Recovery Steps for USG FLEX/ATP Series Application Patrol Signature Issue (Jan. 2025)

Comments

  • elektromassa
    elektromassa Posts: 2  Freshman Member
    First Comment

    The procedure was done and the device was restored. Now, although everything works, I get an error like in the example every minute in the "

    App watch dog recover dhcpd dead at the 784 time

    dhcpd is dead at Sat Jan 25 13:56:06 2025

    I have no active DHCP service. I also receive the reporting emails after the proposed upgrade.

    Same configuration as before.

  • Nicolas_Blanc
    Nicolas_Blanc Posts: 2  Freshman Member
    First Comment

    Hello,

    I have an ATP500 device that is affected. Unfortunately, several issues prevent the above procedure from succeeding:

    1. I connect with an old PC to the serial console port (RS-232) of the firewall. I then start the Tera Term software and boot the firewall, but I don't get any message for entering debug mode (the Tera Term window is just blank). What am I doing wrong? Should I type or do something?
    2. I connect the PC to the P4 port of the firewall (the only one working in order to get an IP address from the firewall). Then I use the FTP command in the CMD app. The connection runs fine, except that I cannot do without logging in (user and password are required). So I try with the admin and 1234 password (as I reset the firewall before understanding that it was an issue with the firmware and not our configuration). Then I set the debug and bin modes, and I use the PUT command. But either I get a message saying that the connection was closed (timeout) or another message saying that the uploaded firmware does not fit my firewall model ID (E133), even if I double-checked that I downloaded the right file above.
    3. As I don't get anything with the Tera Term window, I have no idea if the firmware was received, but I suppose not, as there is no reboot from the firewall device.

    I suspect that the RS-232 serial cable is maybe not the right one (I heard that there are 2 types of cables, with the pins 4 and 5 that are swapped) but I have no means of knowing if this hypothesis is correct.

    Any help would be appreciated.

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,758  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security Zyxel Certified Network Engineer Level 1 - Nebula

    Hi users,

    We apologize for any inconvenience this may have caused.

    We hope this guide will help you resolve the issue quickly and minimize any further disruptions. If you continue to encounter difficulties or need additional support, please do not hesitate to reach out to our support team at cso_security@zyxel.com.tw or leave a detailed comment here with your region (country), model information (S/N) and contact info. We'd like to get in contact with you to assist and resolve the issue caused by the signature incident.

    Thank you for your understanding and continued support.

  • Agor76
    Agor76 Posts: 43  Freshman Member
    First Comment Friend Collector Seventh Anniversary
    edited 7:34AM

    I've reinstalled the 5.39 Upd. 1 as a new firmware right after the recovery procedure. I wasn't able to establish IKEv2 dynamic remote connections using the recovery firmware provided by Zyxel. Reinstalling the 5.39 Upd. 1 solved all the issues.

  • USG_User
    USG_User Posts: 379  Master Member
    5 Answers First Comment Friend Collector Seventh Anniversary
    edited 9:43AM

    With us (USG FLEX 700) IKEv2 works with the fixed recovery firmware "V5.39(ABWD.1)-sig-20250124". But the USG is notifying me that a newer FW is available for download. But this leads still only to the V5.39(ABWD.1). I take for granted that Zyxel will release an ABWD.2 soon. Or should we finally go back to the standard ABWD.1 since the buggy AppPatrol signature has been updated?

  • arthurkk
    arthurkk Posts: 10  Freshman Member
    First Comment Second Anniversary

    Hi,

    I am not able to connect to the Flex100 via the terminal app, so I cannot go into debug mode. However, I can log in via the web GUI after the first reboot. I have tried to upload the firmware; it shows the device would reboot within 5 mins. But it never tries to reboot. It seems it did not upload successfully. So do you have other options to fix it?

  • DavideMauri
    DavideMauri Posts: 4  Freshman Member
    First Comment First Anniversary

    Luckily we just had one customer facing the issue, but the recovery instructions could have been clearer. Kudos to the fast response, but now it all has to be put in a better and more complete form.

    One thing my team and I still have to understand is if we need to perform the recovery procedure on the standby partition too, as someone else pointed out already (if I'm not mistaken). If that's the case, it has to be stated clearly, otherwise the next automatic firmware update would fail or make the device unusable - again.

    FAQ no.7 at https://support.zyxel.eu/hc/en-us/articles/24159250192658 makes almost no sense… I mean "but not installed the fix firmware?" where, exactly?

  • AMI
    AMI Posts: 13  Freshman Member
    First Comment Second Anniversary
    edited 11:53AM

    After I did this, the FW was "sorta" working again. I still got some zysh daemon unable to connect.

    And, the serial port is almost unresponsive. 20 seconds per each keystroke.
    This does not look like a resolved problem but a "really dirty quick fix".

    Do better or I do not have an argument for my customers why they should keep or buy Zyxel.

    This is unacceptable!!!

    UPDATE:

    In my case, after a while, the FW locked up and I had to reboot - twice now. Now I installed the latest firmware again, not the recovery one. Let's see if this keeps it running.

    BUT it looks like there is a major problem with the serial port. It is practically unresponsive. I cannot even type in username and pw.

  • mocr
    mocr Posts: 11  Freshman Member
    First Comment Friend Collector Fourth Anniversary

    Hi, I applied the recovery procedure successfully. It just did not download the App Patrol signature version 1.0.0.20250102.0 (mentioned in the procedure) but 1.0.0.20241205.0 instead. So I blocked the scheduled signature update for now. Should I enable it?

    Another question is if I should apply new firmware that will be available anytime soon?

    Thanks for answers.

  • USG_User
    USG_User Posts: 379  Master Member
    5 Answers First Comment Friend Collector Seventh Anniversary
    edited 2:54PM

    We are currently on the same App Patrol Signature Version 1.0.0.20241205.0. I keep it on automatic update.
    But I'm also still interested in an official new FW 5.39(ABWD.2) or 5.40 to replace the "quick & dirty" FW "V5.39(ABWD.1)-sig-20250124". Is this planned for the next days?