Recovery Steps for USG FLEX/ATP Series Application Patrol Signature Issue
Zyxel Employee
Symptom:
The App Patrol signature release V1.0.0.20220310.0 may create parsing error on device for both on-premises and on-cloud modes, application patrol daemon will not work well after updating this new signature though the rest of UTM features keep running. However, the worst case is that device may get stuck if device did rebooting further no matter manually or by schedule
Recovery Steps:
Follow the instructions to recover the affected device temporarily.
On-premises mode
1. Connect the device directly via the console port using a terminal emulation program. Reboot the device and enter debug mode.
2. Switch to another firmware partition. Type atcd 1 to use firmware partition 1.
3. Type atgo to boot up device.
- If the device is still stuck in reboot loop, repeat the step 1 and step 2 to retry. In step 2, type atcd 2 to use firmware partition 2 to boot up.
4. After the device boots up successfully, access the device via FTP from LAN to get the previous startup-configuration file.
Note: If you are unable to access the device using the latest administrative account, click here to reset the password.
5. Go to /standby_conf and download startup-config.conf. This is the latest configuration file device using before meeting the reboot issue.
6. If you want to apply this configuration file to device, you must:
- Upgrade the same firmware version as that one before the issue happen to Running partition. Do not upgrade to Standby partition to avoid the issue happening again.
- After you completed upgrade firmware, upload and apply the startup-config.conf that you downloaded in step 5.
7. We fix the reboot issue in ZLD5.21 patch 1. Do NOT reboot to the Standby partition until you get the fixed patch.
8. If the device cannot boot up with both firmware partitions, use firmware recovery to recover the device using version 5.21 P1. See Appendix 3. Firmware Recovery on page 55 in the release note.
9. In the process of firmware recovery, if you find the following error messages on console, check Windows Firewall settings and disable Windows Firewall temporarily on your laptop.
Nebula mode
Recovery Steps for Nebula USG FLEX/ATP Series Application Patrol Signature Issue
Comments
-
ZLD 5.21P1 should be installed on any device compatible with it?at which time zone of march 16?0
-
This does not work for Nebula based units, because as soon as you get them online they update and get hung in the same spot.
"load av threat info..........................."1 -
This doesn't work, firmware gets stuck again after upgrade from reset.1
-
Dear @B@BoJackBoJack said:This does not work for Nebula based units, because as soon as you get them online they update and get hung in the same spot.
"load av threat info..........................."
As we removed the signatures, this should not be the case.. if you still encounter issues, please visit our teams' session maybe tomorrow or send in a ticket to help you.. @ https://support.zyxel.eu
0 -
SimplyRem said:This doesn't work, firmware gets stuck again after upgrade from reset.if you still encounter issues, please visit our teams' session maybe tomorrow or send in a ticket to help you.. @ https://support.zyxel.eu0
-
Hi @mMontana
The firmware will be available by Wednesday.(UTC+8)
If your device updated signature(1.0.0.20220310.0) and did not reboot yet, then you can upgrade ZLD5.21 P1 firmware prevent the symptom.
@BoJack @SimplyRem
If you confirmed swap between 2 partitions and doesn't work for you, then you still can recover database on your device. The steps will flush all of exist files as default unit include configuration, installed CA...etc.
1. Initial database recover process.
Connect the device directly via the console port using a terminal emulation program. And also connect the device on 1st Ethernet port with your PC. Reboot the device.- Enter to debug mode
- Enter "atcd 1"
- Enter "atkz -f -l 192.168.1.1"
- Enter "atgof"
- After entering "atgof" system will go to restart and initial FTP server on device.
2. Upload Database file to device- Change your PC IP address as 192.168.1.1.2 and mask 255.255.255.0
- Access device by FTP(by anonymous) and upload XXXX.db file.
- System will start to recover as default database.
After finishing the steps, you can do power recycle to make sure your device could boot up successfully.0 -
This still does NOT work for Nebula units.
Once recovered and they boot, they immediately download 5.21(ABUH.0) and reboot, and again get stuck.
Why hasn't 5.21(ABUH.1) been made available to Nebula yet like the standalone units have.
Why hasn't a "new" App Patrol signature version been released that simply uses that last good version with a newer name/version number.0 -
Hi BoJack,
Nebula Update will be 3/16 via Nebula Update Online.
The signature update broke the module so we can´t upgrade/downgrade the Signature, this is why an update will be mandatory.
Thanks.0 -
This is really, really, really, really frustrating. Of course not knowing about the issue, I rebooted my Nebula ATP 500 several hours ago and am now stuck without internal and external network. Will try the recovery process tonight after getting the required cable and software. But gentlemen, this is an incredible no-go. Get your act together.1
-
Agree with Trilogy. This is the height of incompetence.
1
Guru Member
Ally Member
Freshman MemberCategories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight