After updating to 9.501-5, SSO for HTTP authentication failed and domain join is not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com - Too many http redirects message.

Turned off web filtering and the websites were available - but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.

Currently, I have the client functioning, but I need to rejoin AD and resume SSO authentication.

  • Same problem here. Upgraded the firmware this morning and then the issue started.

  • Hello,

    A fix for this issue is coming in MR2, which will be available soon; we apologize for the wait. You can also contact Sophos Support, who will be able to apply a hotfix.

    Thank you,

    Bob

  • Mark Payne said:

    Bob, below is the email I got from Sophos tech support to resolve this issue. If there is a hotfix, please post a link so I can download it. I will not call Sophos tech support again. They have no clue and are only interested in sending me KB articles and making sure they can close the ticket. I have quotes for 2 different firewall appliances (that are NOT Sophos) and we will be migrating to one of them in the next week or 2. We will also be migrating away from the Sophos endpoint security.

     

    I feel your pain, although I have a wonderful reseller in GlobelinkUK, that cannot make up for the total incompetence of handling these issues at SOPHOS  and I have emailed all the way up to the top in the past and it just gets no better.

    I accept that there will always be bugs/problems with software, it's how they are handled which is important.

    In this case they created a KB article for this issue back on 26th May and did not pull the patch even one month on! And now they are inundated with unhappy customers like me waiting for GSS to apply the hotfix.

    I have pointed out that the KB article does not even contain the actual error message  that appears in the log (which is the first thing I tried to google it) so it will not turn up on a google search for the error. Sophos acknowledged this yesterday on their twitter feed and yet still it hasn't been updated!

    In the past on major incidents they haven't even acknowledged the issues with a kb article and just wait for everyone to report the same known issue over and over again to support, blocking up the support lines.

  • Clearly, it's too late to help you, Mark, but others may be able to benefit...

    Never call Sophos Support.  Email them only (support@sophos.com or utm-premium@sophos.com if you have premium support).  My response to the email above would have been short: "Please escalate urgently."

    Also, if your reseller isn't informing you about when you should apply Up2Dates, find a better partner for your Sophos products.  It's basic customer service and marketing 101 for products like these.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • "Also, if your reseller isn't informing you about when you should apply Up2Dates, find a better partner for your Sophos products.  It's basic customer service and marketing 101 for products like these."

     

    Forgive me for expecting Sophos to test and support a product they sell and charge an annual licensing and support fee for.  I'll throw my reseller under the bus instead. 

     

    Or not.

  • I'm not excusing Support's failure with you - that definitely reveals an organizational problem.

    I'm just telling you what most of us do.  None of our clients have seen this bug because they're all on 9.413.  I've been in the IT world for 40+ years both in the USA and Europe and, for a complex product like this one, the approach I've described has always been the standard.  My wife is a storage administrator for a large organization with hundreds of terabytes behind an IBM SVC.  They plan their upgrades meticulously and they never put Operations at risk.  It has happened that IBM, to whom they pay a lot more money for support, has released buggy code that brought down the SVC at their backup site.  Once that was fixed and running for two weeks, the main data center was upgraded.

    With as many people as you have behind your UTM, I'm amazed that your reseller didn't get you on Hot-Standby and configured to reserve a node when applying Up2Dates.  Again, standard practice for professionals that know what they're doing.  I don't reserve a node on my clients' High Availability UTMs since I never tell them to Up2Date until I know it's safe.

    Cheers - Bob

     
  • In the other, active 9.5 thread, Steve Hart reports:

    "The patch seems to have solved the SSO issue.

    "Their internal tracking number on this issue was NUTM-7960. "

    Cheers - Bob

     
  • I recently had a Firewall in HA fail. During the RMA process I specified my Required Firmware as 9.4.14-2 and was advised against upgrading to 9.5 because of these known bugs. I received my new UTM Monday and, lo and behold, it was preloaded with 9.501-5. Someone at Sophos dropped the ball.

  • "The patch seems to have solved the SSO issue."

    Great, but how do we get hold of it when Sophos don't reply to emails and fob you off on the phone?

  • We had 2 SG135 UTMs die within 3 days.  One running 9.501 and 9.414.  We also asked for 9.414 or earlier, but they installed 9.501.  Very disappointing that they would roll out 2 horrible updates and then wait so long to roll out a fix...while still rolling out the broken updates.

  • TCF, in the past, we've seen plenty of issues with Up2Dated UTMs that did not occur on fresh installs.  If you want to experiment, try the following:

    1. On the 'Hardware' tab of 'Interfaces', set Virtual MACs to equal the real MACs for the NICs in use.
    2. Create a config backup and download it to a FAT32 USB memory stick.
    3. Insert the USB stick into the new 9.501 SG and boot it.  It will upgrade the 9.414 configuration as it imports it.
    4. Power down the 9.414 SG and move the cables to the new one.
    5. Check to see if you're having the SSO problem others are seeing.

    If that works with no problems, you're left with the choice of reimaging the 9.414 box with a new 9.501 ISO and losing your logs and reporting or re-imaging the new 9.501 unit with 9.414.  My choice would be the latter.  If you do notice any problems related to Active Directory in 9.414, the one-time fix in the following should get you back to normal: Sophos UTM: Httpproxy with AD-SSO authentication doesn't work with Internet Explorer and Chrome after upgrading to 9.5

    Cheers - Bob

     
  • In the USA, an end user with Premium Support should email utm-premium@Sophos.com. An end user without should email/call their reseller.

    In Europe, as I understand it, the first step for a reseller to get a case open with Sophos Support is to email their distributor, but an end user with Premium Support can email Support directly.

    Never call any support for any IT issue unless you have a separate support contract of five figures or more.  Always choose email or a web form.

    Cheers - Bob

     