This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG HA Active-Active mode vMware Primary IP not working

Hello,

I managed to setup my firewalls in Active-Active mode but the primary ip doesn't respond to either ping or https. I can only connect to the auxiliary FW using the secondary IP but it is on read-only mode.

Environment details.

vMware ESXI 6.7

Cisco L3 router 37xx

Sophos XG 17.5 GA

Thanks in advance.

This thread was automatically locked due to age.

Parents

Panagiotis Vakerlis over 6 years ago

Hello,

Dummy stuff first. Are all ports with switches? Meaning port one must be on both XG on a switch and then connected to your lan switch. Port2 (probably wan) must be from both XG on a switch and then to the modem.

Is the HA enabled? If you go to the console of the primary and enter "system ha show details" without quotes what do you get?

Can you post your configuration of the HA?
Cancel
Vote Up 0 Vote Down

Cancel
Tippmann over 6 years ago in reply to Panagiotis Vakerlis

Hello,

Thank you for your reply. I am sorry for the late response.

Each port group is on its own vlan. Since this is a VM i separated them into different vlans. Communication is not a problem between them or to the rest of the infrastructure. As far as HA please see below.

So right after i enable HA i completely lose connection with the primary FW.

Thanks in advance.
Cancel
Vote Up 0 Vote Down

Cancel
Super CM over 6 years ago in reply to Tippmann

I am having the same problem here. From the console I can ping the IP of the primary but not from the network. Also I cant ping the other devices IP. I can only get to the auxiliary IP from the same network these are all on.
Cancel
Vote Up 0 Vote Down

Cancel
Tippmann over 6 years ago in reply to Super CM

My manage VM has a NIC on the same network as the FW and still can't ping the primary device. That rolls out the possibility of a missing gateway.
Cancel
Vote Up 0 Vote Down

Cancel
Super CM over 6 years ago in reply to Tippmann

All of mine are on the same network.
Cancel
Vote Up 0 Vote Down

Cancel
Super CM over 6 years ago in reply to Super CM

Also Ill point out that my setup is with Hyper-V. I also tried setting up active-passive but had the same problem. Is there really no fix for this?
Cancel
Vote Up 0 Vote Down

Cancel
Tippmann over 6 years ago in reply to Super CM

Active-Passive didn’t work for me either on vmware
Cancel
Vote Up 0 Vote Down

Cancel
Super CM over 6 years ago in reply to Tippmann

Okay so I was able to get this working. On the hyper v host (for each of the nics in the vms), I had to enable Mac address spoofing.
Cancel
Vote Up 0 Vote Down

Cancel
Tippmann over 6 years ago in reply to Super CM

I am glad you got it going. I will take a look to see if i have the same setting on vmware. thank you!
Cancel
Vote Up 0 Vote Down

Cancel
MasterRoshi over 6 years ago in reply to Super CM

Hi Super,

This is required because the primary will own/use the virtual mac for the cluster ports and the secondary uses the normal mac address.

Without MAC spoofing (VMware has its equivalent to this), the hypervisor will drop all traffic to the host, if you failover you will see the same behavior for the new primary (now the new secondary will be reachable).
Cancel
Vote Up 0 Vote Down

Cancel

Reply

MasterRoshi over 6 years ago in reply to Super CM

Hi Super,

This is required because the primary will own/use the virtual mac for the cluster ports and the secondary uses the normal mac address.

Without MAC spoofing (VMware has its equivalent to this), the hypervisor will drop all traffic to the host, if you failover you will see the same behavior for the new primary (now the new secondary will be reachable).
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data