Failed to apply startup-config.conf after the device is upgraded to firmware 4.35

Zyxel_Emily
Zyxel_Emily Posts: 1,278  Zyxel Employee
First Anniversary 10 Comments Friend Collector First Answer
edited April 2021 in Security

In some cases, it failed to apply startup-config.conf after the device is upgraded to firmware 4.35.

We are working on fixing the issue.

Before the next firmware is released, you can follow the guide to apply startup-config.conf of firmware 4.33 to firmware 4.35.


1.   After the device is upgraded to 4.35, the error message appears on console.

Failed to apply startup configuration file and failover to previous firmware...


In the partition with firmware 4.33, the startup-config.conf of firmware 4.33 named autobackup-4.33.conf is automatically generated.

Download autobackup-4.33.conf.

2. Select firmware 4.35 and reboot the device.

3.   After the device boots up, enter the commands on console to apply the backup file autobackup-4.33.conf.

Router> configure terminal

Router(config)# apply /conf/autobackup-4.33.conf ignore-error

«1

Comments

  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    First Anniversary Friend Collector First Answer First Comment

    @Zyxel_Emily

    Hello Emily,

    in my case i've read the "workarrounds" to fix v4.55 and remember by my upgrade to 4.33 and rollback to 4.32 ?

    i'm useing V4.32(AAKZ.0)ITS-WK52-r86652 right now to have not my location one day off or/and to reconfigured a emergency vLAN directly to my ISP Firewall without any wireless connectivity ?

    Is there a WK Version of 4.55 existing that has fixed the known crashes / side effects during the upgrade to 4.35 ?


    Regards

    Chris

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @ChristianG,

    The firmware is sent to you in private message.

    It contains the fix "Apply configuration failed after the device is upgraded to firmware 4.35".

  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    First Anniversary Friend Collector First Answer First Comment

    Hi @Zyxel_Emily

    thx for sending the binary file ?

    this can be used to upgrade from V4.32(AAKZ.0)ITS-WK52-r86652 to 4.35-WK46 directly ?


    Regards

    Christian

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @ChristianG,

    You can upgrade USG60W from 4.32(AAKZ.0)ITS-WK52-r86652 to 4.35-WK46 directly.

    If you still have concerns about the firmware upgrading, remember to save the startup-config.conf of USG60W first and then upload firmware 4.35-WK46 to "standby" partition.

  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    First Anniversary Friend Collector First Answer First Comment

    hi @Zyxel_Emily

    i've done the upgrade to your served version, but the message looks a bit tricky ?

    find the visable issue ?


    and what's wrong i the main screen ?

    i've no idea why this is shown ?


    regards

    Chris

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @ChristianG,

    Can you share the startup-config.conf in version 4.32(AAKZ.0)ITS-WK52-r86652 with me in private message?

  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    First Anniversary Friend Collector First Answer First Comment

    Hi @Zyxel_Emily

    thanks for your offering. i've checked the imported config localy, cause 2 vLANs where decommisioned to the end of the year. One of them had a BWM rule set and was deactivated. ?

    So i've made a full scan over the config 4.32 and found some elements that are no longer existing (like a forwarding route to the INAC firewall that can't interpreted by USG and was marked during the upgrade ?

    In my mind the process to checkup the config consistence should be done, before starting with an upgrade to show some topics, that can be show side effects up after the update ?

    my last message after upgradeing is an error to download AP firmware

    In previous ITS versions that mesage can be ignored - cause it's a ITS version.

    Is this also in the currect ITS version ? if not, can you please share the required FQDNs/Ports to allow the download trough the INAC firewall correctly.


    Thx and Regards

    Chris

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @ChristianG,

    ISP----INAC firewall(LAN)----(WAN)USG

    If INAC firewall is placed ahead of USG, you need to allow port 80 and 443 on that firewall so USG can download AP firmware.

    Example: On INAC firewall, from LAN to any, service: port 80 & 443, action: allow


    Besides, if the startup-config.conf is still not able to be applied after upgraded to 4.35-WK46, share the startup-config.conf in version 4.32(AAKZ.0)ITS-WK52-r86652 with me in private message.

  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    First Anniversary Friend Collector First Answer First Comment
    edited December 2019

    Hi @Zyxel_Emily

    after a cleantup and updateing some "old" rulesets, the USG is rebooting successfuly (tested several times after cleanup 4.32) ? by setup the INAC to ISP and USG at the second stage LAN area with sveral CAPWAP-APs, there where some old rules and BWM config existing, that's no longer working, casue ZyWALL and INAC had also private adress areas. Only the VoIP area at INAC has an direct DNAT.

    But i',m not sure, why my USG is repoting the attached information in the LOG - cause i've never the SecuReporter in place ? the option is not enabled - is there a adjustment at the reporting area at USG the solution to have no longer the lot of entries at my USG ?

    Thanks forward for service. USG should simple act as a L3 Firewall with managed AP's in the lan area and transfer internet traffic to the INAC L7 Firewall.

    Regards

    Chris

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @ChristianG,

    This log means that USG tried to get the SecuReporter claim status but failed.

    This checking will be triggered when you login to GUI and it is used to decide if the SecuReporter promotion banner will pop up or not. You can ignore this log if you don’t want to use the SecuReporter service (Now we offer 1 yr trial license for free)


    If you want to have a try on this feature, you may need to check some information before using this service:

    - Make sure the port 443 of INAC firewall is allowed. (On INAC firewall, from LAN to any, service: port 80 & 443, action: allow)

    - Use the command and enter the DNS server IP on the list to check if it can resolve domain zones

    Router> nslookup secureporter.cloudcnm.zyxel.com server <dns_server_IP>

Security Highlight