
Sophos XG Clustering & Redundancy Limitations

Hi all,

Regarding the clustering/HA features of XG. The best practice advice seems to be that the clustering is only supported within a rack - e.g. two XGs, with a CAT6 cable directly connecting one HA port to another. Clustering two XG firewalls across two geographic sites is - correct me if I'm wrong - not supported, even if connected by high-bandwidth, low-latency links.

Therefore to achieve redundancy, you need to run two separate firewalls, two separate sets of firewall rules, public IP addresses, etc.

This seems like quite a limitation - is cross-site clustering on the road map for a future release? How do other XG users correctly achieve redundancy with two data centers?

Thanks



  • The issue here with split brain scenarios (geographically separated HA appliances) is that you miss a feature which prevents a master/master situation. 

    It will work, so you can basically set up this scenario, but if this link gets cut, both appliances will go into Master (Primary) state and it will get very messy. 

    As far as I know, there are plans to implement such features for backup interfaces to prevent this. 

    Here is the Feature Request: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/34644892-high-availability-with-backup-interface


    Most of the setups I saw use some kind of switching mechanism to prevent the HA link from failing and still use split brain, or use two HA clusters. 

    It still depends on the load, because you need to keep in mind that the appliance will sync a lot of traffic in real time. 

  • Hi,

    I agree with you that in this type of environment we need a backport as well. But I hope it will work on the dark fibre between both locations, same as Cisco ASA.

  • This will, like UTM9, work fine. You can link both together and be happy. But be careful with those issues which need to be resolved, like Master-Master. 

    Also (as far as I know) XG does not support jumbo frames on the HA port. So most likely most of those links require jumbo frames. 

  • I tried clustering across two sites with our XGs and it didn't work well at all, despite the link being low latency. So I didn't get to the point of having a split brain scenario.

    Most other firewalls I've used can do cross-site clustering without issue, so I'm very surprised it's not supported. It means that you need to either have a 'warm spare' firewall without any conflicting config on it, or double up on public IP addresses and run two separate XGs (not clustered). Both of these scenarios are far from ideal.

    It would be good to know that this is definitely on the product roadmap.


    Thanks

  • If I had to build an HA setup with geo-redundant datacenters, I would use a common practice to avoid the split brain:

    Other systems also have the same problem if the interconnect DC1<->DC2 is broken. But here the problems are starting: wrong planning of the interconnect ;).


    So you have to tell one site, in case of a broken interconnect, which is active and which site has to go into standby.

    Simple solution -> shut down the network ports with a simple track script on the Cisco switch.


    So the second XG will go into the invalid state and will not become active.
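As an added illustration of the tie-break the post above describes (this is not the poster's own script and not a Sophos-provided configuration), the following Cisco IOS fragment runs on the DC2 switch only. It probes an address in DC1 across the interconnect with IP SLA, tracks reachability, and uses two EEM applets to shut down the port towards the DC2 XG when the interconnect is lost and re-enable it when it returns. The DC1 switch carries no such script, so DC1 stays primary during a partition. All addresses, interface names and track/applet names are assumed placeholders for the example.

```cisco
! Added example (not the poster's script). Assumed values:
!   10.0.0.1          = a DC1 address reachable only via the interconnect
!   GigabitEthernet0/1  = DC2 uplink onto the DC1<->DC2 interconnect
!   GigabitEthernet0/10 = DC2 switch port facing the DC2 XG
!
! Probe DC1 every 5 s across the interconnect.
ip sla 10
 icmp-echo 10.0.0.1 source-interface GigabitEthernet0/1
 frequency 5
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Track the probe; dampen so a single lost ping does not trigger a failover,
! and wait longer before declaring the link healthy again.
track 10 ip sla 10 reachability
 delay down 15 up 60
!
! Interconnect lost: isolate the DC2 XG so it cannot come up as a second master.
event manager applet XG_DC2_ISOLATE
 event track 10 state down
 action 1.0 syslog msg "Interconnect to DC1 down - isolating DC2 XG to prevent master/master"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface GigabitEthernet0/10"
 action 5.0 cli command "shutdown"
 action 6.0 cli command "end"
!
! Interconnect restored: give the DC2 XG its port back so HA can resync.
event manager applet XG_DC2_RESTORE
 event track 10 state up
 action 1.0 syslog msg "Interconnect to DC1 restored - re-enabling DC2 XG port"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface GigabitEthernet0/10"
 action 5.0 cli command "no shutdown"
 action 6.0 cli command "end"
```

The probe should travel over the same physical path as the HA traffic, otherwise the track can report "up" while the HA link itself is down and the master/master condition the earlier replies warn about is not prevented. The asymmetric `delay down 15 up 60` values are the part to tune per site: too short a down delay causes needless isolation on a brief blip, and too short an up delay can flap the DC2 port while the interconnect is still unstable. The syslog lines give the SOC a clear event to alert on whenever the tie-break fires.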