Guest User!

You are not Sophos Staff.

Thread Info
  • Locked Locked
  • Replies 18 replies
  • Subscribers 2 subscribers
  • Views 44800 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Precaution on Update 9.351 (FTP)

HiRN

Hi folks,


I don't want to blame Sophos, this is just a precaution for people updating from the FTP to version 9.351. I have some massive problems but I do not know where they come from.

First, Interfaces take up to five minutes until the are pingable and allow traffic (timeouts), same problem with some IPsec tunnels, going up, pinging the remote site hosts is possible, then going to timeouts.

And further an AP50 doesn't get an connection to the UTM anymore.

HA cluster (active passive) problem. First I thoight its broken completely, since I now know, interfaces take a long time to get up, so this is maybe the reason for some strange HA cluster behaviour.

This behaviour is on two HA clusters (which I disabled for now) on VMware 6.0 Update 1a and wasn't there with 9.350.

So when you update, be aware you could have problems. Trying to get a clue on this.



This thread was automatically locked due to age.
  • So for the IPsec tunnel problem, i solved it by reapplying the Policies and disabled/enabled the tunnel on both endpoints. So far the tunnels are stable.

    Now I try to reset the AP50 to get it back to work. Problem with long time until interfaces are pingable and reach WebAdmin remains also.

    Administrating:

    • 2x UTM Software HA-Clusters (Active-Passive), Enthusiast Home Lab
    • 1x UTM525 HA-Cluster (Active-Passive), Full Guard, 6x AP15, 2x AP30, 40x RED10, 1x RED50
    • 1x SG230, Full Guard, 6x AP10, 1x AP15
    • 1x UTM220, Full Guard, 16x AP10
    • 1x UTM220, Full Guard
  • Just so you know, the updates on the FTP that you don't see via automatic download on your UTM are Soft Release. That basically means beta releases, that should never be applied to a production system unless 1) The release solves a specific bug that you are experiencing or 2) You enjoy being a Guniea Pig and potentially experiencing more bugs.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • in reply to Scott_Klassen
    I know that these are betas and I do not install them on production systems. Since Sophos bought Astaro I do not even install Up2Date updates by release date anymore.

    So it is not want to talk here about problems with FTP firmwares?

    Administrating:

    • 2x UTM Software HA-Clusters (Active-Passive), Enthusiast Home Lab
    • 1x UTM525 HA-Cluster (Active-Passive), Full Guard, 6x AP15, 2x AP30, 40x RED10, 1x RED50
    • 1x SG230, Full Guard, 6x AP10, 1x AP15
    • 1x UTM220, Full Guard, 16x AP10
    • 1x UTM220, Full Guard

  • The AP50 problem seems to break down to some strange Switch/PoE Adapter problem which occured at nearly the same time I updated to 9.351.

    Administrating:

    • 2x UTM Software HA-Clusters (Active-Passive), Enthusiast Home Lab
    • 1x UTM525 HA-Cluster (Active-Passive), Full Guard, 6x AP15, 2x AP30, 40x RED10, 1x RED50
    • 1x SG230, Full Guard, 6x AP10, 1x AP15
    • 1x UTM220, Full Guard, 16x AP10
    • 1x UTM220, Full Guard
  • So, only one problem left, long time until the internal interfaces is reachable (ping timeouts, WebAdmin not reachable, no traffic passing). Does anyone observed the same behaviour?

    Administrating:

    • 2x UTM Software HA-Clusters (Active-Passive), Enthusiast Home Lab
    • 1x UTM525 HA-Cluster (Active-Passive), Full Guard, 6x AP15, 2x AP30, 40x RED10, 1x RED50
    • 1x SG230, Full Guard, 6x AP10, 1x AP15
    • 1x UTM220, Full Guard, 16x AP10
    • 1x UTM220, Full Guard
  • Another report back, the issue with taking a long time until the interfaces are up is still there. Meanwhile I updated an UTM220 to 9.350 and then 9.351, no issues. Also a virtual software UTM (running on ESXI 5.5 U3), no issues. So, this is maybe a problem with my both software UTM running on ESXi 6.0 U1, and not a general problem with the 9.351.

    Administrating:

    • 2x UTM Software HA-Clusters (Active-Passive), Enthusiast Home Lab
    • 1x UTM525 HA-Cluster (Active-Passive), Full Guard, 6x AP15, 2x AP30, 40x RED10, 1x RED50
    • 1x SG230, Full Guard, 6x AP10, 1x AP15
    • 1x UTM220, Full Guard, 16x AP10
    • 1x UTM220, Full Guard
  • There is a known issue with HA and 9.351. They are working on a release (probably a 9.351-X release) that fixes this. I've seen 9.351 break active / passive HA clusters about 12 hours after application.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • in reply to BrucekConvergent
    Good to know. Is this only in VMware - we have two 425's in HA (Active/Passive).
  • in reply to DrewbleIT
    I've seen this on bare hardware installs as well.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • in reply to BrucekConvergent
    And now (just now) get an email from Sophos support saying they aren't sure it's a confirmed bug... they're going to have to escalate. Yay.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Unfiltered HTML