2FA Totally crashing anyone else's TZ570?
Firmware 7.x on TZ570
Enabled TOTP for SSLVPN and when user enables it for the first time, the network communication freezes briefly. If the user resets it quickly a few times then the ENTIRE network STOPS communicating and the physical firewall device must be unplugged. (Having an HA device does not prevent network failure and the firewall will not respond to IP traffic including admin login.)
That means a user could crash the entire network by accident or intentionally.
Anyone else use TOTP?
Best Answers
ASCChuck Newbie ✭
OMG! The latest firmware, sw_tz_570.7.0.1-5023-R1826-H17127-377.bin.sig, actually works! TOTP works without crashing the entire network! Last weekend, October 23 2021 was the FIRST time the device was fully functional! Do you think we will get a credit for the support time where the device did not work? I have asked this before and their response was "We would not have worked on the issue if you didn't have a support package." I would LOVE to sell that guy a new car that would not run for 11 months and have him pay insurance on it during that time and see if he still feels the same way.
Answers
Hi @ASCChuck, what firmware are you running?
You should specify the sub-version of the firmware when posting. Sonicwall OS 7 has had plenty of issues up to and including the latest (7.1465).
I use TOTP and do not have this issue on 7.1465.
I'm using the latest firmware for the TZ570 (7.0.1-R1456) since the prior firmware has even more issues. Support won't even tell the developers about this issue since they can't replicate it. I will look to see if a newer version is available.
Just be aware! I will try to get a scenario that causes the total network shutdown.
I would be willing to try to replicate the issue if you find the trick.
@preston thanks for the hint about the new release, checked all my TZ downloads and it is only available for the TZ 270 at the moment, YMMV.
This will change in the next hours I guess.
--Michael@BWC
@BWC , Hi Michael, they should all be available already I can see all of them, if you search for the model does it show?
@preston I logged off and on again to MSW, TZ 570 download is now available, TZ 670 still missing, no other Gen7 under control at the moment. Will give it another shot later.
--Michael@BWC
I had an issue a while back: it showed all of them apart from the TZ570W, if I searched in the search box for TZ 570W it showed the latest.
In the meantime it ascended from the depths of MSW. Maybe it was some kind of caching issue, I left the browser open and after 1 or 2 hours it appeared after hitting the refresh again, all good.
--Michael@BWC
Confirmed new firmware available: sw_tz_570_eng.7.0.1-5018-R1709.bin.sig Will have to test tonight or tomorrow!
FYI, on my 670 with 5018-R1709 the device kept randomly rebooting. I had to downgrade. It is in this post.
Tested and now using sw_tz_570_eng.7.0.1-5018-R1709.bin.sig and it seems to be good. TOTP still has issues: If you enter the one-time only code as the first code, you won't have a one-time code and more importantly if you try to reset it, it gives you the SAME QR CODE and a one-time code of "0" which doesn't work.
Scenario: A user saved the QR code and a hacker hacks their PC. The user "resets" their TOTP but it's NOT really reset and the hacker can still get in.
You need to DELETE the user and that clears bookmarks and maybe other saved settings.
But at least it doesn't crash the whole network! Yea?
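The reset problem described in the post above, written up as an added example (not SonicWall's code; class and function names are hypothetical): a minimal TOTP enrollment store whose reset actually discards the old secret, with a check that a code derived from the previously issued QR secret is rejected afterwards.

```python
# Added example (not SonicWall's code): a minimal TOTP enrollment store that
# shows what a correct "reset" must do. All names here are hypothetical.
import base64, hashlib, hmac, secrets, struct

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TotpStore:
    """Per-user TOTP state. reset() must rotate the secret, not re-issue it."""
    def __init__(self):
        self._secrets = {}

    def enroll(self, user):
        """Generate a fresh 20-byte secret; return it base32 (the QR payload)."""
        self._secrets[user] = secrets.token_bytes(20)
        return base64.b32encode(self._secrets[user]).decode()

    def reset(self, user):
        """Correct reset: discard the old secret and issue a new one.
        Handing back the same QR code, as the thread describes, would leave a
        previously captured secret valid."""
        self._secrets.pop(user, None)
        return self.enroll(user)

    def verify(self, user, code, now):
        secret = self._secrets.get(user)
        if secret is None:
            return False
        # Accept one 30 s step of clock skew either side.
        return any(hmac.compare_digest(totp(secret, now + d * 30), code)
                   for d in (-1, 0, 1))

def reset_rotates_secret(user="alice", now=1_700_000_000):
    """Invariant check: after reset, the QR payload differs and codes from
    the old secret are rejected. Returns True when both hold."""
    store = TotpStore()
    old_b32 = store.enroll(user)
    old_secret = base64.b32decode(old_b32)
    accepted_before = store.verify(user, totp(old_secret, now), now)
    new_b32 = store.reset(user)
    accepted_after = store.verify(user, totp(old_secret, now), now)
    return accepted_before and new_b32 != old_b32 and not accepted_after
```

The `totp` function reproduces the RFC 6238 test vectors (secret `12345678901234567890`, T=59 gives `94287082` at 8 digits), so it can be checked against any standard authenticator app.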
Update.
Even the new version, sw_tz_570_eng.7.0.1-5018-R1709.bin.sig has MAJOR issues. While SonicWALL was testing, the remote access was blocked. That means that inside users could see outside, but anyone trying to remote in got timed out. The issue is with TOTP. If you are using TOTP with RADIUS, be careful, VERY CAREFUL!
@ASCChuck - might want to remove the "this question was answered" flag if it is not applicable...
A newer version is a better fix... sw_tz_570_eng.7.0.1-5027-R1938.bin.sig. Network has not crashed with this version, yet. YMMV