This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Up2Date showing older firmware

Ran Up2Date from 9.355-1 to 9.407-3 on an Active - Active HA pair of SG125's. Both report active now on 9.407-3, but after the final reboot two older updates 9.402-7 & 9.403-4 were listed. I rebooted both units once again and the two older updates were gone, but when I arrived today they were back. What now?



This thread was automatically locked due to age.
Parents
  • I have read a similar KB on this but it doesn't answer all of my questions...

    I read elsewhere on forum from another poster that the mentioned KB is wrong on order, that Slave should be done first, which is correct?

    I have a support contract, I've heard in the past we shouldn't be monkeying in the terminal so has that stance changed?

    Were these updates skipped, am I missing packages, how would I know?

    Am I supposed to download and repeat with every package from 9.355-1 up through 9.407-3?

    I told Up2Date to update to latest so that I could skip manually incrementing them, I had read a couple of these lock you out of web ui, so If I manually apply them, how do I get back in after one of these problematic updates?

     “Stay paranoid, my friends.”

  • The first thing to do is to run the version command on each node.  You can do this as loginuser on the Master, but you may need to switch to root before you can use ha_utils to login to the Slave.  Check that the packages were applied and that there isn't any gap.  Here's the result from our lab system demonstrating that everything is in place:

                                 sys-9.355-9.356-1.3.1.tgz (May 30 22:02)
                                 sys-9.356-9.404-3.5.2.tgz (Jul  1 15:05)
                                 sys-9.404-9.405-5.5.1.tgz (Aug 11 09:38)
                                 sys-9.405-9.406-5.3.1.tgz (Oct  7 13:16)
                                 sys-9.406-9.407-3.3.1.tgz (Oct  7 13:23)

    If you see a similar situation, you can go to /var/up2date/sys/ and rm u2d-sys*.tgz.gpg to delete the unnecessary Up2Date files.

    If your version files are inconsistent on either node, post back here for the solution.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sorry if formatting doesn't come across, not sure what I'm looking at here but it doesn't look good...

    MASTER                                                                SLAVE

    Current software version...: 9.407003                     Current software version...: 9.407003

    Hardware type..............: 125r1                             Hardware type..............: 125r1

    Serial number..............: ********                        Serial number..............: ********

    Installation image.........: 9.205-13.1                      Installation image.........: 9.205-13.1

    Installation type..........: msi                                   Installation type..........: msi

    Installed pattern version..: 110663                          Installed pattern version..: 110663

    Downloaded pattern version.: 110663                     Downloaded pattern version.: 110663

    Up2Dates applied...........: 37 (see below)               Up2Dates applied...........: 34 (see below)

    sys-9.205-9.206-12.35.1.tgz (Nov 5 2014)              sys-9.205-9.206-12.35.1.tgz (Dec 18 2014)

    sys-9.206-9.207-35.19.2.tgz (Nov 5 2014)              sys-9.206-9.207-35.19.2.tgz (Dec 18 2014)

    sys-9.207-9.208-19.8.5.tgz (Nov 5 2014)                sys-9.207-9.208-19.8.5.tgz (Dec 18 2014)

    sys-9.208-9.209-8.8.1.tgz (Nov 5 2014)                  sys-9.208-9.209-8.8.1.tgz (Dec 18 2014)

    sys-9.209-9.300-8.5.1.tgz (Nov 10 2014)                sys-9.209-9.210-8.20.1.tgz (Dec 18 2014)

                                                                                sys-9.210-9.304-20.9.2.tgz (Dec 18 2014)

    sys-9.300-9.301-5.2.3.tgz (Nov 14 2014)

    sys-9.301-9.302-2.2.1.tgz (Dec 12 2014)

    sys-9.302-9.303-2.2.1.tgz (Dec 12 2014)

    sys-9.303-9.304-2.9.2.tgz (Dec 12 2014)

    sys-9.304-9.305-9.4.1.tgz (Dec 18 2014)                sys-9.304-9.305-9.4.1.tgz (Dec 18 2014)

    sys-9.305-9.306-4.6.1.tgz (Feb 11 2015)                sys-9.305-9.306-4.6.1.tgz (Feb 11 2015)

    sys-9.306-9.307-6.6.1.tgz (Feb 11 2015)                sys-9.306-9.307-6.6.1.tgz (Feb 11 2015)

    sys-9.307-9.308-6.16.2.tgz (May 7 2015)               sys-9.307-9.308-6.16.2.tgz (May 7 2015)

    sys-9.308-9.309-16.3.1.tgz (May 7 2015)               sys-9.308-9.309-16.3.1.tgz (May 7 2015)

    sys-9.309-9.310-3.11.1.tgz (May 7 2015)               sys-9.309-9.310-3.11.1.tgz (May 7 2015)

    sys-9.310-9.311-11.3.1.tgz (May 7 2015)               sys-9.310-9.311-11.3.1.tgz (May 7 2015)

    sys-9.311-9.312-3.5.1.tgz (May 7 2015)                 sys-9.311-9.312-3.5.1.tgz (May 7 2015)

    sys-9.312-9.312-5.6.4.tgz (Aug 14 2015)               sys-9.312-9.312-5.6.4.tgz (Aug 14 2015)

    sys-9.312-9.312-6.8.1.tgz (Aug 14 2015)               sys-9.312-9.312-6.8.1.tgz (Aug 14 2015)

    sys-9.312-9.313-8.3.1.tgz (Aug 14 2015)               sys-9.312-9.313-8.3.1.tgz (Aug 14 2015)

    sys-9.313-9.314-3.13.1.tgz (Aug 14 2015)             sys-9.313-9.314-3.13.1.tgz (Aug 14 2015)

    sys-9.314-9.315-13.2.1.tgz (Aug 14 2015)             sys-9.314-9.315-13.2.1.tgz (Aug 14 2015)

    sys-9.315-9.316-2.4.1.tgz (Dec 15 2015)               sys-9.315-9.316-2.4.1.tgz (Dec 15 2015)

    sys-9.316-9.317-4.5.1.tgz (Dec 15 2015)               sys-9.316-9.317-4.5.1.tgz (Dec 15 2015)

    sys-9.317-9.318-5.5.2.tgz (Dec 15 2015)               sys-9.317-9.318-5.5.2.tgz (Dec 15 2015)

    sys-9.318-9.350-5.12.1.tgz (Dec 15 2015)             sys-9.318-9.350-5.12.1.tgz (Dec 15 2015)

    sys-9.350-9.351-12.3.2.tgz (Dec 15 2015)             sys-9.350-9.351-12.3.2.tgz (Dec 15 2015)

    sys-9.351-9.352-3.6.2.tgz (Dec 15 2015)               sys-9.351-9.352-3.6.2.tgz (Dec 15 2015)

    sys-9.352-9.353-6.4.1.tgz (Feb 1 2016)                 sys-9.352-9.353-6.4.1.tgz (Feb 1 2016)

    sys-9.353-9.354-4.4.1.tgz (Mar 1 2016)                 sys-9.353-9.354-4.4.1.tgz (Mar 1 2016)

    sys-9.354-9.355-4.1.1.tgz (Mar 1 2016)                 sys-9.354-9.355-4.1.1.tgz (Mar 1 2016)

    sys-9.355-9.356-1.3.1.tgz (Oct 6 18:21)                sys-9.355-9.356-1.3.1.tgz (Oct 6 18:04)

    sys-9.356-9.357-3.1.4.tgz (Oct 6 18:22)                sys-9.356-9.357-3.1.4.tgz (Oct 6 18:05)

    sys-9.357-9.404-1.5.3.tgz (Oct 6 18:27)                sys-9.357-9.404-1.5.3.tgz (Oct 6 18:10)

    sys-9.404-9.405-5.5.1.tgz (Oct 6 18:29)                sys-9.404-9.405-5.5.1.tgz (Oct 6 18:12)

    sys-9.405-9.406-5.3.1.tgz (Oct 6 18:30)                sys-9.405-9.406-5.3.1.tgz (Oct 6 18:13)

    sys-9.406-9.407-3.3.1.tgz (Oct 6 18:32)                sys-9.406-9.407-3.3.1.tgz (Oct 6 18:15)

    Up2Dates available.........: 2                                 Up2Dates available.........: 2

    Factory resets.............: 0                                    Factory resets.............: 0

    Timewarps detected.........: 5                                Timewarps detected.........: 0

     “Stay paranoid, my friends.”

  • That looks perfect.  You can just rm /var/up2date/sys/u2d-sys*.tgz.gpg to delete the unnecessary Up2Date files.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Master missed 1 of 38 updates:

    sys-9.210-9.304-20.9.2.tgz (Dec 18 2014)

    Slave missed 4 of 38 updates:

    sys-9.300-9.301-5.2.3.tgz (Nov 14 2014)

    sys-9.301-9.302-2.2.1.tgz (Dec 12 2014)

    sys-9.302-9.303-2.2.1.tgz (Dec 12 2014)

    sys-9.303-9.304-2.9.2.tgz (Dec 12 2014)

     

    I'm confused, this isn't an issue? Again, I don't know the first thing about any of this so your help is invaluable, but these units have been paired Active-Active this entire time, so going off logic it looks like there's been some major fails going on with this "always in sync" pair. Could you give me a little more info why this isn't cause for concern? Thanks!

     “Stay paranoid, my friends.”

  • Bob, I looked at this some more and arranging chronologically I now see what you are saying, that the slave on right eventually caught up with master on left. My reseller remotely set up for me on Nov 5 2014 and turned on Active-Active then. It is quite disturbing to me that this "synced" slave didn't decide to get Up2Date with the master until over a month later. That's not really my definition of being "in sync". This left my users half the time routing through a unit that was several updates behind without any complaint or notification from the units that they were on different builds. Scary. So final question, am I okay to do the rm myself or will I be running afoul of my support?

    Master                                                                Slave

    sys-9.208-9.209-8.8.1.tgz (Nov 5 2014)

    sys-9.209-9.300-8.5.1.tgz (Nov 10 2014)                                                                                           

    sys-9.300-9.301-5.2.3.tgz (Nov 14 2014)

    sys-9.301-9.302-2.2.1.tgz (Dec 12 2014)

    sys-9.302-9.303-2.2.1.tgz (Dec 12 2014)

    sys-9.303-9.304-2.9.2.tgz (Dec 12 2014)

                                                                               sys-9.208-9.209-8.8.1.tgz (Dec 18 2014)

                                                                               sys-9.209-9.210-8.20.1.tgz (Dec 18 2014)

                                                                               sys-9.210-9.304-20.9.2.tgz (Dec 18 2014)

    sys-9.304-9.305-9.4.1.tgz (Dec 18 2014)               sys-9.304-9.305-9.4.1.tgz (Dec 18 2014)

     “Stay paranoid, my friends.”

  • I'm a little confused by the spacing you're using.  In the first post of the version results, I only looked at 9.355-to-9.407.  The fact that the two devices took different Up2Date paths doesn't mean they have different firmware today.

    If you have a paid license, you should heave your reseller get Sophos Support involved.  They might want to look at the Up2Date logs from 11-14-2014, 12-12-2014 and 12-18-2014.  In any case, if you're uncomfortable deleting the Up2Dates, you can ask them to do it if they believe that's the right approach.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • I'm a little confused by the spacing you're using.  In the first post of the version results, I only looked at 9.355-to-9.407.  The fact that the two devices took different Up2Date paths doesn't mean they have different firmware today.

    If you have a paid license, you should heave your reseller get Sophos Support involved.  They might want to look at the Up2Date logs from 11-14-2014, 12-12-2014 and 12-18-2014.  In any case, if you're uncomfortable deleting the Up2Dates, you can ask them to do it if they believe that's the right approach.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • Bob,

    Thanks for your assistance, I finally had Support remote in today, it's not that I'm uncomfortable in the terminal, I just don't know how strictly they enforce their "Note" about voiding support. They deleted Up2Date files, reset, and found/replaced a missing AV package. I'm still a little leery since these boxes took different paths that something else might be hinky, I may decide to do a break/clean install/relink. As a note to self (and others without support), here's what they did...

    Logged in...

    ssh loginuser@yourUTMhost

    NOTE: If not explicitly approved by Sophos support, any modifications done by root will void your support.

    Switched to root...

    sudo su -

    Looked at master Up2Date...

    version

    Looked up hostname...

    hostname

    Navigated to and listed logs...

    cd /var/log

    ls -lh

    Called up HA log and viewed recent entries...

    ls high*

    tail -200 high-availability.log

    Removed Up2Date files and reset...

    rm -f /var/up2date/sys/*

    rm -f /var/up2date/.queue/*

    rm -rf /var/up2date/sys-install/*

    cc reset up2date

    Download Up2Date files...

    audld.plx

    Results found missing AV package and downloaded it, this fixed it...

    <M> yourUTMhost:/var/log # audld.plx
    running on HA master system or cluster node
    Starting Up2Date Package Downloader
    disabling patch up2dates (confd hint)
    Using static update server list in HA mode
    Authenticating ...
    Authentication successful!
    Using static download server list in HA mode
    Starting Up2Date Download
    Starting sync mode for 'avira-xvdf'
      Downloading Up2Date Package http://us1.utmu2d.sophos.com/asg/v9/avira-xvdf/u2d-avira-xvdf-9.3774.tgz.gpg
        +++++++++++++++++++   100% - 189625822 bytes received

     “Stay paranoid, my friends.”