
HA on XG Virtual Appliances: Unable to connect with peer device

Hi guys,

I'm trying to setup HA Active/Passive on 2 Sophos XG virtual appliances, but am failing...

I've successfully setup my first Sophos XG virtual appliance. I have 4 physical interfaces, one with a vlan:

I read the manual, it stated the HA Link must be in zone DMZ and SSH must be enabled:

(NB: I'm going to restrict access to the device later when it's up and running in HA)

So, I just imported the auxiliary device in vmware with the exact same physical interfaces as the primary. In the console of the appliance I can only configure PortA. I do see PortB as well there, but can't configure it. Anyway: I configure PortA with ip 10.113.110.21/24.

So: I browse to the admin web interface of the auxiliary device and choose: "Configure Auxiliary HA Device":

On the next screen, I supply all the required information:

Next I configure HA on the primary device and click "Enable HA":

In the advanced shell (tcpdump) I see the two appliances are having a conversation:

14:51:34.436504 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [S], seq 1388654196, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:51:34.436607 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [S.], seq 3770200183, ack 1388654197, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:51:34.436775 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [.], ack 1, win 229, length 0
14:51:34.436811 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1, win 229, length 510
14:51:34.436825 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 511, win 237, length 0
14:51:34.441136 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 511, win 237, length 390
14:51:34.441280 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [.], ack 391, win 237, length 0
14:51:34.441360 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 391, win 237, length 48
14:51:34.481167 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 559, win 237, length 0
14:51:34.503880 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 559, win 237, length 624
14:51:34.506202 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1015, win 247, length 16
14:51:34.506237 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 575, win 237, length 0
14:51:34.506265 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1015, win 247, length 120
14:51:34.506277 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 695, win 237, length 0
14:51:34.506526 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 695, win 237, length 52
14:51:34.513686 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 695, win 237, length 68
14:51:34.513871 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [.], ack 1135, win 247, length 0
14:51:34.513895 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1135, win 247, length 100
14:51:34.553191 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 795, win 237, length 0
14:51:34.861238 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 795, win 237, length 68
14:51:34.861482 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1203, win 247, length 84
14:51:34.861521 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 879, win 237, length 0
14:51:35.197246 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 879, win 237, length 68
14:51:35.197497 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1271, win 247, length 84
14:51:35.197533 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 963, win 237, length 0
14:51:35.497253 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 963, win 237, length 68
14:51:35.497528 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1339, win 247, length 84
14:51:35.497562 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 1047, win 237, length 0
14:51:35.885279 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 1047, win 237, length 68
14:51:35.885519 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1407, win 247, length 84
14:51:35.885555 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 1131, win 237, length 0
14:51:36.293553 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [F.], seq 1407, ack 1131, win 237, length 0
14:51:36.293803 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [F.], seq 1131, ack 1408, win 247, length 0
14:51:36.293851 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 1132, win 237, length 0

But unfortunately the primary device tells me "Unable to connect with peer device".

In applog.log I see the following two lines appear:

Jul 05 15:51:33 enableha: enableha called from GUI
Jul 05 15:51:36 enableha: peer sanity check failed !!!

Obviously something is not right in my setup. I'm thinking maybe the interface / vlan configuration should be in sync?

Please advise!

Kind regards,

Tom van Leeuwen
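The tcpdump capture in the post can be checked mechanically rather than by eye. The script below is an added example, not code from the original post or from Sophos: it parses a subset of the trace lines quoted above (embedded inline), identifies which side is the SSH client, and reports whether the TCP session on the HA link completed its three-way handshake, carried payload in both directions and was closed with a FIN from each side. The flag letters follow tcpdump's notation; the diagnosis strings in `diagnose()` are my own assumptions about what each pattern usually indicates and are not taken from the page.

```python
import re
from dataclasses import dataclass

# Subset of the tcpdump lines from the post (HA link on PortD, primary
# 10.111.30.1 connecting to the auxiliary 10.111.30.2 on TCP/22):
# the handshake, the first data segment in each direction and the teardown.
SAMPLE_TRACE = """\
14:51:34.436504 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [S], seq 1388654196, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:51:34.436607 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [S.], seq 3770200183, ack 1388654197, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:51:34.436775 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [.], ack 1, win 229, length 0
14:51:34.436811 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1, win 229, length 510
14:51:34.436825 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 511, win 237, length 0
14:51:34.441136 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 511, win 237, length 390
14:51:36.293553 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [F.], seq 1407, ack 1131, win 237, length 0
14:51:36.293803 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [F.], seq 1131, ack 1408, win 247, length 0
14:51:36.293851 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 1132, win 237, length 0
"""

# Matches the tcpdump text format used on the XG advanced shell:
# "<time> <iface>, <IN|OUT>: IP <src>.<sport> > <dst>.<dport>: Flags [..], ... length N"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\w+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$"
)


@dataclass
class SessionSummary:
    client: str
    server: str
    syn: bool = False            # client sent a bare SYN
    syn_ack: bool = False        # server answered with SYN-ACK
    handshake_done: bool = False  # client ACKed the SYN-ACK
    reset: bool = False          # any RST seen
    bytes_to_server: int = 0
    bytes_to_client: int = 0
    fin_from_client: bool = False
    fin_from_server: bool = False


def parse_line(line):
    """Return (src, dst, flags, length) for one tcpdump line, or None if it is not a TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, port = m["src"].rsplit(".", 1)
    src = (host, int(port))
    host, port = m["dst"].rsplit(".", 1)
    dst = (host, int(port))
    return src, dst, m["flags"], int(m["len"])


def summarize(trace, server_port=22):
    """Walk the trace and record handshake, payload and teardown facts for the session."""
    summary = client = server = None
    for raw in trace.splitlines():
        pkt = parse_line(raw)
        if pkt is None:
            continue
        src, dst, flags, length = pkt
        if summary is None:
            # The side that is NOT on the server port is the client.
            client, server = (src, dst) if dst[1] == server_port else (dst, src)
            summary = SessionSummary(client="%s:%d" % client, server="%s:%d" % server)
        to_server = dst == server
        if "R" in flags:
            summary.reset = True
        if "S" in flags:
            if to_server and "." not in flags:
                summary.syn = True
            elif not to_server and "." in flags:
                summary.syn_ack = True
        elif to_server and summary.syn_ack and "." in flags:
            summary.handshake_done = True
        if "F" in flags:
            if to_server:
                summary.fin_from_client = True
            else:
                summary.fin_from_server = True
        if to_server:
            summary.bytes_to_server += length
        else:
            summary.bytes_to_client += length
    return summary


def diagnose(s):
    """Map the observed pattern to a plain-language reading (assumed meanings, not from the post)."""
    if s is None or not s.syn:
        return "no SYN seen: no connection attempt reached this interface"
    if s.reset:
        return "connection reset: the port is closed or a rule is rejecting it"
    if not s.syn_ack:
        return "SYN without SYN-ACK: peer unreachable or the SYN is being dropped"
    if not s.handshake_done:
        return "handshake incomplete"
    if s.bytes_to_server and s.bytes_to_client and s.fin_from_client and s.fin_from_server:
        return "TCP session completed and closed cleanly: the transport path works, so look above it"
    return "handshake completed but the session did not finish cleanly"


if __name__ == "__main__":
    result = summarize(SAMPLE_TRACE)
    print(result)
    print(diagnose(result))
```

Run against the quoted trace this reports a complete handshake, 510 bytes toward the SSH server and 390 back, and a FIN from both sides: the network path between the peers is fine, which is consistent with the applog entry "peer sanity check failed" being raised by the HA application logic after the SSH exchange rather than by a connectivity problem.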


