Urgent: Sophos XG 18.0.3 MR-3, RED60 loses connectivity / NO DHCP

Hi,

I need some urgent help.

I had a fine running XG 17.5.14-1 with RED60 Device, connected to Remote Office with Fibre (German Telekom Connect IP).
All was fine.

I upgraded to XG 18.0.3 MR13 and the AP got some new firmware; this seemed fine for a few hours.

Today the RED60 device in the Remote Office doesn't assign any DHCP IPv4 leases to the client.
After a reboot of the RED60 or with a manual IP assignment to the Remote Office client, all connectivity is lost.

I didn't change any rules yet, but the Remote Office is complaining that they can't connect to Head Office or the internet.

Is there any log I can check, or should I load the old stable 17.5.14-1?

Thanks

Jürgen

  • Hi,

    Thank you for reaching out to the Community!

    Did you check the red.log file on the firewall for any log entry that might help identify the issue?

    Is there any pending RED firmware update on the firewall?

    Thanks,

    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support

  • Thanks for your response,

    I only see RED logs under /log/red, and the last directory is from 2020-11-10, created on Dec 10 with a single log file inside.

    This log has some PONG and poe chip status messages.

    Thu Dec 10 14:05:27 2020 REDD INFO command '{"data":{"poe_chip_status":{"type":"chip","id":46,"totalPower":2,"totalPowerReg":0,"temperature":57.48,"volt":53.652825,"totalPowerCalc":15,"maxTotalPower":34,"firmware":12}},"type":"STATUS"}'
    Thu Dec 10 14:05:34 2020 REDD INFO command '{"data":{"seq":1108},"type":"PING"}'
    Thu Dec 10 14:05:34 2020 REDD INFO Sending json message {"data":{"seq":1108},"type":"PONG"}

    RED firmware is 3.0.002

  • Hi,

    Can anyone help me with some information?

    What log files should I parse?

    What services do I need to verify for the RED60/DHCP issue?

    Should i relay the DHCP from HO (192.168.0.0/24) to BO (192.168.10.0/24)?

    Thanks in advance

    And yes, I have opened a case.

    Jürgen

  • Start with posting some screenshots of the config. Are you using DHCP Relay or DHCP server on XG? Is any VLAN or Bridge involved?


  • DHCP Settings for reds1, device

    RED Config

    After I reboot the RED60 (off/on), all is fine for a few minutes or 2-3 hours.

    No VLAN, no Bridge.
    Firewall rules are not touched; these are the RED setup recommendations.

    And all worked fine with 17.5.14-1 before the upgrade.

    I have this case (03440168) open as critical, but it seems that the supporter is not working on this case?

    Which log files can I view, and where would I find more errors for the RED60...

  • Hi,

    I found the red.log.

    I see this information:

    Sat Dec 12 18:44:37 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '185.153.199.94': SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    Sat Dec 12 18:44:37 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '185.153.199.94': SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    Sat Dec 12 18:44:37 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '185.153.199.94': SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    Sat Dec 12 18:44:38 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '185.153.199.94': SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    Sat Dec 12 18:44:38 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '185.153.199.94': SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    Sat Dec 12 18:44:38 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '185.153.199.94': SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    Sat Dec 12 18:44:38 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '185.153.199.94': SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    Sat Dec 12 18:44:40 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '185.153.199.94': SSL accept attempt failed
    Sat Dec 12 18:44:40 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '185.153.199.94': SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    Sat Dec 12 18:44:41 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '185.153.199.94': SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    Sat Dec 12 18:45:07 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '185.153.199.94': SSL wants a read first
    Sat Dec 12 18:45:07 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '185.153.199.94': SSL wants a read first
    Reading REDv2 key from STDIN:
    Sat Dec 12 18:47:27 2020 REDD INFO: Red devices: Connected: 1 Disconnected 0 Enabled: 1 Disabled: 0
    Sat Dec 12 18:49:21 2020 REDD INFO: server: (Re-)loading device configurations
    Sat Dec 12 18:49:41 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from 'public RED60 ip': SSL accept attempt failed because of handshake problems
    Sat Dec 12 18:49:42 2020 REDD INFO: server: New connection from 217.239.136.66 with ID R600019JQ44MRB5 (cipher ECDHE-RSA-AES256-GCM-SHA384), rev1
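Added example (not from the thread or from Sophos): a small Python parser for the red.log message shapes quoted in the two log posts above, grouping SSL handshake failures per peer and reason, listing completed tunnel connections, and counting the JSON PING/PONG/STATUS traffic. The sample lines are constructed to match those shapes; timestamps, sequence numbers, the device ID and the RFC 5737 addresses are made up.

```python
import json
import re
from collections import Counter

# Constructed sample modelled on the red.log excerpts posted in this thread
# (same message shapes; timestamps, sequence numbers, device ID and the
# RFC 5737 addresses are made up).
SAMPLE_LOG = """\
Thu Dec 10 14:05:27 2020 REDD INFO command '{"data":{"poe_chip_status":{"type":"chip","id":46,"temperature":57.48}},"type":"STATUS"}'
Thu Dec 10 14:05:34 2020 REDD INFO command '{"data":{"seq":1108},"type":"PING"}'
Thu Dec 10 14:05:34 2020 REDD INFO Sending json message {"data":{"seq":1108},"type":"PONG"}
Sat Dec 12 18:44:37 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '198.51.100.7': SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Sat Dec 12 18:44:38 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '198.51.100.7': SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Sat Dec 12 18:45:07 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '198.51.100.7': SSL wants a read first
Sat Dec 12 18:47:27 2020 REDD INFO: Red devices: Connected: 1 Disconnected 0 Enabled: 1 Disabled: 0
Sat Dec 12 18:49:41 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '203.0.113.9': SSL accept attempt failed because of handshake problems
Sat Dec 12 18:49:42 2020 REDD INFO: server: New connection from 203.0.113.9 with ID R6000EXAMPLE (cipher ECDHE-RSA-AES256-GCM-SHA384), rev1
"""

HANDSHAKE_RE = re.compile(r"Can not do SSL handshake on Socket accept from '([^']+)': (.+)$")
CONNECT_RE = re.compile(r"New connection from (\S+) with ID (\S+) \(cipher ([^)]+)\)")
JSON_RE = re.compile(r"(?:command '(\{.*\})'|Sending json message (\{.*\}))$")


def summarize_red_log(text):
    """Group red.log lines into handshake failures, completed tunnels and JSON keepalive/status messages."""
    failures = Counter()   # peer address -> number of failed handshakes
    reasons = Counter()    # OpenSSL reason text -> count
    connections = []       # (peer, device id, cipher) for each completed tunnel
    messages = Counter()   # JSON "type" values exchanged with the RED (PING, PONG, STATUS, ...)
    for line in text.splitlines():
        if (m := HANDSHAKE_RE.search(line)):
            failures[m.group(1)] += 1
            # the text after the last ':' groups identical OpenSSL reasons together
            reasons[m.group(2).rsplit(":", 1)[-1].strip()] += 1
        elif (m := CONNECT_RE.search(line)):
            connections.append(m.groups())
        elif (m := JSON_RE.search(line)):
            payload = json.loads(m.group(1) or m.group(2))
            messages[payload.get("type", "?")] += 1
    connected = {peer for peer, _, _ in connections}
    return {
        "failures": dict(failures),
        "reasons": dict(reasons),
        "connections": connections,
        "messages": dict(messages),
        "recovered_peers": sorted(failures.keys() & connected),  # failed, then completed a tunnel
        "never_connected": sorted(failures.keys() - connected),  # only ever failed
    }
```

On a real red.log, a peer in `recovered_peers` is a RED that is flapping, while an address in `never_connected` never completed a tunnel and is worth comparing against the RED's public address.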

  • Do you use the Beta Firmware on XG for RED? Looks like this RED cannot establish the SSL Channel anymore for some reason. A RED Firmware upgrade to Unified Firmware could be a better approach. 

    Also try to delete and recreate this red. 


  • Hi,

    What do you mean by Beta? The RED60 has 3.0.002.

    I had the RED60 without Unified firmware and it failed,
    so I switched to Unified Firmware. It makes no difference.

    I thought XG 18.0.3 MR3 had Unified in a stable release. The GUI says so, but the green popup message said Beta.

    I did some more tests.

    If I reboot the RED60, all is fine for a while.

    But the tunnel does not fail at all; the tunnel is solid (I think, as I can ping the RED60 IP).

    On the HO I can SSH to the XG and do some tests.

    I can ping the IP of the RED60, this is fine (192.168.10.254).
    I can see the routing table; it shows

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    ...
    192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 reds1

    I have no static route configured for the BO; the documentation for the RED60 doesn't say so.

    But I can't ping any clients behind the RED60.

    IPS is disabled.

    Any idea?

  • Hi,

    I tried to call Sophos Support international.

    (It's very bad support: no one answers the phone, and maybe after 40 minutes you get the wrong support department.)

    But after 40 min I got an engineer; he asked some details and, just before the call was interrupted, he said something like...

    Yes, this is a known bug with the firmware. We need to downgrade to the last release.

    The RED 60 firmware 3.0.002 was from July 10 2020, so it could be only the XG 18.0.3 Release.

    So I am back at XG 17.5.14 MR14-1; let's see if this wild guess will help.

  • So,

    faster than I thought, it fails again.

    So the RED 60 firmware 3.0.002 must be the bad boy.
    I am not sure when the upgrade was done.

    I wish that someone from Sophos support would take over the case.