UTM Up2date 9.716 released

I was reluctant to go with another APX 120 after the first one I purchased used arrived bricked out of the box, but I gave it a second try and the speed bump going to 802.11ac from the AP15 (which seems to be locked at 72 mbps, 802.11n) made it worth it for me.

I was just about to go with a TP-Link access point, which can be managed from the Omada Controller, a really nice feature, but since the 802.11ac standard should still be around a for a long time I took the chance on an APX model. 

So if you're looking for a wireless solution, TP-link's Omada controllers can manage their Omada access points and switches, which will cost about as much as a used APX120.

I want a firewall/router that supports access points with multiple separate SSIDs so I can isolate appliances, cameras, etc. from our primary LAN. After what Sophos did with the AP series access points, there is no way I would trust them again, so sorry. Burn me once, shame on you. Burn me twice ...

We went for cisco years (decades, actually) ago and did never regret it. They still support APs 10+ years old in their software and the feature set is out of doubt. Main reason to replace an AP is for speed and frequency bands, not for age.

Just make sure you get the "real" cisco, not a company named "meraki" aquired some years ago. Expensive tough.

The only Sophos AP I deal with are these in the RED devices. We have a huge fleet of RED (mostly 15/15w) bought with the beginning of corona and still in heavy use. Fortunatelly plans to drop software support for them have only been announced by sophos for the XG line (afaik starting with V20), not for the SG.

We make gradually progress in moving to software clients, but for some setups (IP hardphone, printer) it's tricky.

utmadm said:

I want a firewall/router that supports access points with multiple separate SSIDs so I can isolate appliances, cameras, etc. from our primary LAN.

Ubiquity feels like it would be a good fit for for a home environment or smaller business. It's not to difficult to set up and the software is free once you pay for the hardware. I was leaning towards this as an option as well as it includes similar NGFW features (and the AP controller "key" is built in), and I sort of regret not going with that, but the Dream Machine Pros are more like $400 and up, which is still not that bad if you want to invest in their ecosystem of switches, cameras, and APs.

Today after upgrading Cluster to 9.716 all RED are unable to reconnect.

2023:08:03-14:34:43 schxxxxxx-utm-2 red_server[17884]: [R20xxxxxxxxxxxF] Config has changed, re-read confd firmware versions
2023:08:03-14:34:46 schxxxxxx-utm-2 red_server[17884]: [R20xxxxxxxxxxxF] Curl command to push config for RED ID R20xxxxxxxxxxxF failed with error code 6, retry in 60 seconds
2023:08:03-14:35:06 schxxxxxx-utm-2 red_server[29097]: SELF: New connection from 84.xx.xx.x7 with ID R20xxxxxxxxxxxF (cipher AES256-GCM-SHA384), rev1
2023:08:03-14:35:06 schxxxxxx-utm-2 red_server[29097]: R20xxxxxxxxxxxF: Device config was not yet uploaded with the current firmware version '1-1261-6de2a4c19-b1551d2'
2023:08:03-14:35:06 schxxxxxx-utm-2 red_server[29097]: R20xxxxxxxxxxxF: Connection is refused as device config was not yet uploaded.
2023:08:03-14:35:06 schxxxxxx-utm-2 red_server[29097]: R20xxxxxxxxxxxF: Sending json message {"data":{},"type":"DEVICE_CONFIG_NOT_YET_UPLOADED_TO_PROV"}

Ideas?

Thanks,

Hi Dirk,

we have updated to version 9.716 today and have also observed the error you described.

After about 90 minutes, however, the RED devices were suddenly and unexpectedly accessible without our intervention.
We could not determine the cause for the behavior.

Has the error also disappeared in your case?

Don't know if devices are back online.

But we discovered the RED-broker-server (red.astaro.com) can't be resolved from Germany.

Now i can resolve the name again. 

Homeoffice Users with RED devices were running normally after update to 9.716 last week.

Hi Philipp,

seems the UTM uploads the config directly after upgrade again.

With DNS problem today, UTM are unable to do this and RED-connection is refused.

12 locations were offline. Hope this is cured tomorrow.

PS: Within seconds we reached Sophos Support... and after a short time we were able to isolate the upload problem. It gets better.

I have problems with 10G interfaces "i40e 0000:08:00.2: Error I40E_AQ_RC_EINVAL adding RX filters on PF, promiscuous mode forced on".

See my post in the german forum. A Sophos support ticket has been opened.