Sophos UTM Version 9.408-4 released!

  • System will be rebooted
  • Configuration will be upgraded
  • Connected REDs will perform firmware upgrade

Bugfixes:
Fix [NUTM-5349]: [AWS] Restore fails if UTM is created with backup file in user data
Fix [NUTM-5466]: [AWS] ssh disabled – No connection to stack instances
Fix [NUTM-5546]: [AWS] UTM Cloud Update does not work in GovCloud
Fix [NUTM-5654]: [AWS] Conversion should not be visible for HA and AS
Fix [NUTM-3203]: [Access & Identity] [RED] If creation of RED device fails, certificates are not deleted
Fix [NUTM-4948]: [Access & Identity] [RED] Enabling wireless on RED15w causes ‘link down’
Fix [NUTM-5068]: [Access & Identity] [RED] TCP Vulnerability (CVE-2016-5696)
Fix [NUTM-5173]: [Basesystem] Memory (swap) leak in RAID monitor
Fix [NUTM-5407]: [Basesystem] OpenSSL security update (1.0.1u)
Fix [NUTM-5461]: [Basesystem] BIND Security update (CVE-2016-2776)
Fix [NUTM-5714]: [Basesystem] CVE-2016-5195 – Linux Kernel – Dirty Cow
Fix [NUTM-3042]: [Configuration Management] Advanced Threat Protection page error when logged in as Network Protection Auditor
Fix [NUTM-4215]: [Documentation, Email] POP3 Proxy reporting source IP of 0.0.0.0
Fix [NUTM-4840]: [Email] Email is automatically released after timeout from Sandstorm
Fix [NUTM-5285]: [Email] SMTP file extension filter is case sensitive
Fix [NUTM-5599]: [Email] Mails with the same recipient set twice lead to corrupt mail queue
Fix [NUTM-4938]: [Endpoint] Customers who expand their EP license do not get EP Protection enabled
Fix [NUTM-5049]: [Endpoint] Liveconnect Connectivity Issue
Fix [NUTM-4400]: [HA/Cluster] pg_ctl: PID file “/var/storage/pgsql92/data/postmaster.pid” does not exist
Fix [NUTM-3158]: [Kernel] Kernel freeze when running Web Proxy in full transparent mode
Fix [NUTM-3490]: [Network] Ethernet Bridge with dynamic IP loses connectivity after IP renewal
Fix [NUTM-4592]: [Network] OSPF: SSL VPN route injection still not working in 9.404
Fix [NUTM-5147]: [Network] Kernel panic on several SG135 – Kernel Fixes
Fix [NUTM-5542]: [SUM] Availability Group is unresolved after it was re-deployed without a real change
Fix [NUTM-5207]: [Sandboxd] Sandbox error when downloading a file with an umlaut in file name
Fix [NUTM-5209]: [Sandboxd] sandboxd is unable to open database file due to wrong ownership
Fix [NUTM-4816]: [Up2Date] Up2Date downloader logs errors in uplink balancing setups
Fix [NUTM-488]: [Virtualization] Fix unstable NIC ordering on VMWare
Fix [NUTM-5334]: [WebAdmin] Authenticated users might gain access to stored passwords (CVE-2016-7397, CVE-2016-7442)
Fix [NUTM-4167]: [Web] Web Protection Reporting filtered by departments doesn’t provide all data
Fix [NUTM-4806]: [Web] sandboxd is unable to insert into TransactionLog on HA setup
Fix [NUTM-4876]: [Web] URL request to parent proxy seems to be sent as http request instead of https
Fix [NUTM-5136]: [Web] Web proxy in transparent mode removes authentication header
Fix [NUTM-5082]: [WiFi] IPSec traffic is not routed properly if the client is connected over Hotspot
Fix [NUTM-5303]: [WiFi] Characters in Hotspot terms of use not encoded correctly

Rescue Sophos UTM HA Slave Node with manual update

Last week I needed to reinstall one node of a Sophos UTM HA system. Compared to the live system, the new node was missing three updates. I set the HA configuration to “automatic” and connected both UTMs at the HA interface. They could see each other, but the slave device couldn’t get the updates, so I had to install them manually. This was my situation:

<M> utm:/root # ha_utils
– Status ———————————————————————–
Current mode: HA MASTER with id 1 in state ACTIVE
— Nodes ———————————————————————–
MASTER: 1 Node1 198.19.250.1 9.407003 ACTIVE since Mon Oct 10 13:17:26 2016
SLAVE: 2 Node2 198.19.250.2 9.357001 UP2DATE since Mon Oct 10 13:17:43 2016
— Load ————————————————————————
Node 1: [1m] 1.12 [5m] 0.96 [15m] 0.93
Node 2: [1m] 0.02 [5m] 0.05 [15m] 0.06

– Kernel ———————————————————————–
Current mode: enabled master
interface: eth3
Local ID: 198.19.250.1
debug: off
verbose: off
ppp sync: off
port smtp: 25
port pop3: 8110
port ftp: 2121

– PostgreSQL ————————————————————————
(N/A)

I tried to connect via SSH, but I always got this error message:

<M> utm:/root # ha_utils ssh

Connecting to slave 198.19.250.2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
40:5d:86:75:60:74:60:47:7e:53:78:1f:e6:20:a2:e0 [MD5].
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /etc/ssh/ssh_known_hosts:22
ECDSA host key for 198.19.250.2 has changed and you have requested strict checking.
Host key verification failed.

I renamed the trusted hosts file to establish a new connection:

<M> utm:/root # mv /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts_backup
<M> utm:/root # ha_utils ssh

Connecting to slave 198.19.250.2
The authenticity of host ‘198.19.250.2 (198.19.250.2)’ can’t be established.
ECDSA key fingerprint is 40:5d:86:75:60:74:60:47:7e:53:78:1f:e6:20:a2:e0 [MD5].
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘198.19.250.2’ (ECDSA) to the list of known hosts.
loginuser@198.19.250.2’s password:
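Moving /etc/ssh/ssh_known_hosts aside works, but it also throws away the pinned keys of every other host. The following helper, an added example that is not part of the original post, forgets only the entries for one host (plain IP or name, comma-separated aliases and the “[host]:port” form), leaves hashed entries alone, and includes a constructed sample trust store so it can be tried offline; the file path and sample keys are assumptions for the demonstration, not values from the UTM.

```shell
#!/bin/sh
# Added example, not part of the original post: forget only the stale key of one
# host in a known_hosts file instead of moving the whole file aside (which also
# discards every other host's pinned key). Works on the files named in the SSH
# warning above, e.g. /etc/ssh/ssh_known_hosts or /root/.ssh/known_hosts.
# Matches plain hostnames/IPs, comma-separated aliases and "[host]:port" forms;
# hashed entries (|1|...) cannot be matched by name and are left untouched.

# awk program shared by both functions: returns 1 when the current line names host h
KH_MATCH='
    function line_names_host(h,    names, n, parts, i, p) {
        if (NF == 0 || $1 ~ /^#/) return 0        # blank line or comment
        names = $1
        if (names ~ /^@/) names = $2              # @cert-authority / @revoked marker
        n = split(names, parts, ",")
        for (i = 1; i <= n; i++) {
            p = parts[i]
            sub(/^\[/, "", p); sub(/\]:[0-9]+$/, "", p)   # [host]:port -> host
            if (p == h) return 1
        }
        return 0
    }'

# print how many lines in file $1 pin a key for host $2
count_known_host_lines() {
    awk -v h="$2" "$KH_MATCH"'
        line_names_host(h) { c++ }
        END { print c + 0 }' "$1"
}

# remove every line that pins a key for host $2 from file $1 (in place)
remove_known_host() {
    file="$1"; host="$2"
    [ -f "$file" ] || return 1
    tmp="$file.tmp.$$"
    awk -v h="$host" "$KH_MATCH"'
        !line_names_host(h) { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# constructed sample trust store for the demonstration (keys are dummies)
make_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample, not a real trust store
198.19.250.2 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY=
198.19.250.2,node2 ssh-rsa AAAAB3NzaC1yc2E=
[198.19.250.2]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5=
198.19.250.3 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5=
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5=
EOF
}

# usage on the master: remove_known_host /etc/ssh/ssh_known_hosts 198.19.250.2
```

After `remove_known_host /etc/ssh/ssh_known_hosts 198.19.250.2`, the next `ha_utils ssh` asks once about the slave’s new key. Before answering yes, compare the fingerprint it shows with `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` run on the slave’s own console (the standard OpenSSH path, assumed here to be the same on the UTM); a freshly reinstalled node is expected to have a new key, but that check is what separates the expected change from the man-in-the-middle case the warning talks about.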

I downloaded the specific update files to the tmp-folder of the master UTM:

<M> utm:/tmp # mkdir my-updates
<M> utm:/tmp # cd my-updates/
<M> utm:/tmp/my-updates # wget ftp://ftp.utm.de/UTM/v9/up2date/u2d-sys-9.357001-404005.tgz.gpg
<M> utm:/tmp/my-updates # wget ftp://ftp.utm.de/UTM/v9/up2date/u2d-sys-9.405005-406003.tgz.gpg
<M> utm:/tmp/my-updates # wget ftp://ftp.utm.de/UTM/v9/up2date/u2d-sys-9.406003-407003.tgz.gpg

After this I copied the files via SCP to the slave unit:

<M> utm:/tmp/my-updates # scp u2d-sys-9.357001-404005.tgz.gpg loginuser@198.19.250.2:/tmp
<M> utm:/tmp/my-updates # scp u2d-sys-9.405005-406003.tgz.gpg loginuser@198.19.250.2:/tmp
<M> utm:/tmp/my-updates # scp u2d-sys-9.406003-407003.tgz.gpg loginuser@198.19.250.2:/tmp

Then I moved all files to the sys folder and installed the updates:

<M> utm:/tmp/my-updates # ha_utils ssh
<S> utm:/tmp # mv u2d-sys-9.357001-404005.tgz.gpg /var/up2date/sys/u2d-sys-9.357001-404005.tgz.gpg
<S> utm:/tmp # mv u2d-sys-9.405005-406003.tgz.gpg /var/up2date/sys/u2d-sys-9.405005-406003.tgz.gpg
<S> utm:/tmp # mv u2d-sys-9.406003-407003.tgz.gpg /var/up2date/sys/u2d-sys-9.406003-407003.tgz.gpg
<S> shb:/var/up2date/sys-install # auisys.plx

After a restart and the sync process, the cluster works properly again:

<M> utm:/tmp/my-updates # ha_utils
– Status ———————————————————————–
Current mode: HA MASTER with id 1 in state ACTIVE
— Nodes ———————————————————————–
MASTER: 1 Node1 198.19.250.1 9.407003 ACTIVE since Mon Oct 10 13:17:26 2016
SLAVE: 2 Node2 198.19.250.2 9.407003 ACTIVE since Tue Oct 11 09:22:33 2016
— Load ————————————————————————
Node 1: [1m] 0.98 [5m] 1.60 [15m] 2.03
Node 2: [1m] 0.18 [5m] 1.12 [15m] 1.18

– Kernel ———————————————————————–
Current mode: enabled master
interface: eth3
Local ID: 198.19.250.1
debug: off
verbose: off
ppp sync: off
port smtp: 25
port pop3: 8110
port ftp: 2121

– PostgreSQL ————————————————————————
primary | standby | lag | bytelag
———+———+————–+———-
1 | 2 | 00:00:00.5 | 0

Cisco WLC HA with 2504 series

I already posted a tutorial about Cisco WLC HA with the 5500 series, but here I want to show you how to configure an N+1 high availability system with Cisco 2504 WLCs. Our main WLC will be a Cisco 2504 AIR-CT2504-5-K9 (supports five access points) and the HA unit a Cisco 2504 AIR-CT2504-HA-K9. Here is the basic configuration of our test environment:

WLC1-management-IP: 192.168.101.240
WLC1-virtual-IP: 1.1.1.1
WLC1-Hostname: BiWLC1
WLC2-management-IP: 192.168.101.241
WLC2-virtual-IP: 1.1.1.1
WLC2-Hostname: BiWLC2
Software Version on both WLCs: 8.3.102.0
Field Recovery Image Version: 7.6.101.1

The virtual IP needs to be the same on both controllers! The mobility domain name and the RF group name also need to be the same:

[Image: bigroup]

Set the second WLC to be the HA SKU unit:

[Image: ha-sku]

Now we will configure a mobility group. Take the MAC address of the virtual interface:

BiWLC1:

[Image: wlc1-mobilitygroup]

BiWLC2:

[Image: wlc2-mobilitygroup]

As you can see, the entries are mirrored. If you have configured everything correctly, you will see the following entries in the trap logs:

Thu Sep 29 13:26:34 2016 Data path to mobility member 192.168.101.240 is up.
Thu Sep 29 13:26:26 2016 Control path to mobility member 192.168.101.240 is up.

Or you can check it under Controller / Mobility Management / Mobility Groups. Both the data and the control path need to be up. Once I had a problem where one path didn’t come up; just restart the second WLC and check again. To make the access points fail over to BiWLC2 once BiWLC1 goes down, we need to configure the High Availability options under Wireless / Access Points / Global Configuration:

[Image: ap-ha-global]

Don’t be confused by “Back-up Primary Controller IP Address”: this is the second WLC. “Back-up Secondary Controller IP” is the tertiary WLC. I also configure the WLCs directly in every AP, “to be sure” 🙂

[Image: ap-ha]

Do you want CLI commands for this? Ask me in the comments!

Sophos UTM Update Version 9.407-3 out now!

Sophos published a new maintenance release for the UTM:

  • System will be rebooted
  • Configuration will be upgraded
  • Connected REDs will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade

Bugfixes:

NUTM-4079 [AWS] DNS Resolver too slow for ELBs
NUTM-3885 [Access & Identity] [RED] RED50 reconnecting every 30 minutes
NUTM-4502 [Access & Identity] [RED] reactivating RED management causes problem with provisioning server
NUTM-4749 [Access & Identity] [RED] interface default routes are not written
NUTM-4832 [Access & Identity] 9.404 SSL site-to-site VPN client is not compatible with older UTM versions
NUTM-4870 [Access & Identity] STAS: Packetfilter rule is written too late when enabling the feature
NUTM-4875 [Access & Identity] 9.404 SSL site-to-site VPN doesn’t work with static IP setting
NUTM-4881 [Access & Identity] IPsec remote access xauth fails with “could not find cache entry”
NUTM-4918 [Access & Identity] HTML5 VPN: Portuguese (Brazil) keyboard doesn’t appear to support special characters
NUTM-4974 [Access & Identity] UTM unable to connect to support tunnel
NUTM-4981 [Access & Identity] [RED] RED management can’t be reactivated after a Backup / Restore
NUTM-4987 [Access & Identity] 9.404 SSL site-to-site VPN client compatibility to older openvpn versions
NUTM-5004 [Access & Identity] [RED] misleading peer status send
NUTM-4941 [Basesystem] NTP Vulnerability
NUTM-5132 [Basesystem] Disable weak ciphers for webadmin
NUTM-3180 [Confd] IP Address change was not applied properly to the interface
NUTM-4346 [Documentation] Enhance documentation regarding unencrypted SSO AD password in printable configuration
NUTM-3225 [Email] JSON error when accessing Data Loss Prevention Tab and SMTP Profiles
NUTM-3483 [Email] Missing/incomplete logging for sandstorm in SMTP proxy
NUTM-3505 [Email] MIME type blacklist can be bypassed if an another file is whitelisted
NUTM-3666 [Email] Mail log in user portal is case-sensitive
NUTM-3667 [Email] RAR and XLSX files causing Scanner timeout or deadlock – moving to error queue
NUTM-4331 [Email] Implement more error handling in QMGR for error cases
NUTM-4874 [Email] SMTP proxy can’t be disabled when upgrading from 9.31x
NUTM-5228 [Email] change LogLevel in httpd-spx-reply.conf to warn
NUTM-5355 [Email] Increase AV Scanner timeout to 60 seconds
NUTM-2768 [HA/Cluster] 36307: Postgres can’t be started on Slave / rsync error: error in socket IO (code 10) at clientserver.c(122) [receiver=3.0.4]
NUTM-4894 [Logging] Fallback log on slave node is filling up the partition
NUTM-1954 [Network] 35457: Amazon VPC gets imported but quagga doesn’t start
NUTM-3092 [Network] snmp does not work: because 10G modules query of link status timeout if no GBIC is plugged
NUTM-3115 [Network] AFC misclassifying HTTPS connections as ‘OpenVPN’
NUTM-3157 [Network] [INFO-152] Network Monitor not running – restarted
NUTM-3229 [Network] IPv6 over transparent proxy
NUTM-3247 [Network] Spam Filter cannot query database servers from Slave if a block all AFC rule exists
NUTM-4037 [Network] Update kernel to 3.12.58
NUTM-4992 [Network] Unitymedia / KabelBW customer getting always the MTU 576
NUTM-4885 [Reporting] SSL VPN reporting shows no user with a “#” sign in the username
NUTM-4593 [Sandboxd] Constant error when inserting record into sandstorm transactionlog table
NUTM-5128 [Virtualization] Incorrect interface order on HyperV
NUTM-4868 [WAF] WAF service restart issue (segmentation fault in mod_avscan)
NUTM-5266 [WAF] Form auth default template login not possible with chrome and FF
NUTM-4916 [WebAdmin] User portal: add Windows 10 to list of supported OSs for SSL VPN
NUTM-2447 [Web] 36231: HTTP proxy policy matching with backend groups is sometimes not working
NUTM-4525 [Web] Handle ha zeroconf for sandbox_reportd
NUTM-4806 [Web] postgres[xxxxx]: [x-x] STATEMENT: INSERT INTO TransactionLog
NUTM-4877 [Web] segfault after installing ep-httpproxy-9.40-319.g32fa996.i686.rpm
NUTM-4127 [WiFi] MAC filter whitelist does not work after editing the MAC Address List
NUTM-4451 [WiFi] Mesh AP doesn’t connect after deleting the AP from webadmin
NUTM-4913 [WiFi] Hotspot voucher QR code pointing to IP address instead of configured host name
NUTM-5032 [WiFi] ‘STA WPA Failure’ messages not appearing in wireless log

Security update 9.406-3 for Sophos UTM ready to install!

With this release Sophos fixes the TCP vulnerability in the Linux kernel (CVE-2016-5696). A reboot is required!

Bugfixes:

NUTM-1616 [AWS] Change AMI type to HVM
NUTM-4839 [AWS] AWS Instances in GovCloud need to use S3 buckets in GovCloud
NUTM-5013 [Network] TCP Vulnerability (CVE-2016-5696)

Download:

ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.405005-406003.tgz.gpg
http://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.405005-406003.tgz.gpg

Cisco switch “inline power denied”

I had a curious problem with the new Cisco Aironet access points “AIR-AP2702I-UXK9”. These are universal (country-independent) APs. After several seconds, the access points from this series (connected directly to the PoE switches) performed a power reset. Powering these APs with a PoE injector solved the problem. The Cisco switches used in the environment are 3550 series. The installed firmware is from 2004, and I thought it could be a problem with CDP and PoE, so I debugged CDP events on the Cisco switch. The AP started again (without the injector), and after the reset I could see the following debug messages:

012844: Aug 22 09:51:45: CDP-EV: Unrecognized type (22) seen in TLV
012845: Aug 22 09:51:45: CDP-EV: Number of addresses <0> in Address Tlv is NOT > 0
012846: Aug 22 09:51:45: CDP-EV: Number of addresses <0> in Mgmt Address Tlv is NOT > 0
012847: Aug 22 09:51:52: CDP-EV: Unrecognized type (22) seen in TLV
012848: Aug 22 09:51:52: CDP-EV: Invalid protocol type (0)
012849: Aug 22 09:51:53: CDP-EV: Unrecognized type (22) seen in TLV
012850: Aug 22 09:51:53: CDP-EV: Invalid protocol type (0)
012851: Aug 22 09:52:49: CDP-EV: Unrecognized type (19) seen in TLV
012852: Aug 22 09:52:49: CDP-EV: Unrecognized type (22) seen in TLV
012853: Aug 22 09:52:49: CDP-EV: Invalid protocol type (0)
012854: Aug 22 09:52:49: %ILPOWER-5-ILPOWER_POWER_DENY: Interface Fa0/11: inline power denied

Normally, APs draw 15 or 15.4 W, but the 2700 series needs at least 16.8 W to run at “PoE/Full Power”, so it asks via CDP for more. The old switch (or maybe the old firmware) doesn’t understand the new AP’s CDP, so the switch denies inline power as a precaution. Deactivating CDP on this specific port also solves the problem, but then the AP runs in “PoE/Medium Power”, which is not good: Cyclic Shift Diversity (CSD) disabled, 2 of 4 transmitters disabled, data rates MCS 8-15 disabled, no spatial streams possible, etc. (see here and here).
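When a switch has many PoE ports, the interesting question is which “inline power denied” events were preceded by CDP messages the switch could not parse (as here) and which were plain budget denials. The check below is an added example, not part of the original post: it pairs each ILPOWER deny line with the unrecognized-TLV and invalid-protocol CDP events logged before it, and embeds the debug lines from the post so it runs offline. The function names are mine; the log format is exactly what the post shows.

```shell
#!/bin/sh
# Added example, not part of the original post: pair each ILPOWER "inline power
# denied" event with the CDP debug events the switch logged on the way there, so
# a port whose PoE request failed because the switch could not parse the AP's
# CDP TLVs stands out from a port that is simply over the power budget.
# Input is "debug cdp events" / syslog output in the format pasted in the post.

# report one line per power-deny event; reads a file argument or stdin
cdp_power_deny_report() {
    awk '
    /CDP-EV: Unrecognized type \(/ {
        match($0, /type \([0-9]+\)/)
        t = substr($0, RSTART + 6, RLENGTH - 7)        # the number inside "type (NN)"
        unrec++
        if (!(t in seen)) { seen[t] = 1; types = types (types == "" ? "" : " ") t }
        next
    }
    /CDP-EV: Invalid protocol type/ { inv++; next }
    /ILPOWER_POWER_DENY/ {
        match($0, /Interface [^:]+:/)
        iface = substr($0, RSTART + 10, RLENGTH - 11)  # text between "Interface " and ":"
        ts = $2 " " $3 " " $4; sub(/:$/, "", ts)       # e.g. "Aug 22 09:52:49"
        printf "%s: inline power denied at %s (unrecognized CDP TLV events: %d, types %s; invalid protocol events: %d)\n", iface, ts, unrec, (types == "" ? "none" : types), inv
        unrec = 0; inv = 0; types = ""; split("", seen)   # start over for the next event
    }' "$@"
}

# the debug lines from the post, embedded so the check runs offline
sample_cdp_log() {
    cat <<'EOF'
012844: Aug 22 09:51:45: CDP-EV: Unrecognized type (22) seen in TLV
012845: Aug 22 09:51:45: CDP-EV: Number of addresses <0> in Address Tlv is NOT > 0
012846: Aug 22 09:51:45: CDP-EV: Number of addresses <0> in Mgmt Address Tlv is NOT > 0
012847: Aug 22 09:51:52: CDP-EV: Unrecognized type (22) seen in TLV
012848: Aug 22 09:51:52: CDP-EV: Invalid protocol type (0)
012849: Aug 22 09:51:53: CDP-EV: Unrecognized type (22) seen in TLV
012850: Aug 22 09:51:53: CDP-EV: Invalid protocol type (0)
012851: Aug 22 09:52:49: CDP-EV: Unrecognized type (19) seen in TLV
012852: Aug 22 09:52:49: CDP-EV: Unrecognized type (22) seen in TLV
012853: Aug 22 09:52:49: CDP-EV: Invalid protocol type (0)
012854: Aug 22 09:52:49: %ILPOWER-5-ILPOWER_POWER_DENY: Interface Fa0/11: inline power denied
EOF
}

# usage: sample_cdp_log | cdp_power_deny_report
#    or: cdp_power_deny_report switch-debug.log
```

A deny line reported with “types none” and no invalid-protocol events points to the power budget rather than to CDP; one that, like Fa0/11 here, follows TLV types the switch has never seen is the firmware-age problem described above.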

Maybe a firmware update could solve the problem; we haven’t been able to test this yet. The customer will use newer switches at the new location.