RED remains disconnected/non-functional after XG update and reboot

Hi Tom Kramer,

Thank you for reaching out to the Community! 

Could you please provide a firewall and RED model number and running firmware version on it? 

I would also suggest you open a support case for further investigation and send me the case number via PM so that I can help with the followup. 

Thanks,

Hello,

- XG 210

-> Update from SFOS 17.5.12 MR-12 to SFOS 17.5.13 MR-13. However, the problem already existed in update to SFOS 17.5.12 MR-12.

- RED50

-> Firmware 2.0.019. Now the appliance has been updated to 3.0.002.

-----

We had already used the payed support for our XG in the past. Unfortunately it turned out that it was an absolute waste of working time. Ultimately, after a while, the community provided the solution.

I can confirm this bug. We had this with dozends of REDs after going from 17.5.12 to 18.0.1.

But we already had this when upgrading to 17.5.12.

So this should be nothing new to Sophos.

Thanks ^^

Never heard of this issue nor saw it on my appliances before. 

So you upgrade the firmware of XG, but not the RED Firmware and all your REDs cannot connect until you reload the configuration? 

Can you show us a example configuration of one RED? 

Do you use a DNS Hostname for the RED to find XG? 

In our case IP and at the last RED changes in our topology we noticed it for RED50 with VLANs enabled on the RED side.

Had to edit the settings in the VLAN adapters and click save without changes.

one of the VLANs:

Hello,

"So you upgrade the firmware of XG, but not the RED Firmware and all your REDs cannot connect until you reload the configuration? " 

-> I can now only confirm that two-way network communication was no longer possible until we reloaded the configuration. In order for the RED to notice this reload, at least a connection to our XG must have existed.

Here is our RED-Config

Confirm: connection is up but no traffic flowing until config reloads

So the VLAN is essentially broken, after an update? 

Do you have multiple VLANs configured and is only RED50 the affected ones? Same for RED15/20? 

Which Switch Mode do you use? Is it always VLAN Mode on the ports? 

The VLAN is not functional after update and/or after initial creation.

Last thing was to move a RED50 from a SG to a XG. After everything was set up, no communication was possible until we resaved the VLAN Interfaces on the RED.

Only RED50 devices have VLANs attached in our environment and so the Port is in VLAN mode.

Hello,

now the update to HW-17.5.14_MR-14-1.SF300-714 is ready.

Should I pay attention to special things or collect logs to get closer to the problem?


Best regards

Hello,

now the update to HW-17.5.14_MR-14-1.SF300-714 is ready.

Should I pay attention to special things or collect logs to get closer to the problem?


Best regards

You could do something, as i did not have the time to reproduce this.

The issue could be caused by the RED or the XG. 

After the update, the Interface and all VLANs should be there. The Interface should be plugged. You can verify both via #ifconfig and #ethtool 

You can verify via Tcpdump, if the RED is sending the traffic with VLAN tags or not. See: https://access.redhat.com/solutions/2630851

Update+reboot and it happened again. RED-site not reachable

ifconifg
-> red1s and red-VLANs-adapter appear but only reds1 has an ipv4 address

reds1 Link encap:Ethernet HWaddr 00:AE:04:F3:2B:4D
inet addr:XX.XX.XX.XX Bcast:XX.XX.XX.XX Mask:255.255.255.0
inet6 addr: fe80::2ae:4ff:fef3:2b4d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4200 errors:0 dropped:1 overruns:0 frame:0
TX packets:1323 errors:0 dropped:84 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:646384 (631.2 KiB) TX bytes:127008 (124.0 KiB)

reds1.250 Link encap:Ethernet HWaddr 00:AE:04:F3:2B:4D
inet6 addr: fe80::2ae:4ff:fef3:2b4d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:105 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4830 (4.7 KiB) TX bytes:738 (738.0 B)
...

Tried to reach a target on RED destination (ping and https)

XG210_WP03_SFOS 17.5.14 MR-14-1# tcpdump -i reds1 -nn -e vlan
tcpdump: Starting Packet Dump

<no packages recorded>

XG210_WP03_SFOS 17.5.14 MR-14-1# tcpdump -i reds1.250 -nn -e vlan
tcpdump: WARNING: reds1.250: no IPv4 address assigned
tcpdump: Starting Packet Dump

<no packages recorded>

--------------------------------------------------------------------

After reloading RED config.

ifconfig
-> reds1.250 has ipv4 address

tcpdump recorded a lot of traffic ^^

Destination target is reachable (tested to a device in red VLAN250 destination).

Best regards

nice troubleshooting:

Tom Krämer said:

After reloading RED config.

ifconfig
-> reds1.250 has ipv4 address

Will monitor this when upgrading our boxes next time.

Which Firmware version do you use on XG and do you have only RED60 with this issue? 

Tried it with V18.0 MR1 and a RED20, but this work so far after a standard reboot. 

DEV told me, they actually identified this issue. 
Feel free to open a Case and refer to: NC-63893 to get a reporting on this issue. 

LuCar Toni said:

Feel free to open a Case and refer to: NC-63893 to get a reporting on this issue. 

I tried to do so - created support case 3170443 but Sophos India Support suggest checking release notes of new firmwares.

@lucar-toni Is it possible you put us on a inform list?