Hi all, since nearly 2 weeks I'm using Sophos UTM as HA cluster. Before I'm using ASG and Sophos UTM as single node for over 3 years. I updated yesterday to release 9.207. With the single node I'm very happy but since running the HA option I see a lot of issues. I don't know where to post them because they are HA related and there's no special HA topic. So I post them here: Recuring error messages of restarting POP3 proxy on the slave node. See https://community.sophos.com/products/unified-threat-management/astaroorg/f/56/t/49681 The internet connection seems to have often little breaks, i. e. when working at astaro.org I get often the error that the page is unaivalable. So I have to reload the page for many times. My Samsung LED TV can't get access to the internet when the preferred master is running. This node is the original single machine with UTM. When switching to slave node the internet connection works fine. I don't have any error logs on the UTM when the TV couldn't connect to the internet. It gets a reserved internal IP address provided by the UTM via DHCP. I get every event on the UTM as mail. When running the master on the preferred machine all the mails are send (Up2Date etc.). When switching to the slave node I didn't get these mails. But when logging on to the console or the web UI I get the mail information about successful logins immediately. Is anyone here in the forum who has the same issues? For the first point mod2402 is experiencing the same, but is there anyone else? Can anyone provide solutions? The only solution I see for the moment is to break the HA cluster and have two single systems running. Thanks to virtualization I can deactivate the network connection of the second system with the same IP address and for the case of an issue with the first system I can activate them. That's not very nice, because there's no automation and it is breaking the internet connection for a short time but it would be OK. But I don't think that this is the solution. There must be a lot of HA configurations running in professional networks and I can't imagine that the administrators would be happy having such issues, right? Kind Regards TheExpert

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM HA cluster - Some issues

Hi all,

since nearly 2 weeks I'm using Sophos UTM as HA cluster. Before I'm using ASG and Sophos UTM as single node for over 3 years. I updated yesterday to release 9.207.

With the single node I'm very happy but since running the HA option I see a lot of issues. I don't know where to post them because they are HA related and there's no special HA topic. So I post them here:

https://community.sophos.com/products/unified-threat-management/astaroorg/f/56/t/49681

Is anyone here in the forum who has the same issues? For the first point mod2402 is experiencing the same, but is there anyone else?

Can anyone provide solutions? The only solution I see for the moment is to break the HA cluster and have two single systems running. Thanks to virtualization I can deactivate the network connection of the second system with the same IP address and for the case of an issue with the first system I can activate them. That's not very nice, because there's no automation and it is breaking the internet connection for a short time but it would be OK. But I don't think that this is the solution. There must be a lot of HA configurations running in professional networks and I can't imagine that the administrators would be happy having such issues, right?

Kind Regards

TheExpert

This thread was automatically locked due to age.

Parents

0 TheDrew over 10 years ago

I'm assuming your fritzbox grabs an IP from the DSL modem then provides it's own IP addresses for devices behind it. Typically a 192.168. address? The UTM grabs one of those addresses for it's own WAN interface then provides own IP addresses on the inside? Also a 192.168. addresses? If so, you're double NATing to get internet access which often works but some strange errors can crop up because of it.

If the UTM is not NATing properly (or at all) then the FritzBox needs a static route to the UTM so it knows where to send packets bound for behind the UTM.

Two further questions:

1) What are the subnet's behind the FritzBox and the UTM? (IP address of device w/ subnet is fine)

2) Do the devices with static IP's and the DHCP assigned IP's share the same subnet and/or interfaces behind the UTM? If you had to setup a static route in the FritzBox to get the DHCP addresses working but the static's already did, that suggests a problem with the two address ranges not being NAT/MASQ'd properly.

Last question, Given this is a double NAT scenario, is there any reason why the FritzBox has to be between the DSL modem and the UTM? Unless the FritzBox is the DSL modem (diagram wasn't clear), the UTM can interface with most DSL modems so the FritzBox is not needed. If The FritzBox has to be there, can it be switched to a bridge mode rather then a gateway mode?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 TheDrew over 10 years ago

I'm assuming your fritzbox grabs an IP from the DSL modem then provides it's own IP addresses for devices behind it. Typically a 192.168. address? The UTM grabs one of those addresses for it's own WAN interface then provides own IP addresses on the inside? Also a 192.168. addresses? If so, you're double NATing to get internet access which often works but some strange errors can crop up because of it.

If the UTM is not NATing properly (or at all) then the FritzBox needs a static route to the UTM so it knows where to send packets bound for behind the UTM.

Two further questions:

1) What are the subnet's behind the FritzBox and the UTM? (IP address of device w/ subnet is fine)

2) Do the devices with static IP's and the DHCP assigned IP's share the same subnet and/or interfaces behind the UTM? If you had to setup a static route in the FritzBox to get the DHCP addresses working but the static's already did, that suggests a problem with the two address ranges not being NAT/MASQ'd properly.

Last question, Given this is a double NAT scenario, is there any reason why the FritzBox has to be between the DSL modem and the UTM? Unless the FritzBox is the DSL modem (diagram wasn't clear), the UTM can interface with most DSL modems so the FritzBox is not needed. If The FritzBox has to be there, can it be switched to a bridge mode rather then a gateway mode?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 TheExpert over 10 years ago in reply to TheDrew

Two further questions:

1) What are the subnet's behind the FritzBox and the UTM? (IP address of device w/ subnet is fine)

2) Do the devices with static IP's and the DHCP assigned IP's share the same subnet and/or interfaces behind the UTM? If you had to setup a static route in the FritzBox to get the DHCP addresses working but the static's already did, that suggests a problem with the two address ranges not being NAT/MASQ'd properly.

Last question, Given this is a double NAT scenario, is there any reason why the FritzBox has to be between the DSL modem and the UTM? Unless the FritzBox is the DSL modem (diagram wasn't clear), the UTM can interface with most DSL modems so the FritzBox is not needed. If The FritzBox has to be there, can it be switched to a bridge mode rather then a gateway mode?

1) Network between UTM and FritzBox 7390: 172.16.0.0/24, Network behind UTM: 192.168.0.0/24

2) Yes, DHCP-Range 50-90, 90-100 is reserved for static mappings, rest is for manual setting

3) The FritzBox is the DSL modem. So it only can be used in gateway mode.
Cancel
Vote Up 0 Vote Down

Cancel