
Urgent: Sophos XG 18.0.3 MR-3, RED60 loses connectivity / NO DHCP

Hi,

I need some urgent help.

I had a fine-running XG 17.5.14-1 with a RED60 device, connected to the remote office via fibre (German Telekom Connect IP).
All was fine.

I upgraded to XG 18.0.3 MR13 and the AP got some new firmware; this seemed fine for a few hours.

Today the RED60 device in the remote office doesn't assign any DHCP IPv4 leases to the client.
After a reboot of the RED60, or with a manual IP assignment on the remote office client, all connectivity is lost.

I didn't change any rules yet, but the remote office is complaining that they can't connect to the head office or the internet.

Is there any log I can check, or should I load the old stable 17.5.14-1?

Thanks

Jürgen



  • Have you already tried just re-saving the RED config and the VLANs on the RED?

    This bug is hitting us from time to time. Then resaving the config sometimes helps.

    Last week we had massive DHCP failures that were resolved by deleting and re-adding a random DHCP server object. So maybe your reds1 DHCP server. Also some kind of bug.

    Good luck with the support. It's catastrophic at the moment, and Sophos knows it.

  • Thanks,

    I deleted the RED60 from my XG 17.5.14 MR-14 and bricked the device (no WAN connection).
    Next I added the RED60 to my XG again and did a USB deployment, which was OK.

    But I think Sophos f*cked up their RED devices.

    I get this in the red.log:

    Done
    Sun Dec 13 19:41:21 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '94.31.97.198': SSL accept attempt failed because of handshake problems
    Sun Dec 13 19:42:23 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '94.31.97.198': SSL accept attempt failed because of handshake problems
    Sun Dec 13 19:42:24 2020 REDD INFO: server: New connection from 94.31.97.198 with ID R600019JQ412345 (cipher ECDHE-RSA-AES256-GCM-SHA384), rev1

    I am going to set up a pfSense box or OpenWrt box these days and keep the RED60 offline.

    Maybe their support will be available to fix this thing...
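
A small triage helper for red.log lines of the shape quoted above. This is an added example, not code from the thread or from Sophos: it counts failed handshakes per peer IP, records which RED serials actually got a tunnel, and flags serials that are not on the XG's provisioning list. The sample log, the IPs and the serials are constructed, and the line format is assumed to be stable.

```python
import re
from collections import defaultdict

# Line shapes taken from the red.log excerpt in the thread (format assumed stable).
FAIL_RE = re.compile(r"REDD ERROR: server: Can not do SSL handshake on Socket accept from '(?P<ip>[^']+)'")
CONN_RE = re.compile(r"REDD INFO: server: New connection from (?P<ip>\S+) with ID (?P<id>\S+) \(cipher (?P<cipher>[^)]+)\)")

# Constructed sample in the page's log format; IPs are documentation ranges, serials are placeholders.
SAMPLE_LOG = """\
Done
Sun Dec 13 19:41:21 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '198.51.100.7': SSL accept attempt failed because of handshake problems
Sun Dec 13 19:42:23 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '198.51.100.7': SSL accept attempt failed because of handshake problems
Sun Dec 13 19:42:24 2020 REDD INFO: server: New connection from 198.51.100.7 with ID R600000EXAMPLE1 (cipher ECDHE-RSA-AES256-GCM-SHA384), rev1
Sun Dec 13 19:50:01 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '203.0.113.9': SSL accept attempt failed because of handshake problems
Sun Dec 13 19:50:02 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '203.0.113.9': SSL accept attempt failed because of handshake problems
Sun Dec 13 19:50:03 2020 REDD ERROR: server: Can not do SSL handshake on Socket accept from '203.0.113.9': SSL accept attempt failed because of handshake problems
Sun Dec 13 19:55:00 2020 REDD INFO: server: New connection from 192.0.2.44 with ID R600000EXAMPLE9 (cipher ECDHE-RSA-AES256-GCM-SHA384), rev1
""".splitlines()

# Serials of the REDs actually provisioned on the XG (placeholder values).
PROVISIONED_REDS = {"R600000EXAMPLE1"}

def summarize_peers(lines):
    """Per source IP: count failed handshakes and record RED IDs/ciphers that did connect."""
    peers = defaultdict(lambda: {"failures": 0, "ids": set(), "ciphers": set()})
    for line in lines:
        if m := FAIL_RE.search(line):
            peers[m["ip"]]["failures"] += 1
        elif m := CONN_RE.search(line):   # anything else (e.g. the stray "Done" line) is ignored
            peers[m["ip"]]["ids"].add(m["id"])
            peers[m["ip"]]["ciphers"].add(m["cipher"])
    return dict(peers)

def classify(peers, provisioned=PROVISIONED_REDS, fail_threshold=3):
    """unknown-red: unprovisioned serial got a tunnel (check inventory); flapping: failures then a
    tunnel (the thread's re-save symptom); failing: only failures; healthy: tunnel, no failures."""
    verdicts = {}
    for ip, p in peers.items():
        if p["ids"] - provisioned:
            verdicts[ip] = "unknown-red"
        elif p["failures"] and p["ids"]:
            verdicts[ip] = "flapping"
        elif p["failures"] >= fail_threshold:
            verdicts[ip] = "failing"
        elif p["ids"]:
            verdicts[ip] = "healthy"
        else:
            verdicts[ip] = "sporadic"   # a few failures, no tunnel yet: keep watching
    return verdicts
```

Run it against `/log/red.log` exported from the XG by replacing `SAMPLE_LOG` with the file's lines; a peer stuck in "failing" while the RED is known to be powered on points at the path or firmware rather than at DHCP.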

  • Hi,

    I had a remote session yesterday. It looks like the ARP cache is failing for DHCP.
    Sophos verified this problem yesterday for about 2 1/2 h without any success.

  • I'm glad I have just seen this; we have exactly the same setup, XG 17.5.14 MR-14, RED60, and have been advised to delete it and set it up again! Same error in the RED logs.

  • Hi,

    I have had the RED60 behind a VDSL router for about a week now and haven't had any problems at all.

    I think the problem in the branch office is/was the RED60 being publicly exposed to the internet.
    I had connected the RED60 to a static public IP and configured the RED.

    After a few weeks this failed on a Friday, and after a reboot all was fine for a couple of hours/minutes.

    I still think that this was a DoS attack, taking the RED60 down and losing the connection.
    And the RED is not able to handle such attacks in a proper way.

    So I ordered an XG 125 now and I will remove the RED60.

  • FYI 

    XG 17.5 MR15, RED60 v3.0.003

    Still locking up remote network

    REDD ERROR: server: Can not do SSL handshake on Socket accept from . . .

    Have to re-save the config to bring it back online. :(

  • 3.0.004, still locking up.

  • What was the outcome of this?

    I agree a RED would show this behaviour. But you can easily test whether this is the case by connecting it to another internet connection. If it fails there as well, it is probably not a DDoS. Your ISP should also be able to tell you whether you are being attacked.

    If it is a DDoS on your internet connection, an XG 125 won't help too much as long as your connection is hit by more (usually UDP) packets than it can handle ...

    If you have the chance to set up a mirror port and connect it to a computer with Wireshark, you will see the attack ...

  • We had a RED 60 stop working today. This is a double NAT, so not exposed to the internet. It also replaced a RED 20, and the RED 20 was stable for months. I think the machine was partially online as well. It's as if either DNS or web is blocked but not all services. Does not appear to be a DoS either.