
[Sophos Notification] Advisory: Sophos XG Firewall: Reboot after upgrading to v18 if SSL VPN is being used

Hi Community,

Sophos is aware of an issue affecting a small subset of XG v18 users using SSL VPN, where the device will continually reboot.

Impact

This issue can cause the XG to reboot, leading to an unexpected outage. This issue is affecting XG devices on v18 that have SSL VPN users connected.

Current status

Root cause analysis (RCA) has been completed and the fix will be included in SFOS v18 MR1.

A manual patch is available through support. Please follow the instructions below to confirm if you are affected.

What to do

To confirm if you are affected, please follow the steps below:

  • Confirm that the device has SSL VPN users connected.
  • Connect to the appliance via the serial console and check whether a kernel dump is printed when the appliance reboots. The signature to look for is a NULL pointer dereference in the sslvpn process, as in the trace below:

    [ 326.524790] BUG: unable to handle kernel NULL pointer dereference at (null)
    [ 326.548297] IP: 0xffffffffa07c2126
    [ 326.558529] PGD 80000003f85b2067 P4D 80000003f85b2067 PUD 3a8045067 PMD 0
    [ 326.579153] Oops: 0000 [#1] SMP PTI
    [ 326.589650] Modules linked in: nfnetmap_queue(O) nf_conntrack_ipslb xt_svp xt_xfrmpolicy ah4 xt_addrtype xt_CT nf_nat_ftp nf_conntrack_ftp ebtable_filter ebtable_nat ebtables ip6t_MASQUERADE xt_muser xt_conntrack xt_LBS ip6table_filter iptable_filter xt_DNAT xt_SNAT nf_nat_masquerade_ipv6 xt_nat_lookup xt_UST xt_ust xt_firewall nat_rules sfos_rules_framework firewall ip_set_hash_mlmwsticky ip_set_hash_sslvpn iptable_mangle ip_set_hash_mac ip_set_hash_bw nf_conntrack_dns nf_nat_sip nf_conntrack_sip nf_nat_irc nf_conntrack_irc nf_nat_tftp nf_conntrack_tftp nf_nat_h323 nf_conntrack_h323 nf_nat_pptp nf_conntrack_pptp cfg80211 pw_nar_wdt usbhid hid_generic hid ohci_pci ohci_hcd xhci_pci xhci_hcd uhci_hcd ehci_pci ehci_hcd fw_handle_ngfw_notification fp2sp_api fp_notifier bonding lzo lzo_compress lzo_decompress
    [ 326.803327] cifs red red2 appdev nf_conntrack_netlink nf_nat_proto_gre nf_conntrack_proto_gre set_sessiontbl sessiontbl ip_gre gre ipcomp xfrm_ipcomp esp4 xfrm4_mode_transport xfrm4_mode_tunnel xfrm4_tunnel xfrm_user af_key xfrm_algo aesni_intel glue_helper aes_x86_64 crypto_simd cryptd cls_u32 act_mirred sch_ingress ifb sch_hfsc sch_leafprio sch_headprio sch_sfq sch_htb xt_MULTISET xt_MLM xt_SRCNETMAP xt_MARKROUTE xt_CONTINUE xt_LOGDROP xt_ULOG xt_TCPMSS xt_REDIRECT nf_nat_redirect ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_OUT_OUTDEV ip6t_rpfilter ipt_rpfilter ebt_nflog ebt_pkttype xt_serviceset xt_appset xt_hostset xt_pkttype xt_recent xt_state xt_status xt_cet xt_OUTDEV xt_iprange xt_limit xt_hashlimit xt_tcpudp xt_multiport nf_conntrack_relate xt_IPMACFILTER xt_RANGENAT xt_VHDNAT ip_set_bitmap_vhost
    [ 327.016560] xt_FWSET xt_set ip_set_hash_maciface_fp ip_set_hash_ipiface_fp ip_set_bitmap_hotspotuser ip_set_hash_hotspotmac ip_set_bitmap_tlsrule ip_set_bitmap_appset ip_set_bitmap_fwrule ip_set_bitmap_ctrxss ip_set_bitmap_user sp2fp_api ip_set_bitmap_userpolicy ip_set_hash_ipuser ip_set_bitmap_service ip_set_bitmap_host ip_set_hash_ipmaciface ip_set_hash_l2mac ip_set_hash_ipmac ip_set_hash_ip ip_set arptable_filter arp_tables network_bypass(O) e1000e_nm(O) igb_nm(O) i2c_algo_bit ixgbe_nm(O) i40e_nm(O) vxlan udp_tunnel ip6_udp_tunnel ptp pps_core mdio i2c_i801 i2c_dev i2c_core netmap(O) ip6table_nat nf_nat_ipv6 ip6table_mangle ip6table_raw iptable_nat iptable_raw nf_nat_ipv4 xt_dscp nf_nat ip6_tables ip_tables tun af_packet 8021q nf_conntrack_ipv6 nf_defrag_ipv6 nf_conntrack_ipv4 ip6_tunnel tunnel6
    [ 327.228818] sit ip_tunnel tunnel4 ppdev parport_pc parport nf_conntrack lineartable bitmap_api br_netfilter bridge nf_defrag_ipv4 ipv6 stp llc x_tables nfnetlink button evdev [last unloaded: nfnetmap_queue]
    [ 327.284091] CPU: 3 PID: 14551 Comm: sslvpn Tainted: G O 4.14.38 #2

If the logs match, please raise a support case and reference this KBA for a manual patch to be applied.
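The console output is easiest to compare against the advisory if you save the serial session to a file on your workstation and check it there. The script below is an added example, not part of the Sophos advisory or SFOS itself: it looks for the three parts of the signature quoted above (the NULL pointer BUG line, the Oops line, and "Comm: sslvpn" on the CPU line) and pulls out the kernel version and process name for the support case. The function names, file paths and the sample captures it writes are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Sophos advisory): check a saved serial-console
# capture from the XG for the sslvpn NULL-pointer oops signature. Function
# names, paths and the sample capture contents are constructed here.

# Returns 0 when the capture holds all three parts of the signature:
# the NULL-pointer BUG line, an Oops line, and the sslvpn process name.
matches_sslvpn_oops() {
    f="$1"
    grep -q 'BUG: unable to handle kernel NULL pointer dereference at (null)' "$f" || return 1
    grep -q '^\[ *[0-9.]*\] Oops: ' "$f" || return 1
    grep -q 'Comm: sslvpn' "$f" || return 1
    return 0
}

# Prints "<kernel version> <process>" taken from the CPU/Comm line,
# e.g. "4.14.38 sslvpn", for quoting in the support case.
oops_summary() {
    sed -n 's/.*Comm: \([^ ]*\) Tainted: [A-Z ]* \([0-9][0-9.]*\) .*/\2 \1/p' "$1" | head -n 1
}

# Writes a constructed capture (a cut-down copy of the lines quoted in the
# advisory) to the given path so the check can be tried offline.
write_sample_capture() {
    cat > "$1" <<'EOF'
[ 326.524790] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 326.548297] IP: 0xffffffffa07c2126
[ 326.579153] Oops: 0000 [#1] SMP PTI
[ 326.589650] Modules linked in: nfnetmap_queue(O) nf_conntrack_ipslb xt_svp
[ 327.284091] CPU: 3 PID: 14551 Comm: sslvpn Tainted: G O 4.14.38 #2
EOF
}

# Writes a constructed capture of an unrelated NULL-pointer oops (a
# different process) to show the check does not fire on any kernel crash.
write_other_capture() {
    cat > "$1" <<'EOF'
[ 12.000001] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 12.000002] Oops: 0000 [#1] SMP PTI
[ 12.000003] CPU: 0 PID: 42 Comm: sshd Tainted: G O 4.14.38 #2
EOF
}

# Stand-alone usage: sh check_oops.sh <console-capture.txt>
if [ -n "$1" ]; then
    if matches_sslvpn_oops "$1"; then
        echo "signature found: $(oops_summary "$1"); raise a support case and reference this KBA"
    else
        echo "signature not found in $1"
    fi
fi
```

The check deliberately requires the "Comm: sslvpn" line as well as the BUG line: a NULL pointer dereference on its own is a generic kernel fault and does not by itself show that this SSL VPN issue is the cause.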

Next update

This article will be updated if more information becomes available.
