
UTM 9.404 Soft-Release

Hi all,

UTM 9.404 has been Soft-Released today and can be found on the FTP server as usual (ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.403004-404005.tgz.gpg).

Here is the changelog:

 

News

  • Maintenance Release

Remarks

  • System will be rebooted
  • Configuration will be upgraded
  • Connected REDs will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade

Bugfixes

  • NUTM-1775 [Access & Identity] 35668: DHCP Broadcast over all RED LAN ports causing wrong IP address assignment
  • NUTM-1784 [Access & Identity] implement "TLS 1.2 only" switch for RED to UTM communication
  • NUTM-2404 [Access & Identity] 36172: RED15 has loaded fallback network config
  • NUTM-2841 [Access & Identity] 36224: WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_expect.c:51 nf_ct_unlink_expect_report+0x5e/0xd1 [nf_conntrack]()
  • NUTM-3415 [Access & Identity] PPTP VPN with an IP Pool 172.16.0.0/20 doesn't work correctly
  • NUTM-3439 [Access & Identity] After upgrade to 9.4 and using SSL VPN the IPv4 traffic is not going over the full tunnel
  • NUTM-3536 [Access & Identity] RED15 traffic not possible, red_server reports "Unable to get proc entry"
  • NUTM-3719 [Access & Identity] mdw errors when configuring a RED device
  • NUTM-3735 [Access & Identity] SSL VPN IP pool should not be usable without IPv4
  • NUTM-3757 [Access & Identity] SSL VPN: don't push IPv6 interface address if no IPv6 route is pushed
  • NUTM-3763 [Access & Identity] SSL VPN client cannot be downloaded from userportal with IE
  • NUTM-3843 [Access & Identity] SSL VPN route injection into OSPF not working properly after update to 9.4
  • NUTM-3867 [Access & Identity] SMC: WEP passwords are not pushed correctly
  • NUTM-3924 [Access & Identity] PPTP and iOS with config from userportal doesn't work properly
  • NUTM-3934 [Access & Identity] RED: CON_CLOSE provide information to UTM if peer is not stable enough
  • NUTM-3962 [Access & Identity] IPsec doesn't work with SHA2
  • NUTM-4173 [Access & Identity] Since Update to 9.4 IPsec site-to-site connections won't work after pppoe reconnect
  • NUTM-3982 [Basesystem] Errors in Notifications Database
  • NUTM-2677 [HA/Cluster] 36293: The Slave node in HA doesn't show any resource usage
  • NUTM-2235 [Network] 35662: Additional addresses of a PPPoE interface are not reachable after takeover
  • NUTM-3684 [Network] APN can't be changed if LTE is selected as network
  • NUTM-3061 [Reporting] Remote Access filtering is not working correctly if the username contains a "\" sign
  • NUTM-3662 [Reporting] wrong descriptions for CRIT-065 and INFO-007 in MIB file
  • NUTM-3753 [Reporting] Remote Access Accounting not recording L2TP sessions
  • NUTM-4306 [Reporting] postgres[xxxxx]: [x-x] STATEMENT: select src_ip, virt_ip, virt_ip6, logintime, service from vpn where status = 0 and logintime = logouttime LIMIT 1000
  • NUTM-3689 [SUM] device agent claims SUM objects
  • NUTM-3028 [Virtualization] HyperV interface handling (9.4)
  • NUTM-3482 [WAF] form template unchanged with update from 9.355 to 9.4
  • NUTM-3694 [WAF] Customized mod_security rule didn't work correctly
  • NUTM-3748 [WAF] Content length and content get lost when using form-hardening
  • NUTM-4119 [WAF] SSL is not used to transfer sticky session cookies
  • NUTM-3172 [WebAdmin] Support tools - PPPoE shows itfhw instead of vlantag
  • NUTM-3113 [Web] Proxy freeze after Savi update
  • NUTM-3118 [Web] "Remove embedded objects" / "Disable JavaScript" shows script code
  • NUTM-3367 [Web] "Unblock URL" button is displayed even when "Users/Groups Allowed to Bypass Blocking" is empty
  • NUTM-3485 [Web] HTTP Proxy profile matching doesn't work for DNS groups which contain IPv6 addresses
  • NUTM-3550 [Web] frox segfaults/core dumps while uploading files
  • NUTM-3554 [Web] Error returned from samba command on AD sync
  • NUTM-3617 [Web] Sandstorm Database Error
  • NUTM-3710 [Web] New exception regex for Chrome Update
  • NUTM-3844 [Web] If using a ' character in file name, postgres is not able to insert this to the TransactionLog (Sandbox)
  • NUTM-3920 [Web] Sandbox: cleaning up old data in TransactionLog on slave nodes raises postgres errors
  • NUTM-4055 [Web] HTTP Proxy causing weird log entries in uma.log
  • NUTM-3039 [WiFi] RADIUS authentication failover via Availability Group not working correctly
  • NUTM-3072 [WiFi] Hotspot: race condition if multiple logins per MAC
  • NUTM-3472 [WiFi] wireless.log - download_ca: CA fingerprint overwritten by TA / No trusted fingerprint found in certificate chain HUB.
  • NUTM-3760 [WiFi] WIFI profile pushed to SMC using same name
  • NUTM-4117 [WiFi] Mesh AP's all go down and do not come back up
  • NUTM-4151 [WiFi] AP30 (possibly other models) not becoming active anymore after update to >= 9.400
  • NUTM-4126 [[Backend/Devel] Confd] Clean up of duplicate Domain-Regex
  • NUTM-4142 [[Backend/Devel] Confd] Remote Access Manager can't deactivate a VPN profile with groups
  • NUTM-4158 [[Backend/Devel] Confd] confd[xxx]: parse_formats: unrecognized tag format: FUNC__XXX
  • NUTM-4160 [[Backend/Devel] Confd] Accessing WebAdmin as non-superuser repeatedly raises "NODE_READ_DENIED" error on confd node "migration->tab_visibility"

Regards,

Benjamin



This thread was automatically locked due to age.
  • After this update has become GA and available on all of the UTMs I manage, I have installed it to my Home UTM and have so far not found any problems in my environment.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT-security and feeling well helping others with their IT-security challenges.

  • I've noticed a strange behavior when updating active/passive nodes. I've checked on three clusters, and all of them presented the same symptom:

    On master node, up2date files are correct:

    <M> utmsp:/root # ll /var/up2date/sys
    total 450388
    -rw-r--r-- 1 root root 43781654 May 24 09:36 u2d-sys-9.355001-356003.tgz.gpg
    -rw-r--r-- 1 root root 417408543 Jun 28 05:13 u2d-sys-9.356003-404005.tgz.gpg

    On slave node, those are different:

    <S> utmsp:/root # ll /var/up2date/sys
    total 1004204
    -rw-r--r-- 1 root root 43781654 May 24 09:36 u2d-sys-9.355001-356003.tgz.gpg
    -rw-r--r-- 1 root root 402123204 May 24 09:58 u2d-sys-9.356003-401011.tgz.gpg
    -rw-r--r-- 1 root root 417408543 Jun 28 05:13 u2d-sys-9.356003-404005.tgz.gpg
    -rw-r--r-- 1 root root 158211444 May 24 10:02 u2d-sys-9.401011-402007.tgz.gpg
    -rw-r--r-- 1 root root 6758490 May 24 10:35 u2d-sys-9.402007-403004.tgz.gpg

    It appears that the up2date file chain was updated in the last few days, but, for some reason, slave nodes are not getting the new files.

    It should not create issues, considering that the up2date chain appears to be correct, although different on master and slave, but it does. Last night, when upgrading a cluster, the slave failed to update, probably because the chain of updates was different on the devices, and it went into reserved mode. To make things worse, the master node was upgraded and rebooted anyway, so my HA went offline for a few minutes. I had to scp the right update files onto the slave and manually upgrade it to match the master node version, which allowed it to be taken out of reserved mode. Afterwards, everything was working, including the failover/failback.

    So, a word of advice: ssh into the master node and check if the update files chain is correct. It should be.

    Run "ha_utils ssh" to ssh into the slave node and check the update files. If they mismatch, delete those files from /var/update/sys/ on BOTH nodes, set firmware download to "Manual" in WebAdmin and force a new firmware update check. Both master and slave will redownload the update files, and this time both should have the same files and up2date should run smoothly.

    BTW, this has been seen before: https://community.sophos.com/products/unified-threat-management/f/52/t/77407

    If you have an HA, take precautions. It will only take a few minutes, but it will prevent a lot of pain.

    UPDATE: a simple reboot on the slave node seems to fix this, if you are indeed seeing different up2date files on master and slave. If not, just go ahead and update. I had no other issues so far.

    Regards - Giovani
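
One way to make the master/slave comparison described in the post above repeatable, as an added example that is not part of the original thread and not a Sophos tool. It takes saved `ll /var/up2date/sys` output from each node (the sample listings are constructed from the ones posted), reports packages that exist on only one node or differ in size, and flags versions from which more than one package starts; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not a Sophos tool. Input is saved `ll /var/up2date/sys` output
# from each node; the two samples below are constructed from the post above.
MASTER_LS='-rw-r--r-- 1 root root 43781654 May 24 09:36 u2d-sys-9.355001-356003.tgz.gpg
-rw-r--r-- 1 root root 417408543 Jun 28 05:13 u2d-sys-9.356003-404005.tgz.gpg'
SLAVE_LS='-rw-r--r-- 1 root root 43781654 May 24 09:36 u2d-sys-9.355001-356003.tgz.gpg
-rw-r--r-- 1 root root 402123204 May 24 09:58 u2d-sys-9.356003-401011.tgz.gpg
-rw-r--r-- 1 root root 417408543 Jun 28 05:13 u2d-sys-9.356003-404005.tgz.gpg
-rw-r--r-- 1 root root 158211444 May 24 10:02 u2d-sys-9.401011-402007.tgz.gpg
-rw-r--r-- 1 root root 6758490 May 24 10:35 u2d-sys-9.402007-403004.tgz.gpg'

# Print "size name" for every u2d-sys package in a listing read from stdin.
# Keeping the size also catches a same-named file that differs between nodes.
u2d_pkgs() {
    awk '$NF ~ /^u2d-sys-[0-9]+\.[0-9]+-[0-9]+\.tgz\.gpg$/ { print $5, $NF }' | sort -k2
}

# Print packages (size + name) present in listing $1 but missing from listing $2.
u2d_only_in() {
    other=$(printf '%s\n' "$2" | u2d_pkgs)
    printf '%s\n' "$1" | u2d_pkgs | while IFS= read -r pkg; do
        printf '%s\n' "$other" | grep -qxF -- "$pkg" || printf '%s\n' "$pkg"
    done
}

# Print each starting version that has more than one package on stdin's listing,
# i.e. a fork in the update chain (name layout: u2d-sys-<from>-<to>.tgz.gpg).
u2d_forks() {
    u2d_pkgs | awk '{ split($2, p, "-"); n[p[3]]++ }
                    END { for (v in n) if (n[v] > 1) print v }' | sort
}

# Return 0 when both nodes hold the same package set, 1 (with a report) otherwise.
# $1 = master listing, $2 = slave listing.
u2d_compare() {
    m=$(u2d_only_in "$1" "$2")
    s=$(u2d_only_in "$2" "$1")
    if [ -z "$m" ] && [ -z "$s" ]; then return 0; fi
    if [ -n "$m" ]; then printf 'only on master:\n%s\n' "$m"; fi
    if [ -n "$s" ]; then printf 'only on slave:\n%s\n' "$s"; fi
    return 1
}

u2d_compare "$MASTER_LS" "$SLAVE_LS" ||
    printf 'chain forks on slave at: %s\n' "$(printf '%s\n' "$SLAVE_LS" | u2d_forks)"
```

A non-zero return from `u2d_compare` before an HA upgrade is the condition the post says to resolve first; whether a fork by itself makes the slave fail is the poster's hypothesis, not something the script establishes.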
