
Firmware Up2Date installation failed - after upgrade to UTM 9.709-3

Hi list,

With the previous version I had 95% up2date failures from the UTM, the message being all 5 servers not responding. I manually updated the 2 FW versions before this one. Now that I have installed version 9.709-3, I get tons of

Firmware Up2Date installation failed: IPS pattern installation was not successful but will keep trying to install. During this time IPS might not be active. Please inspect the UTM if you keep getting this message!
Please check the up2date log file for detailed information

Also, the pattern version has stayed for ages at 205945 - "Your patterns are up to date", which is false based on other UTMs.

This version is a Home version. On other UTMs (with licences) I face the same problem that up2date never shows new firmware versions; I have to execute them manually.

The Home version is running ipv4 and ipv6, others only ipv4.

Thanks for any hint

Daniel


  • Hello,

    What does the up2date log say?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Logs:

    2022:02:25-18:44:53 guava audld[26056]: 3. Modules::Audld::Authentication::start:68() /</sbin/audld.plx>Modules/Audld/Authentication.pm
    2022:02:25-18:44:53 guava audld[26056]: 4. main::main:187() audld.pl
    2022:02:25-18:44:53 guava audld[26056]: 5. main::top-level:40() audld.pl
    2022:02:25-18:44:53 guava audld[26056]: |=========================================================================
    2022:02:25-18:44:53 guava audld[26056]: id="3703" severity="error" sys="system" sub="up2date" name="Authentication failed, no valid answer from Authentication Servers"
    2022:02:25-18:44:53 guava audld[26056]:
    2022:02:25-18:44:53 guava audld[26056]: 1. Modules::Logging::alf:100() /</sbin/audld.plx>Modules/Logging.pm
    2022:02:25-18:44:53 guava audld[26056]: 2. Modules::Audld::Authentication::start:72() /</sbin/audld.plx>Modules/Audld/Authentication.pm
    2022:02:25-18:44:53 guava audld[26056]: 3. main::main:187() audld.pl
    2022:02:25-18:44:53 guava audld[26056]: 4. main::top-level:40() audld.pl
  • 2022:02:25-18:44:53 guava audld[26056]: id="3703" severity="error" sys="system" sub="up2date" name="Authentication failed, no valid answer from Authentication Servers"

    There is your error.  You can't reach the auth servers possibly due to a DNS issue.  Might need to see more of the log other than what you posted.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)
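The `id="3703"` error quoted above can be pulled out of the up2date log and profiled over time, which shows whether the failures are constant or periodic. This is an added example, not part of the original thread: the line layout is taken from the posted excerpt, the sample timestamps are constructed, and `parse_events` / `failure_profile` are hypothetical helper names.

```python
import re
from collections import Counter
from datetime import datetime

# Line layout taken from the log excerpt in the thread:
#   2022:02:25-18:44:53 guava audld[26056]: id="3703" severity="error" ...
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_events(lines):
    """Yield (timestamp, fields) for structured id="..." lines; skip stack-trace lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m["msg"]))
        if "id" in fields:
            yield datetime.strptime(m["ts"], "%Y:%m:%d-%H:%M:%S"), fields

def failure_profile(lines, event_id="3703"):
    """Summarise up2date failures: count, gaps in minutes, split by half hour."""
    # A set removes the same event logged twice with an identical timestamp.
    times = sorted({ts for ts, f in parse_events(lines)
                    if f["id"] == event_id and f.get("sub") == "up2date"})
    gaps = [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]
    halves = Counter("first_half" if t.minute < 30 else "second_half" for t in times)
    return {"failures": len(times), "gaps_min": gaps, "by_half_hour": dict(halves)}

# Constructed sample: timestamps are invented, message text is copied from the thread.
MSG = ('id="3703" severity="error" sys="system" sub="up2date" '
       'name="Authentication failed, no valid answer from Authentication Servers"')
SAMPLE = [
    f'2022:02:25-18:{mm}:53 guava audld[26056]: {MSG}' for mm in ("34", "39", "44", "49")
] + [
    '2022:02:25-18:44:53 guava audld[26056]: 3. main::main:187() audld.pl',
    f'2022:02:25-18:44:53 guava audld[26056]: {MSG}',   # same event logged twice
    f'2022:02:25-19:34:53 guava audld[26056]: {MSG}',
]

if __name__ == "__main__":
    print(failure_profile(SAMPLE))
```

A profile where all failures fall in one half of each hour, with a long gap in between, points at something that alternates (such as address family) rather than at a resolver that is down.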

  • Don't think this is the issue (or the DNS error comes from the upgrade), as (check for update is set to every 15 min):

    . remember that with the previous version 95% of the upgrades failed with "all 5 servers not responding", which means 5% OK
    . no DNS changes made after the upgrade
    . the message doesn't appear on every try, e.g. sometimes 30 min without a failure message
    . I changed the update time to daily, still get the message every 5 minutes
    . an ipv4 ping to www.sophos.com or an ipv6 traceroute to www.sophos.com *from UTM tools* are OK
    . pattern version doesn't upgrade either

    Problem lies somewhere else ...

  • . remember that with previous version 95% of the upgrade failed with "all 5 servers not responding" which means 5% OK

    "all 5" - that's not 95%, that's 100%.  What do you mean 95% and 5%?  If it says all, that means all.

    . a ipv4 ping to www.sophos.com or an ipv6 traceroute to www.sophos.com *from UTM tools* are OK

    Pings and traceroutes to a website don't mean that Up2Date should be accessible.  That just means that ICMP is acknowledging a response and giving you the TTL response.

    I agree that Pattern version isn't updating, as per another post we've been speaking in, and hopefully someone at Sophos will address.  The pattern version lack of updating and your Up2Date problem may be related to each other.  More updated UTMs seem to be stuck at 206808 (mine is as well).

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Pings and traceroutes to a website don't mean that Up2Date should be accessible.  That just means that ICMP is acknowledging a response and giving you the TTL response.

    But it means that DNS is working, as you supposed a DNS issue ;)

    I found another strange behavior with this: as told, despite the fact that the update should be done daily, it's not. But it's regular. For instance, this night it was every hour at H@12min H@17min H@22min H@28min H@33min and from there it jumps to H+1@12min and so on. But after 3 hours, 1 min is added, which means it started at H@13min H@18min H@23min H@28min H@33min and then jumped to H+1@13min and so on.

    Very very strange

  • Well, you missed the point.  Ping != DNS resolution.  That is ICMP_ECHO requests being fulfilled or not fulfilled. It will use hosts file information, being DNS cache, and thus pings the last known IP.  The reply is just the TTL response of the last known IP address.

    So no, ICMP doesn't equate to DNS directly. I also said 'possibly', not 'definitely'.

    At any rate, yes you have an issue with Up2Date, and others do as well (pattern updates not working correctly) as outlined in other posts.

    The later post you made is why I also previously stated that we needed more information from your logs:

    >>> Modules::Audld::LocalRestriction::_seek_own_country::130()

    I don't know if that reads the same as how I am interpreting it because I've not seen this before, but it reads like there is a restriction in place on where you can get your Up2Date files, and maybe that is why your failure % is so high.  I don't know what country your UTM is in.  Could it be reaching out to other remote domains because the one you would normally get your Up2Date from is unavailable?  Dirk or someone else might know more on that.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • UTM is in France. I set up another server with UTM9 at the same location *WITHOUT* ipv6 and _behind_ the faulty UTM: up2date works without problem. Please note that the error is "500 timeout" and the host cmd shows the (I hope) right IPs.

    Is there a way to force ipv4 for up2date ?

  • Is there a way to force ipv4 for up2date ?

    Good question.  I wonder if you can create a Network DNS Host object with the IP information on EU1 and EU2 sites, and add them to your exceptions (whitelist them)?  Maybe a workaround for an issue related to the UTM?

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Will try to find a way for this.

    Another one: up2date is set up to check daily or every 15 minutes for patterns. The messages I get come every 5 minutes each half hour, which means that during the other half hour it's working as it should.

    Another one: I see from the host command that usX.utmu2d.sophos.com and euX.utmu2d.sophos.com don't have ipv6 addresses; those listed above are from nat64 on my network.

    Pretty sure that the problem comes from the 2 points above: each half hour up2date works with ipv4 => no message, the second one with ipv6 => errors

    sophos.com without ipv6 ? Hmm ... 
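Whether the IPv6 addresses returned for the Up2Date hosts are native or synthesised by DNS64 can be decided from the A and AAAA answers alone. This is an added example, not part of the original thread: the addresses are constructed from documentation ranges, the function names are hypothetical, and the check assumes a /96 NAT64 prefix (the RFC 6052 well-known prefix or a network-specific one).

```python
import ipaddress

WELL_KNOWN = ipaddress.ip_network("64:ff9b::/96")   # RFC 6052 well-known prefix

def embedded_ipv4(aaaa):
    """Return the IPv4 address carried in the low 32 bits of an IPv6 address."""
    return ipaddress.IPv4Address(int(ipaddress.IPv6Address(aaaa)) & 0xFFFFFFFF)

def classify_aaaa(a_records, aaaa_records):
    """Label each AAAA answer as 'native' or 'dns64' (synthesised from an A record).

    An AAAA counts as synthesised when it lies in 64:ff9b::/96, or when its low
    32 bits equal one of the name's own A records (network-specific /96 prefix).
    """
    a_set = {ipaddress.IPv4Address(a) for a in a_records}
    result = {}
    for aaaa in aaaa_records:
        addr = ipaddress.IPv6Address(aaaa)
        v4 = embedded_ipv4(aaaa)
        synthetic = addr in WELL_KNOWN or v4 in a_set
        result[str(addr)] = ("dns64", str(v4)) if synthetic else ("native", None)
    return result

def ipv6_path_depends_on_nat64(a_records, aaaa_records):
    """True when the name has AAAA answers and every one of them is synthesised."""
    labels = classify_aaaa(a_records, aaaa_records)
    return bool(labels) and all(kind == "dns64" for kind, _ in labels.values())

# Constructed answers for one hypothetical update host (documentation addresses).
A_RECORDS = ["192.0.2.10", "192.0.2.11"]
AAAA_RECORDS = [
    "64:ff9b::c000:20a",        # well-known prefix + 192.0.2.10
    "2001:db8:64::c000:20b",    # network-specific prefix + 192.0.2.11
]

if __name__ == "__main__":
    for addr, (kind, v4) in classify_aaaa(A_RECORDS, AAAA_RECORDS).items():
        print(f"{addr:28} {kind:7} {v4 or ''}")
    print("IPv6 reachability relies on NAT64:",
          ipv6_path_depends_on_nat64(A_RECORDS, AAAA_RECORDS))
```

When every AAAA answer is synthesised, any IPv6 attempt by the updater actually traverses the local NAT64 gateway, so that gateway's timeouts and state limits belong in the investigation.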

  • Hi Daniel,

    This issue seems like it would be of interest to Sophos Support.  What do they say?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob. No feedback, even from the French Sophos distributor. Should I remove ipv6 ? ;) Better to laugh than to cry about it ...

  • With the monthly report I saw that in February up2date had 4 successful connections for 3554 failures. This means that I received 3554 emails !

  • Result without IPv6, Daniel?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, from last week's Weekly Executive Report:

    Up2Date :  
    Succès des requêtes 3
    Échec des requêtes 425
    Mises à jour du firmware installées : 0
    Mises à jour du modèle installées : 0

    which means 3 times successful. For pattern version I have:

    Version des listes de définitions actuelle : 205945
    Dernière version des listes de définitions disponible : 207042

    but the 207042 version never gets installed, even manually.

    As already told:
    . another server in the same LAN, same UTM version but without ipv6, gets its updates without problem
    . the problem appears with version 9-709.3

    Cheers

  • Hello there,

    Could you please open a case with Support, or share the Case ID your Distributor has opened with Support.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support