Ok so I decided to post about my recent Firewall update from v7.011 to v7.100 (then to v7.101 did it in 2 steps). First my setup:
2 Astaro ASG 220 configured in HA failover mode
We have several servers behind the firewall and as such have DNAT configured to pass inbound traffic to the internal servers.
After the update from v7.011 to v7.100. The slave first patches itself then reboots and once it is up takes over as Master while the previous master patches. This works as expected EXCEPT that once the slave takes over as master no inbound connections are allowed, outbound connections work fine but no inbound connections work. After the other firewall finishes patching and is up and part of the HA as slave, still no inbound connections allowed through. I wait the 15 minutes that the new version requires before rebooting the master firewall, however once the firewalls hand over duties to the Slave all inbound connections are allowed to pass as expected.
The above case is not good because that basically means that I was down for over 20 minutes during that patch process. I mention this because the last patch that required firewall restart had the EXACT same behavior. We have HA so that we reduce the downtime, however having a patch that causes 20 minutes of downtime unexpected is not good.
This thread was automatically locked due to age.