This thread references the config (basically disabling the HA virtual MAC and the VM configure of the virtual interfaces i.e. ethernet.ignoreMACAddressConflict = "TRUE")
https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/28602
This worked great up to 9.1. In 9.0x the Master node used it's own MAC address assigned to the virtual adapter for the IP address. When the device would failover to the secondary node, the secondary would use its own MAC and send a gratuitous arp to update the ARP/CAM table on devices.
In 9.1 it appears that 1 mac address is moved between the active and passive node. This would seem to indicate a virtual mac. I have verified that the virtual mac isn't configured for use via the CC interface. It actually appears to be the MAC address is selected from the 1st master node and moved to the secondary during failover. The end result is that vmhosts on the secondary node can't reach the the firewall because the ESXi virtual switch thinks the MAC address lives on a VM on that hypervisor.
Maybe this was done by design, but I don't see HA modifications mentioned in the release notes.
I had to rollback to 9.006-5 to recover.
Thanks,
Jeff
This thread was automatically locked due to age.
Guest User!
You are not Sophos Staff.
