UTM 9.601 - RED issues!

Since upgrading all our customers to 9.601, a bigger part of them are complaining about RED's re/disconnection in a no-pattern way.

It started for all of them just the night we upgraded to 9.601, and they all are on different ISP's and located different places around the country.

Been with Sophos support for 2 hours today, and now they escalated it to higher grounds.

Will return with an update....

Suspicious entries in the log - but all connected REDs do this before connection:

2019:03:06-15:15:38 fw01-2 red_server[17509]: SELF: Cannot do SSL handshake on socket accept from 'xxx.xxx.xxx.xxx': SSL connect accept failed because of handshake problems

2019:03:06-15:15:46 fw01-2 red2ctl[12420]: Missing keepalive from reds3:0, disabling peer xxx.xxx.xxx.xxx

I know the last line is written before the tunnel disconnects, because there was no "PING/PONG" answer...

One customer has 2 x RD 50, one 1 100% stable and the other fluctuates in random intervals - we replaced this with a new RED 50, but the same thing occurs.

  • In reply to twister5800:

    Hi,

    what is the current recommend Setting with UTM Firmware 9.702-1 ?

     

    cc set red use_unified_firmware = 0

    or

    cc set red use_unified_firmware = 1

     

    Thanks,
    Klaus

  • So all RED's are running 9.702-1 and still seeing this SSL drop issue. 

     

    red2ctl[15035]: Overflow happened

    SELF: Cannot do SSL handshake on socket accept from 'x.x.x.x': SSL connect accept failed because of handshake problems

     

    Honestly...

  • In reply to Sophos User287:

    Moved the RED15 from our office in Italy to a customer in Austria.

     

    Got 

    SELF: Cannot do SSL handshake on socket accept from 'x.x.x.x': SSL connect accept failed because of handshake problems

     

     

    Reading the post, I'll try cc set red use_unified_firmware 0 and MTU 1400 tricks.

    Let's see tomorrow...

     

    Good night Sophos. It seems you're in trouble.

     

    G.

  • In reply to Sophos User287:

    I'm still getting this also on a RED 50 running 9.702-1.... quite annoying.

  • In reply to Sophos User287:

    Hello everybody,

    can somebody give me an update how the actual situation is about the connection problems, bootloop problems and unified_firmware problems wit RED ?

    I was strugeling myself at the end of 2019 with the bootloop problem and I`m still looking for a solution to connect a branch to our main office, using the same IP-range.
    I got three RED15 over RMA, but no one worked until I found this post - we gave all of them back but I still have no connection.

    In the main office we`re using a SG210 running 9.605-1, but I could update to 9.702-1.

    What about the RED 20....same problem...?

     

    Greetings..
    Bruno

  • In reply to Bruno Schley:

    Knock on wood, our RED50s have been stable since the upgrade to 9.702.  Before we were losing 1-2 a week out of the 8 we have deployed.

  • In reply to Aaron Leech:

    Hello Aaron,

    thanks for your Info.
    I´m really thinking about giving it a chance...but....
    "Sophos User287" wrote in Mai that he has still the same issues.
    Next problem is, the RED50`s are actually not available because of delivery problems.

    I could get a RED20....has anyone experiences with it....`?

     

    Greetings
    Bruno

  • In reply to Bruno Schley:

    Yes and it's still happening..... Only just last week again! I've even got it in balancing mode now and it still dropped out.

     

    Once the 9.703-3 update becomes available for my units I'll deploy and see what happens but suffice to say, the issue still exists in 9.702-1 for us.

  • In reply to Bruno Schley:

    Unfortunately I can only speak for our organization.

    The RED50 is being replaced by RED60, so you might be able to get those.  The RED20 should be good too if it meets your requirements.

    You just have to have 9.703 installed to be able to configure either one.

  • In reply to Aaron Leech:

    Good morning Aaron,

    yesterday I had a telephone conference with a distributor and his sophos techician.
    They told me that Sophos is going to solve the problem with 9.703-3 but still you have to have to get hands on it.
    Sophos published an image for RED´s and you have to flash the RED`s with it.
    And in combination with 9.703-3 the RED`s should be stabel.
    Before I start another test I asked them to give me more information how that flashing has to be done.
    The image has to be copied on a memory stick and then you have to flash it in a console session.
    But... not all memory sticks are compatible....?!?!
    I let you know if get the informations...

    Greetings
    Bruno