
XG blocking all HTTP after reboot, no entries in the logs to diagnose

XG330 (SFOS 17.5.12 MR-12) 

Since firewall reboot last night our XG is now blocking all HTTP sites and displaying the following page. We have not made any changes to any rules, and the HTTPS version of the site works fine.

More critically, there are no entries in the log viewer for these blocks to help diagnose which area of the XG is causing this block.



  • Check your patterns.

     Seems like your patterns are broken.

    Check /log/u2d.log


  • Hi, here requests are getting blocked because malware scanning failed, which could be due to the AV engine selected in "Scan engine selection" in Web ==> General Settings having a failed or broken pattern update during the last pattern update check.

    Reference snapshot:



    Please confirm the patterns are up to date, and if it still gives a failed result, as a workaround change the scan engine to another one for the time being (if only the selected AV update failed). If both the Sophos and Avira AV pattern updates failed, then /log/u2d.log will give more information on the reason, as guided by

    Is appliance running in HA setup? If yes, is it A-A or A-P setup?

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link.

  • Thanks,

    Not an HA appliance setup.

    Looks like the pattern update has been failing which corresponds with a support case we have open relating to Firmware check fails, and issues with Sophos Central Management.

    I've not before accessed logs via scp on the XG but will follow details here: https://support.sophos.com/support/s/article/KB-000035842

    Warmest regards.

  • Looks to be "FATAL : Error in parsing response, exiting." on both the Firmware and Patterns updates:

    Extract from u2d.log with Serial and DeviceID redacted:

    DEBUG Oct 21 12:24:06 [2654]: --serial = [redacted]
    DEBUG Oct 21 12:24:06 [2654]: --deviceid = [redacted]
    DEBUG Oct 21 12:24:06 [2654]: --fwversion = 17.5.12.664
    DEBUG Oct 21 12:24:06 [2654]: --productcode = CN
    DEBUG Oct 21 12:24:06 [2654]: --model = XG330
    DEBUG Oct 21 12:24:06 [2654]: --vendor = WP02
    DEBUG Oct 21 12:24:06 [2654]: --sfmversion = --oem
    DEBUG Oct 21 12:24:06 [2654]: Added new server : Host - , Port - 8443
    DEBUG Oct 21 12:24:06 [2654]: Final query string is :
    ?&serialkey=[REDACTED]&deviceid=[REDACTED]&fwversion=17.5.12.664&productcode=CN&appmodel=XG330&appvendor=WP02&useragent=SF&oem=&sfmversion=--oem
    DEBUG Oct 21 12:24:06 [2654]: Response code : 0
    DEBUG Oct 21 12:24:06 [2654]: Response body :

    DEBUG Oct 21 12:24:06 [2654]: Response length : 0
    ERROR Oct 21 12:24:06 [2654]: Response not parsed successfully.
    ERROR Oct 21 12:24:06 [2654]: FATAL : Error in parsing response, exiting.
    DEBUG Oct 21 12:24:16 [3041]: --serial = [redacted]
    DEBUG Oct 21 12:24:16 [3041]: --deviceid = [redacted]
    DEBUG Oct 21 12:24:16 [3041]: --fwversion = 17.5.12.664
    DEBUG Oct 21 12:24:16 [3041]: --productcode = CN
    DEBUG Oct 21 12:24:16 [3041]: --model = XG330
    DEBUG Oct 21 12:24:16 [3041]: --vendor = WP02
    DEBUG Oct 21 12:24:16 [3041]: --pkg_ips_version = 9.17.14
    DEBUG Oct 21 12:24:16 [3041]: --pkg_ips_cv = 14.0
    DEBUG Oct 21 12:24:16 [3041]: --pkg_atp_version = 1.0.0302
    DEBUG Oct 21 12:24:16 [3041]: --pkg_atp_cv = 1.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_savi_version = 1.0.0
    DEBUG Oct 21 12:24:16 [3041]: --pkg_savi_cv = 1.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_avira_version = 1.0.0
    DEBUG Oct 21 12:24:16 [3041]: --pkg_avira_cv = 4.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_apfw_version = 11.0.012
    DEBUG Oct 21 12:24:16 [3041]: --pkg_apfw_cv = 1.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_waf_version = 1.0.0006
    DEBUG Oct 21 12:24:16 [3041]: --pkg_waf_cv = 1.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_sslvpn_version = 1.0.007
    DEBUG Oct 21 12:24:16 [3041]: --pkg_sslvpn_cv = 1.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_ipsec_version = 1.4.001
    DEBUG Oct 21 12:24:16 [3041]: --pkg_ipsec_cv = 1.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_clientauth_version = 1.0.0019
    DEBUG Oct 21 12:24:16 [3041]: --pkg_clientauth_cv = 2.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_redfw_version = 3.0.000
    DEBUG Oct 21 12:24:16 [3041]: --pkg_redfw_cv = 2.00
    DEBUG Oct 21 12:24:16 [3041]: --sfmversion = --oem
    DEBUG Oct 21 12:24:16 [3041]: Added new server : Host - , Port - 8443
    DEBUG Oct 21 12:24:16 [3041]: Final query string is :
    ?&serialkey=[REDACTED]&deviceid=[REDACTED]&fwversion=17.5.12.664&productcode=CN&appmodel=XG330&appvendor=WP02&useragent=SF&oem=&pkg_ips_version=9.17.14&pkg_ips_cv=14.0&pkg_atp_version=1.0.0302&pkg_atp_cv=1.00&pkg_savi_version=1.0.0&pkg_savi_patch=2&pkg_savi_cv=1.00&pkg_avira_version=1.0.0&pkg_avira_patch=2&pkg_avira_cv=4.00&pkg_clientauth_version=1.0.0019&pkg_clientauth_cv=2.00&pkg_apfw_version=11.0.012&pkg_apfw_cv=1.00&pkg_redfw_version=3.0.000&pkg_redfw_cv=2.00&pkg_waf_version=1.0.0006&pkg_waf_cv=1.00&pkg_sslvpn_version=1.0.007&pkg_sslvpn_cv=1.00&pkg_ipsec_version=1.4.001&pkg_ipsec_cv=1.00&sfmversion=--oem
    DEBUG Oct 21 12:24:16 [3041]: Response code : 0
    DEBUG Oct 21 12:24:16 [3041]: Response body :

    DEBUG Oct 21 12:24:16 [3041]: Response length : 0
    ERROR Oct 21 12:24:16 [3041]: Response not parsed successfully.
    ERROR Oct 21 12:24:16 [3041]: FATAL : Error in parsing response, exiting.

  • The problem seems to be the "empty" body. 

    We are sending this "final query" to the backend server to get the current version.

    But you get back: 

    DEBUG Oct 21 12:24:16 [3041]: Response body :

    Which indicates that the response is empty.

    Did you redact the following line: DEBUG Oct 21 12:24:16 [3041]: Added new server : Host - , Port - 8443 ?

    And why is there a parent proxy port?

    Do you use a parent proxy? If not, please try to set one and then empty the configuration.

</gr_replreplace>
<gr_insert after="124" cat="add_content" lang="python" orig="____">
The diagnosis above (empty upstream Host, empty response body, then the FATAL line) can be pulled out of /log/u2d.log mechanically. The following is an added example, not part of the thread or of Sophos' tooling: it groups u2d.log lines by the bracketed process id and flags the conditions the reply describes. The sample log is constructed to mirror the extract posted earlier, with a second healthy run added for contrast; the hostname in it is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the u2d.log extract in the thread (not a real capture).
SAMPLE_U2D_LOG = """\
DEBUG Oct 21 12:24:16 [3041]: --fwversion = 17.5.12.664
DEBUG Oct 21 12:24:16 [3041]: Added new server : Host - , Port - 8443
DEBUG Oct 21 12:24:16 [3041]: Response code : 0
DEBUG Oct 21 12:24:16 [3041]: Response body :

DEBUG Oct 21 12:24:16 [3041]: Response length : 0
ERROR Oct 21 12:24:16 [3041]: Response not parsed successfully.
ERROR Oct 21 12:24:16 [3041]: FATAL : Error in parsing response, exiting.
DEBUG Oct 21 13:00:00 [4100]: Added new server : Host - updates.example.invalid, Port - 443
DEBUG Oct 21 13:00:01 [4100]: Response code : 200
DEBUG Oct 21 13:00:01 [4100]: Response length : 512
"""

# One u2d.log line: LEVEL, timestamp, [pid], message.
LINE_RE = re.compile(r"^(DEBUG|ERROR)\s+(\w+ \d+ [\d:]+)\s+\[(\d+)\]:\s*(.*)$")
SERVER_RE = re.compile(r"Added new server : Host - (.*?), Port - (\d+)")
CODE_RE = re.compile(r"Response code : (\d+)")
LEN_RE = re.compile(r"Response length : (\d+)")

def summarize_u2d(text):
    """Group u2d.log lines by process id and report what each update run saw."""
    runs = defaultdict(lambda: {"host": None, "port": None, "code": None,
                                "length": None, "fatal": False, "findings": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and continuation lines carry no fields
        level, _ts, pid, msg = m.groups()
        run = runs[pid]
        if (s := SERVER_RE.search(msg)):
            run["host"], run["port"] = s.group(1).strip(), int(s.group(2))
        elif (c := CODE_RE.search(msg)):
            run["code"] = int(c.group(1))
        elif (n := LEN_RE.search(msg)):
            run["length"] = int(n.group(1))
        elif level == "ERROR" and "FATAL" in msg:
            run["fatal"] = True
    for run in runs.values():
        if run["host"] == "":
            run["findings"].append("update server host is empty; check Routing > Upstream Proxy")
        if run["code"] == 0 and run["length"] == 0:
            run["findings"].append("no HTTP response at all (code 0, length 0); connection never completed")
        if run["fatal"]:
            run["findings"].append("run aborted: 'FATAL : Error in parsing response'")
    return dict(runs)
```

Run it against a copy of /log/u2d.log pulled off the appliance; any run with a non-empty findings list is the one to chase.
<test>
r = summarize_u2d(SAMPLE_U2D_LOG)
assert r["3041"]["host"] == "" and r["3041"]["port"] == 8443
assert r["3041"]["code"] == 0 and r["3041"]["length"] == 0
assert r["3041"]["fatal"] is True
assert len(r["3041"]["findings"]) == 3
assert r["4100"]["host"] == "updates.example.invalid" and r["4100"]["port"] == 443
assert r["4100"]["findings"] == []
</test>
</gr_insert>
<gr_replace lines="126" cat="clarify" orig="• Hi : Please share">
  • Hi: Please share the support case ID for the firmware check fails issue for my reference.

  • Hi : Please share support case ID for firmware check fails issue for my reference. 

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • That line wasn't redacted, verbatim from the log file:

    DEBUG Oct 21 12:24:16 [3041]: Added new server : Host - , Port - 8443

    We don't use a parent proxy. The setting in Routing > Upstream Proxy was not enabled but did include a port number. I've emptied the config there and saved. Still fails on the Firmware and Pattern updates:

  • Check for Firmware Update error: Case ID is: 03252846

  • Hi: Thanks for sharing the case ID.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Also Case ID for Sophos Central Management is: 03255107