Release of v17 MR-2?

Hi,

now that MR-1 has appeared, I wanted to ask when MR-2 will appear. The problems and instabilities of IPsec in v17 (especially in connection with v16.5) are very annoying.

  • In reply to dna:

    Great. Thanks for the info, dna.

    -Scott

  • I'm having IPsec issues here, too.

    Cisco VPN with iOS. The log viewer shows the following error:

    IKE_SA timed out before it could be established

    Reverted back to MR1 for today...

    Best Regards

    Dom Nik

  • In reply to Scott_D_L:

    Hi Scott,

    Scott_D_L
    See my comment above about custom IPsec policies. It appears that custom IPsec policies are not showing up as selectable. If you go to modify that VPN connection, you will not be able to select your IKEv2_KeyNegTries_Unlimited policy, I'm betting (it won't be in the list).

    The policies shown in this dropdown depend on several factors. There is already a ticket open to improve the situation, because it is not obvious which policies can be expected in the list. It depends on the Gateway type (initiator/responder) as well as options in the policy, mainly the 'When Peer Unreachable' setting.

    You have a Sophos support ticket open regarding this issue; may I ask you for the ticket number?

    Kind Regards,

    Afschin

  • In reply to dna:

    Thanks Afschin,

    Case ID# is Case 7778728. I'm on another call at the moment, but feel free to use the access ID I gave in the ticket to take a look. (This system is in production, so please be aware of that.)

    Thanks for your help!

    -Scott

  • In reply to rrosson:

    rrosson
    Rodrigo Pereira
    NC-19881 [Mail Proxy] Whitelist and blacklist for e-mail/domains in WebAdmin. 

    Are we sure this made it into MR2?

    Hi Ron,

    According to the internal ticket system it made it into MR2. I'd suggest having a test run/test setup to be sure it matches your expectations.

    Best Regards,

    Afschin

  • I just upgraded a HA cluster to MR2. The auxiliary is updated and I'm logged into the primary, but both units say HA is disabled and the primary (the one I'm logged into) hasn't yet updated...

    I normally check that HA is working and that both units are online before I start an update, and I didn't this time, but both units have the MR2 release loaded onto them; one is running the new one, the other is still on GA, so the HA must have been working or my manual upload of the firmware wouldn't have loaded onto both.

    I'm not sure what to do now. I think it's just stuck, but I'm worried that if I touch it, it might completely break.

    James

  • In reply to Big_Buck:

    Hello Big_Buck,

    I really cannot agree with you. I tried to define a completely new IPsec tunnel. The first test IPsec tunnel had the IPsec policy DefaultHeadOffice (IKEv1) and the second IPsec tunnel had the IPsec policy IKEv2 (IKEv2), and in both cases the IPsec tunnel was correctly established.

    Both appliances were upgraded to MR2 today; one appliance I upgraded from v17.0.MR1 and the second appliance was upgraded from v16.5.MR8 directly to v17.0.MR2. One appliance has, in addition to the test tunnel, another fully functional IPsec tunnel connected to another appliance with UTM v9.506 installed. And this other tunnel is fully functional after updating the XG appliance to v17.0.MR2 too.

    Could you send your IPsec policy screen so I can test your IPsec policy on my test installation? Could the problem not be in having the same definition of the IPsec policy at both endpoints of the tunnel? Most problems are just the correct definition of the IPsec policy and IPsec tunnel (correct IP networks, among others).

    My experience.

    Regards

    alda

  • In reply to alda:

    Hello alda

    Thank God your config is not too sensitive... I have a question. Why would anyone set up a VPN with the 20(+)-year-old technology that IKEv1 is? Now, compare the DefaultHeadOffice and DefaultBranchOffice IPsec profiles and you will notice a few parameters do not match: Key Life Phase 1 and Key Life Phase 2, namely. When I first set up a firewall with CheckPoint in 1991, it was clear in all the instructions I read that these parameters were supposed to be the same at both endpoints. That's an IPsec requirement. For one. One Sophos Senior Support engineer fixed that on our sites a few weeks ago. He matched every parameter. I will not argue with an engineer of that caliber.

    The DefaultHeadOffice and DefaultBranchOffice profiles worked in our lab but failed when connected in real life.

    Very basic IKEv2 works with MR1 but fails once upgraded to MR2.

    Mileage may vary, they say.

    PJR

    Update: Reconstructing all VPNs from scratch made them work again.

  • Steppenwolf,

    MR-2 is out! Check it out...

  • In reply to jamesharper:

    This actually happened to one of our clusters as well (during the upgrade from V16.05.8 to V17 GA). The firmware was loaded to both appliances but no upgrade ever occurred on either; instead the Auxiliary locked up and the HA was disabled. The configuration stayed on both appliances when HA was disabled, so when I rebooted the auxiliary to get back into it, it took the network down as both appliances were fighting for the ARP requests. I had to default the Aux appliance and rebuild the HA from scratch...

  • In reply to Rodrigo Pereira:

    • NC-22793 [IPsec] Cisco VPN connection with cert auth not working on iOS using config from userportal.

    I still have issues with this, and I'm wondering whether someone else can test it to make sure it is not something I am doing wrong.

  • In reply to hjherron6:

    In my case it was exactly like HA had been disabled. I left it as it was as I was now operating out of the maintenance window, and then re-enabled HA after hours. This was an update from 17GA to 17MR2.

    Another update I did today was from V16 (don't know exactly what level) to V17GA, and it dropped all my licensing and said it had expired 2 years ago. I disabled HA, found that the auxiliary unit had never had an eval on it, re-enabled HA, swapped primary and auxiliary, disabled HA, enabled eval, then finally enabled HA again. So now I'm up and running and have 30 days for Sophos to please explain and fix the license issue (I was on hold with support for 30 minutes and never got through to talk to anyone).

    James

  • In reply to Rodrigo Pereira:

    Hi,

    IPsec VPNs are working again. So far, I've only discovered one thing wrong:

    • Self-defined IKEv1 policies are not selectable in Gateway Type "Responder Only"

    Does anyone else have the same problem?

  • In reply to Steppenwolf:

    Hi Steppenwolf,

    I tried to explain the current situation in a previous post. Hope this clarifies it a little.

    https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/98067/release-of-v17-mr-2/358149#358149

    Kind Regards,

    Afschin

  • I'm super annoyed by MR1 and MR2. Ever since I upgraded firewalls from the GA release to those, we've had nothing but issues with VPNs disconnecting or not connecting at all. Worked with Sophos Support, but no resolution at all. Instead I'm being asked to have the other side look at their end... great help! I'm dealing with vendors that are not the easiest people to work with, that I can't just call up like "hey, check our VPN and tell me what you see in the logs". The fact that the firmware update started this clearly shows there's something wrong on the XG side, not the other end.

    This needs to be addressed ASAP.

    I recommend NOT UPGRADING TO MR1 or MR2. Stick with V17 GA or anything older.