SonicOS 7.0.1-5095 released
BWC
Hi all,
There is a new release available for Gen7 appliances; the release notes contain some interesting resolved issues and some really weird ones, like this:
GEN7-26093 SSL VPN will not work if DPI and Stateful Firewall Security is applied before enabling SSL VPN.
I will install it on a few machines, but no broad deployment atm.
--Michael@BWC
Category: Entry Level Firewalls
Comments
Wow, what a long list of fixes!
Looks like those guys have been playing whack-a-mole with these bugs over the past two months.
I'm left wondering if there's ever going to be stabilization...
The Resolved list is good as it corrects a number of issues mentioned here on the forum.
Known Issues list is always more interesting.
"GEN7-35285 The packet monitor drop-down packet details may display information that is not related to the packet.
GEN7-35640 Traffic is not distributed as expected after a failover when using source and destination IP address binding in Round Robin-based WAN Load Balancing."
So Packet Monitor is not reliable, and neither is a key setting for RoundRobin LB!
Applied this firmware and found I couldn't pass any DNS traffic. ICMP would leave the WAN, however no DNS. Reverted back to 5080 and it's working correctly.
@pbnj can you explain which DNS traffic you mean? Client to DNS Proxy on the Firewall or Client to WAN to a public Resolver?
The few appliances of mine which are already upgraded are working without trouble so far.
--Michael@BWC
@BWC
Apologies for the delay. Real life...
I didn't do a lot of testing as I was in a pretty solid down state.
Mainly confirmed that wireless networks weren't passing or receiving DNS traffic. All wired networks experienced the same. No DNS traffic passing on local network to local DNS server. No DNS traffic passing from local network to public DNS servers. For example 8.8.x.x. I think only DNS was affected.
Last test I performed was seeing if the sonicwall itself could pass traffic to local or external DNS servers. No DNS traffic would pass.
This could be related to a security setting. I have most of the bells and whistles enabled. Reverting to the prior known working version with a backed-up config got things up and running faster than figuring out where the break actually was. I just rebuilt the thing and haven't configured the logging yet, so logs were pretty useless when I checked them.
Please let me know if you have any questions.
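The triage described in the post above (does DNS reach the local resolver, does it reach a public resolver such as 8.8.x.x, and does the path behave the same over UDP and TCP) can be scripted so it takes a minute rather than guesswork during an outage. The following is an added example and not code from this thread or from SonicWall; it builds a raw RFC 1035 A query, sends it over UDP and over TCP port 53, and reduces each result to one label. The resolver addresses, the queried name and the labels are assumptions and placeholders; it does not probe ICMP (that needs raw sockets), so run it beside a plain ping to get the "ICMP passes, DNS does not" comparison from the post.

```python
"""Post-upgrade DNS path check (added example, not from the forum thread).

For each resolver it reports whether a query is answered, dropped, or
answered by something other than the resolver, over UDP and over TCP.
"""
import random
import socket
import struct

# Constructed placeholders: replace with the resolvers your clients really use.
LOCAL_RESOLVER = "192.0.2.53"   # documentation-range stand-in for an internal DNS server
PUBLIC_RESOLVER = "8.8.8.8"     # the public resolver family mentioned in the thread
TEST_NAME = "example.com"       # any name the resolvers are expected to answer
TIMEOUT_S = 2.0


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (RFC 1035 wire format, class IN, RD set)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_txid):
    """Extract the header fields that matter for triage: id match, QR bit, RCODE, answer count."""
    if len(data) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id_ok": txid == expected_txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "answers": ancount,
    }


def query_udp(resolver, name, timeout=TIMEOUT_S):
    """Send one UDP query; return the parsed header or {'error': reason}."""
    txid = random.randrange(0, 0x10000)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, txid=txid), (resolver, 53))
            data, _ = s.recvfrom(512)
        return parse_response(data, txid)
    except (OSError, ValueError) as e:
        return {"error": str(e)}


def query_tcp(resolver, name, timeout=TIMEOUT_S):
    """Same query over TCP/53 (two-byte length prefix) to separate UDP-only drops from a full block."""
    txid = random.randrange(0, 0x10000)
    q = build_query(name, txid=txid)
    try:
        with socket.create_connection((resolver, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            prefix = s.recv(2)
            if len(prefix) < 2:
                return {"error": "connection closed before length prefix"}
            (length,) = struct.unpack("!H", prefix)
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    break
                data += chunk
        return parse_response(data, txid)
    except (OSError, ValueError) as e:
        return {"error": str(e)}


def classify(result):
    """Collapse one query result into a single triage label."""
    if "error" in result:
        return "no-response"      # dropped by the firewall, filtered, or resolver down
    if not result["is_response"] or not result["id_ok"]:
        return "malformed"        # something other than the resolver replied
    if result["rcode"] == 0 and result["answers"] > 0:
        return "answered"
    return "rcode-%d" % result["rcode"]


def run_checks(resolvers=(LOCAL_RESOLVER, PUBLIC_RESOLVER), name=TEST_NAME):
    """Return {resolver: {'udp': label, 'tcp': label}} for every resolver."""
    return {r: {"udp": classify(query_udp(r, name)),
                "tcp": classify(query_tcp(r, name))} for r in resolvers}


if __name__ == "__main__":
    for resolver, outcome in run_checks().items():
        print("%16s  udp=%-12s tcp=%s" % (resolver, outcome["udp"], outcome["tcp"]))
```

Run it from a client behind the firewall and again from a host on the WAN side if you have one; "no-response" on the local resolver but "answered" on the public one points at a LAN-side or proxy problem, while "no-response" everywhere with ping still working matches the symptom reported above and is worth keeping as evidence alongside a packet monitor capture.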
@pbnj thanks for the feedback, I cannot confirm the issues you've experienced in general. It might be triggered by a specific setting. I have probably most of the related settings activated, incl. DNS Security etc. as well.
In the meantime I upgraded a handful of Appliances (all TZs for now), more to come in the following days.
A Packet-Monitor would be great to have when this happens. But dealing with a non-working network often leaves no room for further research, which is very unfortunate.
--Michael@BWC
@BWC
Turns out it was this guy:
Turned it off and back in business.
I'll tinker with it later when time permits. I don't think it's a misconfiguration on my end, but will confirm. If it isn't a misconfiguration, the chances of me opening a support ticket are slim to none.
Please let me know if you have any questions.
Hi,
I upgraded yesterday to this firmware and it broke our internet connection completely. None of the access rules were hit and the throughput was no more than around 1Mbps on our 1Gbps WAN connection. So I rebooted both devices (we run a HA active/standby pair) but that did not help.
I called our supplier and we pulled all the cables from the standby unit and I had to download the 5080 firmware and boot with this, with current config. That restored our connection. Troubleshooting time is not available when the whole company works in the cloud, so we had to act quickly.
I find it also strange that when you want to downgrade the firmware that you cannot simply select the previous firmware and select boot this with current config. Well, the button is there but when you select it, it reads boot the 5095 with current config while I am absolutely sure that I selected the 5080 version.
Also, why do I need to pull all cables from the standby unit to downgrade? At least, that is what our supplier told me to do. So now I have to repair the HA setup also and hope that a next try of upgrading the firmware now succeeds.
Does anybody have issues with this firmware? I cannot believe that the above dns proxy setting is the culprit since there was also no incoming traffic.
Kind regards,
Renzo
Yeah, that setting can be really painful to use. I only used it once, when I changed the provider and had to use new DNS servers and many of the old ones were entered manually on the machines. The setting worked fine as it intercepted the DNS requests and I had time to change them on the machines. After 3 days some stuff was acting weird; I turned the setting back off and everything was fine. A dangerous switch it is...
Yes, whacked the mole for 5 months for issue GEN7-33847 - 🤣
We had a somewhat similar issue. We tried to put in 5095 and it completely took down the network. We eventually narrowed it down to the upgrade applying PortShield settings on our redundant ports. Well, HA can't be used with PortShield, so it broke both things, which caused the network to go haywire due to both firewalls being plugged into our redundant core switches. We also disconnected the secondary firewall from the primary and the network and then one by one restored each to factory and then loaded 5080 firmware and config files. All was well after that, but super annoying. I talked to SonicWall support, and they wanted me to tear down the redundant ports, reconfigure HA, and then re-enable the redundant ports, but by this point we were just more concerned with getting things back together and the restore seemed like the easier option. Hopefully they get this resolved in future upgrades. I do suggest opening a ticket directly with Sonicwall so they have as many ticketed incidents of this behavior as possible.