Updating to 9.506 - Broke HA cluster

Hi all,

On Friday I patched our Sophos UTM cluster to 9.506 and found that the cluster is broken unless the passive node is switched off. The VMs are on the same ESX host and I have checked that they both have the Virtual MAC setting set to 0. Has anyone noticed this too and found a workaround?

Cheers

Anthony 



This thread was automatically locked due to age.
  • Hi Thomas,

    Thomas Pirson said:

    As Patrick Weimer said interfaces on standby node mess with the vSwitch because of their identical runtime MAC addresses. On VMware, this results in VMs on the same physical host as the passive node being unable to contact the firewall, unless you shutdown this node. Using a different vSwitch between VMs and Sophos allows connectivity to the cluster again. We also raised a support request [#7866009] before finding this thread :) 

     

    Did you try the workaround on the frankysweb blog?

    https://community.sophos.com/products/xg-firewall/f/email-protection/94041/sophos-xg-dkim-and-dmarc-no-longer-supported/340573

     

    Look in the comments section:

    BAlfson says:

    Sorry, my German-speaking brain isn't creating thoughts at the moment.
    If anyone else has the same problem with VMs as Tom, please let us know if the following fixes your issue:
    How to resolve issues with Virtual UTMs configured for High Availability:
    1. Log in to the UTM console as root.
    2. Enter the following command to determine if HA virtual_mac is enabled:
    cc get ha advanced virtual_mac
    3. If the output is 1, you can disable it by entering the following:
    cc set ha advanced virtual_mac 0
    4. Restart all virtual UTMs.
    Please continue in German.

     

    HTH

     

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v19 Architect
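The symptom Thomas describes (the passive node advertising the same MAC as the active node, so both appear on one vSwitch) can be confirmed from a port/MAC listing before touching the cluster. The script below is an added example, not code from the thread or from Sophos: its `find_duplicate_macs` function parses a constructed `<port> <vm-name> <mac>` table and reports any MAC seen on more than one port. The column layout and the VM names are assumptions for the example; a real listing such as `esxcli network vm port list` on the ESXi host has a different layout and you would adapt the awk field numbers. The `utm_virtual_mac_is_off` helper wraps the `cc get ha advanced virtual_mac` check from the post and is only meaningful when run as root on the UTM itself, so it is defined but not called here.

```shell
#!/bin/sh
# Added example: detect a MAC address advertised on more than one vSwitch port,
# the failure mode reported in this thread (passive UTM node still advertising
# the HA virtual MAC). Not Sophos code; input format is constructed.

# Constructed sample listing: "<port-id> <vm-name> <mac>", one port per line.
# Both UTM nodes show the same MAC, the app/db servers are healthy.
SAMPLE_PORTS='50331650 utm-node1 00:0c:29:aa:bb:01
50331651 utm-node2 00:0c:29:aa:bb:01
50331652 app-server 00:0c:29:cc:dd:02
50331653 db-server 00:0c:29:cc:dd:03'

# Reads the listing on stdin and prints "<mac> <vm1>,<vm2>,..." for every MAC
# that appears on more than one port. Prints nothing when the table is clean.
find_duplicate_macs() {
    awk '
        NF >= 3 {
            mac = tolower($3)
            count[mac]++
            if (count[mac] == 1) vms[mac] = $2
            else vms[mac] = vms[mac] "," $2
        }
        END {
            for (m in count) if (count[m] > 1) print m, vms[m]
        }' | sort
}

# Runs the check from the post on the UTM console (root). Returns 0 when the
# setting is already 0, 1 otherwise. Do not run this on an ordinary Linux box:
# there "cc" is the C compiler, not the UTM confd client.
utm_virtual_mac_is_off() {
    [ "$(cc get ha advanced virtual_mac 2>/dev/null)" = "0" ]
}

# Stand-alone run: report duplicates in the constructed sample.
dupes=$(printf '%s\n' "$SAMPLE_PORTS" | find_duplicate_macs)
if [ -n "$dupes" ]; then
    printf 'MAC advertised on multiple ports (check passive node):\n%s\n' "$dupes"
else
    echo "No duplicate MACs on this vSwitch."
fi
```

If the duplicate shows up even though `cc get ha advanced virtual_mac` already returns 0, you are seeing the bug discussed in this thread rather than a misconfiguration, and the vSwitch/host separation workarounds below are what is left until the fixed firmware is installed.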

  • Hi Martin,

    Thanks for your input! Disabling the virtual MAC was one of the very first things we did during setup, prior to setting up the active/passive cluster, and again later as it was suggested by others. Unfortunately the command had no effect. We actually reproduced the problem in another environment with the same firmware 9.506-2. On the distributed vSwitch we are running we can see that the passive node advertises the virtual MAC while it should not.

  • Okay, I guess we need to wait for the update scheduled for this month :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v19 Architect

  • Sophos Support told me 2 weeks ago that the fix will be released in version 9.508

    There was no ETA back then, but let's hope it's soon.

    We have 2 VMs in a VMware environment in HA.

     

    My successful workaround is:

    placing each VM on a different vSwitch solves the problem,

    at least until there is a permanent patch.

  • Hi,

     

    We have the same problem with some virtual UTM clusters in the company.

    We run the UTM clusters across different ESX hosts. Other systems which run on the same ESX host together with the UTM slave node can't access the UTM cluster.

    Our temporary solution is to run the master and slave UTM nodes on the same ESX host.

    We opened a Sophos ticket and got confirmation that this is a bug.

    This will be fixed in the next version, 9.508, but we don't have a release date.

     

    Br Erik

    Also having this issue since December 2017, and it is still not fixed after 3 months (SOPHOS support could not help in this case; I explained the situation to them 3 times from the beginning (they suggested moving 2 VMs from 2 datacenters onto one physical switch :) ), then was transferred to UK-based support, which took 2 weeks, and who give a suggestion once every 2 weeks and then disappear).

    Before this case we had a few incidents and support solved the problems relatively quickly (one of them was a split-brain situation with HA).

    And it is a paid HA solution; my network infrastructure depends on it. This kind of problem solving on SOPHOS's part is not acceptable for a business-critical application.

    IMHO I really like the concept of UTM, but it looks like it is the last thing SOPHOS is working on right now, and with this support you can't trust your business to SOPHOS UTM if you have virtual infrastructure.

  • Very bad support here, 100% agree. Feels like the end of UTM, because of their focus on XG. Unfortunately the software quality there is even worse. Sad, since I already worked with Astaro 6.

     

    BTW: My case got closed with the resolution "fixed in version 9.508". So there will be 9.507 and 9.508...

  • Looks like the updates are out now! 9.507 and 9.508

     

    https://community.sophos.com/products/unified-threat-management/b/utm-blog

     

     

    Thanks, Duncan
