yesterday I updated two Firewalls (XGS 126 and XG 125) from Version 19.0.0 to 19.0.1. After the upgrade both Firewalls has SFOS 19.0.1 firmware installed but lost their configuration. The problem was both firewalls are on remote site and lost all external connections (Sophos Central und VPN), so I can't reach the firewalls. Today we connect on site via serial console to the Firewalls, and I saw that Firmware 19.0.1 was installed, but (at minimum) the network configuration was gone. I made some tests:
- Booting the 19.0.0 Firmware the Firewall runs as expected.
- Booting the 19.0.1 Firmware via Bootloader or via WebAdmin Firewall has no configuration.
On the other hand, I made the upgrade on serval firewalls without any problem (2x XG 125, 1x XGS 5500 HA, a Virtual and a Software Firewall).
How can I remove the 19.0.1 Firmware from the non-working firewalls to get a 2nd try to upload the firmware again and install the 19.0.1?
Thank you all for reporting this issue.
We have confirmed this is a bug, and we'll fix it in an upcoming new build for v19.0 MR1.
This issue affects devices which has 'set vpn conn-remove-on-failover…
Could you send me a AccessID to one of those systems?
We found and could reproduce this problem based on the Logs. NC-100971
This will be addressed soon. Workaround is currently under investigation.
Hi LuCar Toni,
thanks for your investigation. Do you still need the Access ID for the firewall?
Ben@Network This was also mentioned in the release notes of the v19.0.1 MR-1https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=19.0
Thanks & Regards,
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
Sophos Community | Product Documentation | Sophos Techvids | SMSIf a post solves your question please use the 'Verify Answer' button.
Right, I had read that in the release note that the default settings for UDP session handling have changed for new (19.0.1) firewalls. Since we do a lot of Microsoft Teams, I thought it made sense to set these values on our SFOS 19.0.0 firewalls as well. In the thread "Sophos Firewall: v19.0 MR1: Feedback and experiences" I had asked for the default value for "conn-remove-on-failover", because "enabled " is not a valid value. The answer from Sophos was "non-tcp". So I had set the values on all firewalls to this:
set vpn conn-remove-tunnel-up disableset vpn conn-remove-on-failover non-tcp
The firewalls I had successfully migrated from 19.0.0 to 19.0.1 did not have these two values set, so there were the defaut values set by version 18.0 and 18.5 respectively.
This issue affects devices which has 'set vpn conn-remove-on-failover non-tcp' executed on the backend prior to the upgrade to MR1. Unfortunately the migration to MR1 does not handle this case properly, and would fall back to factory default settings.
If you cannot wait for the new MR1 build, and need to upgrade to MR1 right away, you can:
Log into Advanced shell in the CLI
Execute psql -U nobody -d corporate -Atc "DELETE FROM tblclientservices WHERE servicekey = 'vpn_flush_conn_failover'
Upgrade to MR1 as normal through UI
After upgrading to MR1, you do not need to re-run 'set vpn conn-remove-on-failover non-tcp' as this parameter is already set to non-tcp by default in MR1.
I updated some firewalls from 19.0.0 to 19.0.1-365 without manually removing the database entry. It runs smoothly without any problems.
Thank you for the confirmation Ben, yes with MR1 build #365 we have fixed this issue, and you can upgrade without manually removing entry from DB first.
Hi!I tried to update my Sophos XG to SFOS 19.0.1 MR-1-Build365 and still config error. Is tere a plan to release proper update in near future?
V19.0 MR1 build 365 resolves the issue described above, and we have had no further report of migration issues.
can you describe the error/issue you’re seeing? What version are you upgrading from?