
New release MR-3 comments

Hello,

Yesterday my XG Firewall decided to upgrade itself to the new MR-3 release on a reboot, even though I had clicked each time before not to upgrade yet. After the upgrade, the IPsec site-to-site VPN to an OpenWRT router was not working right. Looking at the logs on the OpenWRT router, I saw that tunnels kept creating themselves, and after seeing hundreds of them, the link between the sites was too slow to be workable. I had to revert to MR-2, where this issue is not present.

I am a new user of Sophos. I was impressed with XG Firewall and installed it at my place and at one of my friends', but I was less impressed with the MR-3 release. How could a bug like this go through? Anyway, if I can be of any help to find and fix this bug, I'll be glad to help.

Another small bug is present in both versions: the notification emails that tell whether the VPN link is down or up are not always sent on a status change, especially when the link is back up.

Best regards,

Dominic



This thread was automatically locked due to age.
  • Hi Dominic, 

    In order to investigate further, we would need to do further testing while you're on MR-3. Are you able to set up a test environment so that it doesn't affect your live network?

    First, try recreating the IPsec tunnel on MR-3 and see if the issue persists. If so, please provide output of your IPsec VPN logs from the XG for review.

    To confirm, tunnel comes up but traffic does not flow?

    Thanks,
    Karlos

  • I can reproduce it easily, and the log on OpenWRT made it much easier to follow what was going on. Tunnels keep being opened at a fast rate, and when too many tunnels were opened, traffic could not flow anymore (it would get slower and slower), as the routers were just too busy creating and deleting hundreds of tunnels.

    This behavior is not present with MR2. I would prefer that you build the test environment, as no one will pay for my time, and I do not want to take personal time on this. I already spent a night without much sleep on it. I do not want to put any more time into it, but I can answer any questions you may have.

  • Hi Dominic,

    Unfortunately, we're not able to recreate your environment. We have successful IPsec site-to-site VPNs on MR-3 in test environments, so it seems specific to your setup or configuration. But don't hesitate to reach out again if you would like help troubleshooting this in the future.

    Cheers,
    Karlos

  • You have tried with an OpenWRT router at the other end? No one will look into the code to catch this? I think it should be easy to catch, since it is a change between MR2 and MR3.

    In the end, I do not really care whether you fix it, since there are other products competing with yours. I found Sophos in an article comparing it to PFSense, and the article mentioned it was easier to set up. I play with routers every day, so I know my way around, but I'm tired of fighting with buggy hardware and software all around.

    I have been impressed with the ease of Sophos XG, but MR3 makes it lose its edge. I think you have a good potential product; customer support still needs some work. Wish you a great year.

  • Hi Dominic,

    Sophos seems to ignore the problem, but V17 is not stable regarding IPsec VPN and PPPoE connections...

    Going back to V16.5 MR8 will be a better choice for now.

    @karlos please listen to the complaints of your customers instead of ignoring them!

    https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/98067/release-of-v17-mr-2/360770#360770

  • Hi  &  

    We definitely value feedback and possible bug reports on new firmware releases on the Community. In fact, it is one of the biggest sources for bug identification.

    The difficulty is that our Support team is limited in our ability to be able to test with 3rd party products (OpenWRT, for example). That requires escalation to our Development team. In order for us to do that, we would need to work within our customer's environments and pull logs/information that we can then send over for investigation.

    Therefore, for users with licenses, we urge you to call in to our Support Line so that a case could be created and escalated. For non-licensed users, providing us your log output would be valuable.

    I will update this thread, including the one you linked, once we have further information on these VPN issues seen on MR-3.

    Best,

    Karlos
