
Sophos Firewall: v19.5 GA: Feedback and experiences

Release Post: Sophos Firewall v19.5 is Now Available

Old v19.0 MR1 thread: Sophos Firewall: v19.0 MR1: Feedback and experiences

EAP Sub thread: SFOS v19.5 Early Access Program (Read Only)

EAP 19.5 Thread: Sophos Firewall: v19.5 EAP1: Feedback and experiences



  • I have updated 2 test firewalls to 19.5 today. Both have a tunnel to an XG with 19.0.1 and dynamic routing with OSPF. The first firewall has an IPsec tunnel; here the tunnel stayed up after the update and the OSPF negotiation basically worked (no error messages in the log), however the firewall did not distribute its own route, so the site was not reachable. Rebooting and reconfiguring OSPF did not help. After a rollback to 19.0.1 the OSPF worked again.
    The second firewall has a RED tunnel to the central office; there are no problems with OSPF there.
    Are there any known issues with SFOS 19.5, IPsec and OSPF?

    Ben

    If a post solves your question please use the 'Verify Answer' button.

  • Hi, the Dev team would like to investigate why this is not working in your setup. Can you share the support access for your device(s) in a private message to me? Meanwhile, some quick info on this will help the team to start:
    1. config from /conf/routing/
    2. Logs: /log/csc.log, /log/ospfd.log, /log/zebra.log
    3. ifconfig output
    4. complete backup of the device config, if available
    Also, if possible, please provide the device support access ID so we can log in and check further. -Shrikant

  • Hi, I sent you the access ID via PM. -Ben

  • Version 19.5 has an OSPF link monitor; on my test firewall the LAN port was down and the route was not distributed. After I plugged the cable into the LAN port, the route was distributed.

  • Thanks Ben@Network for providing configuration and logs to quickly analyze the problem you were facing. Good to hear that it's working fine post link restore.

  • Is there any possibility to disable the OSPF link monitoring?

  • Yes, we are working on the same and tracking it under NC-110203.

    Also, can you share more details on the use case where it would be helpful to distribute a route without actual connectivity/reachability?

  • I manage many firewalls with OSPF. This problem occurred on my test firewall, which normally has no active link on the LAN interface. I use it to test the updates and to test the automation using the API. This is of course not a setup that will be used like this in the real world.

    Now that I think about it, another problem might become relevant. If the switch that the firewall is connected to fails, the OSPF route would be deleted and the firewall would not be available to analyze the problem. We usually access the LAN IP of the firewall via the VPN tunnel (WebAdmin or SSH) and then see what is reachable in the network. This way would then no longer be possible. I could alternatively access it via Sophos Central and open the console in WebAdmin, but then I would have to enter a password again, which I would have to type in manually.

    This can be done, but it is a different way with its own challenges. If the route is kept, we can use the normal workflow to access it.

    So it would be desirable to have at least the choice whether the link monitoring should be active or not.

  • Thanks Ben@Network for the details.

    We are working on a solution to provide a configurable option to the end user.

    We anticipated the appliance access scenario and want to know if this can be an issue for any other scenarios/use cases.