This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM 9.601 - RED issues!

Since upgrading all our customers to 9.601, a bigger part of them are complaining about RED's re/disconnection in a no-pattern way.

It started for all of them just the night we upgraded to 9.601, and they all are on different ISP's and located different places around the country.

Been with Sophos support for 2 hours today, and now they escalated it to higher grounds.

Will return with an update....

Suspicious entries in the log - but all connected REDs do this before connection:

2019:03:06-15:15:38 fw01-2 red_server[17509]: SELF: Cannot do SSL handshake on socket accept from 'xxx.xxx.xxx.xxx': SSL connect accept failed because of handshake problems

2019:03:06-15:15:46 fw01-2 red2ctl[12420]: Missing keepalive from reds3:0, disabling peer xxx.xxx.xxx.xxx

I know the last line is written before the tunnel disconnects, because there was no "PING/PONG" answer...

One customer has 2 x RD 50, one 1 100% stable and the other fluctuates in random intervals - we replaced this with a new RED 50, but the same thing occurs.



This thread was automatically locked due to age.
Parents
  • 5+ hours downtime this morning. No problem on our local network or Internet connection. The RED 15 (in Germany) was trying to handshake with an IP in US - I assume one of Sophos providers. 

     

    2019:08:29-05:07:24 neo-2 red_server[16917]: A35xxxxxxxxxxxx: No ping for 30 seconds, exiting.
    2019:08:29-05:07:24 neo-2 red_server[16917]: id="4202" severity="info" sys="System" sub="RED" name="RED Tunnel Down" red_id="A35xxxxxxxxxxxx" forced="0"
    2019:08:29-05:07:24 neo-2 red_server[16917]: A35xxxxxxxxxxxx is disconnected.
    2019:08:29-05:07:24 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-05:07:26 neo-2 red2ctl[21514]: Overflow happened on reds2:0
    2019:08:29-05:07:26 neo-2 red2ctl[21514]: Missing keepalive from reds2:0, disabling peer 195.xxx.xxx.xx
    2019:08:29-05:07:29 neo-2 red2ctl[21514]: Received keepalive from reds2:0, enabling peer 195.xxx.xxx.xx
    2019:08:29-05:08:07 neo-2 red_server[6708]: SELF: Cannot do SSL handshake on socket accept from '195.xxx.xxx.xx': SSL connect accept failed because of handshake problems
    2019:08:29-05:19:38 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-05:34:25 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-05:38:06 neo-2 red_server[11570]: SELF: Cannot do SSL handshake on socket accept from '195.xxx.xxx.xx': SSL wants a read first
    2019:08:29-05:49:23 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-06:04:27 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-06:19:27 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-06:34:24 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-06:49:38 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-07:04:32 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-07:04:46 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-07:19:21 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-07:34:21 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-07:49:22 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-07:50:00 neo-2 red_server[2023]: SELF: Cannot do SSL handshake on socket accept from '198.108.67.48': SSL accept attempt failed with unknown error SSL wants a read first
    2019:08:29-07:50:00 neo-2 red_server[2027]: SELF: Cannot do SSL handshake on socket accept from '198.108.67.48': SSL accept attempt failed with unknown error SSL wants a read first
    2019:08:29-07:50:00 neo-2 red_server[2026]: SELF: Cannot do SSL handshake on socket accept from '198.108.67.48': SSL accept attempt failed with unknown error SSL wants a read first
    2019:08:29-07:50:00 neo-2 red_server[2044]: SELF: Cannot do SSL handshake on socket accept from '198.108.67.48': SSL accept attempt failed with unknown error error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
    2019:08:29-07:50:00 neo-2 red_server[2046]: SELF: Cannot do SSL handshake on socket accept from '198.108.67.48': SSL accept attempt failed with unknown error error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
    2019:08:29-07:50:00 neo-2 red_server[2049]: SELF: Cannot do SSL handshake on socket accept from '198.108.67.48': SSL accept attempt failed with unknown error error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
    2019:08:29-07:50:01 neo-2 red_server[2051]: SELF: unable to get peer address or retrieve CN for '198.108.67.48'
    2019:08:29-07:50:01 neo-2 red_server[2052]: SELF: unable to get peer address or retrieve CN for '198.108.67.48'
    2019:08:29-07:50:01 neo-2 red_server[2053]: SELF: unable to get peer address or retrieve CN for '198.108.67.48'
    2019:08:29-08:04:24 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-08:19:24 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-08:34:28 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-08:49:33 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-09:04:27 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-09:19:26 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-09:34:24 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-09:49:23 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-10:04:26 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-10:04:40 neo-2 red_server[21506]: SELF: (Re-)loading device configurations
    2019:08:29-10:12:00 neo-2 red_server[6015]: SELF: Cannot do SSL handshake on socket accept from '195.xxx.xxx.xx': SSL connect accept failed because of handshake problems
    2019:08:29-10:12:03 neo-2 red_server[6026]: SELF: New connection from 195.xxx.xxx.xx with ID A35xxxxxxxxxxxx (cipher AES256-GCM-SHA384), rev1
    2019:08:29-10:12:03 neo-2 red_server[6026]: A35xxxxxxxxxxxx: connected OK, pushing config
    2019:08:29-10:12:04 neo-2 red_server[6026]: A35xxxxxxxxxxxx: command '{"data":{"version":"0"},"type":"INIT_CONNECTION"}'
    2019:08:29-10:12:04 neo-2 red_server[6026]: A35xxxxxxxxxxxx: Initializing connection running protocol version 0
    2019:08:29-10:12:04 neo-2 red_server[6026]: A35xxxxxxxxxxxx: Sending json message {"data":{},"type":"WELCOME"}
    2019:08:29-10:12:05 neo-2 red_server[6026]: A35xxxxxxxxxxxx: command '{"data":{},"type":"CONFIG_REQ"}'
    2019:08:29-10:12:05 neo-2 red_server[6026]: A35xxxxxxxxxxxx: Sending json message {"data":{"pin":"","fullbr_dns":"","split_networks":"1.2.3.4","lan2_vids":"","lan4_vids":"","local_networks":"","tunnel_id":2,"manual2_netmask":24,"asg_cert":"[removed]","manual_address":"195.xxx.xxx.xx","bridge_proto":"none","unlock_code":"qm7gittj","password":"","manual2_defgw":"0.0.0.0","prev_unlock_code":"qm7gittj","manual_netmask":29,"lan3_vids":"","version_r2":"2005R2","mac_filter_type":"none","mac":"00:47:9c:f3:f3:2e","dial_string":"*99#","manual2_address":"0.0.0.0","version_ng_red50":"1-330-f4c55ab8-0000000","manual_dns":"194.25.0.60","lan1_mode":"unused","username":"","activate_modem":0,"tunnel_compression_algorithm":"lzo","version_red50":"1-330-f4c55ab8-0000000","fullbr_domains":"","htp_server":"neo.geco-group.com","uplink_balancing":"failover","asg_key":"[removed]","type":"red15","deployment_mode":"online","uplink2_mode":"dhcp","version_red15":"1-330-f4c55ab8-655eb...L1538
    2019:08:29-10:12:08 neo-2 red_server[6026]: A35xxxxxxxxxxxx: command '{"data":{"key1":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","key0":"yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy","key_active":0},"type":"SET_KEY_REQ"}'
    2019:08:29-10:12:08 neo-2 red_server[6026]: A35xxxxxxxxxxxx: Sending json message {"data":{},"type":"SET_KEY_REP"}
    2019:08:29-10:12:09 neo-2 red_server[6026]: A35xxxxxxxxxxxx: command '{"data":{"seq":0},"type":"PING"}'
    2019:08:29-10:12:09 neo-2 red_server[6026]: id="4201" severity="info" sys="System" sub="RED" name="RED Tunnel Up" red_id="A35xxxxxxxxxxxx" forced="0"
    2019:08:29-10:12:09 neo-2 red_server[6026]: A35xxxxxxxxxxxx: Sending json message {"data":{"seq":0},"type":"PONG"}
    2019:08:29-10:12:10 neo-2 red_server[6026]: A35xxxxxxxxxxxx: command '{"data":{"wan1_ip":"195.xxx.xxx.xx","mobile_signal_strength":"","wan2_ip":"","uplink":"WAN1","uplink_state":"0"},"type":"STATUS"}'
    2019:08:29-10:12:11 neo-2 red2ctl[21514]: Overflow happened on reds2:0
    2019:08:29-10:12:11 neo-2 red2ctl[21514]: Missing keepalive from reds2:0, disabling peer 195.xxx.xxx.xx
    2019:08:29-10:12:14 neo-2 red2ctl[21514]: Received keepalive from reds2:0, enabling peer 195.xxx.xxx.xx
    2019:08:29-10:12:18 neo-2 red_server[21506]: SELF: (Re-)loading device configurations

     

     

    The xxxxx and yyyy strings are mine. At 10:12, the config reloaded and the RED resumed operation. 

     

    Still hoping that Sophos will fix this, but urgently looking for an alternative in the meantime. Any suggestions for devices to replace the RED?

  • An Alternative would be a SG1xx in RED-Mode but you need a Network Subscription for that, when i am right.

    But this is more expensive than a red15 or red50, because currently you can get a Red15 für 250 € (brutto)  and a SG105 e.g. starts at 370 € (brutto) without subscription.

     

     

     

  • Thanks for your response! This is kind of what I had in mind. Spending the extra money is slightly painful, but not as painful as the current unreliability of the RED :-/ I think we can repurpose the RED as a backup VPN solution and move to an SG or even XG device for the primary. 

  • An XG 85/86 with the base license includes VPN capabilities.  With a 3-year enhanced support subscription, it's about US$30 more per year than a RED 15 with 24-month extended warranty.

    I prefer the SG 115 with Network Protection over a RED 50.  Less expensive than the RED with Warranty Extensions and much more flexible.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • An XG 85/86 with the base license includes VPN capabilities.  With a 3-year enhanced support subscription, it's about US$30 more per year than a RED 15 with 24-month extended warranty.

    I prefer the SG 115 with Network Protection over a RED 50.  Less expensive than the RED with Warranty Extensions and much more flexible.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • not here in germany.

    the sg115 with a 3 year network protection is 150 € more expensive than the red50 with another 2 year warranty extension. And not all are in need of a red50, especially the red15 now makes 90mbit, hence there is not really a suitable replacement option if you dont want to pay more.

    Of course you can say the 150€ additional price is round about worth 2 hours of an it-technician e.g. investigating the current problems, but when Sophos would do a proper job, we needn't talk about this options!

    Cheers

    Peter