Update - internal server error

Hi Tomas Beran,

Thank you for reaching out to the Community! 

I see the same logs on my LAB firewall running on 17.5 MR14. 

Do you have any upstream firewall with IPS or web filtering configured on it? 

Can you provide the last few lines of the following commands? 

• grep -i "Response code : 200" u2d.log
• grep -i "Response code : 500" u2d.log

On my firewall, I see a response code 500 when the firewall cannot connect to the update server.

Thanks,

Hi,

originally I thought it is an issue fixed in v18.
NC-58229 [Authentication] Sophos AV and Avira AV Pattern updates failing

https://community.sophos.com/xg-firewall/b/blog/posts/xg-firewall-v18-mr3

Yes, the XG now behind another FW, but not inspected. Just firewall. I've not noticed any DROPs in it's log.

The statistics for October 29:
192 - all connections
143 - response code 200
49   - response code 500

So this is one problem - almost 25% connections fails.

The second is that even if connection is sufficient, the response from servers is that there is no any update. For example Avira was updated last time on October 29, 19:30.

...
Wed Oct 28 10:59:33 2020 New updated patterns are now at /content/savi_1.00/1.0.16233
Wed Oct 28 12:15:46 2020 pt_dload_checker: New updated patterns are now at /content/avira_4.00/1.0.411503
Wed Oct 28 12:16:20 2020 pt_dload_checker: New updated patterns are now at /content/geoip_1.00/2.0.002
Wed Oct 28 12:16:30 2020 pt_dload_checker: New updated patterns are now at /content/ips_16.0/18.17.57
Wed Oct 28 12:19:15 2020 pt_dload_checker: New updated patterns are now at /content/sslvpn_1.01/1.0.008
Wed Oct 28 12:32:33 2020 pt_manual_install: New updated patterns are now at /content/apfw_1.00/11.0.014
Wed Oct 28 21:10:30 2020 pt_dload_checker: New updated patterns are now at /content/avira_4.00/1.0.411516
Thu Oct 29 03:28:30 2020 pt_dload_checker: New updated patterns are now at /content/avira_4.00/1.0.411520
Thu Oct 29 12:31:29 2020 pt_dload_checker: New updated patterns are now at /content/avira_4.00/1.0.411527
Thu Oct 29 14:02:29 2020 pt_dload_checker: New updated patterns are now at /content/savi_1.00/1.0.16237
Thu Oct 29 14:47:29 2020 pt_dload_checker: New updated patterns are now at /content/avira_4.00/1.0.411528
Thu Oct 29 15:02:30 2020 pt_dload_checker: New updated patterns are now at /content/avira_4.00/1.0.411529
Thu Oct 29 15:47:30 2020 pt_dload_checker: New updated patterns are now at /content/avira_4.00/1.0.411530
Thu Oct 29 16:48:31 2020 pt_dload_checker: New updated patterns are now at /content/avira_4.00/1.0.411531
Thu Oct 29 16:49:11 2020 pt_dload_checker: New updated patterns are now at /content/ips_16.0/18.17.58
Thu Oct 29 17:03:32 2020 pt_dload_checker: New updated patterns are now at /content/avira_4.00/1.0.411532
Thu Oct 29 17:33:30 2020 pt_dload_checker: New updated patterns are now at /content/avira_4.00/1.0.411533
Thu Oct 29 19:04:29 2020 pt_dload_checker: New updated patterns are now at /content/avira_4.00/1.0.411534
Thu Oct 29 19:34:32 2020 pt_dload_checker: New updated patterns are now at /content/avira_4.00/1.0.411535
Fri Oct 30 05:23:30 2020 pt_dload_checker: New updated patterns are now at /content/savi_1.00/1.0.16239
END

Thanks

Thank you! And is this a cosmetical issue? I ask because as written earlier, this is happening only in relation to the "big" firmware upgrade <File name="HW-18.0.3_MR-3.SF300-457.sig"> from this URL d3tusa5dvomhzy.cloudfront.net/.../HW-18.0.3_MR-3.SF300-457.sig

DEBUG     Dec 16 13:53:44 [5593]: --serial = C4207xxxxxx
DEBUG     Dec 16 13:53:44 [5593]: --deviceid = 6d848b4deb5xxxxxxxxxxxxxxx
DEBUG     Dec 16 13:53:44 [5593]: --fwversion = 18.0.1.396
DEBUG     Dec 16 13:53:44 [5593]: --productcode = CN
DEBUG     Dec 16 13:53:44 [5593]: --model = XG430
DEBUG     Dec 16 13:53:44 [5593]: --vendor = WP02
DEBUG     Dec 16 13:53:44 [5593]: --pkg_ips_version = 18.17.71
DEBUG     Dec 16 13:53:44 [5593]: --pkg_ips_cv = 15.0
DEBUG     Dec 16 13:53:44 [5593]: --pkg_atp_version = 1.0.0333
DEBUG     Dec 16 13:53:44 [5593]: --pkg_atp_cv = 1.00
DEBUG     Dec 16 13:53:44 [5593]: --pkg_savi_version = 1.0.16369
DEBUG     Dec 16 13:53:44 [5593]: --pkg_savi_cv = 1.00
DEBUG     Dec 16 13:53:44 [5593]: --pkg_avira_version = 1.0.412546
DEBUG     Dec 16 13:53:44 [5593]: --pkg_avira_cv = 4.00
DEBUG     Dec 16 13:53:44 [5593]: --pkg_apfw_version = 11.0.012
DEBUG     Dec 16 13:53:44 [5593]: --pkg_apfw_cv = 1.00
DEBUG     Dec 16 13:53:44 [5593]: --pkg_sslvpn_version = 1.0.007
DEBUG     Dec 16 13:53:44 [5593]: --pkg_sslvpn_cv = 1.00
DEBUG     Dec 16 13:53:44 [5593]: --pkg_ipsec_version = 2.0.001
DEBUG     Dec 16 13:53:44 [5593]: --pkg_ipsec_cv = 1.00
DEBUG     Dec 16 13:53:44 [5593]: --pkg_geoip_version = 2.0.003
DEBUG     Dec 16 13:53:44 [5593]: --pkg_geoip_cv = 1.00
DEBUG     Dec 16 13:53:44 [5593]: --pkg_clientauth_version = 1.0.0019
DEBUG     Dec 16 13:53:44 [5593]: --pkg_clientauth_cv = 2.00
DEBUG     Dec 16 13:53:44 [5593]: --pkg_redfw_version = 3.0.002
DEBUG     Dec 16 13:53:44 [5593]: --pkg_redfw_cv = 2.00
DEBUG     Dec 16 13:53:44 [5593]: --oem = Sophos
DEBUG     Dec 16 13:53:44 [5593]: --server = u2d.sophos.com
DEBUG     Dec 16 13:53:44 [5593]: --port = 443
DEBUG     Dec 16 13:53:44 [5593]: Added new server : Host - u2d.sophos.com, Port - 443
DEBUG     Dec 16 13:53:44 [5593]: Final query string is :
?&serialkey=C4207xxxxxx&deviceid=6d848b4deb5xxxxxxxxxxxxxxx&fwversion=18.0.1.396&productcode=CN&appmodel=XG430&appvendor=WP02&useragent=SF&oem=Sophos&pkg_ips_version=18.17.71&pkg_ips_cv=15.0&pkg_atp_version=1.0.0333&pkg_atp_cv=1.00&pkg_savi_version=1.0.16369&pkg_savi_patch=2&pkg_savi_cv=1.00&pkg_avira_version=1.0.412546&pkg_avira_patch=2&pkg_avira_cv=4.00&pkg_geoip_version=2.0.003&pkg_geoip_cv=1.00&pkg_clientauth_version=1.0.0019&pkg_clientauth_cv=2.00&pkg_apfw_version=11.0.012&pkg_apfw_cv=1.00&pkg_redfw_version=3.0.002&pkg_redfw_cv=2.00&pkg_sslvpn_version=1.0.007&pkg_sslvpn_cv=1.00&pkg_ipsec_version=2.0.001&pkg_ipsec_cv=1.00
DEBUG     Dec 16 13:53:45 [5593]: Response code : 200
DEBUG     Dec 16 13:53:45 [5593]: Response body :
<Up2Date>
  <Package u2dtype="firmware" requiresMandatoryUpdate="1">
    <File name="HW-18.0.3_MR-3.SF300-457.sig">
      <location>https://d3tusa5dvomhzy.cloudfront.net/HW/HW-18.0.3_MR-3.SF300-457.sig</location>
      <version>SFOS 18.0.3-457</version>
      <fwversion>18.0.3.457</fwversion>
      <appmodel>XG430</appmodel>
      <appvendor>WP02</appvendor>
      <productcode>CN</productcode>
      <size>399932970</size>
      <md5sum>895386850bc6f4a3056f76ac4e51e6bf</md5sum>
      <release>GA</release>
      <releasenotes>https://d3tusa5dvomhzy.cloudfront.net/CHANGELOG/18.0.3.457.releasenotes</releasenotes>
      <message>Sophos Firewall MR Release</message>
      <releasedate>2020-10-13</releasedate>
    </File>
  </Package>
</Up2Date>

DEBUG     Dec 16 13:53:45 [5593]: Response length : 749
DEBUG     Dec 16 13:53:45 [5593]: Received requiresMandatoryUpdate = 1
DEBUG     Dec 16 13:53:45 [5593]: Received name : HW-18.0.3_MR-3.SF300-457.sig
DEBUG     Dec 16 13:53:45 [5593]: Received location : https://d3tusa5dvomhzy.cloudfront.net/HW/HW-18.0.3_MR-3.SF300-457.sig
DEBUG     Dec 16 13:53:45 [5593]: Received version : SFOS 18.0.3-457
DEBUG     Dec 16 13:53:45 [5593]: Received fwversion : 18.0.3.457
DEBUG     Dec 16 13:53:45 [5593]: Received appmodel : XG430
DEBUG     Dec 16 13:53:45 [5593]: Received appvendor : WP02
DEBUG     Dec 16 13:53:45 [5593]: Received productcode : CN
DEBUG     Dec 16 13:53:45 [5593]: Received size : 399932970
DEBUG     Dec 16 13:53:45 [5593]: Received md5sum : 895386850bc6f4a3056f76ac4e51e6bf
DEBUG     Dec 16 13:53:45 [5593]: Received release : GA
DEBUG     Dec 16 13:53:45 [5593]: Received releasenotes : https://d3tusa5dvomhzy.cloudfront.net/CHANGELOG/18.0.3.457.releasenotes
DEBUG     Dec 16 13:53:45 [5593]: Received message : Sophos Firewall MR Release
DEBUG     Dec 16 13:53:45 [5593]: Received releasedate : 2020-10-13
DEBUG     Dec 16 14:01:13 [17548]: --serial = C4207xxxxxx
DEBUG     Dec 16 14:01:13 [17548]: --deviceid = 6d848b4deb5xxxxxxxxxxxxxxx
DEBUG     Dec 16 14:01:13 [17548]: --fwversion = 18.0.1.396
DEBUG     Dec 16 14:01:13 [17548]: --productcode = CN
DEBUG     Dec 16 14:01:13 [17548]: --model = XG430
DEBUG     Dec 16 14:01:13 [17548]: --vendor = WP02
DEBUG     Dec 16 14:01:13 [17548]: --pkg_sysupdate_version = 11
DEBUG     Dec 16 14:01:13 [17548]: Added new server : Host - us-west-2.u2d.sophos.com., Port - 443
DEBUG     Dec 16 14:01:13 [17548]: Added new server : Host - ap-northeast-1.u2d.sophos.com., Port - 443
DEBUG     Dec 16 14:01:13 [17548]: Added new server : Host - eu-west-1.u2d.sophos.com., Port - 443
DEBUG     Dec 16 14:01:13 [17548]: Final query string is :
?&serialkey=C4207xxxxxx&deviceid=6d848b4deb5xxxxxxxxxxxxxxx&fwversion=18.0.1.396&productcode=CN&appmodel=XG430&appvendor=WP02&useragent=SF&oem=&pkg_sysupdate_version=11
DEBUG     Dec 16 14:01:15 [17548]: Response code : 500
DEBUG     Dec 16 14:01:15 [17548]: Response body :
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>500 - Internal Server Error</title>
 </head>
 <body>
  <h1>500 - Internal Server Error</h1>
 </body>
</html>

Hi,

I have 18.0.3.
Just addition to my previous comments. Noticed that for me from 14th afternoon the Avira signatures are not updated anymore - only ips and savi.

In 18.0.4 release notes there is some note about fix in up2date client. So I will recheck the behavior later on with this version and then maybe raise the ticket. Just waiting the fix to be available in GUI - so probably in January.

Neither ATP nor Avira have updated since the 14th Dec 2020 on my mr-4 XG.

Ian

Thanks Tomas Beran and rfcat_vk for providing your Firmware versions here. Hope the L1 support from case 03331743  acknowledges it finnaly and raises it to further levels.

Hi Tomas Beran,

The issue you reported with Avira signatures are not updating from 14th December is currently being investigated with internal ID NC-66996. If you have an open support case, please provide the support case and I will follow up with your support case.

This issue is also reported on the following Community thread.

Avira AV pattern not updated 

Hi,

so the issue described with error 500 is NC-64992

and the avira thing is NC-66996

please keep the avira postings in the other thread.

Hi Tomas Beran,

The issue you reported with Avira signatures are not updating from 14th December is now resolved with internal ID NC-66996.

Hi Patel,
thanks for info. It seems as some problem with update server(s) in general as it sometimes woks and sometimes not. It's about this 500 error and signature update problem in general in another threats. Let's see how it goes in time.

Hi, good that the Avira thing has been fixed. Please unmark

-> The issue you reported with Avira signatures are not updating from 14th December is now resolved with internal ID NC-66996.

as answer because it does'nt fix the issue described here.

Tomas Beran said:

It seems as some problem with update server(s) in general as it sometimes woks and sometimes not

Thomas, can you please check your u2d log if the 500 error on your machine is also only throwing this error on the same file request? In my case it is always HW-18.0.3_MR-3.SF300-457.sig

I would except an other file on your side as your are above my Firmware version.

Tomas Beran said:

It seems as some problem with update server(s) in general as it sometimes woks and sometimes not

Thomas, can you please check your u2d log if the 500 error on your machine is also only throwing this error on the same file request? In my case it is always HW-18.0.3_MR-3.SF300-457.sig

I would except an other file on your side as your are above my Firmware version.

I do not see any file or download of anything. It just connects and got 500 error code.

Just noted interesting thing in my case. The 500 error code follows 1 or 2 minutes after 200 code - does not matter if something was updated or not.