After Upgrade to v18.0 MR4 Auxillary Appliances boots in Failsafe Mode - Reason "Unable to apply NAT Rules"

Question

Hi, 
 today i upgraded an Sophos XG Cluster from v18.0 MR 3 to v18.0 MR 4. 
 Everything looked fine, so i did an Failover check, Afterwards not all outgoing WAN Connection possible. 
 After some checks we recognized that the Appliance booted in the Failsafe mode. 
 After another Failover the Primary Appliances booted also in Failsafe Mode so the Problem was persistent. 
 
 So i decided to rebuild the HA Cluster, after i disabled it and rebooted the now Standalone Appliance, everything was working correctly. 
 After a Factory Reset for the Auxillary Device, i rebuild the Cluster. 
 Sadly the now Auxillary Appliance booted again into Failsafe Mode, the Reason is: 
 "Sophos Firmware Version SFOS 18.0.4 MR-4 failsafe> show failure-reason Unable to apply NAT Rules" 
 Has anyone an Idea how i find out more details? 
 
 The Cluster has two WAN Interfaces 
 There are still several auto created and linked NAT Rules and SD-WAN Rules from the Migration from SFOS 17.5 to v18.0 MR3. 
 
 Sincerly 
 Gordon Leisering

Gordon Leisering · Accepted Answer

Hi, 
 The NAT Log was the solution. 
 There was Log entries like: 
 2021-01-05 14:23:43: NAT - executing cmd : /bin/nat add --id 73 --position 11 --state 1 --family 0 --translated-src 445 --dst-vhost-type 4 --translated-dst 506 --original-src 457 --original-dst 456 --original-service 29 --in-interface LAG_2.101,LAG_2.104,LAG_2.120,LAG_2.180,reds1.1020,reds1.1040 2021-01-05 14:23:43: NAT - nat add cmd returned error : Error: Unknown interface reds1.1020 2021-01-05 15:19:17: NAT - executing cmd : /bin/nat update --id 73 --position 11 --state 1 --family 0 --translated-src 445 --dst-vhost-type 4 --translated-dst 506 --original-src 457 --original-dst 456 --original-service 29 --in-interface LAG_2.101,LAG_2.104,LAG_2.120,LAG_2.180 2021-01-05 15:19:17: NAT - nat update cmd returned error : ERROR:Invalid ruleid or family 
 
 So it seems that the Auxillary Appliance has Problems to Build NAT Rules which has some RED VLAN Interfaces involved. 
 In total there was 4 Rules i had to change. 
 Sadly the XG stops building the NAT Rules whenever it first encounters an Problem and turns into Failsafe Mode. 
 The totally explains the behaviour. 
 The Problem is solved.

After Upgrade to v18.0 MR4 Auxillary Appliances boots in Failsafe Mode - Reason "Unable to apply NAT Rules"

Top Replies