
Sophos UTM 9.406-3 released


Up2Date 9.406003 package description:

Remark:
System will be rebooted

News:
Security Release

Bugfixes:
Fix [NUTM-1616]: [AWS] Change AMI type to HVM
Fix [NUTM-4839]: [AWS] AWS Instances in GovCloud need to use S3 buckets in GovCloud
Fix [NUTM-5013]: [Network] TCP Vulnerability (CVE-2016-5696)

RPM packages contained:
perf-tools-3.12.48-0.237935773.g86aa827.i686.rpm
ep-ha-aws-9.40-191.g83c01f2.rb1.noarch.rpm
ep-webadmin-9.40-640.g7ad4baa.rb8.i686.rpm
ep-cloud-ec2-9.40-26.g00cde1e.rb2.i686.rpm
kernel-smp-3.12.48-0.237935773.g86aa827.i686.rpm
kernel-smp64-3.12.48-0.237935773.g86aa827.x86_64.rpm
ep-release-9.406-3.noarch.rpm

  • Installed on 6 UTM's so far - in private network :-) - Everything seems normal...

    ----

    Best regards Martin ;-)

    Sophos UTM Certified Engineer 9.5
    Sophos  XG  Certified Engineer 17.1
    Homelab: 1 x SG210 XG v18 - 3xAPX530 - 1 x SG210 v9.7 - 1 x UTM 220 v9.7 - 1 x SG135 v9.7 (All Fullguard Plus licenses)

  • twister5800 said:

    Installed on 6 UTM's so far - in private network :-) - Everything seems normal...

    Unfortunately, nothing normal here. Installed 9.406-3 on a client network and now the 2 BO-VPN connections don't pass any traffic. Totally at a loss as to how to fix it.

    I'm not at all happy this morning.

  • Trane Francks said:

    Unfortunately, nothing normal here. Installed 9.406-3 on a client network and now the 2 BO-VPN connections don't pass any traffic. Totally at a loss as to how to fix it.

    I'm not at all happy this morning.

    BO-VPN? - What is that?
    Please post some IPSEC live logs from the device :-)

    ----

    Best regards Martin ;-)


  • twister5800 said:
    BO-VPN? - What is that?

    "Branch Office VPN". Another way of saying Site-to-Site.

    Please post some IPSEC live logs from the device :-)
    Not much to see:
    2016:09:15-20:03:55 mnres pluto[5796]: "S_FW-xxx" #17: Peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
    2016:09:15-20:03:55 mnres pluto[5796]: "S_FW-xxx" #17: we don't have a cert
    2016:09:15-20:03:55 mnres pluto[5796]: "S_FW-xxx" #17: Dead Peer Detection (RFC 3706) enabled
    2016:09:15-20:03:55 mnres pluto[5796]: "S_FW-xxx" #17: sent MR3, ISAKMP SA established
    2016:09:15-20:12:17 mnres pluto[5796]: "S_FW-xxx" #18: responding to Quick Mode
    2016:09:15-20:12:18 mnres pluto[5796]: "S_FW-xxx" #18: IPsec SA established {ESP=>0x1b171b9d <0x79e15ac5 DPD}
    2016:09:15-20:20:33 mnres pluto[5796]: packet from xxx.xxx.xxx.xxx:500: Informational Exchange is for an unknown (expired?) SA
    2016:09:15-20:29:40 mnres pluto[5796]: "S_FW-xxx" #17: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xb77ca9a9) not found (maybe expired)
    2016:09:15-21:00:07 mnres pluto[5796]: "S_FW-xxx" #19: responding to Quick Mode
    2016:09:15-21:00:07 mnres pluto[5796]: "S_FW-xxx" #19: IPsec SA established {ESP=>0x7bb54e65 <0x9164dfce DPD}
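A small triage pass over the pluto lines quoted above, added here as an example (not Sophos code or the poster's own; the sample text is the posted log with the peer address masked as posted): it records the ESP SPIs of each child SA this side logged and flags the two lines where the peer refers to an SA this side does not hold, which is the detail to compare against the far end's log when a tunnel shows as established yet passes no traffic.

```python
import re

# Constructed sample: the pluto lines posted in the thread above, peer address masked as posted.
SAMPLE_LOG = """\
2016:09:15-20:03:55 mnres pluto[5796]: "S_FW-xxx" #17: Peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
2016:09:15-20:03:55 mnres pluto[5796]: "S_FW-xxx" #17: we don't have a cert
2016:09:15-20:03:55 mnres pluto[5796]: "S_FW-xxx" #17: Dead Peer Detection (RFC 3706) enabled
2016:09:15-20:03:55 mnres pluto[5796]: "S_FW-xxx" #17: sent MR3, ISAKMP SA established
2016:09:15-20:12:17 mnres pluto[5796]: "S_FW-xxx" #18: responding to Quick Mode
2016:09:15-20:12:18 mnres pluto[5796]: "S_FW-xxx" #18: IPsec SA established {ESP=>0x1b171b9d <0x79e15ac5 DPD}
2016:09:15-20:20:33 mnres pluto[5796]: packet from xxx.xxx.xxx.xxx:500: Informational Exchange is for an unknown (expired?) SA
2016:09:15-20:29:40 mnres pluto[5796]: "S_FW-xxx" #17: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xb77ca9a9) not found (maybe expired)
2016:09:15-21:00:07 mnres pluto[5796]: "S_FW-xxx" #19: responding to Quick Mode
2016:09:15-21:00:07 mnres pluto[5796]: "S_FW-xxx" #19: IPsec SA established {ESP=>0x7bb54e65 <0x9164dfce DPD}
"""

# Prefix every pluto line shares; connection name and state number are absent on "packet from" lines.
LINE_RE = re.compile(r'^(?P<ts>\S+) \S+ pluto\[\d+\]: (?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$')
ESTAB_RE = re.compile(r'IPsec SA established \{ESP=>(?P<out>0x[0-9a-f]+) <(?P<inb>0x[0-9a-f]+)')
DELETE_RE = re.compile(r'ignoring Delete SA payload: PROTO_IPSEC_ESP SA\((?P<spi>0x[0-9a-f]+)\) not found')


def triage(log):
    """Return (established, findings).

    established maps "conn#state" to the (outbound, inbound) ESP SPIs this side logged;
    findings lists (timestamp, note) for lines where the peer refers to an SA this side does not hold.
    """
    established = {}
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, conn, sa, msg = m.group('ts', 'conn', 'sa', 'msg')
        e = ESTAB_RE.search(msg)
        d = DELETE_RE.search(msg)
        if e:
            established[f'{conn}#{sa}'] = (e['out'], e['inb'])
        elif 'unknown (expired?) SA' in msg:
            findings.append((ts, 'peer sent an Informational Exchange for an ISAKMP SA this side no longer has'))
        elif d:
            # SPIs this side has logged so far; a delete for anything else means the two ends disagree.
            known = {spi for pair in established.values() for spi in pair}
            if d['spi'] not in known:
                findings.append((ts, f"peer deleted ESP SA {d['spi']}, which this side never logged as established"))
    return established, findings
```

Run it on a full day's live log from both ends and match the SPIs in the findings against the far side's "IPsec SA established" lines; the first mismatch is where the two peers' SA state diverged.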
  • Thanks for clarifying, I guess I still have a lot to learn :-D

    Hmm...IPSEC looks great, what about firewall, when you try to access something on "far side" on when and vice versa (Hope you have logging enabled in IPSEC :-) )

    I have now upgraded 15 devices, 4 with HA active/passive, 8 sites have IPSEC, and no issues...

    ----

    Best regards Martin ;-)


  • twister5800 said:

    Thanks for clarifying, I guess I still have a lot to learn :-D

    Hmm...IPSEC looks great, what about firewall, when you try to access something on "far side" on when and vice versa (Hope you have logging enabled in IPSEC :-) )

    I have now upgraded 15 devices, 4 with HA active/passive, 8 sites have IPSEC, and no issues...

    The firewall shows nothing regarding the IPsec traffic. It is a mystery. With one of the two tunnels suddenly starting to work (sporadically), I'm more confused than ever. When the one tunnel stops working, restarting the SG230 (HQ) and SG115 (branch) seems to get it working again for a few hours. Rebooting several times/day now.

    It's kind of ridiculous. I will most assuredly not be installing this on any of my other client sites.

  • I know it may be hard work to mask confidential info, but can you send the whole live log from ipsec for a whole day?

    Have you started a support case with support?

    ----

    Best regards Martin ;-)


  • twister5800 said:

    I know it may be hard work to mask confidential info, but can you send the whole live log from ipsec for a whole day?

    Have you started a support case with support?

    There's just nothing useful in there at all. I've opened a support ticket with the Japanese reseller and will revert to Sophos proper should the reseller be unable to solve the problem. Currently, one of the tunnels works intermittently and the other doesn't work at all.

  • Trane Francks said:

    There's just nothing useful in there at all. I've opened a support ticket with the Japanese reseller and will revert to Sophos proper should the reseller be unable to solve the problem. Currently, one of the tunnels works intermittently and the other doesn't work at all.

    Hmm...Let's hope this is not the work of the Great Firewall :-)
    But seriously! - have you tried to download a backup and restore from an earlier ISO? 9.404?

    ----

    Best regards Martin ;-)


  • No easy way for me to restore. I'm half-way across the country remotely administering this network.