Configuration gone after upgrage SFOS 19.0.0 to 19.0.1

Question

Hello everybody, 
 yesterday I updated two Firewalls (XGS 126 and XG 125) from Version 19.0.0 to 19.0.1. After the upgrade both Firewalls has SFOS 19.0.1 firmware installed but lost their configuration. The problem was both firewalls are on remote site and lost all external connections (Sophos Central und VPN), so I can't reach the firewalls. Today we connect on site via serial console to the Firewalls, and I saw that Firmware 19.0.1 was installed, but (at minimum) the network configuration was gone. I made some tests: 
 - Booting the 19.0.0 Firmware the Firewall runs as expected. 
 - Booting the 19.0.1 Firmware via Bootloader or via WebAdmin Firewall has no configuration. 
 On the other hand, I made the upgrade on serval firewalls without any problem (2x XG 125, 1x XGS 5500 HA, a Virtual and a Software Firewall). 
 How can I remove the 19.0.1 Firmware from the non-working firewalls to get a 2nd try to upload the firmware again and install the 19.0.1? 
 Thanks, 
 Ben

bobbylam · Accepted Answer

Thank you all for reporting this issue. 
 We have confirmed this is a bug, and we'll fix it in an upcoming new build for v19.0 MR1. 
 This issue affects devices which has 'set vpn conn-remove-on-failover non-tcp' executed on the backend prior to the upgrade to MR1. Unfortunately the migration to MR1 does not handle this case properly, and would fall back to factory default settings. 
 If you cannot wait for the new MR1 build, and need to upgrade to MR1 right away, you can: 
 Log into Advanced shell in the CLI 
 Execute psql -U nobody -d corporate -Atc "DELETE FROM tblclientservices WHERE servicekey = 'vpn_flush_conn_failover' 
 Upgrade to MR1 as normal through UI 
 
 After upgrading to MR1, you do not need to re-run 'set vpn conn-remove-on-failover non-tcp' as this parameter is already set to non-tcp by default in MR1.

LuCar Toni · Answer

We found and could reproduce this problem based on the Logs. NC-100971 
 This will be addressed soon. Workaround is currently under investigation.

Ben@Network · Answer

Hi, 
 I updated some firewalls from 19.0.0 to 19.0.1-365 without manually removing the database entry. It runs smoothly without any problems. 
 thanks, 
 Ben

Vivek Jagad · Answer

Ben@Network This was also mentioned in the release notes of the v19.0.1 MR-1 https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=19.0

Vivek Jagad · Answer

Hello @ Ben@Network, Thank you for reaching out to the community, You can download the v19.0 GA from the following links: > https://www.sophos.com/en-us/support/downloads/firewall-installers > https://download.sophos.com/firmware/HW/index.html And then re-image the appliance: https://support.sophos.com/support/s/article/KB-000036812?language=en_US Then you can download firmware latest firmware 19.0.1 MR-1 from Sophos Licensing Portal: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/Firmware/FirmwareDownloadFirmware/index.html Between after the firmware upgrade did your appliance went into the failsafe mode ? If that is the case then you may check the reason by following the article below: > Know the cause of hardware appliance going in failsafe mode: https://support.sophos.com/support/s/article/KB-000036375?language=en_US

Vivek Jagad · Answer

Hey Ben@Network , SFOS provides you to slots of the firmware, where in you can switch between the two slots anytime without loosing the configurations. So, before moving to the SFOS v19.01 MR-1 if you have the backup of v19.0.0 GA that is excellent. And now that the configurations are broken on v19.01 MR-1 then that backup file will be handy. You can load the previous firmware using * SFLOADER : https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/Firmware/FirmwareLoadFirmwareSFLoader/index.html Once you are able to start the v19.0.0 GA without appliance being broke or into the fail-safe mode then you may restore the backup with the file you saved. *WARNING: The option to load firmware using SFLoader isn't available for XGS devices. To update corrupt firmware for XGS devices, see Reimage Sophos Firewall . OR the link shared previously !!

Configuration gone after upgrage SFOS 19.0.0 to 19.0.1

Top Replies