
SFOS 19.0 almost bricked my XG230

Hi,

Did a standard FW upgrade today during lunch... big mistake. The XG booted into failsafe mode and stayed there.

The garner service did not manage to start.

Did a factory reset, then loaded the configuration. Same thing.

After a bit of plundering I fired up the CLI and rebooted. Luckily 18.5.3 was still there, the reset didn't wipe it, and I managed to restore order.

I should mention that all these operations took an extraordinarily long time.

I guess I'll be waiting around for the next maintenance release.

  • Hi Vishal,

    Does this confirm that SFOS 19.0.0 GA-Build317 on XG210 is an issue and we need to wait for the next update release?

    When are we expecting the next update?

    Regards,

    Nikhil

  • Hi: Further updates will come on your ticket from the support team (the issue is not observed on all XG210s).

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hello there,

    Yes, you would need to create a ticket, once you have the Case ID please share it with me.

    When opening the ticket, please reference NC-93936 

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • For the overview:
    There are currently two different issues identified and under investigation. If either of these IDs matches your current behaviour, please raise a Support Case and refer to the matching Bug ID:

    1. Fail-safe after upgrade. In this scenario, the firewall will not boot any more and goes into fail-safe. For more information about fail-safe: https://support.sophos.com/support/s/article/KB-000036375?language=en_US
    The Bug ID: NC-93936

    2. Factory default after upgrade. In this scenario, the firewall boots in factory default (172.16.16.16 IP). You can go back to the old firmware. You see an error in /log/migration.log: ERROR(0x03): Failed to migrated config. Load default.
    The Bug ID: NC-94337

    Both issues seem to occur under rare conditions.


  • Hi: Based on the current investigation, below is the finding.

    If your device is using a configuration previously restored from a Cyberoam backup, and you have NOT regenerated the appliance certificate on SFOS, upgrading to SFOS v19 will result in operation in fail-safe mode.

    The appliance certificate generated in Cyberoam devices uses a weak signature algorithm (MD5) that is NOT supported for appliance certificates in SFOS v19.

    How to verify before upgrading:

    One may check the signature algorithm of the appliance certificate by running the following command on the advanced shell:

    "openssl x509 -in /conf/certificate/ApplianceCertificate.pem -text -noout"

    If the output shows the signature algorithm as "md5WithRSAEncryption", please DO NOT upgrade to v19 before regenerating the appliance certificate.

    Points to take care of before applying the workaround:

    Regenerating the appliance certificate results in remote users being unable to connect via VPN to the Sophos Firewall. Have the remote VPN user(s) re-download their client configuration package from the user portal to make it work. Or restore the Sophos Firewall to a previous configuration backup taken prior to the certificate renewal in the previous version, not in v19, to make it work as previously.

    Please refer to below advisory for more info:

    ADVISORY - Sophos Firewall: Appliance goes into failsafe mode when firmware upgrades to 19.0 GA with the reason "Unable to start logging daemon"

    support.sophos.com/.../KB-000044122

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

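The pre-upgrade certificate check from the post above, together with the /log/migration.log symptom listed earlier for NC-94337, as a script. This is an added example, not Sophos's own tooling and not anything posted in this thread. It assumes openssl is available in the advanced shell and uses the two paths quoted in the thread; the APPLIANCE_CERT and MIGRATION_LOG override variables are names chosen here.

```shell
#!/bin/sh
# Added example (not Sophos's own tooling): a pre-upgrade check for the
# appliance-certificate issue (NC-93936) and a post-upgrade check for the
# config-migration issue (NC-94337) described in this thread.
# Assumptions: openssl exists in the advanced shell; the appliance certificate
# is at /conf/certificate/ApplianceCertificate.pem and the migration log at
# /log/migration.log, both as quoted in the thread. The override variable
# names below are this example's own.

APPLIANCE_CERT="${APPLIANCE_CERT:-/conf/certificate/ApplianceCertificate.pem}"
MIGRATION_LOG="${MIGRATION_LOG:-/log/migration.log}"

# Print the signature algorithm of a PEM certificate, e.g. "md5WithRSAEncryption".
# This is the thread's openssl command with the relevant line extracted;
# `openssl x509 -text` prints the algorithm twice, so keep only the first copy.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' \
        | head -n 1
}

# Return 0 if the certificate can be carried into v19, 1 if it carries an
# MD5-based signature (regenerate before upgrading), 2 if it cannot be parsed.
check_appliance_cert() {
    alg=$(cert_sig_alg "$1")
    [ -n "$alg" ] || return 2
    case "$alg" in
        md5*|MD5*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Return 0 if the migration log contains the NC-94337 error string, 1 otherwise.
migration_loaded_defaults() {
    grep -F -q 'ERROR(0x03): Failed to migrated config. Load default.' "$1" 2>/dev/null
}

# Human-readable verdict; the exit status mirrors check_appliance_cert.
preupgrade_report() {
    rc=0
    check_appliance_cert "$1" || rc=$?
    case "$rc" in
        0) echo "OK: $1 uses $(cert_sig_alg "$1"); no NC-93936 exposure" ;;
        1) echo "STOP: $1 is MD5-signed; regenerate the appliance certificate before upgrading to v19 (NC-93936)" ;;
        *) echo "ERROR: could not read a certificate from $1" ;;
    esac
    return "$rc"
}

# Run the checks when invoked directly: "pre" before the upgrade, "post" after
# an upgrade that came up with the factory-default 172.16.16.16 address.
case "${1:-}" in
    pre)  preupgrade_report "$APPLIANCE_CERT" ;;
    post) if migration_loaded_defaults "$MIGRATION_LOG"; then
              echo "Config migration failed and defaults were loaded (NC-94337); revert to the previous firmware"
          else
              echo "No config-migration failure recorded in $MIGRATION_LOG"
          fi ;;
esac
```

Run it as `sh check_sfos19.sh pre` on 18.5 before starting the upgrade and act on the exit status; a non-zero result from `pre` is the case the post says must be fixed first. Note that the check only looks at the appliance certificate file named in the thread, which is the one the advisory ties to fail-safe mode, not at whichever certificate the admin console happens to use.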

  • Hi Vishal,

    I have regenerated the Appliance Certificate, although we are not using the Appliance Certificate any more; for the administration console the certificate chosen is the self-signed one, which is SHA-256.

    I will again try to update and provide the status

    Regards,

    Nikhil

  • Hi,

    I did regenerate the old certificate, although we don't use it, using the 18.5 installation. When rebooting into 19.0 I still ended up in failsafe mode, probably because 19.0 had already converted the previous configuration. Fired up the CLI, reset to factory mode, changed the network address and uploaded the backed-up configuration (with the new certificate), and voilà.

    Order has been restored.

    Thanks!

  • Both issues are currently listed in the Known Issue List on the Release Notes: https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=19.0

    Including workarounds and verification.
