DO NOT INSTALL 9.703!!!

DO NOT INSTALL 9.703!!!

My lab system was Up2Dated to 9.703-2 Thursday evening at 10PM CDT (UTC -0500) and all connection with the outside world immediately stopped.  My local connection would work normally a few minutes at a time and then everything would lock up for a few minutes.  I could not identify the problem with top, but did see a lot of zombie confd processes.  I lost the entire day of Friday because my wife has a big project due next week and was working via Microsoft Teams all day with her colleagues.

I will suggest to Sophos that the file be removed from the ftp site. Grumble.

Cheers - Bob

  • In reply to twister5800:

    Here they are, these are from the SG210 that jumped to unusual 55% percent CPU usage, while being in lox 7%-15% range normally.
    I see strange ntpd things, why is this creating interfaces all the day?

     

    system-logfiles_20200416125538.zipfallback-logfiles_20200416125737.zip

  • In reply to jprusch:

    Definately something going on with your interfaces, mine does not have all theese:

     

    2020:04:16-00:15:29 fw ntpd[5124]: Listen normally on 69 eth3 xxx.xxx.xxx.xxx:123
    2020:04:16-00:15:29 fw ntpd[5124]: Deleting interface #68 eth3, xxx.xxx.xxx.xxx#123, interface stats: received=0, sent=0, dropped=0, active_time=32 secs
    2020:04:16-00:15:29 fw ntpd[5124]: new interface(s) found: waking up resolver

     

    What does Self monitoring show?

  • In reply to twister5800:

    Selfmonitoring as of  today (complete log)

    2020:04:16-10:34:39 fw selfmonng[4722]: I check Failed increment afc_running counter 1 - 3
    2020:04:16-14:24:35 fw selfmonng[4722]: T Global skip state now 'ON'
    2020:04:16-14:26:15 fw selfmonng[4561]: T Selfmonitor Daemon successfully started
    2020:04:16-14:26:15 fw selfmonng[4561]: T Loading Selfmonitoring Checks complete  new=93 failed=0 retained=0 dropped=0
    2020:04:16-14:26:30 fw selfmonng[4561]: I check Failed increment dnsresolver_running counter 1 - 3
    2020:04:16-14:26:45 fw selfmonng[4561]: T read config file '/etc/selfmonng.conf'
    2020:04:16-14:26:45 fw selfmonng[4561]: I check Failed increment service_monitor_running counter 1 - 3
    2020:04:16-14:26:50 fw selfmonng[4561]: I check Failed increment pluto_running counter 1 - 15
    2020:04:16-14:26:50 fw selfmonng[4561]: I check Failed increment starter_running counter 1 - 3

  • In reply to jprusch:

    The 198.19.250.x/24 network range is linked to HA, are you using HA? if not try disable this. By default I think it is set to zeroconf.  If you could post the high availability logs it may have more details there

     

    2020:04:16-00:00:27 fw ntpd[5124]: Listen normally on 41 eth3 198.19.250.x:123
    2020:04:16-00:00:27 fw ntpd[5124]: Deleting interface #40 eth3, 198.19.250.x#123, interface stats: received=0, sent=0, dropped=0, active_time=64 secs
    2020:04:16-00:00:27 fw ntpd[5124]: new interface(s) found: waking up resolver

     

    if you cannot get to the web admin but have serial/shell access as root you can run this command to check the status and disable

    cc get ha status

    cc set ha status off

  • Hi,

     

    I had to reinstall my UTM in my home environment after upgrading to 9.703002. :-(

    No login was possible to WebAdmin-GUI and the internal and external Lan connection was broken.

     

    Unfortunately I didn't read this warning before.

  • In reply to Draco:

    Hello Draco,

    I know, but neither is there something configured for HA, nor is something connected to port eth3.

    HA was set to "automatic", I turned to "OFF" now and watch what happens.

  • Looks like its been pulled from the SG230 and Sg310's, one of my SG210s did keep t his installed so might have missed the pull window....seems to be OK though.

  • In reply to maxsecobj:

    Sophos has pulled this update, due to critical issues, do not install for now:

     

    https://community.sophos.com/kb/en-us/135383

  • In reply to twister5800:

    and the moral of the story?

     

    Do not install any update until someone else has a critical issue, then Sophos will investigate further, pull the update and get the patch properly programmed, then release it again.

     

    and to be really cynical, really fix the problem six months later!

  • In reply to twister5800:

    What about the brave/unlucky/dumb people who have been installing that 9.703 update manually? Do they receive that particular pattern update as well?

  • In reply to jprusch:

    Reformat with 9.702 iso and restore backup file :-/

  • In reply to twister5800:

    OK - lesson learned.

  • In reply to jprusch:

    It seams Sophos Ltd hires to much M$ Developers

  • Am I reading that both latest updates of XG and UTM introduced this same issue? I thought these were two completely different products lines?

  • In reply to myparadigm:

    Yes, that is eye-catching...