XG-HA-Cluster: License on Master after failover - can the former auxiliary stay primary?

Hi,

I've recently read that there is an issue with licensing after failover. Could you help me here?

We have an XG-125 Active-Passive Cluster (V19.1 Firmware) and currently the former auxiliary is "primary". The former "primary" holds the licenses. Is there any problem with that? Do we have to switch the licensed "secondary" to become the "Primary" again? Or is there no problem and the former "auxiliary" with no licenses can stay active as "primary"?

Thank you very much for your answers!



  • There is no issue in this sense.

    It is quite simple: If you join a HA, the appliance in this situation will sync the license "to the cluster". So to speak, the cluster will hold the license and whatever appliance is active will have the license. 

    This will work for every situation (Active-Passive, Standalone etc). 

    If you disable the HA, the HA will be cleared and the appliance which is currently the primary will be active (the second node goes into factory reset). In this situation, the appliance will ask the license server which license it has. If this is the appliance without the license (so the Aux), there will be no license.

    You can check this in MySophos: https://secure2.sophos.com/en-us/mysophos/my-account/network-protection/view-devices

    If you see a potential problem, you can do a license transfer in MySophos. This will seamlessly transfer the license to your other appliance.


  • Hello,

    Greetings,

    As suggested, there is no operational issue if the active/master device becomes the auxiliary.

    Ideally, the device which becomes active/master would be able to sync the license with the Sophos portal. The firewall from where you establish the HA becomes active/master and later, you shall only be able to sync the license from that device.

    You may validate the master/active device using the command below from the advanced shell:

    nvram get '#li.master'

    If it says "yes", you should be able to sync the license from this and the license should exist on the same appliance at the portal.

    If it says "no", it means the auxiliary device is master/active and new licenses can only be synced from that device. At the same time, the license should exist on this device over the customer portal.

    You may refer to the KBA below to understand more about the licensing part:

    https://support.sophos.com/support/s/article/KB-000038005?language=en_US#whathighavailability

    Also, refer to the KBA below to transfer the license over to the user portal.

    https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/HighAvailablityStartupGuide/HALicenseTransfer/index.html

    I hope the above information will help clarify things!

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support


  • BTW: This nvram get command is not needed in V19.5+ because the interface will reflect the initial primary.
