Sophos Firewall: v18.5 MR2: Feedback and experiences

Hi Ian,

After upgrading to 18.5.2 MR2 I did see similar behaviour to what you're describing, until I realised that my primary laptop was associating with the far end mesh AP (APX 530, typical RSSI of -71 dBm). The near end mesh AP (APX 530, typical RSSI of -43 dBm) was offline, as is so often the case after an XG restart. Once I power cycled the near end mesh AP and it successfully joined the mesh, then my laptop performance was back to normal.

Maybe worth investigating to see if your performance issues are WiFi related?

BTW I wouldn't touch another XG/XGS unit with built-in WiFi. Doesn't scale when you need to add additional APs as the built-in WiFi AP is a special case, and a complete pain if you want to upgrade to a non-WiFi unit (either configure from scratch, or export full config, wade through config file and excise local WiFi settings, re-order config file to ensure dependencies are parsed first, import config into clean install, then export full config from both units and compare with diff/WinMerge or check page-by-page to ensure migrated config is right).

Hi Wayne,

the graphs are with one device connected. Unable to access the console. I will re-image it today.

Ian

I will re-image it today and report back.

Ian

I tried to reproduce this on my test lab. I made a upgrade from V18.0 MR5 to V18.5 MR2. The certificate was renewaled. Heartbeat was blocked for some minutes, until MCS was able to fetch the new policy and all clients (multiple clients and servers) could fetch the new certificate. Firewall rule was ANY - ANY - ANY --> Block without heartbeat. Therefore the client could not communicate to any website anymore. But MCS still works due the whitelisting of SFOS. 

You could take a look into your mcsagent.log on the client, if you see a delay or an issue of the communication itself (DNS as explained). MCS is the service to fetch the policies from Central. See: https://support.sophos.com/support/s/article/KB-000034886?language=en_US

Generally speaking, i could not reproduce any kind of issue in this process. 

Does "unable to associate" mean that it's trying to be stateful but it can't find the established connection so its dropping packets? The CPU utilization does seem to be increasing over time, so maybe that indicates some kind of cascading problem. Memory usage seems about what I see (on an XGS87).

Have you tested it with only one LAN device hooked up -- or through the Console with no devices hooked up? I'm wondering if a defective RJ45 port or something could be hosing you.

Automatic upgrade, no choice.

Ian

Did you upgrade or reimage the appliance by arrival? 

It is a brand new XG115W rev 3.

Ian

Especially SSH should be there, as it is a light weight service. There is something wrong with your appliance. Maybe the disk broken? What kind of XG115 is this? 

Hi Chris,

I fixed a dns issue yesterday, the XG does not hand out IPv6 dns info, but that does not explain the high number of unable to associate packet errors.

ian