after upgrade to 19.0.1: logins with admin user no longer possible

Hello LHerzog ,

Thank you for reaching out to the community, can you share the following log, if you can access the appliance via console cable ?
# tail -f /log/garner.log
# csc custom status 

but that would require a successful login..?

So this sort of an error on 2FA right ?

yes, that is the messge I get when trying to change the admin password on webadmin.

isn't there a procedure to reset the password by serial cable?

I am suspecting this to be a known issue: NC-80065
I am not sure, in which version it will be fixed, but I'll check and internally and update !

does this apply to v19 too?

https://support.sophos.com/support/s/article/KB-000035990?language=de

sounds not good - do you have a description to that bug? in the meantime I will pick a serial cable and try to password-reset that thing.

I doubt for the v19 as it offers the following options:

System Settings

1. Set Password for User Admin
2. Set System Date
3. Set Email ID for system notification
4. Reset Default Web Admin Certificate
5. Reset secure storage master key
0. Exit

Yes, "Can not change password in UI for user with Admin Privileges" 

reset via serial should work. of course the HA primary is the one far away.

this is from the aux:

Password:
Authentication failed

Password:

type RESET

Please read carefully before proceeding:
You are about to reset the firewall to factory default configuration.
Depending on the option you choose:
* It will reboot the firewall with factory default settings.
* It will reset password of admin user to the default password.
* If your device is part of HA cluster then the password of this device only will be reset.
* Appliance registration will not be affected.

Main Menu
    1.  Reset configuration
    2.  Reset configuration and signatures
    3.  Reset configuration, signatures and reports
    4.  Reset password for admin user
    0.  Exit

But here we do not want to factory reset the configurations right ? and just the admin password  !

I reset the password, logged in with admin / admin + OTP on webadmin and it worked. I was forced to reset the password then.

So what to do now? Sophos should look at what has happened. an admin password changed can be a security issue. More likely I suspect the Upgrade to 19.0.1 was unable to handle a long and secure passwords with many special characters. Probably the password had been truncated to whatever by the upgrade.

Today was the first login attempt with admin on SSH after the upgrade.

I reset the password, logged in with admin / admin + OTP on webadmin and it worked. I was forced to reset the password then.

So what to do now? Sophos should look at what has happened. an admin password changed can be a security issue. More likely I suspect the Upgrade to 19.0.1 was unable to handle a long and secure passwords with many special characters. Probably the password had been truncated to whatever by the upgrade.

Today was the first login attempt with admin on SSH after the upgrade.

Okay this has been noted !!
Now are you able access the web-admin and ssh flawlessly ?
Any slowness or lag while browsing through the GUI observed ? 

SSH and Webadmin work fine now. SSH without OTP, Webadmin with.  I can also ssh to HA aux device. all just as expected now after the password reset via serial console

Awesome,  MFA doesn't apply to SSH sign-ins, allowing you to recover the account. So, that is how the architect is.  

support case 05903832 / admin user login not working after upgrade to 19.0.1 from 18.5.4

Hey LHerzog , Your service request has already been escalated, can you PM me support access id of your appliance ?

btw there is a new case open: 06084292 with GES

as we had the same issue again in 19.0.1 when the first HA failover happened after the upgrade.

the admin user cannot login on webadmin and ssh - invalid credentials

Thanks for the update, I will follow up with GES internally regarding the reported issue.