
HA on XG Virtual Appliances: Unable to connect with peer device

Hi guys,

I'm trying to set up HA Active/Passive on 2 Sophos XG virtual appliances, but am failing...

I've successfully set up my first Sophos XG virtual appliance. I have 4 physical interfaces, one with a vlan:

I read the manual, it stated the HA Link must be in zone DMZ and SSH must be enabled:

(NB: I'm going to restrict access to the device later when it's up and running in HA)

So, I just imported the auxiliary device in vmware with the exact same physical interfaces as the primary. In the console of the appliance I can only configure PortA. I do see PortB as well there, but can't configure it. Anyway: I configure PortA with ip 10.113.110.21/24.

So: I browse to the admin web interface of the auxiliary device and choose: "Configure Auxiliary HA Device":

On the next screen, I supply all the required information:

Next I configure HA on the primary device and click "Enable HA":

In the advanced shell (tcpdump) I see the two appliances are having a conversation:

14:51:34.436504 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [S], seq 1388654196, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:51:34.436607 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [S.], seq 3770200183, ack 1388654197, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:51:34.436775 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [.], ack 1, win 229, length 0
14:51:34.436811 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1, win 229, length 510
14:51:34.436825 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 511, win 237, length 0
14:51:34.441136 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 511, win 237, length 390
14:51:34.441280 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [.], ack 391, win 237, length 0
14:51:34.441360 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 391, win 237, length 48
14:51:34.481167 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 559, win 237, length 0
14:51:34.503880 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 559, win 237, length 624
14:51:34.506202 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1015, win 247, length 16
14:51:34.506237 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 575, win 237, length 0
14:51:34.506265 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1015, win 247, length 120
14:51:34.506277 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 695, win 237, length 0
14:51:34.506526 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 695, win 237, length 52
14:51:34.513686 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 695, win 237, length 68
14:51:34.513871 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [.], ack 1135, win 247, length 0
14:51:34.513895 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1135, win 247, length 100
14:51:34.553191 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 795, win 237, length 0
14:51:34.861238 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 795, win 237, length 68
14:51:34.861482 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1203, win 247, length 84
14:51:34.861521 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 879, win 237, length 0
14:51:35.197246 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 879, win 237, length 68
14:51:35.197497 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1271, win 247, length 84
14:51:35.197533 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 963, win 237, length 0
14:51:35.497253 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 963, win 237, length 68
14:51:35.497528 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1339, win 247, length 84
14:51:35.497562 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 1047, win 237, length 0
14:51:35.885279 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 1047, win 237, length 68
14:51:35.885519 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1407, win 247, length 84
14:51:35.885555 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 1131, win 237, length 0
14:51:36.293553 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [F.], seq 1407, ack 1131, win 237, length 0
14:51:36.293803 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [F.], seq 1131, ack 1408, win 247, length 0
14:51:36.293851 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [.], ack 1132, win 237, length 0

But unfortunately the primary device tells me "Unable to connect with peer device".

In applog.log I see the following two lines appear:

Jul 05 15:51:33 enableha: enableha called from GUI
Jul 05 15:51:36 enableha: peer sanity check failed !!!

Obviously something is not right in my setup. I'm thinking maybe the interface / vlan configuration should be in sync?

Please advise!

Kind regards,

Tom van Leeuwen



  • Hi,

    In order for HA to work, you may need to have identical devices.

    A HW SFOS device is compatible with another of the same model and HW version, and the same is applicable to Virtual.

    In order to check the version, please go to Console > option 4:

    console> system diagnostics show version-info

    In other words, VM will only work with VM and HW will work with HW with the same model and HW version.

    Conditions:
    1. SFOS OS should have the same build and version.
    2. HW model and HW version should be the same.
    3. Number of ports should be the same (some HW would have expanded ports/wireless with the same model).
    4. Port 22 (SSH) should be reachable and ping-able from the dedicated port.
    5. Administrative port should be reachable and ping-able.

    HA configuration should be as per the KB article sophos.com/.../123174

    In case you have received a different model, you may need to contact your vendor for an HA-compatible device.
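As an added example (not code from the thread or from Sophos), this small Python parser reads tcpdump lines of the form shown in the original post and decides whether an HA enable attempt failed at the transport level (conditions 4 and 5 in the reply above: nothing answering on port 22) or after a complete SSH exchange (which points at conditions 1 to 3: build, model and port count). The embedded sample is a constructed subset of the post's capture, as seen on the auxiliary, where IN means packets from the primary and OUT means the auxiliary's replies.

```python
import re

# Constructed sample: a subset of the tcpdump lines quoted in the post, as seen on the
# auxiliary (IN = from the primary to port 22, OUT = the auxiliary's replies).
SAMPLE = """\
14:51:34.436504 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [S], seq 1388654196, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:51:34.436607 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [S.], seq 3770200183, ack 1388654197, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:51:34.436811 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [P.], ack 1, win 229, length 510
14:51:34.441136 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [P.], ack 511, win 237, length 390
14:51:36.293553 PortD, OUT: IP 10.111.30.2.22 > 10.111.30.1.49529: Flags [F.], seq 1407, ack 1131, win 237, length 0
14:51:36.293803 PortD, IN: IP 10.111.30.1.49529 > 10.111.30.2.22: Flags [F.], seq 1131, ack 1408, win 247, length 0
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \S+, (?P<dir>IN|OUT): IP "
    r"[\d.]+\.(?P<sport>\d+) > [\d.]+\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$"
)

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyze(capture, port=22):
    # Summarise the session on `port` and say whether it failed at the transport
    # layer (no SYN-ACK) or after SSH data flowed both ways (application layer).
    r = {"synack": False, "bytes_in": 0, "bytes_out": 0,
         "fin_in": False, "fin_out": False, "duration": 0.0}
    times = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or port not in (int(m["sport"]), int(m["dport"])):
            continue  # ignore unrelated traffic on the interface
        times.append(_seconds(m["ts"]))
        d, flags = m["dir"], m["flags"]
        if d == "OUT" and flags == "S.":
            r["synack"] = True
        r["bytes_in" if d == "IN" else "bytes_out"] += int(m["len"])
        if "F" in flags:
            r["fin_" + d.lower()] = True
    if times:
        r["duration"] = round(times[-1] - times[0], 6)
    if not r["synack"]:
        r["verdict"] = "transport"      # nothing answered on port 22: zone/SSH/reachability
    elif r["bytes_in"] and r["bytes_out"] and (r["fin_in"] or r["fin_out"]):
        r["verdict"] = "application"    # SSH completed; peer rejected at the sanity check
    else:
        r["verdict"] = "incomplete"
    return r
```

On the post's capture the verdict is "application": the handshake, payload in both directions and a clean FIN all fit inside two seconds, which matches the "peer sanity check failed" line in applog.log rather than a reachability problem.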