The upgrade issue from 4.25 to 4.30

2

Comments

  • parnassus
    parnassus Posts: 13  Freshman Member
    First Comment Friend Collector
    edited December 2017
    Thanks Christian.
    My configuration is simpler than your one but the fact that three sites could be concurrently affected doesn't make it easier to manage in case of any form of update failure (I mean: an USG can boot correctly into new 4.30 but then, if the configuration shows issues - at any level - that will mean that I have to go physically on the affected site to fix the issue and I should do it as fast as I can).
    Thanks for sharing.
    Davide.

    Edit: I performed a 4.25 Patch 1 to 4.30 update on a standalone USG60 and all was smooth so I'm confident the same will happen on other VTI VPN connected USGs.
  • DennizOlof
    DennizOlof Posts: 20  Freshman Member
    First Answer First Comment Sixth Anniversary
    Because of multiple reports of serious problems with Firmware v4.30 it is better to stay with 4.25 as I have done, if you have critical equipment etc, and let others try out v4.30 and report the problems. Nothing important was fixed, upgraded or solved in v4.30 for me and I will not upgrade since my USG 60W is working fine. But then again I have no special configuration or services in use, just the basic firewall.


  • CompuSoft
    CompuSoft Posts: 4  Freshman Member
    First Comment Friend Collector First Anniversary
    edited March 2018
    Hi
    We have also run into problems after upgrading to v4.30.
    After uploading firmware and reboot, all configuration was completely wiped.
    After all configuration was manually typed in again!(not first upgrade that have done this) we experience that our computers connected to a DHCP lan loses connectivity (Hyper-V enviroment)
    After looking at the logs at appears that the computers timeout whenever a logged in user/admin logout from the routers console.
    This is a major issues since we have an API that log on to the router and adds firewall rules quite often.

    Is there an easy way to downgrade the firmware again (without having to type in the whole configuration again)?

    Edit: We have 3x USG1100
  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    Hi Davide,
    As Christian wrote, I would make it conditional on your current configuration. The more complicate it is, the bigger is the likelihood that the firmware update fails.
    Our configuration with the USG110 is not so complicate with: 1 WAN, 2 LANs, 1 DMZ, 1 AP, 2 VLANs, 1 SSLVPN, and about 20 firewall rules including some UTM filters.
    We never experienced any problems with updating the FW up to 4.30.

    Greetings
    Joerg
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    @CompuSoft
    Each firmware partition (running and standby)has their own configuration files.
    Making sure you update the firmware: 430AAPJ0C0 on the same partition, so the "configuration" will be kept after firmware upgraded.
    I would like to know did DHCP lan loses connectivity after firmware updated?
    Charlie
  • itm_3h
    itm_3h Posts: 1  Freshman Member
    First Comment
    seem to me that content filter stopped work after upgrading from 4.25 to 4.30 . anyone else with this behaviour ?
  • parnassus
    parnassus Posts: 13  Freshman Member
    First Comment Friend Collector
    edited April 2018
    Each firmware partition (running and standby)has their own configuration files.
    Making sure you update the firmware: 430AAPJ0C0 on the same partition, so the "configuration" will be kept after firmware upgraded.
    IMHO - if I understood you correctly (that was explained in another thread) - the whole concept would be rephrased a little better because your statement "Making sure you update the firmware: 430AAPJ0C0 on the same partition, so the "configuration" will be kept after firmware upgraded." looks unclear to me: each Firmware partition (Running and Standby) owns its Configuration file - I hope those configuration files are, at some point, synced together by the Firewall IF both partitions start to contain the same Firmware version after both Running and Stanby partitions are updated, isn't it? - so basically this should mean that Firmware version A owns Configuration A and Firmware version B owns Configuration B.
    If Firmware version A is equal to version B (because user update both sequentially with a single reboot or with a dual reboot) then also Configuration A should be equal to B (and vice-versa), right? if not there is a problem (configurations are not kept synced even if both Firmware partitions are kept with same Firmware version)...so how it is possible to lose the configuration (or some parts of it) after a Firmware update that inovolves the Running partition or the Standby Partition.

  • jepper
    jepper Posts: 2  Freshman Member
    First Comment
    Hi

    The wifi of my USG60W also stopped working after the update from 4.25 to 4.30. I had to downgrade to 4.25 again. Today I tried the meanwhile available 4.31 but with the same issues. 

    I could finally locate a bug in AP Management when using a user defined MAC address on the WAN interfaces. This is what I reported to Zyxel: 

    (I'm only using the built-in access point of the USG60W)

    Symptoms:
    After upgrading from 4.25, Wifi stopped working completely. In the AP Mon list, the IP of the local AP was changed to 0.0.0.0. The AP could not be removed but edited. A second, yet not managed AP with the IP 127.0.0.1 and different MAC address appered, which could be removed and edited, but was not working. Under radio, no entry appered in the list. In the wireless AP log I could select one of the APs, but a popup appeared saying "WTP Log Query: WTP is not in RUN state."

    Cause: 
    WAN1 Interface had a user-defined MAC. After the FW update, the local AP cloned the MAC from the user defined WAN1-Mac instead of the device's MAC. 

    Workaround:
    Finally, removing the user-defined MAC address manually from the config-file and re-applying the config solved the problem and wifi instantly worked again, having only one correct local AP in the AP mon list.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @jepper,
    It is workaround to change the MAC address to device default.
    The issue will be fixed at coming official release.
  • CompuSoft
    CompuSoft Posts: 4  Freshman Member
    First Comment Friend Collector First Anniversary
    @CompuSoft
    Each firmware partition (running and standby)has their own configuration files.
    Making sure you update the firmware: 430AAPJ0C0 on the same partition, so the "configuration" will be kept after firmware upgraded.
    I would like to know did DHCP lan loses connectivity after firmware updated?
    Charlie

    CompuSoft said:
    Hi
    We have also run into problems after upgrading to v4.30.
    After uploading firmware and reboot, all configuration was completely wiped.
    After all configuration was manually typed in again!(not first upgrade that have done this) we experience that our computers connected to a DHCP lan loses connectivity (Hyper-V enviroment)
    After looking at the logs at appears that the computers timeout whenever a logged in user/admin logout from the routers console.
    This is a major issues since we have an API that log on to the router and adds firewall rules quite often.

    Is there an easy way to downgrade the firmware again (without having to type in the whole configuration again)?

    Edit: We have 3x USG1100
    Hi Charlie
    Sorry for the late response.
    The loss of connectivity on the LAN appeared after the firmware update.
    After reverting to an older firmware 4.20 the connectivity loss disappeared.

    I haven't tried to upgrade to any other new firmware releases after this since we cannot afford the downtime that reboots require. 

    Can this really be true that each reboot takes about 45~60 minutes???
    We have about max limit (2000) address objects listed and quite a few service groups as well ..but still 45 minutes !!!

    Another issue that we are experiencing is that our HA setup seems to reboot the firewall after each sync. (YES, thats bloody 45 minutes for every sync!)

    I hope this is a known issue and hoping for a positive answer.
    ~Søren, Compusoft

Security Highlight