
Firmware upgrade issues

Is there a preferred upgrade path / procedure for firmware? I seem to be having issues every time I upgrade, especially from anything in the 17.0/17.1 series to anything in the 17.5 series. The issues I have seen are:

  • HA auxiliary upgrades and reboots, but HA primary fails to reboot and gets stuck on the previous version
  • Upgrade appears to complete but HA is disabled after upgrade (a real pain if the unlicensed node is the one with all the config)
  • Upgrade completes but both HA devices decide they are primary
  • Upgrade completes but doesn't seem to work quite right until both HA devices are rebooted again

Under UTM9 I could reliably do a firmware upgrade pretty much whenever I wanted and there would only be a brief half second outage while the HA changeover happened. XG seems to be a lot more fragile.

I'm almost inclined to break HA, do the upgrade, then re-create HA, on the assumption that that might be more reliable. It's a heap more work though, and not without risk.

I haven't yet tried doing a pre-upgrade reboot of both nodes (some of the uptimes can get pretty big). Might that help?

Thanks

James



  • Had a couple of HA already and never experienced this issue, but I have to admit, I had a couple of customers with such an issue, but could never observe (troubleshoot) this on my own.

    You should start with a reboot of both nodes, might help. 

    I always perform the firmware update "immediately" after GA launch on MySophos. So my nodes have an uptime of 1-2 months (depending on the release cycle).

     

    And maybe there is something broken in your setup? 

    Can you explain the link setup between both nodes? What are you using? 

    And can you explain which "up2date" mechanism you use? Upload the firmware as GPG or use the onboard "New Firmware available"?

  • Do you mean physical link between nodes? It's a direct cable connection for the HA link.

    I have tried both upload firmware and "new firmware available". I will always use the latter when the firmware I want is available. I don't think it makes too much difference to the outcome.

    I think there might be something in that reboot-before-update idea. If one of the nodes is already a bit unhappy then throwing a firmware at it is just asking for trouble. I will also pay better attention to the logs in case something is wrong before I do the update.

    I'm progressively going through and updating to 17.5.3 to support management from Sophos Central. The management itself has never worked for me ("Our servers are busy, please try again later" - might be an issue with HA), but it does mean that Sophos Central gets the alerts (e.g. HA is down) and I can then grab the alerts via API, process them, and feed them into our ticketing system.

    James
