

Configuration gone after upgrade from SFOS 19.0.0 to 19.0.1

Hello everybody,

Yesterday I updated two firewalls (XGS 126 and XG 125) from version 19.0.0 to 19.0.1. After the upgrade both firewalls had the SFOS 19.0.1 firmware installed but had lost their configuration. The problem was that both firewalls are at a remote site and lost all external connections (Sophos Central and VPN), so I couldn't reach them. Today we connected to the firewalls on site via serial console, and I saw that firmware 19.0.1 was installed, but (at minimum) the network configuration was gone. I made some tests:

- Booting the 19.0.0 firmware, the firewall runs as expected.

- Booting the 19.0.1 firmware via bootloader or via WebAdmin, the firewall has no configuration.

On the other hand, I did the upgrade on several firewalls without any problem (2x XG 125, 1x XGS 5500 HA, a virtual and a software firewall).

How can I remove the 19.0.1 firmware from the non-working firewalls to get a second try at uploading the firmware again and installing 19.0.1?

Thanks,

Ben



This thread was automatically locked due to age.
  • Thank you all for reporting this issue. 

    We have confirmed this is a bug, and we'll fix it in an upcoming new build for v19.0 MR1.

    This issue affects devices on which 'set vpn conn-remove-on-failover non-tcp' was executed on the backend prior to the upgrade to MR1. Unfortunately the migration to MR1 does not handle this case properly, and would fall back to factory default settings.

    If you cannot wait for the new MR1 build, and need to upgrade to MR1 right away, you can: 

    1. Log into the Advanced shell in the CLI.

    2. Execute: psql -U nobody -d corporate -Atc "DELETE FROM tblclientservices WHERE servicekey = 'vpn_flush_conn_failover'"

    3. Upgrade to MR1 as normal through the UI.

    After upgrading to MR1, you do not need to re-run 'set vpn conn-remove-on-failover non-tcp' as this parameter is already set to non-tcp by default in MR1. 

  • Hi!
    I tried to update my Sophos XG to SFOS 19.0.1 MR-1-Build365 and still get the config error. Is there a plan to release a proper update in the near future?

    Thanks,

    Mar

  • What was the version of v18.5 you upgraded from? Did you upgrade directly to v19.0 MR1 build 365? Did all configuration disappear from your system (i.e. it got factory reset)? 

    Is there a support case open for this, if so what's the ID? 

  • It was 18.5.4 MR4 Build 418. The config was gone except the login data and the rule group.

    There is no support case opened, because it is the "home" version.

  • What version did you upgrade to? 


  • If you encounter the same issue as above, all of your config would be reset, not just some. Is it possible for you to enable remote support access, so we can log in and take a look at your device? 

    PM me the support access ID once you have it enabled. 

    Thanks! 

  • But at the moment I am back at version 18.5. So do you still need access, or only once I have upgraded to 19?

    Regards,
    Kay-Uwe

  • Do you have Sophos XG or XGS Series appliances with HA or without HA? Or do you have a virtual appliance with HA or without HA?

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • I have no Sophos Hardware and at the moment no HA.

  • It seems the issue is related to the compatibility of the hardware on which Sophos XG is installed, or some advanced setting is not enabled on that hardware to run v19.0.

    Please share the output of the commands below, run from SSH option 5 > 3:
    # grep SSSE3 /var/log/sasi.log
    # grep flags -m1 /proc/cpuinfo


  • Hello,
    for the sasi.log there is no entry for SSSE3. The sasi.log path on my installation is /log/sasi.log.

    For the second command:

    flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap intel_pt xsaveopt dtherm ida arat pln pts

  • I hope you took a backup from 18.5.4 MR4 Build 418 before upgrading the firmware to 19.0.1 MR-1-Build365?

    Please go to System --> Administration --> Backup and Firmware --> Firmware and share the firmware status shown in the GUI.

    There is a trick if you upgrade from 18.5.4 MR4 Build 418 --> 19.0.0 and then to 19.0.1-365.

    It would be great if you raised a ticket with the Sophos Support Team as well.

    Regards


  • Check /log/migration.log. Please paste the last couple of entries to this thread.


  • 2022-09-09 15:24:23.903 GMT starting old version corporate db
    Starting conf database
    378 2022-09-09 15:24:24.169 GMTLOG:  could not connect socket for statistics collector: Network is unreachable
    378 2022-09-09 15:24:24.169 GMTLOG:  disabling statistics collector for lack of working socket
    380 2022-09-09 15:24:24.169 GMTLOG:  database system was shut down at 2022-09-09 15:23:55 GMT
    378 2022-09-09 15:24:24.173 GMTLOG:  database system is ready to accept connections
    2022-09-09 15:24:26.028 GMT
    2022-09-09 15:24:26.049 GMT : Database started after 0 seconds
    DROP SCHEMA
    UPDATE 3
    Stopping database
    378 2022-09-09 15:24:27.479 GMTLOG:  received fast shutdown request
    378 2022-09-09 15:24:27.479 GMTLOG:  aborting any active transactions
    381 2022-09-09 15:24:27.479 GMTLOG:  shutting down
    381 2022-09-09 15:24:27.566 GMTLOG:  database system is shut down
    2022-09-09 15:24:28.491 GMT : Database stopped after 1 seconds
    /sdisk/oldpgconfdump.sql is created
    Starting conf database
    423 2022-09-09 15:24:31.646 GMTLOG:  could not connect socket for statistics collector: Network is unreachable
    423 2022-09-09 15:24:31.646 GMTLOG:  disabling statistics collector for lack of working socket
    425 2022-09-09 15:24:31.647 GMTLOG:  database system was shut down at 2022-08-05 04:13:28 GMT
    423 2022-09-09 15:24:31.652 GMTLOG:  database system is ready to accept connections
    2022-09-09 15:24:33.473 GMT
    2022-09-09 15:24:33.474 GMT : Database started after 0 seconds
    DROP SCHEMA config CASCADE
    DROP SCHEMA
    DROP SCHEMA public CASCADE
    DROP SCHEMA
    DROP PROCEDURAL LANGUAGE plpgsql
    437 2022-09-09 15:24:34.169 GMTERROR:  cannot drop language plpgsql because extension plpgsql requires it
    437 2022-09-09 15:24:34.169 GMTHINT:  You can drop extension plpgsql instead.
    437 2022-09-09 15:24:34.169 GMTSTATEMENT:  DROP PROCEDURAL LANGUAGE plpgsql
    ERROR:  cannot drop language plpgsql because extension plpgsql requires it
    HINT:  You can drop extension plpgsql instead.
    CREATE SCHEMA public
    CREATE SCHEMA
    psql:/sdisk/oldpgconfdump.sql:18921: WARNING:  column "senderemail" has type "unknown"
    DETAIL:  Proceeding with relation creation anyway.
    psql:/sdisk/oldpgconfdump.sql:18921: WARNING:  column "receipientemail" has type "unknown"
    DETAIL:  Proceeding with relation creation anyway.
     setval
    --------
        183
    (1 row)

     setval
    --------
          1
    (1 row)

     setval
    --------
          1
    (1 row)

     setval
    --------
          1
    (1 row)

     setval
    --------
          1
    (1 row)

     setval
    --------
          1
    (1 row)

     setval
    --------
        915
    (1 row)

     setval
    --------
          1
    (1 row)

    426 2022-09-09 15:24:36.601 GMTLOG:  checkpoints are occurring too frequently (5 seconds apart)
    426 2022-09-09 15:24:36.601 GMTHINT:  Consider increasing the configuration parameter "checkpoint_segments".
    Stopping database
    423 2022-09-09 15:24:40.661 GMTLOG:  received fast shutdown request
    423 2022-09-09 15:24:40.661 GMTLOG:  aborting any active transactions
    426 2022-09-09 15:24:41.171 GMTLOG:  shutting down
    426 2022-09-09 15:24:41.360 GMTLOG:  database system is shut down
    2022-09-09 15:24:41.676 GMT : Database stopped after 1 seconds
    old conf to new conf migrated with return value :: 0
    2022-09-09 15:24:41.795 GMT starting migration log
    Starting conf database
    484 2022-09-09 15:24:41.898 GMTLOG:  could not connect socket for statistics collector: Network is unreachable
    484 2022-09-09 15:24:41.898 GMTLOG:  disabling statistics collector for lack of working socket
    486 2022-09-09 15:24:41.899 GMTLOG:  database system was shut down at 2022-09-09 15:24:41 GMT
    484 2022-09-09 15:24:41.903 GMTLOG:  database system is ready to accept connections
    2022-09-09 15:24:43.887 GMT
    2022-09-09 15:24:43.889 GMT : Database started after 0 seconds
    INSERT 0 0
    INSERT 0 0
    INSERT 0 0
    INSERT 0 1
    INSERT 0 0
    INSERT 0 0
    INSERT 0 0
    INSERT 0 0
    INSERT 0 0
    INSERT 0 0
    INSERT 0 0
    INSERT 0 0
    INSERT 0 1
    UPDATE 1
    INSERT 0 1
    UPDATE 1
    nvram_get failed with -16
    Old version is 18.511 and currentversion is 19.005
    Database is upgrading to dbv19.000
    Check migration for version dbv19.000
    Applying migration for version dbv19.000
    Database is upgrading to dbv19.001
    Check migration for version dbv19.001
    Applying migration for version dbv19.001
     create_default_public_iphosts
    -------------------------------

    (1 row)

    Database is upgrading to dbv19.002
    Check migration for version dbv19.002
    Applying migration for version dbv19.002
     add_column
    ------------

    (1 row)

     add_column
    ------------

    (1 row)

    Database is upgrading to dbv19.003
    Check migration for version dbv19.003
    Applying migration for version dbv19.003
    1509 :send_data_to_listener: write error  'Network is unreachable'
    Cleaned up nasm directories using mv/rm
    Database is upgrading to dbv19.004
    Check migration for version dbv19.004
    Applying migration for version dbv19.004
    1516 2022-09-09 15:24:46.260 GMTERROR:  update or delete on table "tblrootcainfo" violates foreign key constraint "tblvpncertificate_caid_fkey" on table "tblvpncertificate"
    1516 2022-09-09 15:24:46.260 GMTDETAIL:  Key (companyid)=(54) is still referenced from table "tblvpncertificate".
    1516 2022-09-09 15:24:46.260 GMTSTATEMENT:  delete from tblrootcainfo where caname in ('Lets_Encrypt_r3','AC_RAIZ_FNMT_RCM_SERVIDORES_SEGUROS','GlobalSign_Root_R46','GlobalSign_Root_E46','GLOBALTRUST_2020','ANF_Secure_Server_Root_CA','Certum_EC_384_CA','Certum_Trusted_Root_CA','TunTrust_Root_CA','HARICA_TLS_RSA_Root_CA_2021','HARICA_TLS_ECC_Root_CA_2021','vTrus_ECC_Root_CA','vTrus_Root_CA','ISRG_Root_X2','A_Trust_Root_07','DigiCert_RSA4096_Root_G5','DigiCert_SMIME_RSA4096_Root_G5','DigiCert_TLS_ECC_P384_Root_G5','DigiCert_TLS_RSA4096_Root_G5','DigiCert_SMIME_ECC_P384_Root_G5','DigiCert_CS_RSA4096_Root_G5','DigiCert_Client_RSA4096_Root_G5','DigiCert_Client_ECC_P384_Root_G5','DigiCert_ECC_P384_Root_G5','DigiCert_CS_ECC_P384_Root_G5','GlobalSign_Secure_Mail_Root_E45','GlobalSign_Secure_Mail_Root_R45','GlobalSign_Client_Authentication_Root_R45','GlobalSign_Client_Authentication_Root_E45','GlobalSign_Code_Signing_Root_E45','GlobalSign_Document_Signing_Root_R45','GlobalSign_Document_Signing_Root_E45','GlobalSign_Code_Signing_Root_R45','GlobalSign_Timestamping_Root_R45','Autoridade_Certificadora_Raiz_Brasileira_v10','DVV_Gov._Root_CA_G3_ECC','DVV_Gov._Root_CA_G3_RSA','HARICA_Code_Signing_RSA_Root_CA_2021','HARICA_Client_ECC_Root_CA_2021','HARICA_Client_RSA_Root_CA_2021','HARICA_Code_Signing_ECC_Root_CA_2021','Microsoft_Identity_Verification_Root_Certificate_Authority_2020','I.CA_Root_CA_ECC_12_2016','Telia_Root_CA_v2','Izenpe.com');
    psql:/_conf/DB/dbv19.004/corporate.sql:68: ERROR:  update or delete on table "tblrootcainfo" violates foreign key constraint "tblvpncertificate_caid_fkey" on table "tblvpncertificate"
    DETAIL:  Key (companyid)=(54) is still referenced from table "tblvpncertificate".
    /bin/psql -1 -p 5432 -U pgroot -q  -d corporate -f /_conf//DB/dbv19.004/corporate.sql Failed
    /bin/sh /_conf//DB/dbv19.004/migration.sh Failed
    UPDATE 1
    Stopping database
    484 2022-09-09 15:24:47.136 GMTLOG:  received fast shutdown request
    484 2022-09-09 15:24:47.136 GMTLOG:  aborting any active transactions
    487 2022-09-09 15:24:47.136 GMTLOG:  shutting down
    487 2022-09-09 15:24:47.590 GMTLOG:  database system is shut down
    2022-09-09 15:24:48.148 GMT : Database stopped after 1 seconds
    applymigration.sh exited with 1
    2022-09-09 15:25:00.109 GMT: Before mountconf unmount

  • Could we get your Access ID of your current appliance in V18.5 ? So DEV can investigate your issue. 


  • Hi,

    Today I installed the 18.5 version on a VM with a backup from my production system. I upgraded it to 19 and got the same issue.

    Here is the status.

  • Is this a known bug? I have the same problem and the same entries in the migration log while updating our XGS4500 active/passive cluster from SFOS 18.5.4 MR-4-Build418 to SFOS 19.0.1 MR-1-Build365. Is there a workaround?

  • Hello Rainer,

    did you solve the problem?

    If not, can you try installing 19.0.0 first and then 19.0.1, as described by Bharat a few posts ago?

    For me the effort is too much, because I have no cluster.

    Regards,
    Kay-Uwe

  • Hello Kay-Uwe, I raised a ticket with Sophos Support and our case ended in the KBA https://support.sophos.com/support/s/article/KB-000044509. After deleting the certificate, the upgrade from 18.5.4 directly to 19.0.1 without 19.0.0 works.
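The thread surfaces two distinct pre-upgrade conditions that each end in a factory-reset firewall: the 'vpn_flush_conn_failover' row in tblclientservices that Sophos staff asked people to delete, and a VPN certificate still referencing one of the root CAs that the dbv19.004 migration deletes from tblrootcainfo (the foreign-key error in the migration.log, resolved in the KBA by deleting the certificate). The example below is added here and is not Sophos code or part of any post: it models those tables in an in-memory SQLite database with constructed rows, runs the two checks an administrator would want to run before upgrading, reproduces the failed DELETE as a single transaction (the log shows psql invoked with -1, i.e. one transaction per migration file, so the whole dbv19.004 step rolled back), and applies the two fixes from the thread. Table names, the service key, the CA names and companyid 54 come from the posts; the column set, the FK column name caid (inferred from the constraint name tblvpncertificate_caid_fkey) and all sample rows are assumptions.

```python
"""Pre-upgrade checks for the two SFOS 18.5 -> 19.0 MR1 migration failures in this
thread, run against an in-memory SQLite model. Added example, not Sophos code.
Assumed: column set, sample rows, and the FK column name 'caid'."""
import sqlite3

# Subset of the root CAs the dbv19.004 migration deletes (full list in migration.log).
CAS_REMOVED_BY_DBV19_004 = (
    "Lets_Encrypt_r3", "ISRG_Root_X2", "GlobalSign_Root_R46", "Izenpe.com",
)
_IN_LIST = ",".join("?" * len(CAS_REMOVED_BY_DBV19_004))


def build_model() -> sqlite3.Connection:
    """Stand-in for the relevant part of the 'corporate' database (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only on request; Postgres always does
    con.executescript("""
        CREATE TABLE tblclientservices (servicekey TEXT PRIMARY KEY, value TEXT);
        CREATE TABLE tblrootcainfo (companyid INTEGER PRIMARY KEY, caname TEXT UNIQUE);
        -- 'caid' is inferred from the constraint name tblvpncertificate_caid_fkey (assumption)
        CREATE TABLE tblvpncertificate (
            certid   INTEGER PRIMARY KEY,
            certname TEXT,
            caid     INTEGER REFERENCES tblrootcainfo(companyid));
    """)
    con.execute("INSERT INTO tblclientservices VALUES ('vpn_flush_conn_failover', 'non-tcp')")
    con.executemany("INSERT INTO tblrootcainfo VALUES (?, ?)", [
        (53, "DigiCert_Global_Root_CA"),   # not in the migration's delete list
        (54, "Lets_Encrypt_r3"),           # deleted by dbv19.004; companyid 54 as in the log
        (55, "ISRG_Root_X2"),              # deleted by dbv19.004
    ])
    con.executemany("INSERT INTO tblvpncertificate VALUES (?, ?, ?)", [
        (1, "hq-vpn-cert", 53),
        (2, "letsencrypt-vpn-cert", 54),   # this reference is what breaks dbv19.004
    ])
    con.commit()  # leave no open transaction, so a later rollback only undoes the DELETE
    return con


def failover_flag_set(con) -> bool:
    """Check 1: the row the first workaround in this thread deletes."""
    row = con.execute(
        "SELECT 1 FROM tblclientservices WHERE servicekey = 'vpn_flush_conn_failover'"
    ).fetchone()
    return row is not None


def certs_blocking_ca_cleanup(con) -> list:
    """Check 2: VPN certificates still referencing a root CA the migration deletes."""
    return con.execute(f"""
        SELECT c.certname, ca.caname
        FROM tblvpncertificate c
        JOIN tblrootcainfo ca ON ca.companyid = c.caid
        WHERE ca.caname IN ({_IN_LIST})
        ORDER BY c.certname""", CAS_REMOVED_BY_DBV19_004).fetchall()


def simulate_dbv19_004_delete(con) -> bool:
    """Run the migration's DELETE as one transaction (psql -1 did the same).
    Returns True if it committed, False if the FK violation rolled it back."""
    try:
        with con:  # commits on success, rolls back on exception
            con.execute(f"DELETE FROM tblrootcainfo WHERE caname IN ({_IN_LIST})",
                        CAS_REMOVED_BY_DBV19_004)
        return True
    except sqlite3.IntegrityError:
        return False


def remediate(con) -> int:
    """Apply both fixes from the thread: drop the service row, delete the blocking certs.
    Returns the number of certificates removed."""
    con.execute("DELETE FROM tblclientservices WHERE servicekey = 'vpn_flush_conn_failover'")
    blocking = certs_blocking_ca_cleanup(con)
    con.executemany("DELETE FROM tblvpncertificate WHERE certname = ?",
                    [(name,) for name, _ in blocking])
    con.commit()
    return len(blocking)


if __name__ == "__main__":
    db = build_model()
    print("failover flag set:", failover_flag_set(db))
    print("blocking certs:", certs_blocking_ca_cleanup(db))
    print("dbv19.004 delete committed:", simulate_dbv19_004_delete(db))
    print("removed", remediate(db), "blocking certificate(s)")
    print("dbv19.004 delete committed:", simulate_dbv19_004_delete(db))
```

On a real appliance the two SELECTs would be run through psql in the Advanced shell against the corporate database (as in the staff post above), and the certificate reported by the second check is the one to re-issue from a different CA or delete, per the KBA, before starting the upgrade; the full CA list to substitute for CAS_REMOVED_BY_DBV19_004 is the one in the DELETE statement quoted in the migration.log.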