Urgent: Sophos XG 18.0.3 MR-3, RED60 loses connectivity / NO DHCP

Hi,

I need some urgent help.

I had a fine running XG 17.5.14-1 with RED60 Device, connected to Remote Office with Fibre (German Telekom Connect IP).
All was fine.

I upgraded to XG 18.0.3 MR13 and the AP got some new firmware; this seemed fine for a few hours.

Today the RED60 device in the Remote Office doesn't assign any DHCP IPv4 leases to the client.
After a reboot of the RED60 or with a manual IP Assignment to the Remote Office Client all connectivity is lost.

I didn't change any rules yet, but the Remote Office is complaining that they can't connect to Head Office or the internet.

Is there any log I can verify, or should I load the old stable 17.5.14-1?

Thanks

Jürgen

  • Hi ,

    Thank you for reaching out to the Community! 

    Did you check the red.log file on the firewall for any log entry that might help identify the issue?

    Is there any pending RED firmware update on the firewall? 

    Thanks,

    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support

  • Thanks for your response,

    I only see RED logs under /log/red, and the last directory is from 2020-11-10, created on Dec 10, with a single log file inside.

    This log has some PONG and poe chip status messages.

    Thu Dec 10 14:05:27 2020 REDD INFO command '{"data":{"poe_chip_status":{"type":"chip","id":46,"totalPower":2,"totalPowerReg":0,"temperature":57.48,"volt":53.652825,"totalPowerCalc":15,"maxTotalPower":34,"firmware":12}},"type":"STATUS"}'
    Thu Dec 10 14:05:34 2020 REDD INFO command '{"data":{"seq":1108},"type":"PING"}'
    Thu Dec 10 14:05:34 2020 REDD INFO Sending json message {"data":{"seq":1108},"type":"PONG"}

    Red Firmware is 3.0.002

  • Have you already just re-saved the RED config and the VLANs on the RED?

    This bug is hitting us from time to time. Then resaving the config sometimes helps.

    Last week we had massive DHCP failures that were resolved by deleting and re-adding a random DHCP server object. So maybe your reds1 DHCP server. Also some kind of bug.

    Good luck with the support. It's catastrophic at the moment, and Sophos knows it.

  • Thanks,

    I deleted the RED60 from my XG 17.5.14 MR-14 and bricked the device (no WAN connection).
    Next I added the RED60 to my XG and did a USB deployment; this was OK.

    But i think Sophos f*cked up their RED Devices.

    I get this in the red.log:

    Done
    Sun Dec 13 19:41:21 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '94.31.97.198': SSL accept attempt failed because of handshake problems
    Sun Dec 13 19:42:23 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '94.31.97.198': SSL accept attempt failed because of handshake problems
    Sun Dec 13 19:42:24 2020 REDD INFO: server: New connection from 94.31.97.198 with ID R600019JQ412345 (cipher ECDHE-RSA-AES256-GCM-SHA384), rev1

    I am going to setup a pfsense Box or OpenWrt Box these days and keep the RED60 offline.

    Maybe their support will be available to fix this thing...

  • Hi,

    I had a remote session yesterday. It looks like the ARP cache is failing for DHCP.
    Sophos verified this problem yesterday for about 2 1/2 h without any success.

  • I'm glad I have just seen this; we have exactly the same setup, XG 17.5.14 MR-14, RED60, and have been advised to delete it and set it up again! Same error in the RED logs.

  • Hi,

    I have had the RED60 behind a VDSL router for about a week now and haven't had any problems at all.

    I think the problem in the Branch Office is/was the RED60 being publicly exposed to the internet.
    I had connected the RED60 to a static public IP and configured the RED.

    After a few weeks this failed on a friday and with a reboot all was fine for a couple of hours/minutes.

    I still think that this was a DoS attack, getting the RED60 down and losing the connection.
    And the RED is not able to handle such attacks in a proper way.

    So I ordered an XG 125 now and I will remove the RED60.

  • FYI 

    XG 17.5 RM15, RED60 v 3.0.003

    Still locking up remote network

    REDD ERROR: server: Can not do SSL handshake on Socket accept from . . .

    Have to re-save config to bring back online. :(

  • 3.0.004, still locking up

  • What was the outcome of this?

    I agree a RED would show this behaviour. But you can easily test whether this is the case when connecting it to another internet connection. If it fails there as well, it is probably not a DDoS. Your ISP should also be able to tell you whether you are attacked.

    If it is a DDoS on your internet connection, an XG 125 won't help too much as long as your connection is hit by more (usually UDP) packets than your connection can handle ...

    If you have the chance to set up a mirror port and connect it to a computer with Wireshark, you will see the attack ...

  • We had a RED 60 stop working today. This is a double NAT so not exposed to the internet. It also replaced a RED 20 and the RED 20 was stable for months. I think the machine was partially online as well. It's as if either DNS or web is blocked but not all services. Does not appear to be a DOS either.
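Several posts above quote red.log excerpts ("Can not do SSL handshake on Socket accept from ...", "New connection from ... with ID ...", and the PING/PONG keep-alives) and ask whether the drops are a misbehaving RED or unsolicited traffic hitting the exposed tunnel port. The script below is an added triage example, not Sophos code and not posted by anyone in the thread: it parses lines in the red.log shape shown above and reports handshake failures per peer, peers that never complete a handshake, how often each RED rebuilt its tunnel, and whether the keep-alive traffic has gone quiet. The sample log, the TEST-NET addresses and the RED ID in it are constructed placeholders; the 10-minute silence threshold is an assumption, not a documented Sophos value.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the red.log shape quoted in the thread. The IPs are
# TEST-NET placeholders and the RED ID is made up; none refer to real devices.
SAMPLE_RED_LOG = """\
Sun Dec 13 19:41:21 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '198.51.100.7': SSL accept attempt failed because of handshake problems
Sun Dec 13 19:42:23 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '198.51.100.7': SSL accept attempt failed because of handshake problems
Sun Dec 13 19:42:24 2020 REDD INFO: server: New connection from 198.51.100.7 with ID R600000EXAMPLE1 (cipher ECDHE-RSA-AES256-GCM-SHA384), rev1
Sun Dec 13 19:43:10 2020 REDD INFO command '{"data":{"seq":1},"type":"PING"}'
Sun Dec 13 19:43:10 2020 REDD INFO Sending json message {"data":{"seq":1},"type":"PONG"}
Sun Dec 13 19:55:00 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '203.0.113.9': SSL accept attempt failed because of handshake problems
Sun Dec 13 19:55:03 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '203.0.113.9': SSL accept attempt failed because of handshake problems
Sun Dec 13 19:55:06 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '203.0.113.9': SSL accept attempt failed because of handshake problems
Sun Dec 13 20:01:40 2020 REDD INFO: server: New connection from 198.51.100.7 with ID R600000EXAMPLE1 (cipher ECDHE-RSA-AES256-GCM-SHA384), rev1
"""

# "<weekday> <month> <day> <time> <year> REDD <LEVEL>[:] <message>"; the colon
# after the level is present on ERROR/INFO server lines but absent on the
# PING/PONG command lines, so it is optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) REDD (?P<level>\w+):? (?P<msg>.*)$"
)
HANDSHAKE_RE = re.compile(r"Can not do SSL handshake on Socket accept from '(?P<ip>[^']+)'")
CONNECT_RE = re.compile(
    r"New connection from (?P<ip>\S+) with ID (?P<rid>\S+) \(cipher (?P<cipher>[^)]+)\)"
)
HEARTBEAT_RE = re.compile(r'"type":"(?:PING|PONG)"')


def parse_red_log(text):
    """Turn raw red.log text into a list of event dicts; unrecognised
    messages are kept with kind 'other' so nothing is silently dropped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        # Collapse the double space a single-digit day would leave before strptime.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
        msg = m.group("msg")
        ev = {"ts": ts, "level": m.group("level"), "kind": "other"}
        if h := HANDSHAKE_RE.search(msg):
            ev.update(kind="handshake_fail", ip=h.group("ip"))
        elif c := CONNECT_RE.search(msg):
            ev.update(kind="connect", ip=c.group("ip"), red_id=c.group("rid"), cipher=c.group("cipher"))
        elif HEARTBEAT_RE.search(msg):
            ev["kind"] = "heartbeat"
        events.append(ev)
    return events


def triage(text, max_silence=timedelta(minutes=10)):
    """Summarise what a defender wants from red.log: who fails TLS handshakes,
    which peers never complete one, how often each RED reconnects, and
    whether the keep-alive traffic has stopped. max_silence is an assumed
    threshold, not a Sophos default."""
    events = parse_red_log(text)
    failures = Counter(e["ip"] for e in events if e["kind"] == "handshake_fail")
    connects = defaultdict(list)
    for e in events:
        if e["kind"] == "connect":
            connects[e["red_id"]].append(e["ts"])
    known_ips = {e["ip"] for e in events if e["kind"] == "connect"}
    heartbeats = [e["ts"] for e in events if e["kind"] == "heartbeat"]
    last_seen = max(e["ts"] for e in events) if events else None
    last_hb = max(heartbeats) if heartbeats else None
    return {
        "handshake_failures": dict(failures),
        # Peers that only ever fail the handshake: a RED with a stale or
        # mismatched config, or traffic on the RED port that is not a RED at all.
        "never_connected_peers": sorted(ip for ip in failures if ip not in known_ips),
        # A RED that appears more than once has dropped and rebuilt its tunnel.
        "reconnects": {rid: len(ts) - 1 for rid, ts in connects.items()},
        "last_heartbeat": last_hb,
        "heartbeat_stale": bool(last_hb and last_seen and last_seen - last_hb > max_silence),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_RED_LOG))
```

Run it against a real file with `triage(open("/log/red.log").read())`. A peer that shows up only under `never_connected_peers` is the case worth separating from a flapping RED: a genuine RED that is merely misconfigured will eventually appear in a "New connection ... with ID" line after a config re-save, whereas a source that never completes a handshake is the kind of traffic the DoS discussion above is about, and the per-IP failure counts give you something concrete to take to the ISP or to compare with a mirror-port capture.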
