Hi all, since nearly 2 weeks I'm using Sophos UTM as HA cluster. Before I'm using ASG and Sophos UTM as single node for over 3 years. I updated yesterday to release 9.207. With the single node I'm very happy but since running the HA option I see a lot of issues. I don't know where to post them because they are HA related and there's no special HA topic. So I post them here: Recuring error messages of restarting POP3 proxy on the slave node. See https://community.sophos.com/products/unified-threat-management/astaroorg/f/56/t/49681 The internet connection seems to have often little breaks, i. e. when working at astaro.org I get often the error that the page is unaivalable. So I have to reload the page for many times. My Samsung LED TV can't get access to the internet when the preferred master is running. This node is the original single machine with UTM. When switching to slave node the internet connection works fine. I don't have any error logs on the UTM when the TV couldn't connect to the internet. It gets a reserved internal IP address provided by the UTM via DHCP. I get every event on the UTM as mail. When running the master on the preferred machine all the mails are send (Up2Date etc.). When switching to the slave node I didn't get these mails. But when logging on to the console or the web UI I get the mail information about successful logins immediately. Is anyone here in the forum who has the same issues? For the first point mod2402 is experiencing the same, but is there anyone else? Can anyone provide solutions? The only solution I see for the moment is to break the HA cluster and have two single systems running. Thanks to virtualization I can deactivate the network connection of the second system with the same IP address and for the case of an issue with the first system I can activate them. That's not very nice, because there's no automation and it is breaking the internet connection for a short time but it would be OK. But I don't think that this is the solution. There must be a lot of HA configurations running in professional networks and I can't imagine that the administrators would be happy having such issues, right? Kind Regards TheExpert

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM HA cluster - Some issues

Hi all,

since nearly 2 weeks I'm using Sophos UTM as HA cluster. Before I'm using ASG and Sophos UTM as single node for over 3 years. I updated yesterday to release 9.207.

With the single node I'm very happy but since running the HA option I see a lot of issues. I don't know where to post them because they are HA related and there's no special HA topic. So I post them here:

https://community.sophos.com/products/unified-threat-management/astaroorg/f/56/t/49681

Is anyone here in the forum who has the same issues? For the first point mod2402 is experiencing the same, but is there anyone else?

Can anyone provide solutions? The only solution I see for the moment is to break the HA cluster and have two single systems running. Thanks to virtualization I can deactivate the network connection of the second system with the same IP address and for the case of an issue with the first system I can activate them. That's not very nice, because there's no automation and it is breaking the internet connection for a short time but it would be OK. But I don't think that this is the solution. There must be a lot of HA configurations running in professional networks and I can't imagine that the administrators would be happy having such issues, right?

Kind Regards

TheExpert

This thread was automatically locked due to age.

Parents

0 TheDrew over 10 years ago

Only thing that really stands out, the big question in my mind is why does static assignments work but DHCP does not? Given that DNS is working (I assume you ran tests using dig or nslookup from the clients?) that points to the DHCP handing out bad information. That certain things start working once you point the clients to the UTM's proxies, seems to suggest the traffic can't egress beyond the UTM normally, pointing to a routing issue of some sort.

Best thing to do here, and yes it is some work, is to start from scratch with a new UTM config. Take notes from the old UTM, disable/delete the old UTM instance and any slave nodes you setup, and start from scratch. Do not reuse the old configs as I suspect there may be some corruption in them.

When you go to setup the new UTM, start with basic permissive rules (Allow: LAN - Any -Any ) but do not enable the proxies or security features beyond the basic firewall. Make sure DHCP is handing out working addresses and those clients can access the internet. Good idea, if you haven't already, is to make sure the DHCP range does not overlap with the static IP range. Keeps things cleaner and less likely to have an accidental IP conflict.

Once you have the basics working, routing & firewalling, then feel free to start enabling the various advanced services and tweaking your firewall rules. Once you have both a working basic config and a working advanced config, take a config backup so you have a working baseline.

Then we can discuss HA between two UTM's on separate hosts. [:)]
Cancel
Vote Up 0 Vote Down

Cancel
0 TheExpert over 10 years ago in reply to TheDrew

Is there no way to find out, where the configuration may be corrupted? It's a very lot of work to install a new UTM and manually take over the settings. The corruption of the configuration file must be very old. And why is this issue starting without having restored a configuration on the HA after having a provider based break of the internet connection? I restored some older configuration some times later after having no other ideas.

After some more trying with m0n0wall I found out that there's maybe an issue with NAT on my UTM system. Disabling NAT breaked the internet connection, reenabling NAT let it work again.

So I was starting my UTM again. Some of my static client IP adresses are bypassing the proxy because of their client OS (Android, Windows 8.1, SmartTV) on which some services are not working with a (SSL) proxy. Taking out my Windows 8.1 tablet for example the internet access on it is working again.

But again POP3, VoIP etc. aren't still working. And these client systems don't get their IP addresses from DHCP. These are set manually on the client systems themself.

DNS is working fine as expected on all client systems.

After the interruption of the internet connection I had to do some reconfigurations on the AVM FritzBox. Maybe there's an issue?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 TheExpert over 10 years ago in reply to TheDrew

Is there no way to find out, where the configuration may be corrupted? It's a very lot of work to install a new UTM and manually take over the settings. The corruption of the configuration file must be very old. And why is this issue starting without having restored a configuration on the HA after having a provider based break of the internet connection? I restored some older configuration some times later after having no other ideas.

After some more trying with m0n0wall I found out that there's maybe an issue with NAT on my UTM system. Disabling NAT breaked the internet connection, reenabling NAT let it work again.

So I was starting my UTM again. Some of my static client IP adresses are bypassing the proxy because of their client OS (Android, Windows 8.1, SmartTV) on which some services are not working with a (SSL) proxy. Taking out my Windows 8.1 tablet for example the internet access on it is working again.

But again POP3, VoIP etc. aren't still working. And these client systems don't get their IP addresses from DHCP. These are set manually on the client systems themself.

DNS is working fine as expected on all client systems.

After the interruption of the internet connection I had to do some reconfigurations on the AVM FritzBox. Maybe there's an issue?
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data