Release of v17 MR-2?

Question

Hej, 
 now that MR-1 has appeared, I wanted to ask when MR-2 will appear? The problems and instabilities of IPSec in v17 (especially in connection with V16.5) are very annoying.

Rodrigo Pereira · Accepted Answer

Hi Kiero, 
 MR-2 is avaiable: 
 A new firmware SFOS 17.0.2 MR-2 is available. We strongly recommend that you upgrade the device. 
 
 Version 
 
 SF 17.0 MR2 (17.0.2.116) 
 
 News 
 
 Maintenance Release. 
 
 Bugs 
 
 NC-22609 [Access] Unable to import groups inside multiple OUs from AD. 
 NC-19427 [API] Wrong date in validationError.log. 
 NC-22394 [Authentication] User Portal login is logged as SSL VPN login. 
 NC-22769 [Authentication] When importing from AD, the name of OUs which are inherited by multiple OUs and groups is not shown correctly. 
 NC-23112 [Authentication] Authentication Agent - getting logged out automatically at random time. 
 NC-19665 [Backup-Restore] Downloading backup creates Java exceptions. 
 NC-21785 [Base System] Wizard UI Improvements. 
 NC-22229 [Base System] SG115: pressing power off button does not shutdown appliance. 
 NC-22574 [Base System] Control center misleadingly shows notification of new firmware availability for few minutes after firmware upgrade. 
 NC-22631 [Base System] Typo in fwinstaller. 
 NC-22688 [Base System, Certificates] Missing QuoVadis Root Certificate. 
 NC-22771 [Base System] Export of 16.5 MR8 and import into v17.0 GA fails for configs without hostname. 
 NC-22780 [Base System] Migration from CR to SF failed on CR500ia-10F appliance. 
 NC-22911 [Base System] Blank screen is displayed when user synchronizes license after successful registration. 
 NC-25573 [Base System] Users cannot activate license keys from SFOS. 
 NC-22354 [Certificates] Passphrase box disappears after trying to upload a CA with private-key after upload fails. 
 NC-22734 [Clientless Access] HTML5 VPN: keyboard input not working on Android devices. 
 NC-22751 [Documentation] Japanese translation for LogViewer missing. 
 NC-17413 [Firewall] Business rules created with device destined IP address can't be blocked with network rules. 
 NC-20602 [Firewall] Incorrect validation for local acl and zone where HTTPS is disabled from current login zone. 
 NC-21180 [Firewall] Add "Action" column to firewall rule grouping. 
 NC-21897 [Firewall] Import/Export of firewall rule with dependent entity fails when a VLAN is configured on WAN. 
 NC-22219 [Firewall] Issue with SNAT policy with multiple gateways. 
 NC-22557 [Firewall] Service edit option not working in specific case. 
 NC-22670 [Firewall] Unable to create RED interface. 
 NC-22923 [Firewall] Hostset ERROR: XG stopped Responding. 
 NC-22932 [Firewall] Export/Import fails for every entity after exporting Security Policy entity. 
 NC-22946 [Firewall] Typo in SF API documentation for IP host object. 
 NC-22958 [Firewall, SFM-SCFM] SFM Compatibility v17: DNAT rule cannot be updated in some combinations of forward type. 
 NC-22982 [Firewall] Incorrect position of firewall rule name in Firefox. 
 NC-22424 [Framework(UI)] Close notification button does not work properly. 
 NC-22917 [Framework(UI)] Infomation icon does not show any info text in authentication page. 
 NC-21856 [IPS] In AppFilter policy smart filter values are still displayed after removal. 
 NC-22448 [IPS] Custom IPS signature not working for all keyword supported by snort. 
 NC-22753 [IPS] Application filter is not updated when there is no application matching smart filter. 
 NC-22834 [IPS] Application Filter Policy: All application is showing while editing through firewall rule with "selected individual application". 
 NC-22382 [IPsec] IPsec UI allow to configure incompatible policy resulting in a silent DPD action change in the backend. 
 NC-22383 [IPsec] Typo in IPsec policy list: 'Action on Active Peer'. 
 NC-22489 [IPsec] Incorrect IP routes added for local VPN traffic in case of NAT over IPsec. 
 NC-22502 [IPsec] IPsec PSK secrets files do not contain local VPN IP. 
 NC-22620 [IPsec] DGD can not be disabled. 
 NC-22622 [IPsec] 'Remote ID' value shows blank on UI for IPSEC connection when external cert is used. 
 NC-22633 [IPsec] Activate on save tries to connect to respond only connections. 
 NC-22793 [IPsec] Cisco VPN connection with cert auth not working on iOS using config from userportal. 
 NC-22888 [IPsec] IPsec S2S tunnel with PSK and local/remote ids not working. 
 NC-22892 [IPsec] Aggressive mode IPsec policys are not filtered correctly in UI. 
 NC-22900 [IPsec] Cannot create 2 IPsec RSA connections with same local id to different remote gateways. 
 NC-22914 [IPsec] Connection status for DGD IPsec connections is not shown correctly. 
 NC-23035 [IPsec] DGD table locked - postgres has returned errcode 25P02. 
 NC-23125 [IPsec] "Randomize Re-Keying Margin by" - When setting the value to 0%, UI displays 100% after saving the policy. 
 NC-23186 [IPsec] IPsec status not displayed when too many SAs are established. 
 NC-22549 [Logging] Sandstorm logo displayed in RED for reason "eligible","pending" & "Cloud Malicious". 
 NC-22745 [Logging] Port and protocol information are missing in LogViewer standard view and filter. 
 NC-15612 [Mail Proxy] Update DLP engine and CCL data. 
 NC-19881 [Mail Proxy] Whitelist and blacklist for e-mail/domains in WebAdmin. 
 NC-21366 [Mail Proxy] Spam e-mails pass due to error " X-CTCH-Error: Unable to connect local ctasd". 
 NC-21437 [Mail Proxy] Mail addresses with "systems" or "solutions" as top level domain cannot be added in address groups. 
 NC-21671 [Mail Proxy] Message is not displayed properly in LogViewer. 
 NC-21891 [Mail Proxy] Spam headers displayed in e-mail when sent through reply portal. 
 NC-22271 [Mail Proxy] Issues with mails in spool marked with a firewall ID. 
 NC-22921 [Mail Proxy] Email flow is affected for recipients using TLS1.0. 
 NC-25332 [Mail Proxy] awarrenmta service segfaults when IP reputation is enabled. 
 NC-22504 [Network Services] Unable to assign two static IP mappings for the same host in different DHCP scopes. 
 NC-22163 [Networking] OSPF Neighbors not updated on changing multicast group limit. 
 NC-22539 [Networking] Fail to add vlan when specific DHCP server confiration migrated. 
 NC-22662 [Networking] Unable to make changes in WAN Link Manager for an interface with /31 subnet . 
 NC-21952 [RED] Site-to-Site RED tunnel between XG and UTM does not pass traffic with hardware acceleration enabled. 
 NC-22433 [RED] Generating certificates fails when long company name is used. 
 NC-22174 [Reporting] Missing size verification on custom logo for on-box reporting. 
 NC-22819 [Reporting] Application reports stop working after enabling Sync App Control. 
 NC-22853 [Reporting] Drill down is not working in mail report when "Mail Count" is selected as sortby. 
 NC-22868 [Reporting] Font style mismatch. 
 NC-22364 [SecurityHeartbeat] EP_Certificates table not available error . 
 NC-22778 [SecurityHeartbeat] Heartbeat registration fails with appliance in HA. 
 NC-22151 [SSLVPN] When using special character in Appliance Certificate, SSL VPN connection fails. 
 NC-22116 [Synchronized App Control] Last occurance time of applications in SAC is not consistent between HA nodes. 
 NC-22384 [Synchronized App Control] After de-registration of Heartbeat enhancedappctrl service is still running. 
 NC-22440 [Synchronized App Control] Sort list of categories in SAC customize menu. 
 NC-22766 [Synchronized App Control] Path of a customized app is shortened in SAC customize popup when app path contains slashes. 
 NC-22768 [Synchronized App Control] Uncategorized category is shown twice in the SAC customize popup. 
 NC-22813 [Synchronized App Control] Fixed height for SAC data table. 
 NC-22824 [Synchronized App Control] EP name with special character is not displayed correctly for macOS in SAC list. 
 NC-22962 [Synchronized App Control] Show category in SAC app list. 
 NC-22544 [UI] Incorrect start time displayed in Live Users list. 
 NC-22576 [UI] Disclaimer message is shown without line breaks. 
 NC-25275 [UI] Internet usage time displayed "NaN:NaN" value in Live Users list. 
 NC-22319 [WAF] "Edit Reverse Authentication" dialog contains untranslatable strings. 
 NC-22521 [WAF] Leftover of shm files cause a WAF restart loop. 
 NC-21534 [Web] Certificate error on accessing sites with https scanning enabled. 
 NC-21930 [Web] Incorrect Error message on Captive Portal when the user exceeds the number of simultaneous logins. 
 NC-22023 [Web] Word list files with non-UTF8 or whitespace-only should not be uploaded successfully. 
 NC-22124 [Web] Web Policy rule is converted to "AllWebTraffic" when adding more than one backslash character in the rule. 
 NC-22125 [Web] When maximum limit is reached, web exceptions cannot be updated anymore. 
 NC-22403 [Web] Certificate Error while accessing Outlook with direct proxy. 
 NC-22653 [Web] Policy Tester does not display backslash in policy name correctly. 
 NC-22721 [Web] AVD dies unpredictably when it runs out of memory. 
 NC-22800 [Web] AVD stability fixes. 
 NC-22930 [Web] Server side rbuf not reset for reused request. 
 NC-22954 [Web] Access to Custom Captive Portal does not work. 
 NC-23156 [Web] Not able to access any websites due to malformed ATP data update. 
 NC-23163 [Web] Font color for Initial Setup Wizard changes. 
 NC-12089 [Wireless] Unable to edit alias of "GuestAP" interface. 
 NC-19166 [Wireless] SSID disappears randomly with Dynamic Channel Selection. 
 NC-20761 [Wireless] Wireless Client List shows wrong IP address after network change. 
 NC-21369 [Wireless] VLAN and non VLAN SSIDs can't be selected at the same time for RED15w. 
 NC-22358 [Wireless] SSID is not broadcasted from time to time. 
 NC-22852 [Wireless] Wireless network interface status states being unplugged.

guillaume bottollier · Answer

Hi all 
 I have exactly the same troubles with v17 mrX. 
 I have several xg linking by IPsec vpn through pppoe xDSL connexions. Everything works great in v16.5 mr8. 
 When I update to v17, everything is broken, pppoe connexions never goes up, and/or IPsec vpn never goes up too. 
 I precise that I have deleted everything and recreate from scratch. 
 A downgrade to v16.5 mr8 and everything restarted well. I am fed up with those crappy v17 mrbeta.

guillaume bottollier · Answer

HI all, 
 And finally i've got the WHY..... 
 Sophos has migrated the ipsec engine to https://strongswan.org/ which is free. 
 There is no hazard, and that why every of us was asking by support to completely recreate the ipsec profiles. We know that after recreating everything it's not stable too. 
 Today i upgrade a v15.1 to v16.5.8 and ipsec vpn are still... perfectly STABLE !!! (without recreating anything) 
 I need V17 NOW (dns wildcard objects, IKEV2, object group for firewall) and i won't/can't recreate anything on my configurations. 
 PLEASE SOPHOS just give us a functionnal release !!!!!!

Karlos · Answer

For users continuing to see IPsec site-to-site VPN issues on v17 MR-3, please contact Support and open a ticket to provide logs & report possible BUG. Once you do please provide me with your case ID so I can be sure that the case is escalated. 
 For non-licensed users, please share or DM me the following information: 
 
 logfiles from the time frame when the Problem happens (/log/charon.log) 
 screenshots of the Connection config 
 screenshots of the Policy used in the Connection 
 charon related coredumps from /var/cores (if any) 
 
 We appreciate all your feedback. 
 Thanks, Karlos