HA Setup

I am trying to set up HA active/passive using this document - https://community.sophos.com/kb/en-us/123174 but after setting it up, under HA details it now shows -

Primary serial number standalone

Peer serial number: Faulty 

Some questions about the document - 

1) It shows the same IPs on both firewalls for all interfaces other than the dedicated HA port. How should this be set up, i.e. the standby device has 172.16.16.2 as the default on the LAN and I had to configure a public IP on the WAN to register the device (no registration = no HA).

Should I have wiped these IPs before setting up HA so that in effect the only IP configured on the secondary device was on the HA port?

2) The peer administration IP - the primary has a LAN IP of 172.16.7.1 and I wanted to use the LAN interface as the peer administration port, so I entered 172.16.7.2. Should I have configured this before setting up HA, or does this get pushed to the standby device?

3) I cannot now disable HA, so it is stuck where it is enabled but not working.

I think I am just not clear on what should be configured on the standby device in terms of interface IPs before trying to set up HA?

Any help much appreciated. 

Thanks
  • Quick update - 

    I have disabled HA and now nothing is working. I have rebooted the firewall and nothing is passing through.

    Okay, I had to go into each rule and click "Save" and they started working again. 

    Please tell me this is not how this is supposed to work!

  • Hi Jon,

    the setup is quite tricky - it sometimes behaved strangely on our site as well and not everything was explainable. You have to read everything thoroughly.

    We did not see the issue with the firewall blocking when disabling HA. Maybe this has something to do with your underlying network. Instead of touching every rule a reboot also might have helped.

    All monitored ports + HA ports have to be online before establishing HA.

    As far as I remember it worked like this:

    - We registered both firewalls individually (at least it is possible to set up HA on two firewalls that have been previously configured).

    - For the internal interface the firewalls had different IPs. Regarding 2) - this needs to be established beforehand, as the standby device does not know that it will get x.y.z.2.

    - The first one was completely configured regarding all the monitored ports (LAN/WAN/DMZ) and the HA Port. The second was configured regarding HA Port + management port (LAN). All monitored interfaces were up, the HA port was connected directly. All switchports were configured with the correct VLANs.

    - When establishing HA the config is mirrored to the second firewall. They still have different management IPs, but the firewall is reachable by the cluster IP (LAN / WAN / DMZ). We also used LAN for the management IP, and the IP of the primary firewall is the "official" IP. The IP of the secondary firewall is still reachable.

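As an added illustration (not part of this thread and not a Sophos tool), the following Python pre-flight check encodes the prerequisites listed in the reply above before HA is enabled: both units registered, the HA port and every monitored port up on both, HA-link and peer-administration addresses distinct within one subnet, and no leftover addresses on the standby beyond the HA and administration ports. The interface names, serials and addresses used with it are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_interface


@dataclass
class Iface:
    name: str
    ip: str = ""             # CIDR such as "172.16.7.1/24"; "" if unconfigured
    link_up: bool = False
    monitored: bool = False  # part of HA link monitoring (LAN/WAN/DMZ)


@dataclass
class Firewall:
    serial: str
    registered: bool
    ifaces: dict             # interface name -> Iface (constructed inventory)


def _same_subnet_distinct(a, b):
    """True when two CIDR strings are different hosts in the same network."""
    ia, ib = ip_interface(a), ip_interface(b)
    return ia.network == ib.network and ia.ip != ib.ip


def ha_preflight(primary, standby, ha_port, admin_port):
    """Return the list of blocking problems (an empty list means HA can be enabled)."""
    problems = []
    for fw in (primary, standby):
        if not fw.registered:
            problems.append(f"{fw.serial}: not registered (no registration = no HA)")
        ha = fw.ifaces.get(ha_port)
        if ha is None or not ha.link_up:
            problems.append(f"{fw.serial}: HA port {ha_port} is not up")
    # All monitored ports must be online on both units before HA is established.
    for ifc in primary.ifaces.values():
        peer = standby.ifaces.get(ifc.name)
        if ifc.monitored and (not ifc.link_up or peer is None or not peer.link_up):
            problems.append(f"monitored port {ifc.name} is not up on both units")
    # HA link and peer-administration addresses: different hosts in one subnet,
    # configured on both units before HA is enabled (the standby is not told later).
    for port, label in ((ha_port, "HA link"), (admin_port, "peer administration")):
        a, b = primary.ifaces.get(port), standby.ifaces.get(port)
        if a and b and a.ip and b.ip:
            if not _same_subnet_distinct(a.ip, b.ip):
                problems.append(f"{label} IPs {a.ip} / {b.ip} must differ within one subnet")
        else:
            problems.append(f"{label} IP missing on one unit ({port})")
    # The standby should carry only HA and administration addresses; anything
    # else (factory defaults, registration-time WAN IP) is overwritten by mirroring.
    for ifc in standby.ifaces.values():
        if ifc.ip and ifc.name not in (ha_port, admin_port):
            problems.append(f"{standby.serial}: clear {ifc.ip} from {ifc.name} before enabling HA")
    return problems
```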

  • Hi 

    Many thanks for that. 

    I did reboot the firewall first after disabling HA, but still it would not pass traffic until I saved each rule individually, which I have to say I think is ridiculous coming from other firewalls such as Cisco, Checkpoint etc. As far as I can tell there is nothing wrong with the network setup.

    I actually need the management port to be the WAN interface due to the network topology, so I will configure that IP on the standby and then delete the default LAN interface IP (172.16.16.16) from the console before trying to enable HA, and will update this thread once I have done it.

    Cheers 

    Jon

  • I reset the standby firewall to factory defaults, then configured the HA port with an IP and the WAN port with an IP (as I am using this as management) as suggested by BeEF, then enabled SSH + ping in the DMZ, and configured HA with a passphrase on the standby firewall.

    Then on the primary firewall I enabled SSH + ping, configured the HA port and then HA, and enabled it, and this time it worked fine.

    One thing to note is that when you enable HA, even when the firewall has reported HA is enabled, if you check the status it is still reporting as standalone and faulty for a while; you just have to be patient and keep refreshing the page, and it does eventually report primary/auxiliary.

    Did some testing and it fails over very quickly, so all working, and many thanks to BeEF for the help :)

    Jon