HA Port Monitoring and IPSEC VPN

I have 2 pairs of XG230s, latest firmware, new setup (just HA, basic FW, and VPN).

When enabling HA with port monitoring for LAN, WAN 1 and WAN 2, the VPN tunnel terminates after 1-2 hours and won't reinitiate. When I have HA on but not monitoring any ports, the VPN tunnel remains active.

Anyone run into this issue?



This thread was automatically locked due to age.
  • Mark,

    put only LAN as port monitoring and try again. Also check the HA logs from the console by typing this command:

    system ha show logs

    Regards

  • It doesn't seem like the XG can do true high availability. It either does WAN failover or device failover, but will not fail over if the gateway itself is down on the primary unit but up on the secondary unit.

    For example, my network looks something like this:

    ISP 1 and ISP 2 are connected to WAN Switch A and WAN Switch B. Each ISP has two cables, so Switch A or B can be out and still provide connectivity to either Sophos XG device by either ISP.

    I have 2 cables from WAN Switch A going into WAN (Port 2) on each XG and 2 cables from WAN Switch B going into Port 5 on each XG.

    Both XGs have 1 LAN cable coming out; 1 goes into Core Switch A and the other into Core Switch B. Core Switch A and B are connected together as well using a 1' CAT6 cable.

    So now if I unplug ISP 1 from WAN Switch A, the XG still shows the port as active on its WAN for the primary device. And if I unplug ISP 2 from WAN Switch A, the primary XG has no Internet but still shows both ports active, so HA port monitoring does nothing. Devices on the network are still trying to go out the LAN on the primary, but there's just no Internet.

    Monitoring the LAN only is troublesome as the Sophos XG will flip every time the switch reboots for a firmware upgrade. While it's not that frequent, our core switches get firmware updates roughly every month or two. These are SDN switches managed by a controller.

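The two failure modes described in the post above (both WAN ports still showing link on the primary while nothing upstream answers, and LAN-only port monitoring flipping the pair every time a core switch reboots) expressed as a small decision model. This is an added example written for this page, not code from the poster or from Sophos; it talks to no device, and the port names, the probe results and the hold-down threshold are constructed assumptions chosen to match the scenario in the post.

```python
"""Model of two HA failover policies for a firewall pair.

Added example for this thread (not Sophos code; it talks to no device).
It contrasts link-state port monitoring, which reacts only to loss of
carrier on a monitored port, with an upstream-reachability check that
also fails over when the WAN link is up but no gateway answers, and it
adds a hold-down counter so a brief LAN outage does not flip the pair.
"""

from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Node:
    name: str
    link_up: Dict[str, bool]            # port -> carrier state
    gateway_reachable: Dict[str, bool]  # port -> result of an upstream probe


def link_monitor_failover(primary: Node, monitored_ports: List[str]) -> bool:
    """Port monitoring as the post describes it: fail over only when a
    monitored port on the primary loses link. Upstream state is ignored."""
    return any(not primary.link_up[p] for p in monitored_ports)


def reachability_failover(primary: Node, secondary: Node, wan_ports: List[str]) -> bool:
    """Fail over when no WAN gateway is reachable from the primary but at
    least one is reachable from the secondary (assumed per-port probes)."""
    primary_ok = any(primary.gateway_reachable[p] for p in wan_ports)
    secondary_ok = any(secondary.gateway_reachable[p] for p in wan_ports)
    return (not primary_ok) and secondary_ok


class DampenedMonitor:
    """Hold-down counter: a failing condition must persist for `threshold`
    consecutive polls before it is allowed to trigger a failover."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.consecutive = 0

    def observe(self, failing: bool) -> bool:
        self.consecutive = self.consecutive + 1 if failing else 0
        return self.consecutive >= self.threshold


# Constructed scenario (assumed port names): after both ISPs are unplugged
# from WAN Switch A, the primary's WAN ports still show carrier because the
# switch itself is up, but no gateway answers; the secondary still reaches one.
WAN_PORTS = ["Port2", "Port5"]
MONITORED = ["Port1", "Port2", "Port5"]  # LAN, WAN 1, WAN 2

PRIMARY_NO_UPSTREAM = Node(
    "xg-primary",
    link_up={"Port1": True, "Port2": True, "Port5": True},
    gateway_reachable={"Port2": False, "Port5": False},
)
SECONDARY_HEALTHY = Node(
    "xg-secondary",
    link_up={"Port1": True, "Port2": True, "Port5": True},
    gateway_reachable={"Port2": False, "Port5": True},
)


def compare_policies(primary: Node, secondary: Node) -> Dict[str, bool]:
    """Decision of each policy for the same pair of nodes."""
    return {
        "link_monitor": link_monitor_failover(primary, MONITORED),
        "reachability": reachability_failover(primary, secondary, WAN_PORTS),
    }


def simulate_switch_reboot(threshold: int, down_checks: int) -> List[bool]:
    """The primary's LAN port loses carrier for `down_checks` polls while a
    core switch reboots; returns the (dampened) failover decision per poll."""
    mon = DampenedMonitor(threshold)
    decisions = []
    for i in range(down_checks + 2):
        lan_down = i < down_checks
        primary = Node(
            "xg-primary",
            link_up={"Port1": not lan_down, "Port2": True, "Port5": True},
            gateway_reachable={"Port2": True, "Port5": True},
        )
        decisions.append(mon.observe(link_monitor_failover(primary, MONITORED)))
    return decisions


if __name__ == "__main__":
    print(compare_policies(PRIMARY_NO_UPSTREAM, SECONDARY_HEALTHY))
    print(simulate_switch_reboot(threshold=5, down_checks=3))
```

With the constructed inputs, the link-state policy sees every monitored port up and does nothing, while the reachability policy fails over; and with a hold-down of 5 polls, a 3-poll LAN outage never triggers a flip, whereas a hold-down of 2 would.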