XGS2300 (SFOS 18.5.1 MR-1-Build326) Crash / Unresponsive Firewall in HA when changing RED Interface

Hi,

I got a brand new XGS2300 cluster (active-passive) at one of our customers with six SD-RED 60 connected. When making changes to one of the RED tunnels (every tunnel has two VLANs in access mode, drop tagged associated) the update of the interface will make the web interface and everything else unresponsive (the firewall will work though).

When connecting via SSH I can disable HA and get to the web interface again but whenever I restart the device it will get stuck completely (display is lit with nothing on it) and only plugging the power cable will work.

Shutting down the auxiliary device before changing anything on the RED interfaces will work without problems, so I have to shut down the auxiliary every time when making changes to a RED interface.

Is this a known problem or is there a way to get the restart working without pulling the power in such a situation?



This thread was automatically locked due to age.
  • If I remember correctly, this is a known issue. Do you have REDs currently offline?

  • No they are all online now. I'm keeping the auxiliary firewall turned off while doing configuration changes and restart it when I'm done. The only way it works right now.

  • Hi,

    This is something that is currently fixed in 18.0 MR6 only.

    You will have to wait for 18.5 MR2

    Eventually you can get a private pre-fix from support. They installed the pre-fix for us as we were on 18.0 MR5 and MR6 has not yet been released.

    "The fix for NC-70783 will be included in 18.5 MR2. It is scheduled for the end of November/beginning of December (subject to change)."

    You can refer to our Case Number 03540279

    Workaround is to restart the HA SLAVE immediately after the RED change

  • Thanks for the information, I will wait for the MR2 release then.

  • Can you tell me when NC-70783 was created?

    We have had the same issue on a pair of XG230 A/S. Sophos support was not able to find out the root cause (they did not even try..) and we eventually were forced to reduce the deployment to standalone. Currently the second box runs cold standby.

    Can you share the pre-fix?

  • The NC has been mentioned for the first time in March 2021. The case has been created in mid January 2021.

    From: Sophos Support <support@sophos.com>
    Sent: Friday, 19 March 2021 15:17
    To: xxxxx
    Subject: RE: AW: [WARNING : MESSAGE ENCRYPTED] AW: AW: AW: Firewall issue [ ref:_00D301GN6a._5003Z1BDnpK:ref ]

     

    Hello xxxx,

    Your issue has been escalated to our development team with the above reference number

    Development reference number: NC-70783
    Current Status: Escalated to Development
    Issue type: Investigation

    About your question for the prefix:

    I cannot provide the fix, maybe you get it from support. It was a single file with copy and paste replacement via remote access.

    From: Sophos Support <support@sophos.com>
    Sent: Wednesday, 28 July 2021 03:02
    To: xxxx
    Subject: RE: AW: AW: AW: AW: AW: AW: Firewall issue [ ref:_00D301GN6a._5003Z1BDnpK:ref ]

     

    Hello xxx,

    Our Dev team has provided a prefix for the 18.0.5 MR-5-Build586 firmware version. After applying the prefix we need to reboot the Firewall. First, we need to apply a prefix on the Aux device and reboot it. Once it is up, we need to apply the prefix on the Primary device and reboot it.

  • If you're already on a v18, I'd simply upgrade to MR6.