
Sophos UTM 9.406-3 released


Up2Date 9.406003 package description:

Remark:
System will be rebooted

News:
Security Release

Bugfixes:
Fix [NUTM-1616]: [AWS] Change AMI type to HVM
Fix [NUTM-4839]: [AWS] AWS Instances in GovCloud need to use S3 buckets in GovCloud
Fix [NUTM-5013]: [Network] TCP Vulnerability (CVE-2016-5696)

RPM packages contained:
perf-tools-3.12.48-0.237935773.g86aa827.i686.rpm
ep-ha-aws-9.40-191.g83c01f2.rb1.noarch.rpm
ep-webadmin-9.40-640.g7ad4baa.rb8.i686.rpm
ep-cloud-ec2-9.40-26.g00cde1e.rb2.i686.rpm
kernel-smp-3.12.48-0.237935773.g86aa827.i686.rpm
kernel-smp64-3.12.48-0.237935773.g86aa827.x86_64.rpm
ep-release-9.406-3.noarch.rpm



  • Thanks for clarifying, I guess I still have a lot to learn :-D

    Hmm...IPSEC looks great, what about firewall, when you try to access something on "far side" on when and vice versa (Hope you have logging enabled in IPSEC :-) )

    I have now upgraded 15 devices, 4 with HA active/passive, 8 sites have IPSEC, and no issues...

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • apijnappels said:

    Which version did you come from? Post 9.405? If so, you might be affected by MTU DHCP bug.... Check MTU setting on your external interface.

    Yes, it was from post 9.405.  My MTU setting was changed to 576 (or something to that effect).  I have it set to 1500 now, but to no avail as my WAN is still down.

  • RaZor said:

    I followed those instructions for a dynamic Comcast line and luckily it worked great.

    I may still reload with the previous release though because I prefer not to hack the OS.

    As a Sophos Partner, it's disappointing indeed but they still make the best security products for our customers.

    This is exactly why we don't update firewalls right away unless a fix is absolutely needed.


    Good advice.  I'll try again and maybe it will work this time.  I thought that all I had to do was take out the mtu part from the config file and restart the interface.  I'll read it again and try soon.

  • apijnappels said:

    Which version did you come from? Post 9.405? If so, you might be affected by MTU DHCP bug.... Check MTU setting on your external interface.

    Directly from 9.405. Using static IP with MTU of 1454 per Japanese ISP requirements. WAN interface works just fine; only the VPNs are dysfunctional. (One of the VPNs is apparently in its rebellious teenage years; it works sporadically. The other is petulant and simply refuses to cooperate at all.)

  • twister5800 said:

    Thanks for clarifying, I guess I still have a lot to learn :-D

    Hmm...IPSEC looks great, what about firewall, when you try to access something on "far side" on when and vice versa (Hope you have logging enabled in IPSEC :-) )

    I have now upgraded 15 devices, 4 with HA active/passive, 8 sites have IPSEC, and no issues...

    The firewall shows nothing regarding the IPsec traffic. It is a mystery. With one of the two tunnels suddenly starting to work (sporadically), I'm more confused than ever. When the one tunnel stops working, restarting the SG230 (HQ) and SG115 (branch) seems to get it working again for a few hours. Rebooting several times/day now.

    It's kind of ridiculous. I will most assuredly not be installing this on any of my other client sites.

  • I know it may be hard work to mask confidential info, but can you send the whole live log from ipsec for a whole day?

    Have you started a support case with support?

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • Modifying the /var/chroot-dhcpc/etc/default.conf (and eth1.conf) did no good - I did take the interface down then up again, as well as rebooted the UTM and modem.

    Looking at the logs, eth1 (WAN) is having a problem getting a DHCP address from the modem.

    from system.log

    2016:09:15-11:05:14 opeth dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 4
    2016:09:15-11:05:18 opeth dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 11
    2016:09:15-11:05:29 opeth dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 6
    2016:09:15-11:05:35 opeth dhclient: No DHCPOFFERS received.
    2016:09:15-11:05:35 opeth dhclient: Trying recorded lease xx.xxx.xxx.xx
    2016:09:15-11:05:35 opeth dhclient: bound: renewal in 6585 seconds.
    2016:09:15-11:06:14 opeth dhclient: Killed old client process
    2016:09:15-11:06:14 opeth dns-resolver[4361]: DNS server failed to contact!

    (I've looked up solutions to this problem, and none helped.  It's possible I missed a solution out there somewhere however)

    I messed around with the timeout, modified the speed.  I'm at a loss here when "all" that was done was a firmware change.  I am tempted to just nuke the thing and reload the iso image and my backup configuration.  But I want to learn from this.
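
The log excerpt in the post above shows dhclient reporting `bound` although no server ever answered: it fell back to a recorded lease. As an added example (not part of the original post, and not Sophos code), this Python sketch scans system.log text for such cycles; `find_failed_dhcp_cycles` and its output fields are hypothetical names, and the sample lines reuse the format quoted in the post.

```python
import re
from datetime import datetime

# Sample lines in the UTM system.log format quoted in the post above
# (the lease address is masked, as in the post).
SAMPLE_LOG = """\
2016:09:15-11:05:14 opeth dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 4
2016:09:15-11:05:18 opeth dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 11
2016:09:15-11:05:29 opeth dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 6
2016:09:15-11:05:35 opeth dhclient: No DHCPOFFERS received.
2016:09:15-11:05:35 opeth dhclient: Trying recorded lease xx.xxx.xxx.xx
2016:09:15-11:05:35 opeth dhclient: bound: renewal in 6585 seconds.
2016:09:15-11:06:14 opeth dhclient: Killed old client process
"""

LINE_RE = re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) dhclient(?:\[\d+\])?: (.*)$")
DISCOVER_RE = re.compile(r"^DHCPDISCOVER on (\S+) to ")

def find_failed_dhcp_cycles(log_text):
    """Return one dict per discovery cycle that ended without any DHCPOFFER."""
    # Assumption: only one dhclient instance is logging at a time.
    failures, cycle = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a dhclient line
        ts = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
        msg = m.group(3)
        d = DISCOVER_RE.match(msg)
        if d:
            if cycle is None:  # first DISCOVER opens a new cycle
                cycle = {"iface": d.group(1), "start": ts, "discovers": 0}
            cycle["discovers"] += 1
        elif msg.startswith("DHCPOFFER"):
            cycle = None  # a server answered, so this cycle is healthy
        elif msg.startswith("No DHCPOFFERS received") and cycle:
            cycle["waited_s"] = int((ts - cycle["start"]).total_seconds())
            cycle["stale_lease"] = False
            failures.append(cycle)
            cycle = None
        elif msg.startswith("Trying recorded lease") and failures:
            failures[-1]["stale_lease"] = True  # the later "bound" is not a fresh lease
    return failures
```

A result with `stale_lease` set means the interface is configured from an old lease that the modem may no longer honour, which is consistent with the DNS failure logged shortly afterwards.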

  • Hi Twister,

    I have had a lot of customers with this issue.  The MTU gets set at 576 on the external interface when DHCP is set as the connection method. As you can imagine, this causes a range of network related problems. Changing the MTU manually drops the connection altogether.

    The solution for me (not ideal) is to roll back to a previous firmware version.

    I really hope Sophos fix this soon as I'm a little over rolling back to previous firmware.

    Josh.

  • Well, now I'm stumped, my case might not have to do with the latest update after all.  I rolled back the firmware and restored my settings - same thing - WAN link is down.


    My WAN link won't even come up from the bare bones installation.  This appears to be a common problem, yet I can't find a solution.

  • Disconnect your firewall from the modem, power down your firewall, power down your modem and leave your modem powered down for 1 minute.  Restore power to the modem and let it completely boot.  Plug the firewall back into the modem and power up the modem.  Leave your WAN link in automatic mode; do not set a speed and duplex.  See if that gets you back.