
WAF: Warning: DocumentRoot [/sdisk/waffiles/########] does not exist

Sophos FW v19.0.1 (Build 365) - With a Home Licence

Since upgrading to this version, I have had no WAF functionality, and there are no errors being shown in WebAdmin

Going into the shell and looking at /log/reverseproxy.log I can see the following:

[Thu Feb 02 13:57:50.892665 2023] [mpm_worker:notice] [pid 30195:tid 140254384852672] AH00295: caught SIGTERM, shutting down
AH00112: Warning: DocumentRoot [/sdisk/waffiles/c1f1e4e6ef94ac8bd4b23cf2e423dce9] does not exist
[Thu Feb 02 13:57:52.099469 2023] [security2:notice] [pid 31313:tid 140423597891264] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
[Thu Feb 02 13:57:52.099489 2023] [security2:notice] [pid 31313:tid 140423597891264] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
[Thu Feb 02 13:57:52.099494 2023] [security2:notice] [pid 31313:tid 140423597891264] ModSecurity: PCRE compiled version="8.43 "; loaded version="8.43 2019-02-23"
[Thu Feb 02 13:57:52.099499 2023] [security2:notice] [pid 31313:tid 140423597891264] ModSecurity: LIBXML compiled version="2.9.9"
[Thu Feb 02 13:57:52.099503 2023] [security2:notice] [pid 31313:tid 140423597891264] ModSecurity: ma engine is currently disabled, enable it by set SecStatusEngine to On.
[Thu Feb 02 13:57:52.185033 2023] [mpm_worker:notice] [pid 31315:tid 140423597891264] AH00292: Apache/2.4.53 (Unix) OpenSSL/1.1.1n configured -- resuming normal operations
[Thu Feb 02 13:57:52.185062 2023] [core:notice] [pid 31315:tid 140423597891264] AH00094: Command line: '/usr/apache/bin/httpd -E /log/reverseproxy.log

If I browse /sdisk/waffiles - it is empty.
I have even tried to manually create the directory shown in the logs, but as soon as the WAF is restarted after an update, all subfolders are again deleted

I'm preparing to revert back to 18.5 to see if this resolves the issue
I had tried to upgrade to 19.5, but it froze so had to revert after 1 hour.

Are there any known changes in v19 that would account for this behaviour, and if so has it been fixed with v19.5 ?



  • Hello Gatt,

    Thank you for contacting the Sophos Community.

    I think you might be affected by NC-84574

    Can you check if there is anything under /var/cores?

    Are you using your own Hardware or this is running in Sophos Hardware?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thanks for the reply, I have managed to get it updated to v19.5

    It's running as a VM under Hyper-V (has been for a few years now)

    I can see this under /var/cores

  • Hello Gatt,

    Thank you for the info.

    That doesn't look very good; you might have a corrupted database, causing issues with some database keys.

    I would recommend to:

    1. Take a backup of your configuration 

    2. Spin up a new VM (don't delete the current VM); use the backup you took in step 1 and see if the issue persists with the WAF 

    3. If the issue persists, for testing only, try disabling URL Hardening and cookie signing in one of the WAF protection policies

    Reach out to me via DM if the issue persists and share the Access ID to your device. 


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thanks - I will look at doing that tomorrow and get back to you if needed.

  • Hi there - Built a new VM and restored from backup, however the issue was still present with nothing in the /sdisk/waffiles/ directory 
    I'm guessing I'm now looking at having to build a brand new installation and migrate everything across manually?

  • I had the same issue. It was caused by a defective memory module (RAM) in my hardware. The firewall did not crash completely, but I got lots of core dumps as you have, and subsequently the configuration and database were defective. Backups were defective as well.

  • Interesting, though as this is a Virtual Machine I'm not sure it will be a RAM issue for me.. 
    Looking back at the ReverseProxy log  it started after I upgraded to v19.. 

    So I am guessing the upgrade wasn't as clean as I thought - shame I hadn't kept the VM snapshot for longer 

  • Even a VM's memory is located in physical RAM; VM memory is just pointed to it. If you think the hypervisor does an additional memory checksum, you are wrong. That is usually done in hardware (ECC) to avoid latency.

    So if you do not have ECC memory, I would not rule memory out.

  • Hello,

    I have sent you a PM.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Finally, got this working

    After speaking with Sophos, the "DocumentRoot" error is expected behaviour - so was a red herring, however my installation was corrupted which needed a reinstall and restore from backups

    Initially, it looked like this had failed to resolve the issues so further investigation was undertaken..
    Needless to say, this led to a lot of hair pulling as I couldn't figure out what was going on.

    Turns out it was a weird combination of issues:

    My ISP had decided to update my router config, resulting in the DMZ IP I was using (the External Port for SFOS) no longer being a valid IP - this took a long time to diagnose as it didn't indicate that there was any problem with it - until I disabled it to try port forwarding.

    When I went to re-enable the DMZ again the IP was rejected.. After a few failed attempts a new IP was finally found that it would accept. Once I updated the External IP in Sophos to be the same - It started working - kind of

    The next issue initially looked like an SSL issue, but turned out to be a set of old DNAT rules that were still present but were now causing issues with redirecting Web requests to another server.

    External access now appears to be working, but keeping an eye on it for now