
Sophos SG: no firmware update to 9.601 or 9.602-3 with RED!

Hello community,

After a few tests at our customers, the same problems with REDs have shown up with 9.602-3 as well. Have you had similar experiences?

Tested workaround

After a firmware update to version 9.601 or 9.602-3 it can happen that the REDs can no longer establish a connection. Easy to spot in the log:

2019:03:06-23:15:38 fw01 red_server[17509]: SELF: Cannot do SSL handshake on socket accept from 'xxx.xxx.xxx.xxx': SSL connect accept failed because of handshake problems
 
2019:03:06-15:15:46 fw01-2 red2ctl[12420]: Missing keepalive from reds3:0, disabling peer xxx.xxx.xxx.xxx

Via the console you can temporarily prevent the roll-out of the new firmware. Via SSH as loginuser:

su -

cc get red use_unified_firmware

If the value returned is 1:

cc set red use_unified_firmware 0

The REDs will update and reboot.

Confirm that the value is 0 by re-running the get command above.
 
The problem has to be fixed permanently in the Sophos UTM firmware. So far there is no statement from Sophos on this that I am aware of.
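The workaround above as an idempotent script, added here as an example (it is not part of the original post and not Sophos tooling). The only UTM commands it issues are the two the post gives, `cc get red use_unified_firmware` and `cc set red use_unified_firmware 0`; the function names, the `CC_CMD` override (so the logic can be exercised against a fake `cc` off the box) and the `apply` argument are this example's own assumptions. Run it on the UTM after `su -`, i.e. as root.

```shell
#!/bin/sh
# Added example, not from the original post: wrap the "get, set only if 1,
# re-get to confirm" procedure so it can be re-run safely on several UTMs.
# Only the two cc calls named in the post are used; CC_CMD, the function
# names and the 'apply' switch are assumptions of this example.

# Command used to talk to confd. Override for a dry run / test, e.g.
# CC_CMD=./fake_cc ./red_firmware_hold.sh apply
: "${CC_CMD:=cc}"

# Print the current value of the setting (expected "0" or "1").
red_unified_firmware_get() {
    "$CC_CMD" get red use_unified_firmware
}

# Disable the unified firmware roll-out only if it is currently enabled.
# Returns 0 when the setting ends up at 0, 1 otherwise, and refuses to touch
# anything if cc returns something other than 0 or 1.
red_unified_firmware_disable() {
    before=$(red_unified_firmware_get) || return 1
    case "$before" in
        0)
            echo "use_unified_firmware already 0, nothing to do"
            return 0 ;;
        1)
            echo "use_unified_firmware is 1, setting it to 0 (REDs will update and reboot)"
            "$CC_CMD" set red use_unified_firmware 0 || return 1 ;;
        *)
            echo "unexpected value '$before' from cc, refusing to change anything" >&2
            return 1 ;;
    esac
    # Confirm, as the post says: re-run the get and insist on 0.
    after=$(red_unified_firmware_get) || return 1
    if [ "$after" = "0" ]; then
        echo "confirmed: use_unified_firmware=0"
        return 0
    fi
    echo "set did not take effect, value is still '$after'" >&2
    return 1
}

# Only change anything when invoked with 'apply'; without it the file just
# defines the functions, so you can source it and run the get first.
if [ "${1:-}" = "apply" ]; then
    red_unified_firmware_disable
fi
```

Without `apply` the script is read-only, which is the mode to use first on a cluster node you are unsure about; the confirmation step matters because a `cc set` that fails silently would leave the REDs pulling the new firmware on their next reconnect.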
 


  • We have an SG310 cluster running UTM (Total Protect) 9.601-5 with 21 RED15 at branch offices.

    The described problem does not occur here (thank goodness!).

    regards, Jan

  • This morning I actually did have an error with a RED 50 in connection with an SG 135:

    I deleted the thing and added it again. The RED then reconnected, performed a firmware update, rebooted, and after that everything worked again.

    Attached is the log:

    2019:05:08-08:04:57 sophos red_server[17235]: SELF: RED15(w) fw version set to 1-373-b15c4b2a-e9f0c31
    2019:05:08-08:04:57 sophos red_server[17235]: SELF: RED50 fw version set to 1-373-b15c4b2a-0000000
    2019:05:08-08:04:57 sophos red_server[17235]: SELF: IO::Socket::SSL Version: 1.953
    2019:05:08-08:04:57 sophos red_server[17235]: SELF: Startup - waiting 15 seconds ...
    2019:05:08-08:05:12 sophos red_server[17622]: UPLOAD: Uploader process starting
    2019:05:08-08:05:12 sophos red_server[17235]: SELF: (Re-)loading device configurations
    2019:05:08-08:05:12 sophos red_server[17235]: Axxxxxxxxxxx: New device
    2019:05:08-08:05:13 sophos red_server[17235]: Axxxxxxxxxxx: Staging config for upload
    2019:05:08-08:05:13 sophos red_server[17235]: SELF: (Re-)loading device configurations
    2019:05:08-08:05:15 sophos red_server[17622]: [Axxxxxxxxxxx] Uploaded config to registry service
    2019:05:08-08:08:16 sophos red_server[18879]: SELF: Cannot do SSL handshake on socket accept from 'xxx.xxx.xxx.xxx': SSL connect accept failed because of handshake problems SSL wants a read first
    2019:05:08-08:08:18 sophos red_server[18880]: SELF: New connection from xxx.xxx.xxx.xxx with ID Axxxxxxxxx (cipher AES256-GCM-SHA384), rev1
    2019:05:08-08:08:18 sophos red_server[18880]: Axxxxxxxxxxx: connected OK, pushing config
    2019:05:08-08:08:19 sophos red_server[18880]: Axxxxxxxxxxx: command '{"data":{"version":"0"},"type":"INIT_CONNECTION"}'
    2019:05:08-08:08:19 sophos red_server[18880]: Axxxxxxxxxxx: Initializing connection running protocol version 0
    2019:05:08-08:08:19 sophos red_server[18880]: Axxxxxxxxxxx: Sending json message {"data":{},"type":"WELCOME"}
    2019:05:08-08:08:21 sophos red_server[18880]: Axxxxxxxxxxx: command '{"data":{},"type":"CONFIG_REQ"}'
    2019:05:08-08:08:21 sophos red_server[18880]: Axxxxxxxxxxx: Sending json message {"data":{"pin":"","fullbr_dns":"","split_networks":"1.2.3.4","lan2_vids":"","lan4_vids":"","local_networks":"","tunnel_id":1,"manual2_netmask":24,"asg_cert":"[removed]","manual_address":"0.0.0.0","bridge_proto":"none","unlock_code":"h2zhrcxu","password":"","manual2_defgw":"0.0.0.0","prev_unlock_code":"xxxxxx","manual_netmask":24,"lan3_vids":"","version_r2":"2005R2","mac_filter_type":"none","mac":"00:51:83:27:60:6c","dial_string":"*99#","manual2_address":"0.0.0.0","version_ng_red50":"1-373-b15c4b2a-0000000","manual_dns":"0.0.0.0","lan1_mode":"unused","username":"","activate_modem":0,"tunnel_compression_algorithm":"lzo","version_red50":"1-373-b15c4b2a-0000000","fullbr_domains":"","htp_server":"vpn.xxxxxxx.de","uplink_balancing":"failover","asg_key":"[removed]","type":"red50","deployment_mode":"online","uplink2_mode":"dhcp","version_red15":"1-373-b15c4b2a-e9f0c31","m...L1513
    2019:05:08-08:08:21 sophos red_server[18880]: Axxxxxxxxxxx: command '{"data":{"message":"Received device configuration from UTM using network fallback mode successfully"},"type":"DISCONNECT"}'
    2019:05:08-08:08:21 sophos red_server[18880]: Axxxxxxxxxxx: Disconnecting: Received device configuration from UTM using network fallback mode successfully
    2019:05:08-08:08:21 sophos red_server[18880]: id="4202" severity="info" sys="System" sub="RED" name="RED Tunnel Down" red_id="Axxxxxxxxxx" forced="1"
    2019:05:08-08:08:21 sophos red_server[18880]: Axxxxxxxxxxx is disconnected.
    2019:05:08-08:09:33 sophos red_server[29250]: SELF: Cannot do SSL handshake on socket accept from 'xxx.xxx.xxx.xxx': SSL connect accept failed because of handshake problems
    2019:05:08-08:09:35 sophos red_server[29268]: SELF: New connection from xxx.xxx.xxx.xxx with ID Axxxxxxxxxx (cipher AES256-GCM-SHA384), rev1
    2019:05:08-08:09:35 sophos red_server[29268]: Axxxxxxxxxxx: connected OK, pushing config
    2019:05:08-08:09:36 sophos red_server[29268]: Axxxxxxxxxxx: command '{"data":{"version":"0"},"type":"INIT_CONNECTION"}'
    2019:05:08-08:09:36 sophos red_server[29268]: Axxxxxxxxxxx: Initializing connection running protocol version 0
    2019:05:08-08:09:36 sophos red_server[29268]: Axxxxxxxxxxx: Sending json message {"data":{},"type":"WELCOME"}
    2019:05:08-08:09:37 sophos red_server[29268]: Axxxxxxxxxxx: command '{"data":{},"type":"CONFIG_REQ"}'
    2019:05:08-08:09:37 sophos red_server[29268]: Axxxxxxxxxxx: Sending json message {"data":{"pin":"","fullbr_dns":"","split_networks":"1.2.3.4","lan2_vids":"","lan4_vids":"","local_networks":"","tunnel_id":1,"manual2_netmask":24,"asg_cert":"[removed]","manual_address":"0.0.0.0","bridge_proto":"none","unlock_code":"xxxxxxx","password":"","manual2_defgw":"0.0.0.0","prev_unlock_code":"xxxxxx","manual_netmask":24,"lan3_vids":"","version_r2":"2005R2","mac_filter_type":"none","mac":"00:51:83:27:60:6c","dial_string":"*99#","manual2_address":"0.0.0.0","version_ng_red50":"1-373-b15c4b2a-0000000","manual_dns":"0.0.0.0","lan1_mode":"unused","username":"","activate_modem":0,"tunnel_compression_algorithm":"lzo","version_red50":"1-373-b15c4b2a-0000000","fullbr_domains":"","htp_server":"vpn.xxxxxxx.de","uplink_balancing":"failover","asg_key":"[removed]","type":"red50","deployment_mode":"online","uplink2_mode":"dhcp","version_red15":"1-373-b15c4b2a-e9f0c31","m...L1513
    2019:05:08-08:09:38 sophos red_server[29268]: Axxxxxxxxxxx: command '{"data":{"message":"Firmware update required. Trying provisioning service ..."},"type":"DISCONNECT"}'
    2019:05:08-08:09:38 sophos red_server[29268]: Axxxxxxxxxxx: Disconnecting: Firmware update required. Trying provisioning service ...
    2019:05:08-08:09:38 sophos red_server[29268]: id="4202" severity="info" sys="System" sub="RED" name="RED Tunnel Down" red_id="Axxxxxxxxxxx" forced="1"
    2019:05:08-08:09:38 sophos red_server[29268]: Axxxxxxxxxxx is disconnected.
    2019:05:08-08:12:05 sophos red_server[9971]: SELF: Cannot do SSL handshake on socket accept from 'xxx.xxx.xxx.xxx': SSL connect accept failed because of handshake problems SSL wants a read first
    2019:05:08-08:12:07 sophos red_server[9973]: SELF: New connection from xxx.xxx.xxx.xxx with ID Axxxxxxxxxxx (cipher AES256-GCM-SHA384), rev1
    2019:05:08-08:12:08 sophos red_server[9973]: Axxxxxxxxxxx: connected OK, pushing config
    2019:05:08-08:12:09 sophos red_server[9973]: Axxxxxxxxxxx: command '{"data":{"version":"0"},"type":"INIT_CONNECTION"}'
    2019:05:08-08:12:09 sophos red_server[9973]: Axxxxxxxxxxx: Initializing connection running protocol version 0
    2019:05:08-08:12:09 sophos red_server[9973]: Axxxxxxxxxxx: Sending json message {"data":{},"type":"WELCOME"}
    2019:05:08-08:12:10 sophos red_server[9973]: Axxxxxxxxxxx: command '{"data":{},"type":"CONFIG_REQ"}'
    2019:05:08-08:12:10 sophos red_server[9973]: Axxxxxxxxxxx: Sending json message {"data":{"pin":"","fullbr_dns":"","split_networks":"1.2.3.4","lan2_vids":"","lan4_vids":"","local_networks":"","tunnel_id":1,"manual2_netmask":24,"asg_cert":"[removed]","manual_address":"0.0.0.0","bridge_proto":"none","unlock_code":"h2zhrcxu","password":"","manual2_defgw":"0.0.0.0","prev_unlock_code":"xxxxxxx","manual_netmask":24,"lan3_vids":"","version_r2":"2005R2","mac_filter_type":"none","mac":"00:51:83:27:60:6c","dial_string":"*99#","manual2_address":"0.0.0.0","version_ng_red50":"1-373-b15c4b2a-0000000","manual_dns":"0.0.0.0","lan1_mode":"unused","username":"","activate_modem":0,"tunnel_compression_algorithm":"lzo","version_red50":"1-373-b15c4b2a-0000000","fullbr_domains":"","htp_server":"vpn.xxxxxxxxxx.de","uplink_balancing":"failover","asg_key":"[removed]","type":"red50","deployment_mode":"online","uplink2_mode":"dhcp","version_red15":"1-373-b15c4b2a-e9f0c31","m...L1513
    2019:05:08-08:12:11 sophos red_server[9973]: Axxxxxxxxxxx: command '{"data":{"message":"Device configuration has changed, reconnecting ..."},"type":"DISCONNECT"}'
    2019:05:08-08:12:11 sophos red_server[9973]: Axxxxxxxxxxx: Disconnecting: Device configuration has changed, reconnecting ...
    2019:05:08-08:12:11 sophos red_server[9973]: id="4202" severity="info" sys="System" sub="RED" name="RED Tunnel Down" red_id="Axxxxxxxxxxx" forced="1"
    2019:05:08-08:12:11 sophos red_server[9973]: Axxxxxxxxxxx is disconnected.
    2019:05:08-08:12:17 sophos red_server[10949]: SELF: Cannot do SSL handshake on socket accept from 'xxx.xxx.xxx.xxx': SSL connect accept failed because of handshake problems
    2019:05:08-08:12:19 sophos red_server[10951]: SELF: New connection from xxx.xxx.xxx.xxx with ID Axxxxxxxxxxx (cipher AES256-GCM-SHA384), rev1
    2019:05:08-08:12:19 sophos red_server[10951]: Axxxxxxxxxxx: connected OK, pushing config
    2019:05:08-08:12:20 sophos red_server[10951]: Axxxxxxxxxxx: command '{"data":{"version":"0"},"type":"INIT_CONNECTION"}'
    2019:05:08-08:12:20 sophos red_server[10951]: Axxxxxxxxxxx: Initializing connection running protocol version 0
    2019:05:08-08:12:20 sophos red_server[10951]: Axxxxxxxxxxx: Sending json message {"data":{},"type":"WELCOME"}
    2019:05:08-08:12:22 sophos red_server[10951]: Axxxxxxxxxxx: command '{"data":{},"type":"CONFIG_REQ"}'
    2019:05:08-08:12:22 sophos red_server[10951]: Axxxxxxxxxxx: Sending json message {"data":{"pin":"","fullbr_dns":"","split_networks":"1.2.3.4","lan2_vids":"","lan4_vids":"","local_networks":"","tunnel_id":1,"manual2_netmask":24,"asg_cert":"[removed]","manual_address":"0.0.0.0","bridge_proto":"none","unlock_code":"h2zhrcxu","password":"","manual2_defgw":"0.0.0.0","prev_unlock_code":"xxxxxxx","manual_netmask":24,"lan3_vids":"","version_r2":"2005R2","mac_filter_type":"none","mac":"00:51:83:27:60:6c","dial_string":"*99#","manual2_address":"0.0.0.0","version_ng_red50":"1-373-b15c4b2a-0000000","manual_dns":"0.0.0.0","lan1_mode":"unused","username":"","activate_modem":0,"tunnel_compression_algorithm":"lzo","version_red50":"1-373-b15c4b2a-0000000","fullbr_domains":"","htp_server":"vpn.xxxxxxxxxxxx.de","uplink_balancing":"failover","asg_key":"[removed]","type":"red50","deployment_mode":"online","uplink2_mode":"dhcp","version_red15":"1-373-b15c4b2a-e9f0c31","m...L1513
    2019:05:08-08:12:24 sophos red_server[10951]: Axxxxxxxxxxx: command '{"data":{"key1":"8yiGf34Q96UBxZlpHN5G2OiASmw0DoN+UVFwQZkAzW0=","key0":"aYRg4WNvdj2xUDC5l3eJ7hcNsnK0vzy0V3TTkFZ79Sk=","key_active":0},"type":"SET_KEY_REQ"}'
    2019:05:08-08:12:24 sophos red_server[10951]: Axxxxxxxxxxx: Sending json message {"data":{},"type":"SET_KEY_REP"}
    2019:05:08-08:12:25 sophos red_server[10951]: Axxxxxxxxxxx: command '{"data":{"seq":0},"type":"PING"}'
    2019:05:08-08:12:25 sophos red_server[10951]: id="4201" severity="info" sys="System" sub="RED" name="RED Tunnel Up" red_id="Axxxxxxxxxxx" forced="0"
    2019:05:08-08:12:25 sophos red_server[10951]: Axxxxxxxxxxx: Sending json message {"data":{"seq":0},"type":"PONG"}
    2019:05:08-08:12:26 sophos red_server[10951]: Axxxxxxxxxxx: command '{"data":{"switch_port_status":{"lan3":"1004","lan1":"1004","lan4":"1E04","lan2":"1004"},"wan1_ip":"xxx.xxx.xxx.xxx","mobile_signal_strength":"","wan2_ip":"","uplink":"WAN1","uplink_state":"0"},"type":"STATUS"}'
    2019:05:08-08:12:26 sophos red_server[10951]: Axxxxxxxxxxx: PORTSTATE LAN1: Down, LAN2: Down, LAN3: Down, LAN4: 1Gb/s
    2019:05:08-08:12:27 sophos red2ctl[17190]: Missing keepalive from reds1:0, disabling peer xxx.xxx.xxx.xxx
    2019:05:08-08:12:30 sophos red2ctl[17190]: Received keepalive from reds1:0, enabling peer xxx.xxx.xxx.xxx
    2019:05:08-08:12:34 sophos red_server[17235]: SELF: (Re-)loading device configurations
    2019:05:08-08:12:42 sophos red_server[10951]: Axxxxxxxxxxx: command '{"data":{"seq":1},"type":"PING"}'
    2019:05:08-08:12:42 sophos red_server[10951]: Axxxxxxxxxxx: Sending json message {"data":{"seq":1},"type":"PONG"}
    2019:05:08-08:12:58 sophos red_server[10951]: Axxxxxxxxxxx: command '{"data":{"seq":2},"type":"PING"}'
    2019:05:08-08:12:58 sophos red_server[10951]: Axxxxxxxxxxx: Sending json message {"data":{"seq":2},"type":"PONG"}

    Maybe this information helps?!
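The log above shows the healthy sequence after re-adding the RED: handshake error, new connection, "network fallback mode" config, "Firmware update required", "Device configuration has changed", and finally "RED Tunnel Up". What you want after a UTM update is a quick way to tell that sequence apart from a RED that never gets past the handshake failures. The script below is an added example, not from either post and not a Sophos tool: it reduces red_server/red2ctl lines to one state line per RED, attributing the handshake failures (which only carry the peer IP) to a RED via the "New connection from IP with ID" line. The message texts are taken from the log above; the sample log is constructed for this example (fictitious RED IDs A1111111111/A2222222222 and documentation IPs), with a second RED added that gets stuck after "Firmware update required" to show the failure case. Function names and output format are this example's own.

```shell
#!/bin/sh
# Added example, not from the posts: summarise a UTM RED log per device.
# Usage: red_log_summary < /path/to/red_server.log   (file path is yours to supply)

# One line per RED: "<id> <last state> handshake_failures=<n>", then a total.
red_log_summary() {
    awk '
    function red_id() {                   # id from red_id="..." on the 420x event lines
        if (match($0, /red_id="[^"]*"/)) return substr($0, RSTART + 8, RLENGTH - 9)
        return ""
    }
    # The handshake error names only the peer IP (field 13, quoted), so count per IP ...
    /SELF: Cannot do SSL handshake on socket accept/ {
        ip = $13; gsub(/[^0-9.]/, "", ip); fail_by_ip[ip]++; next
    }
    # ... and learn IP -> RED ID from the connection that eventually succeeds.
    /SELF: New connection from/ {
        id_by_ip[$8] = $11; seen[$11] = 1; state[$11] = "connecting"; next
    }
    /name="RED Tunnel Up"/   { id = red_id(); seen[id] = 1; state[id] = "up"; next }
    /name="RED Tunnel Down"/ { id = red_id(); seen[id] = 1; if (state[id] == "up") state[id] = "down"; next }
    # "Axxx: Disconnecting: <reason>" is the interesting part of a re-provisioning cycle.
    $5 == "Disconnecting:" {
        id = $4; sub(/:$/, "", id); seen[id] = 1
        if ($0 ~ /Firmware update required/)       state[id] = "firmware-update"
        else if ($0 ~ /configuration has changed/) state[id] = "config-changed"
        else if ($0 ~ /network fallback mode/)     state[id] = "fallback-config"
        else                                       state[id] = "disconnected"
        next
    }
    /red2ctl\[[0-9]+\]: Missing keepalive/ { keepalive_lost++ }
    END {
        total = 0
        for (ip in fail_by_ip) total += fail_by_ip[ip]
        for (id in seen) {
            n = 0
            for (ip in id_by_ip) if (id_by_ip[ip] == id) n += fail_by_ip[ip]
            printf "%s %s handshake_failures=%d\n", id, state[id], n
        }
        printf "total handshake_failures=%d keepalive_lost=%d\n", total, keepalive_lost + 0
    }'
}

# IDs whose last recorded state is anything but "up": the ones to look at.
red_log_stuck() {
    red_log_summary | awk '$1 != "total" && $2 != "up" { print $1 }'
}

# Constructed sample (modelled on the log in the post, IDs and IPs are fictitious):
# A1111111111 goes through the full re-provisioning cycle, A2222222222 gets stuck.
sample_log() {
cat <<'EOF'
2019:05:08-08:08:16 sophos red_server[18879]: SELF: Cannot do SSL handshake on socket accept from '198.51.100.7': SSL connect accept failed because of handshake problems SSL wants a read first
2019:05:08-08:08:18 sophos red_server[18880]: SELF: New connection from 198.51.100.7 with ID A1111111111 (cipher AES256-GCM-SHA384), rev1
2019:05:08-08:08:21 sophos red_server[18880]: A1111111111: Disconnecting: Received device configuration from UTM using network fallback mode successfully
2019:05:08-08:08:21 sophos red_server[18880]: id="4202" severity="info" sys="System" sub="RED" name="RED Tunnel Down" red_id="A1111111111" forced="1"
2019:05:08-08:09:33 sophos red_server[29250]: SELF: Cannot do SSL handshake on socket accept from '198.51.100.7': SSL connect accept failed because of handshake problems
2019:05:08-08:09:35 sophos red_server[29268]: SELF: New connection from 198.51.100.7 with ID A1111111111 (cipher AES256-GCM-SHA384), rev1
2019:05:08-08:09:38 sophos red_server[29268]: A1111111111: Disconnecting: Firmware update required. Trying provisioning service ...
2019:05:08-08:09:38 sophos red_server[29268]: id="4202" severity="info" sys="System" sub="RED" name="RED Tunnel Down" red_id="A1111111111" forced="1"
2019:05:08-08:12:17 sophos red_server[10949]: SELF: Cannot do SSL handshake on socket accept from '198.51.100.7': SSL connect accept failed because of handshake problems
2019:05:08-08:12:19 sophos red_server[10951]: SELF: New connection from 198.51.100.7 with ID A1111111111 (cipher AES256-GCM-SHA384), rev1
2019:05:08-08:12:25 sophos red_server[10951]: id="4201" severity="info" sys="System" sub="RED" name="RED Tunnel Up" red_id="A1111111111" forced="0"
2019:05:08-08:12:27 sophos red2ctl[17190]: Missing keepalive from reds1:0, disabling peer 198.51.100.7
2019:05:08-08:12:30 sophos red2ctl[17190]: Received keepalive from reds1:0, enabling peer 198.51.100.7
2019:05:08-08:13:02 sophos red_server[11000]: SELF: Cannot do SSL handshake on socket accept from '203.0.113.9': SSL connect accept failed because of handshake problems
2019:05:08-08:13:04 sophos red_server[11001]: SELF: New connection from 203.0.113.9 with ID A2222222222 (cipher AES256-GCM-SHA384), rev1
2019:05:08-08:13:07 sophos red_server[11001]: A2222222222: Disconnecting: Firmware update required. Trying provisioning service ...
2019:05:08-08:13:07 sophos red_server[11001]: id="4202" severity="info" sys="System" sub="RED" name="RED Tunnel Down" red_id="A2222222222" forced="1"
2019:05:08-08:15:10 sophos red_server[11002]: SELF: Cannot do SSL handshake on socket accept from '203.0.113.9': SSL connect accept failed because of handshake problems
2019:05:08-08:16:40 sophos red_server[11003]: SELF: Cannot do SSL handshake on socket accept from '203.0.113.9': SSL connect accept failed because of handshake problems
EOF
}

# With a file argument, summarise that log; without one, only define the functions.
if [ -n "${1:-}" ]; then
    red_log_summary < "$1"
fi
```

On the sample, `sample_log | red_log_summary` reports A1111111111 as `up` with 3 handshake failures and A2222222222 as `firmware-update` with 3, and `sample_log | red_log_stuck` names only A2222222222. A single handshake error before a "New connection" line is normal (every cycle in the post starts with one); what marks a stuck RED is handshake failures for its IP with no "Tunnel Up" afterwards, which is exactly the pattern the opening post describes after the 9.601/9.602-3 update. Note that the IP-to-ID mapping only works once a handshake has succeeded at least once, so a RED that never gets that far appears only in the total.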