Active/Standby, failover unable to contact firewall

Hi,

I have a pair of SG650 in Active/Standby. The Master works perfectly, but if I initiate a failover to the slave, either via a takeover from the CLI or a reboot of the primary etc., I am unable to contact the new primary (previous slave) via Eth1.

Both devices are connected from Eth1 into a single switch which has the most basic config on those corresponding interfaces. They're both in the same VLAN.

I've updated the devices to the latest firmware, but didn't expect that to resolve the issue.

It's as if the slave never picks up the primary's IP address.

I'm pretty new to the Sophos lineup, but know Cisco ASA failover config really well. I figured it'd be similar, whereby the secondary/slave unit takes over the primary address, but in this instance this doesn't seem to be occurring.

Any ideas as to what the cause could be? I've ruled out faulty NICs on the switch.

Cheers

Rich



  • Hello Rich,

    you didn't put the "HA" interface(s) into a switch, did you?

    This has to be direct cabling, nothing between the two SG devices.

    Do you have a message "unlinked" in the display?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • No, the HA interface is a direct connection between Master and Slave. When checking the status they show as Active and Ready.

  • Hello Rich,

    still sounds like an ARP cache problem, as Emmanuel already suspects.

    You write about a virtual MAC; you don't mean you configured one on the switches?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Within the UTM config you can set a virtual MAC address for each individual interface, rather than using the BIA of the physical interface.

    via the web GUI: Interfaces > Hardware > edit

    Cheers
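The ARP-cache and virtual-MAC questions raised in the posts above lend themselves to a quick check from a host in the same VLAN: record the MAC that the host's neighbour cache holds for the firewall's shared address before the failover, trigger the failover, and record it again. The following shell script is an added example, not code from the thread, from Rich, or from Sophos. Everything in it is constructed: the firewall address 192.0.2.1, the MAC addresses, the hypothetical virtual MAC and the `ip neigh show` snapshots are made-up sample data, not output captured from real SG650 units.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos: compare neighbour-cache
# snapshots of the firewall's shared address, taken on a host in the same VLAN
# before and after a failover, to tell a stale ARP entry apart from "nobody
# answers ARP for the shared IP at all".
# Constructed data: 192.0.2.1, all MACs and the snapshots are hypothetical
# 'ip neigh show' output, not captured from real devices.

# Print the lower-cased MAC that 'ip neigh show' output on stdin lists for IP $1.
# Prints nothing when the entry is missing or carries no lladdr (FAILED/INCOMPLETE).
mac_for_ip() {
    awk -v ip="$1" '
        $1 == ip { for (i = 1; i <= NF; i++) if ($i == "lladdr") { print tolower($(i + 1)); exit } }'
}

# Classify a before/after pair of MACs for the shared address.
#   $1 = MAC before failover, $2 = MAC after failover,
#   $3 = virtual MAC configured on the UTM interface ("" if none)
classify_failover() {
    before=$1; after=$2; vmac=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    if [ -z "$after" ]; then
        # Nobody answered ARP for the shared IP: the standby never took the address over.
        echo "no-arp-reply"
    elif [ -n "$vmac" ]; then
        # With a virtual MAC the shared IP must keep that MAC on whichever node is active.
        if [ "$after" = "$vmac" ]; then echo "ok-virtual-mac"; else echo "unexpected-mac"; fi
    elif [ "$before" = "$after" ]; then
        # Without a virtual MAC the MAC must change to the new node's burned-in address;
        # an unchanged one means the host is still using a stale cache entry.
        echo "stale-arp"
    else
        echo "ok-mac-changed"
    fi
}

# Wrapper: $1/$2 = before/after snapshots, $3 = firewall IP, $4 = virtual MAC or "".
diagnose() {
    b=$(printf '%s\n' "$1" | mac_for_ip "$3")
    a=$(printf '%s\n' "$2" | mac_for_ip "$3")
    classify_failover "$b" "$a" "$4"
}

# Constructed snapshots in the shape of 'ip neigh show' lines (hypothetical).
SNAP_BEFORE='192.0.2.1 dev eth0 lladdr 00:1a:8c:11:22:33 REACHABLE
192.0.2.50 dev eth0 lladdr 00:1a:8c:44:55:66 STALE'
SNAP_AFTER_STALE='192.0.2.1 dev eth0 lladdr 00:1a:8c:11:22:33 STALE
192.0.2.50 dev eth0 lladdr 00:1a:8c:44:55:66 STALE'
SNAP_AFTER_NEW='192.0.2.1 dev eth0 lladdr 00:1a:8c:77:88:99 REACHABLE'
SNAP_AFTER_FAILED='192.0.2.1 dev eth0 FAILED'

# Usage: each constructed scenario without a virtual MAC, then one with a virtual MAC.
for snap in "$SNAP_AFTER_STALE" "$SNAP_AFTER_NEW" "$SNAP_AFTER_FAILED"; do
    diagnose "$SNAP_BEFORE" "$snap" 192.0.2.1 ""
done
diagnose "$SNAP_BEFORE" "$SNAP_BEFORE" 192.0.2.1 "00:1A:8C:11:22:33"
```

On a real host the two snapshots would come from `ip neigh show` run before and after the takeover. "no-arp-reply" matches the symptom in the opening post (the slave does not appear to pick up the address); "stale-arp" points at the host or switch still trusting the old node's MAC; "ok-virtual-mac" only proves the host side, since with a virtual MAC the switch's own MAC table must additionally move that MAC to the other port, which a host-side cache cannot see.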

  • Yes, I know that; I was just stumbling over your wording.

    What if you removed that virtual MAC for a test cycle?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Apologies, wasn't trying to teach you to suck eggs :)

    I'll try removing the virtual MAC and get back to you

    Cheers

  • If you lose the connection after failover ... what happens if the ports on the switch are swapped? (or simply pulled briefly)
    I have seen quite a lot of causes there: defective ports / cables, switch features, misconfiguration, etc.
    I would switch off the slave for the duration of that test.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.