This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Bad SG330 Installation?

While I wait for Sophos "Premium Support" to call me back, I thought I would drop in here with a back story and a couple of questions.

We purchased a SG330 about a year ago, and we haven't been able to use it. Every time we deploy it into production (3 times), things start breaking. The first time we deployed it was July 2015. After configuring and testing it for a couple of months, we deployed it, and we had the typical minor issues you get when you deploy a new firewall. We'd tweak the rules or settings, and all was fine - or so we thought. Later during the day, we had phones start dropping offline randomly. We discovered they would drop off once their DHCP lease was expired and they tried to renew. We checked the DHCP relay settings in the UTM, and they were fine. We checked the logs, and we saw no DHCP traffic (allowed or blocked). Verified our internal->Any->internal->allow rule was at the top and logging traffic. Still no DHCP traffic in the logs. Fine, we'll setup DHCP on the UTM. Reset phones, they start getting IP addresses, and we see DHCP traffic in the logs. A few hours go by, and we start having issues with DHCP renewals again. This time we have workstations that are unable to pull IP addresses. Some get a lease, others do not. Check the logs, and we see that the ones that get a lease show in the logs, but the ones that don't get a lease do not show in the logs. We realize something is wrong, set the DHCP back from server to forward, and engage Sophos support. Long story short, they identify the "cause" as the DHCP clients refusing the offer because the IP address is already in use. I try to explain to them that was the case because of us moving the DHCP services to the UTM, but according to the documentation, their DHCP server pings an IP address before it offers it to a client, so that is not really what's going on since we still had the no lease issue when we used the UTM DHCP server. I showed them that the UTM was having issues with UDP, but they weren't having any of it and closed the case against my protest. We took the UTM out, put our WatchGuard back in place, and had no more issues.

Fast forward to the beginning of April 2016, and upper management is wanting their expensive new UTM installed. Fine, there are a few updates, lets install those and try it again. Maybe those fixed the issue. Nope. Put the updated UTM in place when everything was down, turned on our VMWare servers, and started having issues. The servers would not register with vCenter, but we could control them directly. Called VMWare support (which answered the phone right away), explained the issue, and they identified the problem as the servers were unable to contact the vCenter server on UDP port 900. Once she said that, I swapped out the router, and the servers had no issues registering. Finished up maintenance, and had no more issues.

Fast forward to yesterday, and see that I can install 9.4. Hopefully that's the fix... nope. Call Sophos "Premium Support" and I hang up after an hour and a half of being told an engineer will be with me "as soon as possible." Put the WatchGuard back in place, and call it a night. I'm still waiting for Sophos to call me back from the email I sent them. /rant

TLDR; SG330 has issues with UDP packets, Sophos "support" is helpless, can't use our new UTM

Now to the questions. I see that a factory reset only deletes the configs, clears cache, and removes the logs. How would I go about doing a wipe and reload of the firmware on the SG330? And, where would I go about getting the latest firmware to do that install?

Thanks,

Carl



This thread was automatically locked due to age.
Parents
  • Carl,

    Changing DHCP settings can be very painful... I just went through a similar situation on my network. Sophos support deleted and rebuilt the DHCP server on my UTM as part of troubleshooting. Everything was fine until the first round of DHCP renewals. Devices had IPs from the "old" DHCP server and the "new" server knew nothing of these assignments so it just handed out addresses like candy. Conflicts arose fast just like your experience.

    Here's how I recovered after Sophos boned my network (keep in mind I only had about 30 devices to deal with)...

    -First make sure you've assigned any required static IPs in the UTM configuration.

    -Change the IP range the DHCP is issuing to a different, temporary range with a low time to live. I went to 192.168.5.x at 30 minute renewals. Conflicts should not exist since every device is getting a brand new IP address.

    -Now wait for all of the devices to swap the new range. Force DHCP renewals if possible to speed things up.

    -Once everything is stable on the temporary range change the DHCP settings back to the desired range and TTL.  In about 30 minutes devices should pulling the new IPs, again without conflict.

    It took about 4 hours to find a way to fix the situation but only took an hour to execute since I could manually release and renew every device.

    Hopefully this helps you,

    Doug

Reply
  • Carl,

    Changing DHCP settings can be very painful... I just went through a similar situation on my network. Sophos support deleted and rebuilt the DHCP server on my UTM as part of troubleshooting. Everything was fine until the first round of DHCP renewals. Devices had IPs from the "old" DHCP server and the "new" server knew nothing of these assignments so it just handed out addresses like candy. Conflicts arose fast just like your experience.

    Here's how I recovered after Sophos boned my network (keep in mind I only had about 30 devices to deal with)...

    -First make sure you've assigned any required static IPs in the UTM configuration.

    -Change the IP range the DHCP is issuing to a different, temporary range with a low time to live. I went to 192.168.5.x at 30 minute renewals. Conflicts should not exist since every device is getting a brand new IP address.

    -Now wait for all of the devices to swap the new range. Force DHCP renewals if possible to speed things up.

    -Once everything is stable on the temporary range change the DHCP settings back to the desired range and TTL.  In about 30 minutes devices should pulling the new IPs, again without conflict.

    It took about 4 hours to find a way to fix the situation but only took an hour to execute since I could manually release and renew every device.

    Hopefully this helps you,

    Doug

Children
No Data