The c2000 SOC these appliances are based upon have a problem with their internal clocks that upon reboot if the clock has failed the machine is bricked. intel has quashed just about all direct mention of this by vendors. However the spike in failures has to deal with c2000 soc based appliances. The flaw is widespread affecting Cisco, Synology, IX Systems, Netgate systems just to name a few. All vendors have been denied the ability to mention which soc directly..but folks have managed to verify independently of Intel's blocks that the c2000 chipsets are dying after around 18 months of powered on time. If the lpc clock fails during powered on time as long as you do not reboot the device will continue to operate. the instant you reboot(hard of soft) the system bricks. I have already inquired with Sophos directly about their policies. Right now it appears they do not have a proactive replacement plan in place. However if you have a subscription to a support plan(usually included with any kind of paid module) if your device fails they will ship you replacement hardware...so that's good. Cisco has carefully worded things that unless you are within their initial 90 days of purchase or you have one of their support contract they will not replace the devices. Netgate has extended their warranty to 3 years for all devices based on the c2000. Other vendors have not announced plans. Keep an eye on your sg125 and sg135 based devices..a reboot wil one day brick them. If your device is 18+ months old be sure you have a contingency plan in place(HA of some kind) so you can recover quickly while you get your replacement when these devices brick themselves. This is NOT a Sophos fault but one by Intel.
Please do not go screaming at Sophos as this one is NOT THEIR FAULT. Intel is hampering things trying to contain the damage by not allowing the vendors to say exactly which chips are hit..but a little self-research makes it very easy to figure out whoe SOC is screwed up and which devices are a time bomb.
Thanks for bringing this to our attention, William!
Yesterday at 4PM PST, one hour past same-day shipping from Sophos in California, I got a call from a client in Ohio who was in his office at 7PM his time. High winds in Ohio had caused a power outage mid-afternoon and he was concerned that he couldn't reach his SG 135 from home after the power came back on just after 6PM.
I had him unplug the unit to do a hard reboot. He plugged a monitor in so he could watch it boot, but when the power was plugged back in, nothing appeared on the screen. There was no disk activity light nor any one other than the blue power light. The unit was "bricked" just as we were warned. It had been purchased in April of 2015.
Today, he will decide whether to connect directly to the Internet with no protection or if their business with over 50 people will be cut off until the replacement arrives tomorrow. Ouch!
I had already asked this client and others with potentially-affected devices to consider getting a second unit for Hot-Standby to avoid this scenario. I've now emailed each of them with the yesterday's sad tale.
This client had a Rev.1 SG as do my 3 other 125/135 clients without a Hot-Standby. All with S12002 (125) and S13003 (135) S/Ns.
My question is this: does this affect only Rev.1 devices or does it also affect Rev.2? I'll push Sophos to get me an answer to this and return with their response.
Cheers - BobPS I'll move this thread to the top of the forum for awhile.
So does this failure affect also rev 2 devices? I have a sg125 rev2 (january 2017) here...
I don't remember, but it would be good to have that answer in this thread. Please check with your distributor and come back here and let us know.
Cheers - Bob
To chime into this old conversation, we had multiple "sudden deaths" within the last 2 Months of SG125 and 135 devices. Rev1 was the most, we also had one Rev3 which might be an unrelated issue with this device.
we've now had the 2nd faulty SG135 within weeks and now also two SG310 seem to have died the same Death, all rev1. The Sg135 dates from 2015, the SG310 around mid 2017.
...but it seems to be, taht only the atoms would be affected to....so only the 125 and 135...not the sg 2xx,3xx
we had one dead SG125 and one dead SG135 this year, both Rev. 2 and both installed 2016.
Firewall consultant since 1995Astaro consultant since 2001Sophos partner since 2012BERGMANN engineering & consulting GmbH, Wien/Austria
Found that 150 Ohm Resistor in a Refurbished SG125 ;)
and with that resistor the device is working again?