This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

No local internet connection via Wifi on RED15W(standard/split) after UTM 9.500-9 upgrade on SG310

Hallo, since our upgrade to UTM 9.500-9 last week Friday following problem occurs:
- We use a Sophos SG310 now with UTM 9.500-9. Connected via RED are several branches in Europe and one branch in the US all with a Sophos RED15W in standard/split mode.
Since the upgrade, in the branches it is not possible to get a local internet connection via the wifi that is provided through the RED devices. The people there are able to connect to wifi and can reach our resources in the HQ through RED vpn tunnel, the internet connection that should be provided through local WAN is not possible through it. Interesting point is that, if the remote colleagues are able to use both services (vpn and internet) if they connect directy to the RED with a LAN cable on one of the ethernet ports. For me that seems to be a problem with the wifi on the REDS.
Is this issues possibly connected with one of the following bugfixes in the last upgrade:

NUTM-6749 [Access & Identity] RED15w does not send split DNS traffic over RED tunnel
NUTM-5638 [WiFi] RED15w - integrated AP isn't shown as pending in transparent / split mode
NUTM-5786 [WiFi] RED15w - if more then one SSID is configured only one is working correctly?

I attach a picture where you can see how the situation is.

Summarised:

Connection SG310 to RED15W in standard/split -> WIFI connection: vpn tunnel is OK, Internet is not working
Connection SG310 to RED15W in standard/split -> LAN connection: vpn tunnel is OK, Internet is OK



This thread was automatically locked due to age.
  • I wonder if this isn't related to the problem folks have been having with the SG 1x5w local WiFi where the upgrade broke /etc/modules by failing to include the appropriate driver name.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi, 

    I got message from Sophos support. They know the bug and are working on it.

    NUTM-7962 is the ID.

     

  • Thank you, I encountered the same problem and thought it was a feature and not an actual bug.

  • Guido, did they tell you what the bug is?  There's no information anywhere about NUTM-7962.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    sadly not. They only told me that their development team is on it and that I have to call the hotline to ask for the status...

    "Guten Tag,

    es handelt sich hierbei um den bereits bekannten BUG mit der ID: NUTM-7962 .
    Unsere Entwicklung arbeitet bereits an einer Lösung für das Problem wobei aktuell noch kein Zeitpunkt für einen Fix oder ein Update welches diesen enthält genannt werden kann.

    Über den aktuellen Stand der BUG-ID können Sie sich gerne telefonisch bei uns im Haus erkundigen.

    Vielen Dank im Voraus.

    Mit freundlichen Grüßen,

    Sophos Technischer Support"

     

    Greetings - Guido

  • In other words, "Yes, we know there's a bug, but we have no idea what's causing the problem." ;-)

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I just got an Up2Date notice for the 9.501005 package as of today, but the recent NUTM-7962 bug isn't mentioned in the package description.


    Up2Date 9.501005 package description:

    Remarks:
     System will be rebooted
     Configuration will be upgraded
     Connected REDs will perform firmware upgrade
     Connected Wifi APs will perform firmware upgrade

    News:
     Maintenance Release

    Bugfixes:
     Fix [NUTM-6868]: [AWS, REST API] Missing trailing slash in Swagger URLs
     Fix [NUTM-6908]: [AWS, REST API] [RESTD] Consistent authentication look and feel
     Fix [NUTM-7173]: [AWS, REST API] [RESTD] Selfmon cannot (re)start restd
     Fix [NUTM-7633]: [AWS, REST API] Authentication with umlauts and some special characters not working
     Fix [NUTM-6727]: [AWS] AWS_CONVERSION_PRE_CHECK_FAILED (Pre-check failed: 127.)
     Fix [NUTM-7374]: [AWS] Link to RESTful API documentation
     Fix [NUTM-7497]: [AWS] selfmon complains about missing awslogsd during Up2Date
     Fix [NUTM-7658]: [AWS] Swagger UI XSS vulnerability
     Fix [NUTM-7442]: [Access & Identity, RED] [RED] 3G Failback with RED15(w) not working if DHCP server is shutting down
     Fix [NUTM-6504]: [Access & Identity] OpenVPN 2.4.0 deprecated option "tls-remote"
     Fix [NUTM-6606]: [Access & Identity] Re-occuring issues with the Sophos UTM Support access
     Fix [NUTM-7111]: [Access & Identity] Multiple open vulnerabilities in libvncserver
     Fix [NUTM-7157]: [Access & Identity] VPN users not being created when backend AD group is used
     Fix [NUTM-7295]: [Access & Identity] HTML5 VPN: Comma not working on Portuguese (Brazil) keyboard
     Fix [NUTM-7350]: [Access & Identity] [RED] USB stick E3372 does not work with RED 15
     Fix [NUTM-7377]: [Access & Identity] Remote Access tab won't load after selecting the OTP Token tab in the User Portal
     Fix [NUTM-7448]: [Access & Identity] SSLVPN: download of configuration for windows should use tls-remote option
     Fix [NUTM-7774]: [Access & Identity] HTML5 - Mouse not working on Touch Devices
     Fix [NUTM-7874]: [Access & Identity] Openvpn: DoS due to Exhaustion of Packet-ID counter (CVE-2017-7479)
     Fix [NUTM-6956]: [Basesystem] Hardware LCD screen: IP address of ports other than eth0 cannot be changed through LCD
     Fix [NUTM-7067]: [Basesystem] Update OpenSSH to openssh-6.6p1
     Fix [NUTM-7069]: [Basesystem] Linux: CVE-2017-6214: ipv4/tcp: infinite loop in tcp_splice_read()
     Fix [NUTM-7626]: [Basesystem] BIND Security update (CVE-2017-3136, CVE-2017-3137)
     Fix [NUTM-7646]: [Basesystem] NTP Security update (CVE-2017-6458, CVE-2017-6460)
     Fix [NUTM-7742]: [Basesystem] Update Appctrl (4.4.1.21)
     Fix [NUTM-6978]: [Confd] Configuration backups do not properly sanitize information
     Fix [NUTM-7160]: [Confd] "&" sign in RADIUS secret will be converted into "&"
     Fix [NUTM-7636]: [Confd] If changing name in REF_DefaultSuperAdmin 'Admin reset password' page is not presented
     Fix [NUTM-3513]: [Email] MIME type filter doesn't detect real mime type
     Fix [NUTM-3516]: [Email] POP3 prefetch sometimes stops working
     Fix [NUTM-3669]: [Email] SMTP Proxy vulnerable by TLS renegotiation (CVE-2011-1473)
     Fix [NUTM-3671]: [Email] SPX encrypted messages are vulnerable to access without proper authentication
     Fix [NUTM-3677]: [Email] Maildrop locked for account_id
     Fix [NUTM-4324]: [Email] Changing Email Protection settings fails with Sandstorm enabled and trial expired
     Fix [NUTM-5388]: [Email] Individual SMTP profiles not updated with changed global settings
     Fix [NUTM-5545]: [Email] Quarantine report can't be enabled under some circumstances
     Fix [NUTM-6379]: [Email] Frequent cssd coredumps
     Fix [NUTM-6986]: [Email] Sender blacklist doesn't allow '&' sign within the email address
     Fix [NUTM-7220]: [Email] WAF reporting virus found when AV engine on the UTM is updating
     Fix [NUTM-7625]: [Email] SMTP DLP expressions do not trigger under specific condition
     Fix [NUTM-7722]: [Email] mailbox_size_limit is smaller than message_size_limit in notifier log
     Fix [NUTM-3170]: [Network] Time-base access for wireless is dropping ipsec-routes and not creating them again
     Fix [NUTM-6992]: [Network] OSPF re-announcing static routes
     Fix [NUTM-7044]: [Network] Disable a VLAN associated with the WAN interface breaks the complete communication
     Fix [NUTM-7439]: [Network] nf_ct_dns: dropping packet: DNS packet of insuffient length: 25
     Fix [NUTM-7395]: [RED] [RED] Split networks/domains fields not shown when editing RED10/15
     Fix [NUTM-7491]: [RED] WARNING: CPU: 0 PID: x at net/core/dst.c:293 dst_release+0x30/0x51()
     Fix [NUTM-7060]: [Reporting] Search in reports doesn't work if the username contains only numbers
     Fix [NUTM-6651]: [Sandboxd] All sandstorm tagged mails get stuck in "Sandstorm scan pending"
     Fix [NUTM-4804]: [WAF] Redirect to original requested path after form-based auth
     Fix [NUTM-6930]: [WAF] WAF not responding after reboot of the AWS UTM
     Fix [NUTM-7178]: [WAF] Segmentation fault in mod_xml2enc for multi-byte charsets
     Fix [NUTM-7362]: [WAF] Fix localization strings in Confd
     Fix [NUTM-7698]: [WAF] WAF URL redirection and Site path routing can be configured for the same path
     Fix [NUTM-7806]: [WAF] WAF - inconsistency with two or more site path routes for '/'
     Fix [NUTM-7857]: [WAF] Changing the order of real webservers in the virtual webserver edit form isn't working
     Fix [NUTM-6617]: [WebAdmin] Search for Network Definitions breaks in Chrome with over 1000 objects
     Fix [NUTM-7652]: [WebAdmin] Not possible to download different SSL VPN User Profiles in one Firefox Session
     Fix [NUTM-7870]: [WebAdmin] Comment not displayed for Time Period definition
     Fix [NUTM-5794]: [Web] IPv6 fallback to IPv4 doesn't work
     Fix [NUTM-6502]: [Web] HTTP Proxy coredumping with EC CA certificate
     Fix [NUTM-6532]: [Web] AD Users are prefetched in lowercase letters
     Fix [NUTM-6809]: [Web] URL category name "Potiental Unwanted Programs" spelling mistake on sophostest.com
     Fix [NUTM-6848]: [Web] HTTPS warn behaviour when "Block all content, except..." is selected
     Fix [NUTM-6867]: [Web] New httpproxy coredumps after update to v9.411 - ReleaseToCentralCache
     Fix [NUTM-7076]: [Web] UTM not updating AD group definition
     Fix [NUTM-7167]: [Web] OTP Using AD Backend Membership - duplicates user when capital letters are used in the username
     Fix [NUTM-7321]: [Web] Non existent or non proxy users are able to create SSL webfilter exceptions
     Fix [NUTM-7367]: [Web] Difference between web_filter templates and default templates in web filter
     Fix [NUTM-5612]: [WiFi] Manual channel selection not possible in both bands for SG W appliances

  • I just updated to the new soft release. Bug fixed. Works like a charm a the moment.

    See the very last entry.

    Up2Date 9.502004 package description:

    Remarks:
    System will be rebooted
    Configuration will be upgraded
    Connected REDs will perform firmware upgrade
    Connected Wifi APs will perform firmware upgrade

    News:
    Maintenance Release

    Bugfixes:
    Fix [NUTM-8127]: [AWS] Link to CloudFormation console during cloudupdate is not working
    Fix [NUTM-3213]: [Access & Identity] Inconsistent behaviour/state when deleting a user cert
    Fix [NUTM-3283]: [Access & Identity] IPSec: VPN ID shall not include blanks
    Fix [NUTM-3294]: [Access & Identity] Menu option (keyboard layout) background not rendered properly in IE (version 11.0.9600.17728)
    Fix [NUTM-6972]: [Access & Identity] SSLVPN disconnection: backend AD sync
    Fix [NUTM-7897]: [Access & Identity] Argos doesn't start in HA setup without IP address
    Fix [NUTM-7940]: [Access & Identity] Client Authentication daemon crashes in HA scenario
    Fix [NUTM-7982]: [Access & Identity] SSL VPN connection not possible since v9.5 if organisation name contains umlauts
    Fix [NUTM-7996]: [Access & Identity] Devices authenticated via SAA are no longer associated with multiple user network objects in UTM 9.5
    Fix [NUTM-8122]: [Access & Identity] L2TP connections with separate DHCP server does not work
    Fix [NUTM-8146]: [Access & Identity] PPTP fails to connect when Assign IP addresses by is set to DHCP Server
    Fix [NUTM-8147]: [Access & Identity] OpenVPN vulnerabilities
    Fix [NUTM-8161]: [Access & Identity] OpenVPN vulnerabilities (client part)
    Fix [NUTM-8280]: [Access & Identity] High confd load through UMA
    Fix [NUTM-8130]: [Basesystem] Linux vulnerability 'The Stack Clash'
    Fix [NUTM-8156]: [Basesystem] Apache httpd vulnerability (CVE-2017-3169)
    Fix [NUTM-7235]: [Confd] READONLY user can download support package
    Fix [NUTM-7425]: [Email] Emailenc causing high load - permanently 100% CPU usage
    Fix [NUTM-7790]: [Email] Restrict long regular expression in WebAdmin
    Fix [NUTM-7876]: [Email] POP3 Proxy stops working after some time
    Fix [NUTM-7889]: [Email] Sandbox scan doesn't work - worker_do_get_file req content parsing error or missing parameters
    Fix [NUTM-6116]: [Network] Service_monitor sets wrong IP address for availability group
    Fix [NUTM-7647]: [Network] WAN random disconnects
    Fix [NUTM-7735]: [Network] ATP doesn't work with "Send anonymous application accuracy telemetry data" disabled.
    Fix [NUTM-7950]: [Network] Dhcp client not running - restarted
    Fix [NUTM-8015]: [Network] Main interface IP address swapped by additional address for DHCP setup
    Fix [NUTM-7543]: [Reporting] Calculate correct malware count for ExecReport
    Fix [NUTM-7609]: [Reporting] Websec-reporter is constantly restarting
    Fix [NUTM-7725]: [Reporting] High latency while navigating through WebAdmin after trying to display Web Reports
    Fix [NUTM-7878]: [WAF] Segfault for HTTP 1.0 requests when cookie rewriting is enabled
    Fix [NUTM-6845]: [Web] https://sslvpn.goodix.com does not loads through UTM PROXY
    Fix [NUTM-7467]: [Web] Sandstorm communication issues in some configurations
    Fix [NUTM-7697]: [Web] httpproxy.ConfdReload - core dump generated during configuration reload
    Fix [NUTM-7895]: [Web] Enable SMB2 in Samba
    Fix [NUTM-7939]: [Web] Chrome v58 and higher fail verification with HTTPS scanning enabled
    Fix [NUTM-7967]: [Web] httpproxy coredump
    Fix [NUTM-6950]: [WiFi] APs displayed as inactive in WebAdmin while clients connect to SSIDs which are still being broadcasted
    Fix [NUTM-7495]: [WiFi] Wireless client IP in Webadmin not updated after changing the SSID
    Fix [NUTM-7962]: [WiFi] Split traffic not working for wireless clients on RED15w after upgrade to v9.5