We have 2 XGs with latest firmware which run in HA mode. I activated Central management and entered the ID of the primary XG. Both XGs were added to Sophos Central and I am able to manage the primary device. Unfortunately the auxiliary device shows up as inactive. It was active right after activating Central management. Additionally the inactive auxiliary device shows it is registered for security heartbeat. What's going wrong here? Is HA still not fully supported?
V18.0 MR3 implemented the first HA Support for Central Management.
Looks odd to me.
Checked two accounts with HAs, both only showing one firewall (Primary).
How did you perform those steps?
Which came first, HB, HA, Central Management?
I have done the Central integration two times before with the same devices. At a certain time it didn't work anymore so I disabled management and re-registered. Same today. I logged in to Sophos Central where the primary fw was visible. Managing it didn't work so I unregistered and started again: first I added the primary device in Sophos Central by entering the serial number. Then I logged in to the fw and registered it with Sophos Central under Syncronized Security. After that both XGs appeared in Central, but I don't know if one of the devices appeared first.
Edit: the primary device is the one which holds the licence and everything was done with the primary device. I didn't touch the auxiliary device, but I am able to log in to the auxiliary device. A failover works, so I don't think it's an issue with the HA configuration.
Sophos XG210-HA (SFOS 18.0.4) on SG210 appliances with Sandstorm and 1x AP55Sophos Central with Intercept X Advanced, Device Encryption, Phish Threat, Mobile Control Advanced
If a post solves your question use the 'This helped me' link.
Delete the HB. Deregister the Device from Central.
Check both appliances, if there is something in HB left (Aux and Primary).
Delete both Serials in Central (General Settings - Registered Firewalls).
Waiting 5 Minutes - Register HA as Primary to Central.
Enable FW Management.
I recreated the whole thing in my virtual environment.
XG 1 - QH4B / XG 2 - TJ8E (last digest for identification)
XG 1 will be the initial Primary Appliance.
- Both Appliances are running 17.5.8 with valid licenses
- Services are all running
- Delete the HB. Deregister the Device from Central -> No Firewalls are visible in central account
- Stop HA. -> Done
- Check both appliances, if there is something in HB left (Aux and Primary). -> Deleted all Central Regisration
- Delete both Serials in Central (General Settings - Registered Firewalls). ->
- Rebuild HA.
- For now we have a working XG Cluster with no Heartbeat / Central Registration.
-> Failover testet by rebooting XG1 and XG2
- Both Appliances have a 30 days trail license.
- No Firewalls are added in the central account.
-> Registered the actually Primary Appliance XG 1 - QH4B via Central Synchronization in the XG WebAdmin
-> Both Firewall are visible now in Central with active
Enable FW Management.
-> Enable FW Management on XG-1 (QH4B)
-> Waiting for approvel -> Approvel in Central for XG-1
After Approvel „Managed“ on both Appliance
In the Webadmin from XG-2 (TJ8E) actually Auxiliary "Manage from Sophos Central" is active and "Managed"
Firewall Managment to XG-1 can be openend via Central Management
Firewall Managment to XG-2 cant be selected
Now time for a failover XG-1 –> Reboot XG-1
XG 2 - TJ8E is now the Primary / Standalone
Waiting 10 Minutes
Via Central i can still only can managed the XG - 1 (QH4B)
After 10 – 15 Minutes Syncing -> Cluster is working again
Heartbeat is also working
Both Appliance are getting displayed via „Central Synchronization“ -> „Managed“
In Central i can open Central MGMT for XG 1 – QH4B
Following Error occurs in Central
Die Firewall reagiert nicht so schnell wie erwartet auf die Anmeldeanforderung. Bitte warten Sie einen Moment und versuchen Sie es erneut oder überprüfen Sie, ob bei der Firewall Probleme mit der Internetverbindung bestehen.
The firewall does not respond as quickly as expected to the login request. Please wait a moment and try again or check if there are problems with the firewall's Internet connection. The firewall will not respond as quickly as expected to the login request. Please wait a moment and try again or check if the firewall is experiencing problems with your Internet connection.
To me, the whole thing looks like the Central MGMT isn't running one hundred percent in an HA environment yet.
Anyone else notice something ?
EDIT - 09:45
Update from Central MGMT
HA ist still running
Connection to XG-1 is disjoined
any idea for that?
" To me, the whole thing looks like the Central MGMT isn't running one hundred percent in an HA environment yet. "
Having the exact same problem here - Opened a support case 9446314 on german help desk.
My setup are two xg330 - since there is no switching back to the "master" or "primary" appliance no more sync to central works.
The management connection stays as long orphaned as long another failover occurs.
After switching back to the serialnumber you initially made your first sync / management it begins to work again.
Seems that HA was not regarded within central management !
Unfortunately, that is correct. Full HA support in Central is not yet implemented. Right now, if both nodes are joined to Central, they will show up as two separate firewalls, and the secondary unit will always show as offline.
We are working on full support for HA, which will combine the two units together in a single row. The row will show you the status of the combined pair, and also connect into the active primary unit for SSO, when you click on the firewall name. This is a high priority, and will be one of the next features completed after group management.
Thanks for the update AlanT
Thank you for your update.
Same problem with our setup too. 2x xg 430 latest firmware in HA