Firewall management with two XGs working in HA mode

We have 2 XGs with latest firmware which run in HA mode. I activated Central management and entered the ID of the primary XG. Both XGs were added to Sophos Central and I am able to manage the primary device. Unfortunately the auxiliary device shows up as inactive. It was active right after activating Central management. Additionally the inactive auxiliary device shows it is registered for security heartbeat. What's going wrong here? Is HA still not fully supported?

Parents
  • Looks odd to me.

    Checked two accounts with HAs, both only showing one firewall (Primary).

    How did you perform those steps?

    Which came first, HB, HA, Central Management?

     

    __________________________________________________________________________________________________________________

  • I have done the Central integration two times before with the same devices. At a certain time it didn't work anymore, so I disabled management and re-registered. Same today. I logged in to Sophos Central where the primary FW was visible. Managing it didn't work, so I unregistered and started again: first I added the primary device in Sophos Central by entering the serial number. Then I logged in to the FW and registered it with Sophos Central under Synchronized Security. After that both XGs appeared in Central, but I don't know if one of the devices appeared first.

    Edit: the primary device is the one which holds the licence and everything was done with the primary device. I didn't touch the auxiliary device, but I am able to log in to the auxiliary device. A failover works, so I don't think it's an issue with the HA configuration.

    Regards, Jelle

    Sophos XG210-HA (SFOS 17.5.8) on SG210 appliances with Sandstorm and 1x AP55
    Sophos Central with Intercept X Advanced, Device Encryption, Phish Threat, Mobile Control Advanced

    If a post solves your question use the 'This helped me' link.

  • Suggest the following:

    Delete the HB. Deregister the Device from Central.

    Stop HA.

    Check both appliances, if there is something in HB left (Aux and Primary).

    Delete both Serials in Central (General Settings - Registered Firewalls).

    Rebuild HA.

    Wait 5 Minutes - Register HA as Primary to Central.

    Enable FW Management.

    __________________________________________________________________________________________________________________

  • Hi guys,

    I recreated the whole thing in my virtual environment.

    XG 1 - QH4B / XG 2 - TJ8E (last digits for identification)

    XG 1 will be the initial Primary Appliance.

    - Both Appliances are running 17.5.8 with valid licenses

    - Services are all running

    First Steps:

    - Delete the HB. Deregister the Device from Central -> No Firewalls are visible in the Central account

    - Stop HA. -> Done

    - Check both appliances, if there is something in HB left (Aux and Primary). -> Deleted all Central Registration

    - Delete both Serials in Central (General Settings - Registered Firewalls). ->

    - Rebuild HA.

    ==> Done

    - For now we have a working XG Cluster with no Heartbeat / Central Registration.

    -> Failover tested by rebooting XG1 and XG2

    - Both Appliances have a 30-day trial license.

    - No Firewalls are added in the Central account.

    Waiting 5 Minutes - Register HA as Primary to Central.

    -> Registered the current Primary Appliance XG 1 - QH4B via Central Synchronization in the XG WebAdmin

    -> Both Firewalls are visible now in Central as active

    Enable FW Management.

    -> Enable FW Management on XG-1 (QH4B)

    -> Waiting for approval -> Approval in Central for XG-1

    After Approval "Managed" on both Appliances

    In the WebAdmin of XG-2 (TJ8E), currently Auxiliary, "Manage from Sophos Central" is active and "Managed"

    Firewall Management to XG-1 can be opened via Central Management

    Firewall Management to XG-2 can't be selected

    Now time for a failover XG-1 -> Reboot XG-1

    XG 2 - TJ8E is now the Primary / Standalone

    Waiting 10 Minutes

    • Heartbeat still active

    Via Central I can still only manage XG - 1 (QH4B)

    After 10 - 15 Minutes Syncing -> Cluster is working again

    Heartbeat is also working

    Both Appliances are displayed via "Central Synchronization" -> "Managed"

    In Central I can open Central MGMT for XG 1 - QH4B

    The following error occurs in Central:

    Die Firewall reagiert nicht so schnell wie erwartet auf die Anmeldeanforderung. Bitte warten Sie einen Moment und versuchen Sie es erneut oder überprüfen Sie, ob bei der Firewall Probleme mit der Internetverbindung bestehen.

    ENG

    The firewall does not respond as quickly as expected to the login request. Please wait a moment and try again or check if there are problems with the firewall's Internet connection.

    To me, the whole thing looks like the Central MGMT isn't running one hundred percent in an HA environment yet.

    Anyone else notice something?

    EDIT - 09:45

    Update from Central MGMT

    HA is still running

    Connection to XG-1 is disjoined

    Kind Regards,

    Max


  • Hi Luca,

    any idea for that?

    Kind Regards,

    Max

  • Hi,

    "To me, the whole thing looks like the Central MGMT isn't running one hundred percent in an HA environment yet."

    Having the exact same problem here - opened a support case 9446314 on the German help desk.

    My setup is two XG330 - since there is no switching back to the "master" or "primary" appliance, no more sync to Central works.

    The management connection stays orphaned as long as no further failover occurs.

    After switching back to the serial number you initially made your first sync / management with, it begins to work again.

    Seems that HA was not regarded within Central management!

    regards

    bernd

  • Unfortunately, that is correct. Full HA support in Central is not yet implemented. Right now, if both nodes are joined to Central, they will show up as two separate firewalls, and the secondary unit will always show as offline. 

     

    We are working on full support for HA, which will combine the two units together in a single row. The row will show you the status of the combined pair, and also connect into the active primary unit for SSO, when you click on the firewall name. This is a high priority, and will be one of the next features completed after group management. 

Children
  • Thanks for the update

    Regards, Jelle

    Sophos XG210-HA (SFOS 17.5.8) on SG210 appliances with Sandstorm and 1x AP55
    Sophos Central with Intercept X Advanced, Device Encryption, Phish Threat, Mobile Control Advanced

    If a post solves your question use the 'This helped me' link.

  • Thank you for your update.

     

    regards bernd

  • Same problem with our setup too. 2x xg 430 latest firmware in HA

  • Hi Alan,

    please see below

    AlanT said:

    Unfortunately, that is correct. Full HA support in Central is not yet implemented. Right now, if both nodes are joined to Central, they will show up as two separate firewalls, and the secondary unit will always show as offline.

    We are working on full support for HA, which will combine the two units together in a single row. The row will show you the status of the combined pair, and also connect into the active primary unit for SSO, when you click on the firewall name. This is a high priority, and will be one of the next features completed after group management.

    I think some people would appreciate a helpful answer to this...

    Thank You

    Best Regards

    Bernd

  • Same problem. We have one XG330 cluster and six XG125 clusters, all of them are not shown correctly in Sophos Central. We expected this to work flawlessly. Please update us about the state of development and the planned timeline for implementing this a bit more precisely.

    Thank you in advance, Peter / Markus

  • Hello,

    maybe it is helpful for you to know that in v18 there is an option to switch back to the primary appliance if it is back "up" again after a failover...

    But if you want to administrate via Central in case of a failover without switchback, it is no solution for you.

    Have a look at the German web frontend - there should be something similar in your localized web frontend - it is the checkbox at the bottom - "Failback zur primären..."

    Best Regards

    Bernd