This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[UPDATED] Reported issues in 9.1 GA release

Hi Everyone,

we want to inform you that we got a couple of customer reports about problems after GA of 9.1 and were our developement team is currently investigating the root cause.

Basically, the following issues could already be identified:

25736: RED firmwareupdate fails if upload takes longer than 3 minutes
>> Problem fixed and staged for version 9.101. Please contact support for a patch if required urgently.
>> Will be included in 9.101

25787: SSL VPN autopacketfilter rules are not set for backend group objects
>> Problem fixed and staged for version 9.101. Please contact support for a patch if required urgently
>> Will be included in 9.101

25742: ha: disabling virtual_mac for ha did not result in different mac addresses on master/slave
>> Under investigation

25868: performance regression in ins_accounting(): Postgres running on 100%
>> Will be included in 9.101

25868: Problem with compression feature in SSL VPN using non 9.100 clients
>> Please reload the SSL VPN client configuration from the user portal
>> Will be included in 9.102

25748: Sending overlay-fw on every Takeover/Restart of the UTM takes too long until all REDs are online again
>> Please wait about 10 minutes after a reboot/restart
>> Will be included in 9.101

25804: New APs not accepted by the UTM
>> Please contact support including Mac address and serial number of the device

25881: Some mailservers fail to establish smtp tls 1.2 connections
>> Planned for version 9.102

25730 Wifi [AP50] mesh: space in mesh_id leads to a reboot loop
>> Please avoid spaces in Mesh IDs
>> Will be included in 9.101

25812 Change Block password guessing to 9.0 default settings
>> Planned for 9.101

25788 Awed died without coredump and logentry due to large Mac address list
>> Under investigation. Please avoid Mac address lists larger than 200 entries

25915 eDir SSO not working, because "user" contains the IP address and not the username
>> Planned for 9.102

25945 WAF Uploads are detected as virus infected when DualScan is active
>> Planned for 9.102

We also corrected a functionality in IPSec VPN that might cause tunnels not to come up. Please have a look at In 9.1 IPSec connections could use bypass policies for a remote network without static routes. for further information.

Last but not least, we have published another knowledge base article about POP3 proxy with SSL encryption here http://www.sophos.com/en-us/support/knowledgebase/119405.aspx

We plan a 9.101 beginning of next week.

Once we have more information, I will update you here.

Cheers
Dominic

This thread was automatically locked due to age.

0 jeff.welling over 11 years ago

Re the wifi problem, try toggling the algorithm used on that wireless network. Wireless Protection -> Wireless Networks, edit the network, click advanced, toggle the algorithm. Save, try and connect. Still no love? Then toggle it back and try again. I've seen this work more often than it should.
Cancel
Vote Up 0 Vote Down

Cancel
0 Bembel over 11 years ago in reply to jeff.welling

Re the wifi problem, try toggling the algorithm used on that wireless network. Wireless Protection -> Wireless Networks, edit the network, click advanced, toggle the algorithm. Save, try and connect. Still no love? Then toggle it back and try again. I've seen this work more often than it should.

Hi Jeff,

thanks, I will try this on Monday, but to be honest, all three AP30s were working perfectly for the last months/years including all available updates...first time they fail every day.

Will report back on Monday.

Cheers!
Cancel
Vote Up 0 Vote Down

Cancel
0 Jayson over 11 years ago

Issue to report:

UTM 9.1 will connect via Site to Site SSL VPN to ASG 8.x however will not allow traffic to flow unless SSL VPN for clients is turned on 0.0

Can be reproduced. Turn off SSL VPN for client users and the Site to Site VPN stops working.
Cancel
Vote Up 0 Vote Down

Cancel
0 wingman over 11 years ago

segfault issue on 9.1 https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/21934
Cancel
Vote Up 0 Vote Down

Cancel
0 StephaneGROBETY over 11 years ago

Just a head up: we had to reinstall 2 ASLs today.

There is apparently a problem with 9.1 that causes the storage partition to fill up. It seems to be much more visible when ASL was installed with a small disk size (we used 16 gigs in a VM). From what I could gather, there seem to be an issue with the PostgreeSQL write ahead log files (WAL) where the DB never performs a proper checkpoint and therefore causes the WAL files to grow to unreasonable sizes (in one instance, we had a 58 mb data file with 2 gigs worth of WAL files).

We've restored version 9.006 and we're in discussion with Sophos support about the issue (unfortunately, it seems that between communication latency and "this is normal behavior" usual BS, getting support to acknowledge the problem isn't as quick as I'd like. We're working on it, though).
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 11 years ago

Just a head up: we had to reinstall 2 ASLs today.

There is apparently a problem with 9.1 that causes the storage partition to fill up. It seems to be much more visible when ASL was installed with a small disk size (we used 16 gigs in a VM). From what I could gather, there seem to be an issue with the PostgreeSQL write ahead log files (WAL) where the DB never performs a proper checkpoint and therefore causes the WAL files to grow to unreasonable sizes (in one instance, we had a 58 mb data file with 2 gigs worth of WAL files).

We've restored version 9.006 and we're in discussion with Sophos support about the issue (unfortunately, it seems that between communication latency and "this is normal behavior" usual BS, getting support to acknowledge the problem isn't as quick as I'd like. We're working on it, though).

The minimum size is 40 gigs disk...anything smaller and you are risking similar issues

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 11 years ago

That being said my average disk usage across all my installs is 20 gigs...but i always provision no less than 40 gigs...[:)]

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel

0 Siarom over 11 years ago in reply to wingman

segfault issue on 9.1 https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/21934

https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/28904


secg97:/root # ls -ls /var/storage/cores/

total 27872

27872 -rw-r--r-- 1 root root 28540928 May 16 12:15 websec-reporter.12854



secg97:/root # gdb /var/chroot-http/usr/bin/httpproxy /var/storage/cores/websec-reporter.12854

GNU gdb (GDB) SUSE (7.3-0.8.2.770.g338214c.rb1)

Copyright (C) 2011 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later 

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.  Type "show copying"

and "show warranty" for details.

This GDB was configured as "i686-suse-linux".

For bug reporting instructions, please see:

...

Reading symbols from /var/storage/chroot-http/usr/bin/httpproxy...Missing separate debuginfo for /var/storage/chroot-http/usr/bin/httpproxy

Try: zypper install -C "debuginfo(build-id)=20add27afa9837ca3445b528c04732c8825ed79e"

(no debugging symbols found)...done.



warning: core file may not match specified executable file.

[New LWP 12920]

[New LWP 12854]

[New LWP 12918]

[New LWP 12919]

Core was generated by `/usr/local/bin/reporter/websec-reporter.pl'.

Program terminated with signal 11, Segmentation fault.

#0  0x08057b83 in ?? ()

(gdb) bt full

#0  0x08057b83 in ?? ()

No symbol table info available.

#1  0x08058a46 in ?? ()

No symbol table info available.

#2  0x0805507d in ?? ()

No symbol table info available.

#3  0x0806b345 in ?? ()

No symbol table info available.

#4  0x080651cc in get_afc_profile ()

No symbol table info available.

#5  0xf746a809 in ?? ()

No symbol table info available.

#6  0x00000000 in ?? ()

No symbol table info available.

0 wingman over 11 years ago
I see that the pop3s issue has been removed as a bug "under investigation" but most of the users have problems accessing pop3s resources using either certificate.

After updating what seems to be the correct certificate I now get
2013:05:26-00:07:04 ***** pop3proxy[14124]: SslServer timeout
2013:05:26-00:07:04 ***** pop3proxy[14124]: Prefetcher exception occurred
2013:05:26-00:07:04 ***** pop3proxy[14124]: Failed to shutdown SSL connection

Update: It seems that there is a bug ID already ->> 25070. Maybe the first post can be updated to include this? (reference https://community.sophos.com/products/unified-threat-management/astaroorg/f/80/t/65035)
Cancel
Vote Up 0 Vote Down

Cancel
0 utm_kid over 11 years ago in reply to Siarom

hi siarom,

Can you post outfull of this also with bt full

gdb /usr/local/bin/reporter/websec-reporter.pl /var/storage/cores/websec-reporter.???? ( 12854 ?) also

thanks
Cancel
Vote Up 0 Vote Down

Cancel