Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: v20.0 MR1: Feedback and experiences

Release Post:  Sophos Firewall OS v20 MR1 is Now Available 

The old V20.0 GA Post:  Sophos Firewall: v20.0 GA: Feedback and experiences  

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes:  https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 

Important Note on EOL Sophos RED Support:

The legacy EOL RED 15, RED 15w, and RED 50 are not supported in v20 MR1. Customers using these devices should upgrade to SD-RED or a smaller XGS appliance before upgrading to MR1 to maintain connectivity. See the following article for details: Sophos RED: End-of-life of RED 15/15(w) and RED 50



Prio Change
[bearbeitet von: LuCar Toni um 4:40 PM (GMT -7) am 23 Sep 2024]
Parents
  • I have an issue, after updating my firewall at home to v20.0MR1 last night all my IPSEC-VPN connections (all route-based and 4 in total) are failing. Got an error something like remote side does not respond (or very similar).

    Tried to recreate 1 tunnel to one of the firewalls (using same settings) but this did also not come online.

    All tunnels are configured to other Sophos firewalls

    • 1 is at v20.0.0 GA
    • 2 are at v19.5.3 MR-3
    • 1 is at v19.5.2 MR-2

    Since it was really late and I desperately needed to go to bed, I just rolled back to v20.0.0 after which all 4 connections came back online.

    I'm not sure if anything has changed in policies (all connections are using the IKEv2 profile).

    Just noticed this morning that SSO to this firewall is not working anymore whereas credential login does work. SSO will always get to a page

    Firewall is starting
    
    Please stand by while the system finishes loading.
    Firewall management and security services will be available shortly.
    You will be redirected to the login screen, once startup is complete.

    Main question tough is about the RB-VPN connections to the 4 other firewalls of which none comes back online after upgrading. Hopefully someone has a clue in what could be the issue.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi  , regarding the IPsec VPN issue, please share below details:

    * Logs (from cli - /log/charon.log) on far end SFOS while the connection is attempted on SFOS that is migrated to v20.0.MR1

    * IPsec related configurations on both SFOS nodes.

    * Also, please verify the SFOS that is migrated to v20.0.MR1, IPsec flag (ACL) is set (turned ON) on WAN zone for IPsec (this is a new setting in v20.0.MR1); you can verify it from from the UI - Administration --> Device Access;

    • Hi just checked /log/charon.log on the far end and there doesn't seem to arrive any new logging since I upgraded back to MR1 some 20 minutes ago. In the same logfile other VPN-connections are logging additional lines.
      charon.log on upgraded firewall shows the following:
    • IPsec flag is (and was already) turned ON on WAN zone.
    • Both locations use the IKEv2 profile which I checked to be identical. It's all route-based setup using RSA-keys as authentication type

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • We have not seen any such issue (verified rbvpn tunnel with RSA between v20.0.MR1 and v20.0.GA)

    When the upgraded SFOS (to v20.0.MR1) attempts IPsec connection (assuming this is the Initiator), on the other SFOS (assuming Responder running v20.0.GA), please check fes things mentioned below in the CLI of responder SFOS and provide the output:

    a) tcpdump -n port 500 or 4500    // this will tell if the IKE packets reaching responder SFOS or not.

    b) if you see packets reaching responder SFOS, please also do

         tcpdump -nv port 500 or 4500    // wanted to check the packet length.

    c) if no IPsec/IKE packets are seen on responder node, please check if there are any drop packets

    drppkt | grep 500 (this will check if there is any incoming IKE packet is dropped).

    You may want to DM the details to me if it is appropriate.

Reply
  • We have not seen any such issue (verified rbvpn tunnel with RSA between v20.0.MR1 and v20.0.GA)

    When the upgraded SFOS (to v20.0.MR1) attempts IPsec connection (assuming this is the Initiator), on the other SFOS (assuming Responder running v20.0.GA), please check fes things mentioned below in the CLI of responder SFOS and provide the output:

    a) tcpdump -n port 500 or 4500    // this will tell if the IKE packets reaching responder SFOS or not.

    b) if you see packets reaching responder SFOS, please also do

         tcpdump -nv port 500 or 4500    // wanted to check the packet length.

    c) if no IPsec/IKE packets are seen on responder node, please check if there are any drop packets

    drppkt | grep 500 (this will check if there is any incoming IKE packet is dropped).

    You may want to DM the details to me if it is appropriate.

Children
  • DM sent with output


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi  , To summarise, the issue is related to increased packet size of IKE messages in v20.0MR1 (Strongswan has been upgraded in SFOS), causing some device in the ISP path dropping the packets sent by Initiator and the packets does not reach Responder SFOS node, connection will keep reattempted from Initiator SFOS.

    This is known to us, and in such environments, have to reduce the default phase1 DH groups from 6 to 4 in the IPsec profile (IKEv2 or some other existing profiles). With this change, all the tunnels are UP as this change reduced the IKE packet size and intermediate devices did not drop the packets.

    Also, please check ping <jumbo packet size> from SFOS that is having v20.0.MR1 to the responders' wan ip, this is also not successful, most likely that intermediate devices dropping jumbo packets; thinking that Ipsec tunnels not coming up and jumbo ping does not work could be related.