  • LDAP Auth is broken on 18 MR-5

    All auth requests on the firewall are producing "LDAP Server not found with authserver id" errors. Tried to recreate the LDAP server, tried setting the LDAP server to use a known DN instead of anonymous ... auth failed.

    The LDAP server is configured like the KB states: https://support.sophos.com/support/s/article/KB-000035738

    Had to roll back to MR-4.

  • Can you show us a screenshot of this issue? Are you using the LDAP server for anything specific?

  • We have a pretty standard OpenLDAP setup.

    I don't have any screenshots but I have some logs:

    ERROR     Apr 12 06:39:47.620137 [LDAP_AUTH]: (ldapauth_handle_authrequest): LDAP_AUTH: LDAP Server not found with authserver id 4
    ERROR     Apr 12 06:39:47.620155 [LDAP_AUTH]: (ldapauth_handle_authrequest): LDAP_AUTH: LDAP Server not found with authserver id 3
    ERROR     Apr 12 06:39:47.620266 [access_server]: check_auth_result: VPN/SSLVPN/MYACC Authentication Failed
    MESSAGE   Apr 12 06:39:47.620301 [access_server]: (update_admin_access_table): ### Admin user authentication failed from IP xx.xx.xx.xx
    MESSAGE   Apr 12 06:40:02.521909 [access_server]: tlvserver_process_request: GOT ALERT.EXECUTE_HEARTBEAT
    ERROR     Apr 12 06:40:15.155300 [access_server]: ldapauth_bind: bind failed: Invalid credentials
    ERROR     Apr 12 06:40:15.155311 [access_server]: ldapauth_test_auth:'ldap.xxx.xx:389': bind failed for user: 'uid=xxxxxx'
    ERROR     Apr 12 06:40:20.247596 [LDAP_AUTH]: (nsg_decryption): failed to find needed_length for :

    ERROR     Apr 12 06:40:20.247613 [LDAP_AUTH]: (pg_db_handle_get_ldap_server_config): LDAP server password decryption failed
    ERROR     Apr 12 06:40:20.247620 [LDAP_AUTH]: (pg_db_handle_get_ldap_server_config): LDAP server: password not found, will not add server
    ERROR     Apr 12 06:40:20.247624 [LDAP_AUTH]: (pg_db_handle_get_ldap_server_config): couldn't added LDAP server 'ldap.xxx.xx:389'

  • Did you configure your SSMK in MR3 (Set the Secure Storage Master Key)? Seems like the database could not migrate the password.

    Check the /log/migration.log for any migration errors after/while migration to MR5. 

  • Any hints for what to check?

    BTW, the LDAP connection is normally without auth. The server with the auth was created while debugging.

  • Are you a business customer or Home user? It seems like the migration log cannot migrate a specific field in this config, which is empty. Hence the adding of the server fails (my initial assumption). 

    You should:

    Open a support case as a business customer.

    Open your own thread in this community to get this analyzed as a home user.

    We should not discuss this in depth in such an overview thread.

  • Business. I will open a support case.

    Thanks