This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[UPDATED] Reported issues in 9.1 GA release

Hi Everyone,

we want to inform you that we got a couple of customer reports about problems after GA of 9.1 and were our developement team is currently investigating the root cause.

Basically, the following issues could already be identified:

25736: RED firmwareupdate fails if upload takes longer than 3 minutes
>> Problem fixed and staged for version 9.101. Please contact support for a patch if required urgently.
>> Will be included in 9.101

25787: SSL VPN autopacketfilter rules are not set for backend group objects
>> Problem fixed and staged for version 9.101. Please contact support for a patch if required urgently
>> Will be included in 9.101

25742: ha: disabling virtual_mac for ha did not result in different mac addresses on master/slave
>> Under investigation

25868: performance regression in ins_accounting(): Postgres running on 100%
>> Will be included in 9.101

25868: Problem with compression feature in SSL VPN using non 9.100 clients
>> Please reload the SSL VPN client configuration from the user portal
>> Will be included in 9.102

25748: Sending overlay-fw on every Takeover/Restart of the UTM takes too long until all REDs are online again
>> Please wait about 10 minutes after a reboot/restart
>> Will be included in 9.101

25804: New APs not accepted by the UTM
>> Please contact support including Mac address and serial number of the device

25881: Some mailservers fail to establish smtp tls 1.2 connections
>> Planned for version 9.102

25730 Wifi [AP50] mesh: space in mesh_id leads to a reboot loop
>> Please avoid spaces in Mesh IDs
>> Will be included in 9.101

25812 Change Block password guessing to 9.0 default settings
>> Planned for 9.101

25788 Awed died without coredump and logentry due to large Mac address list
>> Under investigation. Please avoid Mac address lists larger than 200 entries

25915 eDir SSO not working, because "user" contains the IP address and not the username
>> Planned for 9.102

25945 WAF Uploads are detected as virus infected when DualScan is active
>> Planned for 9.102

We also corrected a functionality in IPSec VPN that might cause tunnels not to come up. Please have a look at In 9.1 IPSec connections could use bypass policies for a remote network without static routes. for further information.

Last but not least, we have published another knowledge base article about POP3 proxy with SSL encryption here http://www.sophos.com/en-us/support/knowledgebase/119405.aspx

We plan a 9.101 beginning of next week.

Once we have more information, I will update you here.

Cheers
Dominic

This thread was automatically locked due to age.

0 Siarom over 11 years ago in reply to utm_kid

hi siarom,

Can you post outfull of this also with bt full

gdb /usr/local/bin/reporter/websec-reporter.pl /var/storage/cores/websec-reporter.???? ( 12854 ?) also

thanks

Sorry, had forwarded the debug wrong in the last post.


secg97:/var/storage/cores # gdb /usr/local/bin/reporter/websec-reporter.pl /var/storage/cores/websec-reporter.12854

GNU gdb (GDB) SUSE (7.3-0.8.2.770.g338214c.rb1)

Copyright (C) 2011 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later 

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.  Type "show copying"

and "show warranty" for details.

This GDB was configured as "i686-suse-linux".

For bug reporting instructions, please see:

...

Reading symbols from /usr/local/bin/reporter/websec-reporter.pl...Missing separate debuginfo for /usr/local/bin/reporter/websec-reporter.pl

Try: zypper install -C "debuginfo(build-id)=7ac5aa852a0b148e8f9fab4e7feed9a7ea4c5307"

(no debugging symbols found)...done.



warning: core file may not match specified executable file.

[New LWP 12920]

[New LWP 12854]

[New LWP 12918]

[New LWP 12919]

Missing separate debuginfo for /usr/lib/libpq.so.5

Try: zypper install -C "debuginfo(build-id)=8af2c35b05b774e56a45ed0235d12dc6568c42e6"

Missing separate debuginfo for /usr/lib/libglib-2.0.so.0

Try: zypper install -C "debuginfo(build-id)=8af2c35b05b774e56a45ed0235d12dc6568c42e6"

Missing separate debuginfo for /lib/librt.so.1

Try: zypper install -C "debuginfo(build-id)=8af2c35b05b774e56a45ed0235d12dc6568c42e6"

Missing separate debuginfo for /lib/libc.so.6

Try: zypper install -C "debuginfo(build-id)=8af2c35b05b774e56a45ed0235d12dc6568c42e6"

Missing separate debuginfo for /lib/ld-linux.so.2

Try: zypper install -C "debuginfo(build-id)=cfd0ad7248f6a295d1b11492d84901f5c3e97263"

Missing separate debuginfo for

Try: zypper install -C "debuginfo(build-id)=cfd0ad7248f6a295d1b11492d84901f5c3e97263"

Missing separate debuginfo for /usr/lib/libpq.so.5

Try: zypper install -C "debuginfo(build-id)=4be883b35e6868448655b2314ca5c3ba5e4bbf14"

Missing separate debuginfo for /usr/lib/libglib-2.0.so.0

Try: zypper install -C "debuginfo(build-id)=c17d5611135b977cbd2f0a712591fbafb29aebce"

Missing separate debuginfo for /lib/librt.so.1

Try: zypper install -C "debuginfo(build-id)=18d1d9bfdb11844bfbba54b84fa20faa561e7cb5"

Missing separate debuginfo for /lib/libc.so.6

Try: zypper install -C "debuginfo(build-id)=8af2c35b05b774e56a45ed0235d12dc6568c42e6"

Missing separate debuginfo for /lib/libpthread.so.0

Try: zypper install -C "debuginfo(build-id)=d534247615c88be8aba8e01d7c839da7f7d38ffa"

[Thread debugging using libthread_db enabled]

Missing separate debuginfo for /lib/ld-linux.so.2

Try: zypper install -C "debuginfo(build-id)=c1629bc12c968b5831da4b501520eb42288354f5"

Missing separate debuginfo for /lib/libnss_compat.so.2

Try: zypper install -C "debuginfo(build-id)=94306ef3a4a229255ba41ddeed7b5ee84b1c4657"

Missing separate debuginfo for /lib/libnsl.so.1

Try: zypper install -C "debuginfo(build-id)=f88eb57b3bab2ace6279892fc422052336748a91"

Missing separate debuginfo for /lib/libnss_nis.so.2

Try: zypper install -C "debuginfo(build-id)=267357058e8185faf3b30c9954db55d56ec64eb0"

Missing separate debuginfo for /lib/libnss_files.so.2

Try: zypper install -C "debuginfo(build-id)=7a8a3edc4aa3ac22c888ad145f9753bccdaefda9"

Missing separate debuginfo for /lib/libnss_dns.so.2

Try: zypper install -C "debuginfo(build-id)=dc18609708a6aee39b598a259372ff08f5ca91c8"

Missing separate debuginfo for /lib/libresolv.so.2

Try: zypper install -C "debuginfo(build-id)=3bd598c7c5949c4a9c13e8f57fe0960a30e2808d"

Core was generated by `/usr/local/bin/reporter/websec-reporter.pl'.

Program terminated with signal 11, Segmentation fault.

#0  0x08057b83 in get_searched_term ()

(gdb) bt full

#0  0x08057b83 in get_searched_term ()

No symbol table info available.

#1  0x08058a46 in websecsearch_create ()

No symbol table info available.

#2  0x0805507d in websec_insert ()

No symbol table info available.

#3  0x0806b345 in yyparse ()

No symbol table info available.

#4  0x080651cc in parser_thread_task ()

No symbol table info available.

#5  0xf746a809 in start_thread () from /lib/libpthread.so.0

No symbol table info available.

#6  0xf755930e in clone () from /lib/libc.so.6

No symbol table info available.

Backtrace stopped: Not enough registers or memory available to unwind further

0 wingman over 11 years ago

Also minor issues with version 9.1

https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/21922

https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/21921

https://community.sophos.com/products/unified-threat-management/astaroorg/f/56/t/49438

https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/21917
Cancel
Vote Up 0 Vote Down

Cancel
0 danletkeman over 11 years ago in reply to StephaneGROBETY

Just a head up: we had to reinstall 2 ASLs today.

There is apparently a problem with 9.1 that causes the storage partition to fill up. It seems to be much more visible when ASL was installed with a small disk size (we used 16 gigs in a VM). From what I could gather, there seem to be an issue with the PostgreeSQL write ahead log files (WAL) where the DB never performs a proper checkpoint and therefore causes the WAL files to grow to unreasonable sizes (in one instance, we had a 58 mb data file with 2 gigs worth of WAL files).

We've restored version 9.006 and we're in discussion with Sophos support about the issue  (unfortunately, it seems that between communication latency and "this is normal behavior" usual BS, getting support to acknowledge the problem isn't as quick as I'd like. We're working on it, though).

Same problem here.  It's not that the disk is too small, as we have been running with a 20 gig log disk and a 16 gig data disk for a long time on 9.x.  But now after the 9.1 upgrade it fill's up very quickly.

Our http proxy is also crashing all of the time.  Not impressed so far.
Cancel
Vote Up 0 Vote Down

Cancel
0 utm_kid over 11 years ago in reply to danletkeman

Our http proxy is also crashing all of the time. Not impressed so far.

Hi ,

Can you please check /var/storage/cores and check your kernel log also do you have any segfault ,if any please report here make sure your data disk not running out of space otherwise there was be another problem ,if you have core-dump in /var/storages/cores please report here with -ls -l

thx
Cancel
Vote Up 0 Vote Down

Cancel
0 danletkeman over 11 years ago in reply to utm_kid

Hi ,

Can you please check /var/storage/cores and check your kernel log also do you have any segfault ,if any please report here make sure your data disk not running out of space otherwise there was be another problem ,if you have core-dump in /var/storages/cores please report here with -ls -l

thx

Yes we do. We also have an open support ticket.

2013:05:27-08:55:09 utm1 kernel: [253147.948185] httpproxy[5840]: segfault at e4 ip 00000000f774e792 sp 00000000ef74ac00 error 4 in libssl.so.1.0.0[f770f000+5c000]

I have been deleting the files in the /var/storage/cores to keep the data disk from filling up.

utm1:/var/storage/cores # ls -l
total 6566012
-rw-r--r-- 1 root root 3147612160 May 24 10:26 httpproxy.29291
-rw-r--r-- 1 root root 3575975936 May 27 08:57 httpproxy.5671
utm1:/var/storage/cores #
Cancel
Vote Up 0 Vote Down

Cancel
0 stealthmatt_01 over 11 years ago

We have reported the same issue with the http proxy restarting daily because of a segfault as well.

Apparently is a confirmed bug but no resolution

Bugid: 25905

Have your reported this restart issue? More people who report it will get it more action.
Cancel
Vote Up 0 Vote Down

Cancel

0 wingman over 11 years ago

9.101-12 is out [:)] -if you upgrade remember the segfault issue and how to stop them

News:
 Bugfix Release
 Fixed: Fixed problems with AD backend groups and SSL VPN
 Fixed: Some stability improvements for SMTP proxy
 Fixed: Some localization corrections
 Changed: Block password guessing feature enabled per default only for WebAdmin/Portal/SSH
 Changed: Increase timeout for RED downloads

Bugfixes:
 Fix [25305]: IE8: Some object tables remain empty
 Fix [25730]: Wifi [AP50] mesh: space in mesh_id leads to a reboot loop
 Fix [25736]: RED firmware update fails if upload takes longer than 3 minutes
 Fix [25748]: Sending overlay-fw on every Takeover/Restart of the UTM takes too long until all REDs are online again
 Fix [25787]: SSL VPN autopacketfilter rules are not set for backend group objects
 Fix [25794]: HA: After takeover, several services fail because interfaces are incorrectly marked as offline
 Fix [25868]: performance regression in ins_accounting(): Postgres running on 100%

0 Siarom over 11 years ago

Waiting anxiously by the version 9.102
Cancel
Vote Up 0 Vote Down

Cancel
0 luckman212 over 11 years ago

I am confused can someone please clarify 2 things for me:

1) is 9.101-12 really out? Where can I download it?
2) what is the 'segfault issue' I clicked on that link but honestly I didn't see any clear explanation of what the solution was -- I am supposed to stop syslog-ng??
Cancel
Vote Up 0 Vote Down

Cancel
0 gilipeled over 11 years ago

Hi ,

9.101-12 is released and it is in the UP2date on the FTP servers .
You are free to download and install.
There are still unsolved things in this ver Lillie AD SSO.
But few thing are corrected already so just download and install.

All my best

Gil Peled.

CEO- Expert2IT LTD.

SOPHOS Platinum Partner.

Gil@expert2it.co.Il.
Cancel
Vote Up 0 Vote Down

Cancel