Hi all, since nearly 2 weeks I'm using Sophos UTM as HA cluster. Before I'm using ASG and Sophos UTM as single node for over 3 years. I updated yesterday to release 9.207. With the single node I'm very happy but since running the HA option I see a lot of issues. I don't know where to post them because they are HA related and there's no special HA topic. So I post them here: Recuring error messages of restarting POP3 proxy on the slave node. See https://community.sophos.com/products/unified-threat-management/astaroorg/f/56/t/49681 The internet connection seems to have often little breaks, i. e. when working at astaro.org I get often the error that the page is unaivalable. So I have to reload the page for many times. My Samsung LED TV can't get access to the internet when the preferred master is running. This node is the original single machine with UTM. When switching to slave node the internet connection works fine. I don't have any error logs on the UTM when the TV couldn't connect to the internet. It gets a reserved internal IP address provided by the UTM via DHCP. I get every event on the UTM as mail. When running the master on the preferred machine all the mails are send (Up2Date etc.). When switching to the slave node I didn't get these mails. But when logging on to the console or the web UI I get the mail information about successful logins immediately. Is anyone here in the forum who has the same issues? For the first point mod2402 is experiencing the same, but is there anyone else? Can anyone provide solutions? The only solution I see for the moment is to break the HA cluster and have two single systems running. Thanks to virtualization I can deactivate the network connection of the second system with the same IP address and for the case of an issue with the first system I can activate them. That's not very nice, because there's no automation and it is breaking the internet connection for a short time but it would be OK. But I don't think that this is the solution. There must be a lot of HA configurations running in professional networks and I can't imagine that the administrators would be happy having such issues, right? Kind Regards TheExpert

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM HA cluster - Some issues

Hi all,

since nearly 2 weeks I'm using Sophos UTM as HA cluster. Before I'm using ASG and Sophos UTM as single node for over 3 years. I updated yesterday to release 9.207.

With the single node I'm very happy but since running the HA option I see a lot of issues. I don't know where to post them because they are HA related and there's no special HA topic. So I post them here:

https://community.sophos.com/products/unified-threat-management/astaroorg/f/56/t/49681

Is anyone here in the forum who has the same issues? For the first point mod2402 is experiencing the same, but is there anyone else?

Can anyone provide solutions? The only solution I see for the moment is to break the HA cluster and have two single systems running. Thanks to virtualization I can deactivate the network connection of the second system with the same IP address and for the case of an issue with the first system I can activate them. That's not very nice, because there's no automation and it is breaking the internet connection for a short time but it would be OK. But I don't think that this is the solution. There must be a lot of HA configurations running in professional networks and I can't imagine that the administrators would be happy having such issues, right?

Kind Regards

TheExpert

This thread was automatically locked due to age.

0 TheExpert over 10 years ago in reply to TheDrew

Is there no way to find out, where the configuration may be corrupted? It's a very lot of work to install a new UTM and manually take over the settings. The corruption of the configuration file must be very old. And why is this issue starting without having restored a configuration on the HA after having a provider based break of the internet connection? I restored some older configuration some times later after having no other ideas.

After some more trying with m0n0wall I found out that there's maybe an issue with NAT on my UTM system. Disabling NAT breaked the internet connection, reenabling NAT let it work again.

So I was starting my UTM again. Some of my static client IP adresses are bypassing the proxy because of their client OS (Android, Windows 8.1, SmartTV) on which some services are not working with a (SSL) proxy. Taking out my Windows 8.1 tablet for example the internet access on it is working again.

But again POP3, VoIP etc. aren't still working. And these client systems don't get their IP addresses from DHCP. These are set manually on the client systems themself.

DNS is working fine as expected on all client systems.

After the interruption of the internet connection I had to do some reconfigurations on the AVM FritzBox. Maybe there's an issue?
Cancel
Vote Up 0 Vote Down

Cancel
0 TheExpert over 10 years ago

Looking on the FritzBox I saw that there's no static route for the internal network behind the UTM. Don't know if I had such a route before the changes after the interruption of the internet connection last Friday. But why must I set a route for the network behind the UTM? With m0n0wall I didn't need to set the route.

After setting the route, alle clients have internet access again even when allowed to bypass the (SSL) proxy. POP3 and SMTP work fine, too. VoIP works outgoing but not incoming yet.
Cancel
Vote Up 0 Vote Down

Cancel
0 TheDrew over 10 years ago

I'm assuming your fritzbox grabs an IP from the DSL modem then provides it's own IP addresses for devices behind it. Typically a 192.168. address? The UTM grabs one of those addresses for it's own WAN interface then provides own IP addresses on the inside? Also a 192.168. addresses? If so, you're double NATing to get internet access which often works but some strange errors can crop up because of it.

If the UTM is not NATing properly (or at all) then the FritzBox needs a static route to the UTM so it knows where to send packets bound for behind the UTM.

Two further questions:

1) What are the subnet's behind the FritzBox and the UTM? (IP address of device w/ subnet is fine)

2) Do the devices with static IP's and the DHCP assigned IP's share the same subnet and/or interfaces behind the UTM? If you had to setup a static route in the FritzBox to get the DHCP addresses working but the static's already did, that suggests a problem with the two address ranges not being NAT/MASQ'd properly.

Last question, Given this is a double NAT scenario, is there any reason why the FritzBox has to be between the DSL modem and the UTM? Unless the FritzBox is the DSL modem (diagram wasn't clear), the UTM can interface with most DSL modems so the FritzBox is not needed. If The FritzBox has to be there, can it be switched to a bridge mode rather then a gateway mode?
Cancel
Vote Up 0 Vote Down

Cancel
0 TheExpert over 10 years ago in reply to TheDrew

Two further questions:

1) What are the subnet's behind the FritzBox and the UTM? (IP address of device w/ subnet is fine)

2) Do the devices with static IP's and the DHCP assigned IP's share the same subnet and/or interfaces behind the UTM? If you had to setup a static route in the FritzBox to get the DHCP addresses working but the static's already did, that suggests a problem with the two address ranges not being NAT/MASQ'd properly.

Last question, Given this is a double NAT scenario, is there any reason why the FritzBox has to be between the DSL modem and the UTM? Unless the FritzBox is the DSL modem (diagram wasn't clear), the UTM can interface with most DSL modems so the FritzBox is not needed. If The FritzBox has to be there, can it be switched to a bridge mode rather then a gateway mode?

1) Network between UTM and FritzBox 7390: 172.16.0.0/24, Network behind UTM: 192.168.0.0/24

2) Yes, DHCP-Range 50-90, 90-100 is reserved for static mappings, rest is for manual setting

3) The FritzBox is the DSL modem. So it only can be used in gateway mode.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 10 years ago

3) To configure in bridged mode - in the web interface, in 'internet / account information /', set 'Connection = Internet connection via DSL' and 'Operating Mode = Use FRITZ!Box as a DSL modem'.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 TheExpert over 10 years ago in reply to BAlfson

Thank you, but this isn’t possible because the FritzBox is also VoIP client to my ISP and I’m using its DECT base, ISDN and the phone options, too.
Cancel
Vote Up 0 Vote Down

Cancel
0 TheDrew over 10 years ago

You're stuck with a double NAT which isn't optimal but unless you plan anything really fancy with VPN's you should be okay.

The thing I'd like to know now (preferably screen scrapes), as this is still feeling like a bad NAT rule, is the NAT and Masquerade rules you have in place. If the Static IP's can get internet without needing a static route, and the DHCP one's can't, suggests some difference in config between the two ranges.
Cancel
Vote Up 0 Vote Down

Cancel
0 TheExpert over 10 years ago in reply to TheDrew

Hi all,

after a new selfmade accident with my network while trying to solve the VoIP issue I decided to restore older configurations on the both FritzBox (7390 for internet connection, 7270 for DECT and WLAN) and on the UTM.

Since then, everything is working fine again. Maybe there were some configuration settings lost on the 7390 last friday as of the crash of my internet connection.

Now I have the settings which I use without any issues since 3 years.

Thank you all for your support.

TheExpert
Cancel
Vote Up 0 Vote Down

Cancel