Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 30 subscribers
  • Views 2477 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG210 - Upgrade from 17.5.12 MR-12 to 18.0.1 MR-1-Build396 - major problems

Shaun Dwyer

Hi,

Attempted an upgrade as per subject for a client.

We experience the following issues:

1. Random issues with traffic flow. Some servers could ping across the router to the internet randomly.

-- This turned out to be fixed by disabling hardware acceleration.

 

2. IPSEC Site-to-site VPN with policy routing (to AWS)

-- No traffic would flow across the IPSEC link until i enabled NAT. Using conntrack to identify the sessions - it looked correct and matched. Firewall policy test evaluated as expected. I tested with ping from the firewall, and that got through to the remote network ok.

 

3. Remote users connecting in with L2TP VPN

-- On V17, this was rock solid. On V18 the VPNs were randomly dropping. There were LCP errors in the log as well.

 

4. Voice quality - Phones connect (routed) across the Sophos between two local LAN segments.

-- On V17, this was fine. On V18, it sounded like there was constant very low packetloss, or perhaps the occasional packet experiencing jitter. It sounded like there were weird compression artifacts or something.

 

We've given upSophos engineer rolled back to V17 and all these problems seemed to go away.

 

Googling around shows we're not the only ones experiencing these weird problems.

 

 

Is this typical for the 'upgrade pain' to V18?

Is V18 ready for production use?



This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    you have advised latest release, but which version?
    ian

  • 0 in reply to rfcat_vk

    Hi,

     

    I just updated the post - SFOS 18.0.1 MR-1-Build396

     

    Cheers!

    Shaun

  • 0 in reply to Shaun Dwyer

    We went the same upgrade-path on XG430 last weekend and it all started with a HA cluster failure. The slave upgraded to 18 but master remained on 17.5. The master displayed the slave as faulty but the slave thought it was also the master.

    Because of new communication protocols between them, they could not communicate over HA link anymore, in fact they sent us thousands of mails for HAuser over HA link attemting to login incorrectly and that the source IP has been blocked for 5 minutes. GREAT work!

    In the end we deleted and re-imaged the original master to v18 and tried to restore the backup from v17.5. There we noticed it is required to re-register a machine after restore against Sophos again - something that is not possible, when you do not have WAN. Why you do not allow to rebuild a machine and join it to a cluster without need to register and have internet access? We have access WAN over a LAG and several VLANs and it would take lots of time to rebuild everything manually just to register.

    In the end it took us more than 3 hours to get the cluster nodes back together because of other weird things. Quick Pairing and interactive Pairing failed several times.

  • 0 in reply to LHerzog

    @LHezrog

     

    Wow! that sounds horrific. So other than your HA nightmare during the upgrade, did you experience any other weird issues on v18?

    Not having a compatible cluster protocol, or at least something that fails cleanly is a massive oversight.

    I also detest the idea of being forced to "register" a device just so you can get it configured. Disabling the device's functionality until you've registered it sounds like the vendor is pigheadedly trying to protect their revenue at the expense of the customer experience. Sure, validate the licence, but perhaps a 30 day grace period from when you bring it online initially so you can get your comms going? Perhaps just a really annoying nag message with a 30 second wait when you first login?

    In any case, it seems like migrating to v18 is problematic for many of us. As much as i like the Sophos XG, it'll be hard for me to recommend it to anyone whilst these problems and issues persist.

Reply
  • 0 in reply to LHerzog

    @LHezrog

     

    Wow! that sounds horrific. So other than your HA nightmare during the upgrade, did you experience any other weird issues on v18?

    Not having a compatible cluster protocol, or at least something that fails cleanly is a massive oversight.

    I also detest the idea of being forced to "register" a device just so you can get it configured. Disabling the device's functionality until you've registered it sounds like the vendor is pigheadedly trying to protect their revenue at the expense of the customer experience. Sure, validate the licence, but perhaps a 30 day grace period from when you bring it online initially so you can get your comms going? Perhaps just a really annoying nag message with a 30 second wait when you first login?

    In any case, it seems like migrating to v18 is problematic for many of us. As much as i like the Sophos XG, it'll be hard for me to recommend it to anyone whilst these problems and issues persist.

Children
No Data