. I really believe something went terribly wrong after the "Asnarök" exploit.

     

    Regards,

    Martin

  • Hi  

    If you get a chance to collect a PCAP again, could you collect it on the resolved IP rather than the domain and share it here with us, if the issue is still present?

  • Hi Vishal,

    Attached please find the capture using the resolved IP. At first glance they look absolutely the same as the previous ones.

     

    1781.tcpdump (6).zip

  • Hi  

    Yes, it's quite a similar observation to the previous one.

  • Hi Vishal,

    Yesterday I installed a brand new VM with SFOS v18.0.0-379. It was doing perfectly fine until I restored the configuration. The problem is clearly not in the connection but something internal in the OS.

    Regards,

    Martin

  • Hi  

    When you restore the configuration, from which firmware was the backup taken? We didn't find any issue with v18 for pattern updates. It may be possible that there is an issue with the backup. When you try to update patterns without restoring, what are your observations?
