Recovery Steps for USG FLEX/ATP Series Application Patrol Signature Issue

Zyxel_Emily
Zyxel_Emily Posts: 1,396  Zyxel Employee
Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
edited June 2022 in Maintenance

Symptom:

The App Patrol signature release V1.0.0.20220310.0 may create parsing error on device for both on-premises and on-cloud modes, application patrol daemon will not work well after updating this new signature though the rest of UTM features keep running. However, the worst case is that device may get stuck if device did rebooting further no matter manually or by schedule

Recovery Steps:

Follow the instructions to recover the affected device temporarily.

On-premises mode

1. Connect the device directly via the console port using a terminal emulation program. Reboot the device and enter debug mode.


2. Switch to another firmware partition. Type atcd 1 to use firmware partition 1.


3. Type atgo to boot up device.


- If the device is still stuck in reboot loop, repeat the step 1 and step 2 to retry. In step 2, type atcd 2 to use firmware partition 2 to boot up.


4. After the device boots up successfully, access the device via FTP from LAN to get the previous startup-configuration file.

Note: If you are unable to access the device using the latest administrative account, click here to reset the password.

5. Go to /standby_conf and download startup-config.conf. This is the latest configuration file device using before meeting the reboot issue.



6. If you want to apply this configuration file to device, you must:

- Upgrade the same firmware version as that one before the issue happen to Running partition. Do not upgrade to Standby partition to avoid the issue happening again.


- After you completed upgrade firmware, upload and apply the startup-config.conf that you downloaded in step 5

7. We fix the reboot issue in ZLD5.21 patch 1. Do NOT reboot to the Standby partition until you get the fixed patch.

8. If the device cannot boot up with both firmware partitions, use firmware recovery to recover the device using version 5.21 P1. See Appendix 3. Firmware Recovery on page 55 in the release note.

9. In the process of firmware recovery, if you find the following error messages on console, check Windows Firewall settings and disable Windows Firewall temporarily on your laptop.



Nebula mode

Recovery Steps for Nebula USG FLEX/ATP Series Application Patrol Signature Issue

«13

Comments

  • mMontana
    mMontana Posts: 1,389  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary
    ZLD 5.21P1 should be installed on any device compatible with it?
    at which time zone of march 16?
  • BoJack
    BoJack Posts: 4
    First Anniversary
    This does not work for Nebula based units, because as soon as you get them online they update and get hung in the same spot.

    "load av threat info..........................."
  • This doesn't work, firmware gets stuck again after upgrade from reset.
  • [Deleted User]
    [Deleted User] Posts: 118  Ally Member
    5 Answers First Comment Friend Collector Fifth Anniversary
    edited March 2022
    BoJack said:
    This does not work for Nebula based units, because as soon as you get them online they update and get hung in the same spot.

    "load av threat info..........................."
    Dear @B@BoJack
    As we removed the signatures, this should not be the case.. if you still encounter issues, please visit our teams' session maybe tomorrow or send in a ticket to help you.. @ https://support.zyxel.eu

  • [Deleted User]
    [Deleted User] Posts: 118  Ally Member
    5 Answers First Comment Friend Collector Fifth Anniversary
    edited March 2022
    SimplyRem said:
    This doesn't work, firmware gets stuck again after upgrade from reset.
     if you still encounter issues, please visit our teams' session maybe tomorrow or send in a ticket to help you.. @ https://support.zyxel.eu
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary
    edited March 2022
    Hi @mMontana
    The firmware will be available by Wednesday.(UTC+8)
    If your device updated signature(1.0.0.20220310.0) and did not reboot yet, then you can upgrade 
    ZLD5.21 P1 firmware prevent the symptom.

    @BoJack @SimplyRem
    If you confirmed swap between 2 partitions and doesn't work for you, then you still can recover database on your device. 
    The steps will flush all of exist files as default unit include configuration, installed CA...etc.


    1. Initial database recover process.
    Connect the device directly via the console port using a terminal emulation program. And also connect the device on 1st Ethernet port with your PC. Reboot the device.
    • Enter to debug mode
    • Enter "atcd 1"
    • Enter "atkz -f -l 192.168.1.1"
    • Enter "atgof"

    • After entering "atgof" system will go to restart and initial FTP server on device.


    2. Upload Database file to device
    • Change your PC IP address as 192.168.1.1.2 and mask 255.255.255.0

    • Access device by FTP(by anonymous) and upload XXXX.db file.

    • System will start to recover as default database.

    After finishing the steps, you can do power recycle to make sure your device could boot up successfully.
  • BoJack
    BoJack Posts: 4
    First Anniversary
    edited March 2022
    This still does NOT work for Nebula units.

    Once recovered and they boot, they immediately download 5.21(ABUH.0) and reboot, and again get stuck.

    Why hasn't 5.21(ABUH.1) been made available to Nebula yet like the standalone units have.

    Why hasn't a "new" App Patrol signature version been released that simply uses that last good version with a newer name/version number.
  • Zyxel_Tobias
    Zyxel_Tobias Posts: 200  Zyxel Employee
    5 Answers First Comment Friend Collector Sixth Anniversary
    Hi BoJack,

    Nebula Update will be 3/16 via Nebula Update Online.

    The signature update broke the module so we can´t upgrade/downgrade the Signature, this is why an update will be mandatory.

    Thanks.
  • Trilogy
    Trilogy Posts: 4
    First Anniversary
    This is really, really, really, really frustrating. Of course not knowing about the issue, I rebooted my Nebula ATP 500 several hours ago and am now stuck without internal and external network. Will try the recovery process tonight after getting the required cable and software. But gentlemen, this is an incredible no-go. Get your act together.
  • CoreSG
    CoreSG Posts: 40  Freshman Member
    First Comment Friend Collector Fifth Anniversary
    Agree with Trilogy. This is the height of incompetence.