This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Link Aggregation for dedicated HA Port

Hello!

We are trying to build an HA Cluster over two datacenters, each with two switches and one Sophos XG 330 (FW v17.5.7 MR-7). The LAN and WAN ports on the firewall are both LAG ports, connected to each switch. We would like to also use a LAG port for the dedicated HA port for an Active-Passive cluster, however, it seems we can't choose a LAG interface for the HA port even though it is in the DMZ zone with SSH access (the list of available ports is just empty).

Right now we just use one normal port for the HA, however after some failover tests, we noticed that if the switch with the HA link goes down, we have a split brain situation with the firewalls, since both firewalls at both datacenters still have a working LAN and WAN port.

So we were wondering if there is a way to use an LAG port for the dedicated HA port? I found some older threads discussing this over the old UTM firewalls and it seems like it was possible back then, so we are kinda confused why it doesn't work with the new XG anymore.

BR Daniel

This thread was automatically locked due to age.

0 Keyur over 6 years ago

Hi Daniel Boschofsky

Please refer to the given article for LAG and HA scenario, I will further check your requirement and provide you further details about your scenario.

https://community.sophos.com/kb/en-us/128161

https://community.sophos.com/kb/en-us/123100
Cancel
Vote Up 0 Vote Down

Cancel
0 Daniel Boschofsky over 6 years ago in reply to Keyur

Hi Keyur,

thanks for your answer.

We already have LAG interfaces configured for WAN and LAN, however, we can't do this for the HA interface. Please see the diagram below:

Currently we are only able to use a normal single port connection to one of the switches for the dedicated HA port. But we would like to also use a LAG interface for this, since the failure of one switch could cause a split brain, since LAN and WAN are still up and running for both switches. If we set up a LAG interface and configure it for HA according to the links you provided, we simply cannot choose it as a 'Dedicated HA Port'.

BR Daniel
Cancel
Vote Up 0 Vote Down

Cancel
0 MichaelBolton over 6 years ago in reply to Daniel Boschofsky

Hi Daniel,

This cannot be done currently on XG. I have asked for this feature since V15 came out. Sophos can't seem to understand the need for HA port redundancy. I did extensive HA failover testing and the XG's will split brain if the HA link goes down. Terrible design on their part since SG could do it.
Cancel
Vote Up 0 Vote Down

Cancel
0 E-kenz over 5 years ago in reply to MichaelBolton

Hello,

This problem is still actual in V18!

We are facing the same situation, and we have no other way than to have a dedicated HA switch, which goes back to LAG<->MLAG on our core switch.

The function was available on utm, why isn't it on XG? I don't think it takes long for such a feature to be dev...

Even a backup link, not even a LAG will solve the issue.
Cancel
Vote Up 0 Vote Down

Cancel