Configuration gone after upgrade SFOS 19.0.0 to 19.0.1

Hello everybody,

yesterday I updated two firewalls (XGS 126 and XG 125) from version 19.0.0 to 19.0.1. After the upgrade both firewalls have SFOS 19.0.1 firmware installed but lost their configuration. The problem was that both firewalls are at a remote site and lost all external connections (Sophos Central and VPN), so I can't reach the firewalls. Today we connected on site via serial console to the firewalls, and I saw that firmware 19.0.1 was installed, but (at minimum) the network configuration was gone. I made some tests:

- Booting the 19.0.0 firmware, the firewall runs as expected.

- Booting the 19.0.1 firmware via bootloader or via WebAdmin, the firewall has no configuration.

On the other hand, I made the upgrade on several firewalls without any problem (2x XG 125, 1x XGS 5500 HA, a virtual and a software firewall).

How can I remove the 19.0.1 Firmware from the non-working firewalls to get a 2nd try to upload the firmware again and install the 19.0.1?

Thanks,

Ben



  • Hi Ben,

    Could you send me an AccessID to one of those systems?

  • We found and could reproduce this problem based on the Logs. NC-100971

    This will be addressed soon. Workaround is currently under investigation. 


  • Hi LuCar Toni,

    thanks for your investigation. Do you still need the Access ID for the firewall?

    Many Thanks,

    Ben


  • Ben@Network 

    This was also mentioned in the release notes of the v19.0.1 MR-1
    https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=19.0

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services 

  • Hello Vivek,

    Right, I had read in the release notes that the default settings for UDP session handling have changed for new (19.0.1) firewalls. Since we do a lot of Microsoft Teams, I thought it made sense to set these values on our SFOS 19.0.0 firewalls as well.
    In the thread "Sophos Firewall: v19.0 MR1: Feedback and experiences" I had asked for the default value for "conn-remove-on-failover", because "enabled" is not a valid value. The answer from Sophos was "non-tcp". So I had set the values on all firewalls to this:

    set vpn conn-remove-tunnel-up disable
    set vpn conn-remove-on-failover non-tcp

    The firewalls I had successfully migrated from 19.0.0 to 19.0.1 did not have these two values set, so they had the default values set by version 18.0 and 18.5 respectively.

    Regards,

    Ben


  • Thank you all for reporting this issue. 

    We have confirmed this is a bug, and we'll fix it in an upcoming new build for v19.0 MR1.

    This issue affects devices that have had 'set vpn conn-remove-on-failover non-tcp' executed on the backend prior to the upgrade to MR1. Unfortunately the migration to MR1 does not handle this case properly, and falls back to factory default settings.

    If you cannot wait for the new MR1 build, and need to upgrade to MR1 right away, you can: 

    1. Log into the Advanced shell in the CLI.

    2. Execute: psql -U nobody -d corporate -Atc "DELETE FROM tblclientservices WHERE servicekey = 'vpn_flush_conn_failover'"

    3. Upgrade to MR1 as normal through the UI.

    After upgrading to MR1, you do not need to re-run 'set vpn conn-remove-on-failover non-tcp' as this parameter is already set to non-tcp by default in MR1. 
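
A check-then-delete wrapper around the workaround in the reply above, as an added example that is not part of the original post and not Sophos code: it counts the rows for the key first, deletes only when one exists, and confirms that none remains. The `PSQL` override, the `--apply` argument and the function names are assumptions made for illustration; the psql options, table and key are the ones quoted in the reply.

```shell
#!/bin/sh
# Added example (not Sophos code). Intended for the Advanced shell, before
# upgrading from 19.0.0 to an MR1 build affected by the migration bug.
# PSQL can be overridden so the logic can be exercised off-box (assumption).
PSQL="${PSQL:-psql}"
KEY="vpn_flush_conn_failover"

# Print the number of rows that carry the service key named in the workaround.
count_rows() {
    $PSQL -U nobody -d corporate -Atc \
        "SELECT count(*) FROM tblclientservices WHERE servicekey = '$KEY'"
}

# Delete the row only when it is present, then confirm it is gone.
# Returns 0 when no matching row remains, 1 on any failure.
clear_failover_key() {
    before=$(count_rows) || return 1
    if [ "$before" = "0" ]; then
        echo "no $KEY row present; nothing to remove"
        return 0
    fi
    echo "found $before row(s) for $KEY; removing"
    $PSQL -U nobody -d corporate -Atc \
        "DELETE FROM tblclientservices WHERE servicekey = '$KEY'" || return 1
    after=$(count_rows) || return 1
    [ "$after" = "0" ]
}

# Only touch the database when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    clear_failover_key
fi
```
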

  • Hi,

    I updated some firewalls from 19.0.0 to 19.0.1-365 without manually removing the database entry. It runs smoothly without any problems.

    thanks,

    Ben


  • Thank you for the confirmation Ben, yes with MR1 build #365 we have fixed this issue, and you can upgrade without manually removing entry from DB first. 

  • Hi!
    I tried to update my Sophos XG to SFOS 19.0.1 MR-1-Build365 and still get a config error. Is there a plan to release a proper update in the near future?

    Thanks,

    Mar

  • V19.0 MR1 build 365 resolves the issue described above, and we have had no further report of migration issues. 

    Can you describe the error/issue you’re seeing? What version are you upgrading from?