
HA Troubleshooting

Good morning,

I have a problem with a cluster of Sophos XG330 (SFOS 17.5.3 MR-3).

A brief note on the infrastructure. The 2 firewall nodes are in 2 different buildings connected to each other by optical fiber. Each node has its ports connected both to the data network (except port 4, the HA port) and to a switch (each port on a separate VLAN) that links it to the other building.

Everything works correctly but if, for example, I update the firmware the nodes go haywire: the node that is normally active becomes passive and the other becomes unstable.

During the initial setup the firewalls were in the same room with direct cables and this did not happen, so I really think the problem is the switches (Cisco 3560/24), but before installing the XGs the Sophos UTM320s were connected to the same switches and worked perfectly, including firmware updates, so I'd like to rule out that there is a setting I haven't made.

Any help/idea/suggestion will be appreciated :-)



  • Hello,

    Could you please re-confirm the configuration on the firewalls according to this KB article? It does seem the dedicated link is not directly connected and goes through your switch. Could you test the ping response over the dedicated link from point A to B and check the response time, which should be less than 250 ms.
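
A way to script the check described in the reply above, as an added example that is not part of the thread or of any Sophos tool: it parses the summary lines that `ping` prints (it accepts both the Linux wording and the BSD/macOS wording, which goes slightly beyond what the reply asks for) and flags packet loss or a maximum round-trip time above the 250 ms figure quoted above. The peer address and the RTT values in the two samples are constructed, not taken from the thread.

```python
"""Added example (not from the thread or Sophos): check a ping summary
against the HA-link criteria given above (no loss, RTT under 250 ms)."""
import re
from typing import Dict, List

# Constructed sample: the tail of `ping -c 20 <peer HA address>` on Linux.
SAMPLE_OK = """\
--- 172.16.210.2 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19028ms
rtt min/avg/max/mdev = 0.412/0.538/0.871/0.151 ms
"""

# Constructed sample of a degraded link, in BSD/macOS wording so the
# parser is exercised on both output formats.
SAMPLE_BAD = """\
--- 172.16.210.2 ping statistics ---
20 packets transmitted, 17 packets received, 15.0% packet loss
round-trip min/avg/max/stddev = 0.498/120.310/310.702/80.215 ms
"""

_LOSS_RE = re.compile(
    r"(\d+) packets transmitted, (\d+) (?:packets )?received, ([\d.]+)% packet loss")
_RTT_RE = re.compile(
    r"(?:rtt|round-trip) min/avg/max(?:/\w+)? = ([\d.]+)/([\d.]+)/([\d.]+)")


def parse_ping_summary(text: str) -> Dict[str, float]:
    """Extract packet counts, loss percentage and RTT figures (ms) from ping output."""
    m_loss = _LOSS_RE.search(text)
    if not m_loss:
        raise ValueError("no packet-loss summary line found")
    stats = {"sent": int(m_loss.group(1)), "received": int(m_loss.group(2)),
             "loss_pct": float(m_loss.group(3))}
    m_rtt = _RTT_RE.search(text)
    if m_rtt:
        stats.update(rtt_min=float(m_rtt.group(1)), rtt_avg=float(m_rtt.group(2)),
                     rtt_max=float(m_rtt.group(3)))
    else:
        # 100% loss prints no rtt line at all; treat the RTT as unbounded.
        stats.update(rtt_min=float("inf"), rtt_avg=float("inf"), rtt_max=float("inf"))
    return stats


def ha_link_problems(stats: Dict[str, float], max_rtt_ms: float = 250.0,
                     max_loss_pct: float = 0.0) -> List[str]:
    """Return the reasons the link fails the thresholds; an empty list means OK."""
    problems = []
    if stats["loss_pct"] > max_loss_pct:
        problems.append(f"packet loss {stats['loss_pct']}% exceeds {max_loss_pct}%")
    if stats["rtt_max"] > max_rtt_ms:
        problems.append(f"max RTT {stats['rtt_max']} ms exceeds {max_rtt_ms} ms")
    return problems
```

The worst-case (max) RTT is compared against the threshold rather than the average, because a heartbeat is lost on the slow packets, not on the typical ones; run the ping for long enough to catch spanning-tree reconvergence or link flaps if those are suspected.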

  • Hi, the HA link goes to a switch on a separate VLAN and goes to the other XG via a trunk and a fiber optics link.

    This is the ping result:

  • Hello Roberto,

    1. Can you post the configuration of the Cisco switches with a description of ports/trunks?

    2. Are there other trunks defined on these switches?

    Can you exclude a loop? Is Spanning Tree Protocol active?

    Gabriele

  • Hi Gabriele,

    this is the HA-related Cisco config:

    interface Port-channel10
     description -- to_ sw_dia2-218
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport nonegotiate
    !
    interface GigabitEthernet0/23
     switchport access vlan 210
     switchport mode access
     spanning-tree portfast
    !
    interface GigabitEthernet0/24
     switchport access vlan 210
     switchport mode access
     spanning-tree portfast
    !
    interface GigabitEthernet0/26
     description *** Heart-Beat - Astaro ***
     switchport access vlan 210
    !
    interface GigabitEthernet0/28
     description -- to_ sw_dia2-218_ Gi0/28
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport nonegotiate
     channel-group 10 mode active


    #sh vlan id 210

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    210  HeartBeat                        active    Gi0/23, Gi0/24, Gi0/26, Po10

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    210  enet  100210     1500  -      -      -        -    -        0      0   

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------

    I want to do 2 tests (but I don't know if today, as I'm starting o.o.f. for a week):

    1) link the two switches with a new SFP/fiber link and use it only for HA

    2) instead of using a VLAN on the 2 Cisco switches, use 2 media converters and a fiber link between the 2 XGs (we don't have any copper lines between our buildings); in this way I can exclude the switch problem

    I have another possibility: link the 2 XGs directly with an SFP port and fiber link, but I must verify what happens on the nodes and how to do it.
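
An added example, not from the thread or from Cisco or Sophos, that parses interface stanzas of a Cisco IOS configuration like the one posted above and reports how the heartbeat VLAN is carried: which access ports sit in it, which trunks (with their port-channel members) extend it to the other switch, and which access port lacks `spanning-tree portfast`. The sample text is a constructed copy of the posted fragment; the parser goes slightly beyond it by also honouring a `switchport trunk allowed vlan` list, so it can tell a trunk that carries the VLAN from one that prunes it.

```python
"""Added example (not from the thread, Sophos or Cisco): parse Cisco IOS
interface stanzas and report how one VLAN is carried across the switch."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: a copy of the HA-related fragment posted in the thread.
SAMPLE_CONFIG = """\
interface Port-channel10
 description -- to_ sw_dia2-218
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/23
 switchport access vlan 210
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport access vlan 210
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/26
 description *** Heart-Beat - Astaro ***
 switchport access vlan 210
!
interface GigabitEthernet0/28
 description -- to_ sw_dia2-218_ Gi0/28
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-group 10 mode active
"""


@dataclass
class Iface:
    name: str
    mode: str = ""                              # "access", "trunk" or "" (not set)
    access_vlan: Optional[int] = None
    allowed_vlans: Optional[Set[int]] = None    # None = trunk carries all VLANs
    portfast: bool = False
    channel_group: Optional[int] = None


def _expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20-22,210' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text: str) -> List[Iface]:
    """Walk 'interface ...' stanzas; a bare '!' line ends the current one."""
    ifaces, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            cur = Iface(name=line.split(None, 1)[1])
            ifaces.append(cur)
            continue
        if line == "!" or cur is None:
            cur = None
            continue
        cmd = line.strip()  # lines not listed below (descriptions, etc.) are ignored
        if cmd.startswith("switchport mode "):
            cur.mode = cmd.split()[-1]
        elif cmd.startswith("switchport access vlan "):
            cur.access_vlan = int(cmd.split()[-1])
        elif cmd.startswith("switchport trunk allowed vlan "):
            cur.allowed_vlans = _expand_vlan_list(cmd.split()[-1])  # plain list only
        elif cmd == "spanning-tree portfast":
            cur.portfast = True
        elif cmd.startswith("channel-group "):
            cur.channel_group = int(cmd.split()[1])
    return ifaces


def vlan_report(ifaces: List[Iface], vlan: int) -> Dict:
    """Which ports carry `vlan`, and does it leave the switch over a trunk?"""
    access = [i.name for i in ifaces if i.access_vlan == vlan and i.mode != "trunk"]
    # Physical members of a port-channel are reported under their bundle.
    members: Dict[str, List[str]] = {}
    for i in ifaces:
        if i.channel_group is not None:
            members.setdefault(f"Port-channel{i.channel_group}", []).append(i.name)
    trunks = [i.name for i in ifaces
              if i.mode == "trunk" and i.channel_group is None
              and (i.allowed_vlans is None or vlan in i.allowed_vlans)]
    return {
        "access_ports": access,
        "trunks": trunks,
        "trunk_members": {t: members.get(t, []) for t in trunks},
        "no_portfast": [i.name for i in ifaces if i.name in access and not i.portfast],
        # A heartbeat VLAN on an uplink trunk is not a direct link: it depends on
        # both switches, the fiber between them and spanning-tree convergence.
        "crosses_trunk": bool(trunks),
    }
```

Run on the posted fragment, the report shows VLAN 210 on Gi0/23, Gi0/24 and Gi0/26, leaving the switch over Port-channel10 (member Gi0/28), with Gi0/26 the only access port without portfast; `crosses_trunk` being true is exactly the situation the Sophos reply describes, where the heartbeat is carried through the switches instead of over a direct cable.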

  • Ciao Roberto,

    1. Have you defined a zone of type DMZ and assigned it to the HA link monitor?

    2.1. To which port of the "left" switch is the HA monitor port of the "left" firewall attached?

    2.2. To which port of the "right" switch is the HA monitor port of the "right" firewall attached?

    3. Port 28 is fiber, true? Do you transport other VLANs on that port (to distribute WAN, LAN, DMZ traffic on both switches/firewalls), or do they come from other ports on each switch?

  • Hi Gabriele,

    1) Yes, and I have activated SSH on this zone

    2) Building 4 -> XG330 Port.4 -> g0/24

    3) Building 2 -> XG330 Port.4 -> g0/24

    4) Yes, in fiber, of course; the trunk transports all VLANs of this switch to the other building to distribute WAN/LAN (every port in a separate VLAN)

    Roberto

  • PS: I will be out of office for a week, so I'll continue following this thread when I'm back.

    Roberto
