Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 3 answers
  • Subscribers 30 subscribers
  • Views 2527 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG v19 WAN Link Manager: Error when updating Failover Rules

Joshua Drost

I often receive the following error when trying to update a failover rule for one of my gateways:

"Gateway failover rule could not be updated"

I can't find any consistency in how to re-create this. I'm not sure if the problem also existed in v18.x, but it does in v19.0.x. If it happens on a specific interface's gateway, it will always happen on that gateway unless I completely remove it and re-create it. (Done by assigning the Network Zone as "none" in the interface, saving, and then moving it back and adding back in the IP information and gateway name.) I haven't yet found another workaround.

We've seen this behavior in both v19.0.0 and v19.0.1, but I haven't looked at older versions. I've tried using both Chrome and Firefox. This issue will happen on a random WAN interface, with no consistency. We can have a single WAN, two WAN interfaces, or three WAN interfaces, and zero, one, two, or all three will exhibit the behavior. Firewall reboots do not help. This occurs if I try to edit an existing rule, and/or if I try to add a new rule. I can edit and save the "Gateway Detail" section just fine, but no changes save to the "Failover Rules" section due to the error. No related error messages are listed in the Admin, System, or SD-WAN sections of the Log Viewer in the web GUI.

Here's a screenshot of the issue. Note that it doesn't matter what I change the target IP address to, or if I use TCP + Port instead. The IP address was pre-filled to 128.0.0.1 in this instance, but sometimes it is instead pre-filled with another, despite my "template" (at the end of this post) trying to pre-fill it with 8.8.8.8 and 1.1.1.1.

We import a "template" into our firewalls when they are first programmed, in the System > Backup & Firmware > Import Export section. If this is somehow related, here's the relevant interface settings we import.

<Interface transactionid="">
  <IPv4Configuration>Enable</IPv4Configuration>
  <IPv6Configuration>Disable</IPv6Configuration>
  <Hardware>Port2</Hardware>
  <Name>Interface 2 Primary WAN</Name>
  <NetworkZone>WAN</NetworkZone>
  <IPv4Assignment>DHCP</IPv4Assignment>
  <IPv6Assignment/>
  <DHCPRapidCommit>Disable</DHCPRapidCommit>
  <InterfaceSpeed>Auto Negotiate</InterfaceSpeed>
  <MTU>1500</MTU>
  <MSS>
    <OverrideMSS>Disable</OverrideMSS>
    <MSSValue>1460</MSSValue>
  </MSS>
  <Status>Unplugged</Status>
  <MACAddress>Default</MACAddress>
  <GatewayName>Primary WAN Gateway</GatewayName>
  <GatewayIP/>
</Interface>
<GatewayConfiguration transactionid="">
  <GatewayFailoverTimeout>10</GatewayFailoverTimeout>
  <Gateway>
    <Name>Primary WAN Gateway</Name>
    <IPFamily>IPv4</IPFamily>
    <IPAddress/>
    <Type>Active</Type>
    <Weight>100</Weight>
    <FailOverRules>
      <Rule>
        <Protocol>PING</Protocol>
        <IPAddress>8.8.8.8</IPAddress>
        <Port>*</Port>
        <Condition>AND</Condition>
      </Rule>
      <Rule>
        <Protocol>PING</Protocol>
        <IPAddress>1.1.1.1</IPAddress>
        <Port>*</Port>
        <Condition>AND</Condition>
      </Rule>
    </FailOverRules>
  </Gateway>
</GatewayConfiguration>



This thread was automatically locked due to age.
Parents
  • 0

    Hi @Joshua Drost: Thank you for reaching out to the Sophos community team. As per information provided from your end - "We import a "template" into our firewalls when they are first programmed".

    Please help us with below information:

    Exporting of this configuration was done from which firmware and from which firewall device model?

    If it was from XG to XG, was this "Export selective configuration" done by selecting "Include dependent entity" or without selecting "Include dependent entity"?

    Reference snapshot:


    I am suspecting importing action may have not covered up the dependent entity OR not performed properly and due to that, it has created "database inconsistency" which is giving you such errors while saving or updating the database for Gateway. If you have a backup of the previous firewall then ideally you should go with backup restore (as per the matrix) in place of export-import to avoid such issues or errors.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link.

  • +1 in reply to Vishal_R

    To create the original template, we took a full export and manually edited the Entities.xml file inside the .tar. This is so that our template was more granular, instead of just replacing everything in the firewall, as would happen with a full backup restore.

    I believe I got to the root of the problem, though I don't know which setting specifically I had to add/modify, or which combination of settings:

    1. Originally, I was not passing any IPAddress value to my WAN interface as it was DHCP, but an export from a known-working firewall showed a blank value instead. ("<IPAddress/>")
    2. I was passing a blank GatewayIP value to my WAN interface, but a known-working export showed it added in an IP address of 128.0.0.1. I believe this is supposed to be 127.0.0.1 instead (localhost), as 128.0.0.1 is an internet-routable address located in the Netherlands. I don't know if DHCP-configured WAN interfaces require this value to be 128.0.0.1, or if they just require a non-null value, but I went ahead and used 128.0.0.1 anyways. The firewall updates the gateway IP on connection with DHCP anyways, but me passing a blank value may have somehow corrupted that somewhere.
    3. I removed my Status value (originally set to "Unplugged") from my WAN interface configuration. I assume this doesn't matter either way as it should update itself based on current connection state, but I can't confirm.
    4. I was passing a blank IPAddress value to my Gateway configuration, but a known-working export also showed this as 128.0.0.1, much like #2. I used the 128.0.0.1 value on my new export.

    Here's the relevant sections of our new template, for anyone who needs it. I have confirmed that after using my new template, I can edit WAN failover rules without error.

    <Interface transactionid="">
      <IPv4Configuration>Enable</IPv4Configuration>
      <IPv6Configuration>Disable</IPv6Configuration>
      <Hardware>Port2</Hardware>
      <Name>Interface 2 Primary WAN</Name>
      <NetworkZone>WAN</NetworkZone>
      <IPv4Assignment>DHCP</IPv4Assignment>
      <IPv6Assignment/>
      <DHCPRapidCommit>Disable</DHCPRapidCommit>
      <InterfaceSpeed>Auto Negotiate</InterfaceSpeed>
      <MTU>1500</MTU>
      <MSS>
        <OverrideMSS>Disable</OverrideMSS>
        <MSSValue>1460</MSSValue>
      </MSS>
      <IPAddress/>
      <MACAddress>Default</MACAddress>
      <GatewayName>Primary WAN Gateway</GatewayName>
      <GatewayIP>128.0.0.1</GatewayIP>
    </Interface>
    <GatewayConfiguration transactionid="">
      <GatewayFailoverTimeout>10</GatewayFailoverTimeout>
      <Gateway>
        <Name>Primary WAN Gateway</Name>
        <IPFamily>IPv4</IPFamily>
        <IPAddress>128.0.0.1</IPAddress>
        <Type>Active</Type>
        <Weight>100</Weight>
        <FailOverRules>
          <Rule>
            <Protocol>PING</Protocol>
            <IPAddress>8.8.8.8</IPAddress>
            <Port>*</Port>
            <Condition>AND</Condition>
          </Rule>
          <Rule>
            <Protocol>PING</Protocol>
            <IPAddress>1.1.1.1</IPAddress>
            <Port>*</Port>
            <Condition>AND</Condition>
          </Rule>
        </FailOverRules>
      </Gateway>
    </GatewayConfiguration>

  • 0 in reply to Joshua Drost

    CAn you please let me know what should be edited in this config file? And how should it be again imported?

Reply Children
  • 0 in reply to ADVAIT GHAISAS

    It's not a config file that just anyone can use. We created our own template by setting up a firewall, then doing an export (NOT a backup). Then we unzipped the .tar file, pruned the Entities.xml file inside it to include only what we need, re-zipped it into a .tar file, and imported that (NOT restored) into new firewalls.

    I had to change our values in the Entities.xml file, as described in steps 1-4.

    If you're not sure what to change, then you're probably best off not using a template for those sections. If you already used a template and you're having this issue, you're best off just deleting the interfaces entirely in the GUI and re-creating them.

  • 0 in reply to Joshua Drost

    Hello Joshua, Advait,

    I believe you might be facing one already reported issue (NC-100250) which is fixed in 19.5-GA which is already released (and 19.0-MR2 which is yet to be released.)

    Would you please upgrade to 19.5-GA and share your feedback?

    Regards,

    Sanket Shah

    Regards,

    Sanket Shah

    Senior Development Manager, Sophos Firewall

  • 0 in reply to sanket.shah

    Hello Sanket,

    I'm already on SFOS 19.5.0 GA-Build197.

  • 0 in reply to ADVAIT GHAISAS

    Hello JoshuaAdvait,

    As Vishal, mentioned earlier, gateway and their monitoring are different but dependent object . If xml is manually edited there is a chance to break the dependency and create inconsistent DB which can break regular UI-workflow. In this particular case, interface update workflow is taken, however gateway update workflow is incorrect which was causing this issue. 

    Even on 19.5, this will be the case. However, correct xml will definitely work. 

    It is advisable to rather use complete import for export rather than manual editing to prevent such mistakes.

  • 0 in reply to Moheed Ahmad

    Hi Advait, Joshua,

    Thank you for reporting this issue. As mentioned by Sanket earlier 'Failover rule update failure'  is due to Jira NC-100250. 

    Additional fix to get issue auto-fixed on migration will be available as part of NC-112370 in future release.

    Pls refer this post as well: community.sophos.com/.../wan-link-manager-shows-wan-down-but-in-reality-its-up

    HTH

    Moheed

Unfiltered HTML