
SG 650 - Will installing an 8 port GbE SFP Flexi Port module on active/passive SG 650's cause HA to fail due to dissimilar Hardware

Hi,

I'm not sure this is the right forum, as it's XG650, but I couldn't find any group that deals with SG650s.

We have 2 SG650s running UTM9.5, in Active/Passive mode.  All is working okay.  We have also purchased 2 x 8 port GbE SFP Flexi Port modules, one for each firewall.

If we turned both firewalls off, added the modules, and powered them on again, I'm sure the HA would be okay.  However, I was wondering if I could power down the SG650s one at a time to change the modules, leaving the other SG650 active. That way I wouldn't have to take down the network, and just have an "at risk" period instead, at a quiet time.

My concern would be that after the initial power down, module replacement, and restart of the first SG650, the two SG650s would have dissimilar hardware and would break the HA before we could power down the 2nd SG650 and repeat the process.

When we first purchased the SG650s we struggled to get the HA working initially, so would be reluctant to break it again.

Many Thanks for your help.

Vince



This thread was automatically locked due to age.
  • Hi Vince,

     

    Since these modules are connected via a direct host bus, I would never insert them while running.

    It is safe to shut down one firewall, then insert the module and restart it.

    Of course you'll need to wait for HA-Sync, then power down the second appliance and insert the module.

     

    Yours Lukas

  • Thanks for your reply Lukas.  We may try that, or perhaps wait until no one's using them and power them both down, and swap the modules then.

  • I have a similar situation using two SG230s running in HA.

    I will be adding an 8-port Ethernet FlexiPort module to both units and would like to do it without any downtime.

    If I power down the slave and install the 1st module, power on and let re-sync, will HA recover?

    If it does go back to slave mode passive, is it safe to then power down the Active and repeat the process, or do I force the active to switch to passive "slave" before powering off the 2nd unit?

     

    Thanks

    Dave

  • Already wrote this in other threads.

    Please do not perform such kind of installation in UTM9. The HA daemon in UTM9 can go nuts if you turn down one of the nodes, insert some kind of hardware and reboot.

    Simply schedule some kind of downtime, shut down the cluster and perform the work at the same time.

  • I appreciate the answer and understand this is the best solution, but "down-time" is difficult as I support hospitals that are 24-7. So I want to minimize the outage to the smallest possible.

    Would you say the outage would be only as long as it takes to power down both units, install the FlexiPort module and power up again?  Maybe 30 minutes to be safe?

    I assume the 8 new Ethernet ports will come up disabled and not a factor of HA until used.

     

    Thanks !

     

    Dave

  • Would highly recommend to get in touch with your Sophos Partner.

    In case of any kind of failure, this should be planned.

    So basically you need only the time of booting the primary appliance.

    You would start by shutting down the slave. Install the module etc. but do not turn it on.

    Afterwards shut down the master. Downtime starts. Install the module and power on the master.

    Wait until all services are up and running. Check the module in Webadmin - Hardware, if it is there.

    Now everything should be up and running. You can power on the slave with the module and check the HAsync.

  • Zero down time;

    I have replaced older units with newer units with this technique.  May be a bit unorthodox but it has always worked for me:

    Node 1 is Slave, Node 2 is Master.  Power down Node 1 Slave and install the Flex-port Ethernet module.

    No downtime so far, Node 2 Master is in control and HA is aware of the slave going away.

    Install the Flex-port module and pull out all the Ethernet cables, then power up Node 1 that WAS a Slave.

    Node 1 is now an ISOLATED Master and Node 2 continues to be the Master in control, still no downtime. At this point you can log into the Node 1 UTM by plugging a laptop into Eth0 and confirming the 8 new Ethernet ports show up.

    Now for the "pull the tablecloth out from under the dishes" part.  Have the Ethernet cables half plugged into the Node 1 isolated Master. Then quickly unplug all Ethernet from the Node 2 Master and plug all Ethernet cables into the Node 1 Master.  There should only be a 1-5 sec delay where you may lose a ping.  If all goes well, you now have a Master (Node 1) in control with 8 new Ethernet ports.

    Power down Node 2 Master (isolated; no Ethernet), install the Flex-port module, plug in all Ethernet cables, power up.

    Node 2, since it has a newer timestamp, will come up as a Slave.

    I tried this in my lab and only 1-ping loss.  Going to go for it with production pair.

    For most that can schedule a downtime you probably will not want to do this - but I have to be 24-7.

     

    Dave

     

     

     

     

  • The point in this is "You have tried it in your lab".

    As far as I can tell, this can go wrong. Even more dangerous is the part about the HA daemon.

  • Thanks for your comments.  I have seen HA go crazy and may "chicken-out" to take the 15-min outage on the Master active reboot.

    But I may have HA issues by simply powering off the passive unit.  It may be safest to break HA, take the 15-min hit and enable HA.

    Sorry for beating this to death - mostly thinking out loud and do appreciate you responding.

     

    Dave