Firmware 12.6.2 (Build 628197) for M500 pulled?

I have an M500 cluster which we updated directly from watchguard.com within the WebUI to Fireware 12.6.2 (Build 628197) on 2020-09-06.
Now the web UI is reporting that this version is an unreleased version and the download webpage is reporting Fireware v12.5.4 as the latest version?

What happened here?


Comments

  • WG pulled it and V12.5.5 because of quality issues.
    They expect to have a replacement version soon.

    See my Sept. 22 post here re. an e-mail from WG on this:
    https://community.watchguard.com/watchguard-community/discussion/comment/5004

  • edited October 4

    Yes, we've started to have serious Mobile SSL VPN issues today out of the blue. Is it safe to rollback to Fireware 12.5.4 from 12.6.2?

    @Bruce_Briggs Also, I'd like to improve my processes, is there some feed to monitor or some subscription to get emails about such things? I didn't get any emails.

  • The e-mail went only to WG Partners, I believe.
    I don't see this info anywhere here:
    Product and Support News
    https://www.watchguard.com/wgrd-blog
    If you haven't signed up for any of these email updates - feel free.

    A downgrade is safe. Did you do a backup prior to your upgrade?
    If not, then the downgrade process is more difficult and time consuming.

    The v12.6.2 replacement version may be available as early as tomorrow.

  • James_Carson (Moderator, WatchGuard Representative)

    Hi @Staj

    SSLVPN issues aren't part of the issues that customers had experienced with 12.6.2. While you're welcome to roll back with your backup, it's very likely that it won't have any impact on SSLVPN connections.

    Any issues related to 12.6.2 likely would have been seen some time ago.

    I'd suggest opening a support case so that the support team can get more details related to the VPN issues you're running into.

    -James Carson
    WatchGuard Customer Support

  • @James_Carson I'll open a ticket shortly then. Getting severe packet loss over Mobile SSL VPN and when RDP is running across it, packet loss goes to 100% without dropping OpenVPN tunnel. No firewall issues that I can see.

    I would like to know about things like pulled releases though in the future, is there a way to be notified? Silently pulling releases isn't really acceptable...

  • James_Carson (Moderator, WatchGuard Representative)

    Hi @Staj

    Subscribing to the support blog and ensuring that you have support alerts on should get you all the pertinent alerts.

    Support Blog - https://www.watchguard.com/wgrd-blog
    Support Alerts - Log into WatchGuard.com, go to My WatchGuard -> Manage Profile, and click the Email Preferences button. The check marks opt you out of things. You'll also see your email listed in manage profile.

    -James Carson
    WatchGuard Customer Support

  • @James_Carson I haven't opted out of WatchGuard alerts and software updates or WatchGuard general and education notices. Which category does this sort of thing fall under? Also, as @Bruce_Briggs mentioned, this issue doesn't appear to have been published on the blog.

  • James_Carson (Moderator, WatchGuard Representative)

    Hi @Staj
    It'd be under support alerts if there was one.

    The update notification when the new one goes out should be on the customer support blog, along with the release notes for it.

    -James Carson
    WatchGuard Customer Support

  • Hi @James_Carson
    Thanks for the information on new releases, but I'm concerned about pulled releases. I don't really want to make a web scraper that constantly checks whatever endpoint the web UI uses or the download page itself but I will if I don't have a way to know about pulled releases, I have aircraft operations traffic going over these boxes, I can't afford to be running pulled firmware.

  • James_Carson (Moderator, WatchGuard Representative)

    Hi @Staj
    I understand your concern here -- information is being made available related to the bugs and final fixes as those versions are released.

    -James Carson
    WatchGuard Customer Support

  • That doesn't help during the period where a release is pulled and a replacement release is issued, WatchGuard apparently sent an email to partners, I don't see why it couldn't have sent one to customers. You're not giving me any options I can utilise to be better informed about pulled releases.

    I guess I have another programming project on my to-do list, I'll be sure to post that to GitHub as well. If WatchGuard isn't going to be proactive then I have to be.

  • In my very many years of using WG software/hardware, I have never seen WG pull a release before.
    And, yes, WG should have sent this info to customers too.

  • edited October 5

    FYI - my 1st WG OS version was WFS V4.1, sometime around 1999 - I have been seeing all of the releases since then.

  • edited October 5

    I'll be honest, this reminds me of when they required authentication to access the "Known Issues" section in the Fireware Release Notes years back, I wasn't very impressed with that either.

  • @Staj said:
    Yes, we've started to have serious Mobile SSL VPN issues today out of the blue. Is it safe to rollback to Fireware 12.5.4 from 12.6.2?

    @Bruce_Briggs Also, I'd like to improve my processes, is there some feed to monitor or some subscription to get emails about such things? I didn't get any emails.

    We also have SSL VPN issues since 12.6.2.

  • James_Carson (Moderator, WatchGuard Representative)

    Hi @ErikS
    I'd suggest opening a case if you haven't already.

    -James Carson
    WatchGuard Customer Support

  • Release Notes for V12.6.2 Update 2 are just out.
    The V12.6.2 U2 software version isn't there at the moment, but I expect it to be shortly.

  • @Bruce_Briggs said:
    Release Notes for V12.6.2 Update 2 are just out.
    The V12.6.2 U2 software version isn't there at the moment, but I expect it to be shortly.

    I will let you be the sacrificial lamb to test it!

    Gregg Hill

  • @Bruce_Briggs said:
    Release Notes for V12.6.2 Update 2 are just out.
    The V12.6.2 U2 software version isn't there at the moment, but I expect it to be shortly.

    Right now, 12.6.2 U2 is available but only via WatchGuard Cloud, per the release notes.

    Gregg Hill

  • Well, it depends on where you look in the Release Notes.

    The Release Notes in the Download Software show:
    "You can download software from the WatchGuard Software Downloads Center."

    The Release Notes in the Upgrade to Fireware v12.6.2 Update 2 show:
    "You can use WatchGuard Cloud, Fireware Web UI, or Policy Manager to upgrade your Firebox."

    So, until this version is available on the Downloads page (not yet) you can only upgrade the firewall via WatchGuard Cloud.

    Taking the plunge...

  • Plunge taken! Let's hope we don't drown!

    Gregg Hill

  • Had to reboot my Win 10 PC to install WSM V12.6.2 U2
    I was getting a Runtime Error - a reboot resolved it.

  • I installed WSM 12.6.2 U2 a few hours ago without incident on my Win 10 Pro 64-bit desktop. I had to wait for my wife to finish my billing before I upgraded the T20 just a few minutes ago.

    Gregg Hill

  • I don't know if it's related, but right before I upgraded my T20-W, I happened to look at FSM traffic and saw a bunch of denied hits to Amazon servers in Ireland. It was the T20's WAN IP trying to get out on UDP port 10108. I have no idea why it wanted out on that port to IRL, but since the upgrade and reboot, those packets have stopped, but it's only been a few minutes since the upgrade.

    2020-10-05 17:44:48 Deny src_ip=x.x.x.x dst_ip=34.248.145.13 pr=10108/udp src_port=10108 dst_port=10108 src_intf=Firebox dst_intf=Ext-Spectrum msg=blocked sites (geolocation destination) pckt_len=204 ttl=64 policy=(Any From Firebox-00) proxy_action= proc_id="firewall" rc="101" msg_id="3000-0173" geo_src="USA" geo_dst="IRL" geo="geo_dst" Traffic

    2020-10-05 17:47:34 Deny src_ip=x.x.x.x dst_ip=34.250.146.177 pr=10108/udp src_port=10108 dst_port=10108 src_intf=Firebox dst_intf=Ext-Spectrum msg=blocked sites (geolocation destination) pckt_len=124 ttl=64 policy=(Any From Firebox-00) proxy_action= proc_id="firewall" rc="101" msg_id="3000-0173" geo_src="USA" geo_dst="IRL" geo="geo_dst" Traffic

    Now I just see a bunch of DNS hits trying to reach from the T20's WAN IP as the source and trying to get to geo-blocked sites in SWE, IRL, DEU, FIN, SGP, AUS, AUT, FRA, and ITA. What the heck? I thought that DNSWatch was supposed to use USA servers.

    Gregg Hill
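
Added example (not part of the original thread and not WatchGuard code): a small Python parser for traffic-log lines in the format quoted in the post above, which counts denied connections that the Firebox itself originated, grouped by destination. The third and fourth sample lines are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Lines 1-2 are the entries quoted in the post above. Lines 3-4 are
# constructed for this example (a repeat Deny and a client Allow).
SAMPLE_LOG = """\
2020-10-05 17:44:48 Deny src_ip=x.x.x.x dst_ip=34.248.145.13 pr=10108/udp src_port=10108 dst_port=10108 src_intf=Firebox dst_intf=Ext-Spectrum msg=blocked sites (geolocation destination) pckt_len=204 ttl=64 policy=(Any From Firebox-00) proxy_action= proc_id="firewall" rc="101" msg_id="3000-0173" geo_src="USA" geo_dst="IRL" geo="geo_dst" Traffic
2020-10-05 17:47:34 Deny src_ip=x.x.x.x dst_ip=34.250.146.177 pr=10108/udp src_port=10108 dst_port=10108 src_intf=Firebox dst_intf=Ext-Spectrum msg=blocked sites (geolocation destination) pckt_len=124 ttl=64 policy=(Any From Firebox-00) proxy_action= proc_id="firewall" rc="101" msg_id="3000-0173" geo_src="USA" geo_dst="IRL" geo="geo_dst" Traffic
2020-10-05 17:45:50 Deny src_ip=x.x.x.x dst_ip=34.248.145.13 pr=10108/udp src_port=10108 dst_port=10108 src_intf=Firebox dst_intf=Ext-Spectrum msg=blocked sites (geolocation destination) pckt_len=204 ttl=64 policy=(Any From Firebox-00) proxy_action= geo_src="USA" geo_dst="IRL" geo="geo_dst" Traffic
2020-10-05 17:48:01 Allow src_ip=10.0.1.20 dst_ip=192.0.2.53 pr=dns/udp src_port=50123 dst_port=53 src_intf=Trusted dst_intf=Ext-Spectrum policy=(Outgoing-00) geo_dst="USA" Traffic
"""

HEAD_RE = re.compile(r"(\S+ \S+) (\w+) (.*)$")  # date time, disposition, rest
KEY_RE = re.compile(r"(?:^|\s)([a-z_]+)=")      # start of each key=value pair


def parse_line(line):
    """Split one traffic-log line into a dict, or return None if it does not fit."""
    head = HEAD_RE.match(line.strip())
    if not head:
        return None
    timestamp, disposition, rest = head.groups()
    event = {"time": timestamp, "disposition": disposition}
    keys = list(KEY_RE.finditer(rest))
    for i, key in enumerate(keys):
        # A value runs to the next key, so unquoted values may contain spaces
        # (msg=blocked sites (...)) or be empty (proxy_action=).
        end = keys[i + 1].start() if i + 1 < len(keys) else len(rest)
        value = rest[key.end():end].strip()
        if value.startswith('"'):
            # Quoted value: keep only the quoted part, dropping any trailing
            # token such as the final "Traffic" log-type word.
            value = value[1:].split('"', 1)[0]
        event[key.group(1)] = value
    return event


def firebox_denies(log_text):
    """Count Deny events sourced from the Firebox itself, per destination."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event["disposition"] == "Deny" and event.get("src_intf") == "Firebox":
            counts[(event.get("dst_ip"), event.get("pr"), event.get("geo_dst"))] += 1
    return counts


if __name__ == "__main__":
    for (dst_ip, proto, geo), n in firebox_denies(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {dst_ip:<16} {proto:<10} {geo}")
```

Run against a saved log export, this keeps a per-destination tally of the appliance's own blocked outbound traffic, which can then be compared before and after a firmware change.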

  • Here are the IP addrs for the DNSWatch DNS Servers. Not in some of those countries - so it must be something else.

    About DNSWatch DNS Servers
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/dnswatch/dnswatch_dns_servers_c.html

  • M470, upgraded to 12.6.2.B630604 through cloud.watchguard.com.
    Hopefully stable enough to fix the DHCP-problems.
    So far no problems.

  • @Bruce_Briggs said:
    Here are the IP addrs for the DNSWatch DNS Servers. Not in some of those countries - so it must be something else.

    About DNSWatch DNS Servers
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/dnswatch/dnswatch_dns_servers_c.html

    I just looked up the two DNSWatch IPs in IRL and they belong to Amazon. I suspect that DNSWatch uses AWS for its servers and Amazon is just spreading the love around to multiple IP addresses.

    I have not seen those hits since the 12.6.2 U2 firmware update last night.

    Gregg Hill

  • If this is so, then WG really needs to update their docs on the DNSWatch Servers being used.
    This is not what they have said to date.

  • Dang, now I wish I had saved the whole list of that traffic.

    Gregg Hill

  • Is there a reason why the update is not available on WebUI?

    Adrian from Australia
