
Updating to 9.506 - Broke HA cluster

Hi all,

On Friday I patched our Sophos UTM cluster to 9.506 and found that the cluster is broken unless the passive node is switched off. The VMs are on the same ESX host and I have checked that they both have the Virtual MAC setting set to 0. Has anyone else noticed this, and does anyone have a workaround?

Cheers

Anthony 



  • As Patrick Weimer said, interfaces on the standby node mess with the vSwitch because of their identical runtime MAC addresses. On VMware, this results in VMs on the same physical host as the passive node being unable to contact the firewall, unless you shut down this node. Using a different vSwitch between VMs and Sophos allows connectivity to the cluster again. We also raised a support request [#7866009] before finding this thread :)

  • Hi Thomas,

    Thomas Pirson said:

    As Patrick Weimer said, interfaces on the standby node mess with the vSwitch because of their identical runtime MAC addresses. On VMware, this results in VMs on the same physical host as the passive node being unable to contact the firewall, unless you shut down this node. Using a different vSwitch between VMs and Sophos allows connectivity to the cluster again. We also raised a support request [#7866009] before finding this thread :)

     

    Did you try the workaround on the frankysweb blog?

    https://community.sophos.com/products/xg-firewall/f/email-protection/94041/sophos-xg-dkim-and-dmarc-no-longer-supported/340573

     

    Look in the comments section:

    BAlfson says:

    Sorry, my German-speaking brain isn’t creating thoughts at the moment.
    If anyone else has the same problem with VMs as Tom, please let us know if the following fixes your issue:
    How to resolve issues with Virtual UTMs configured for High Availability:
    1. Log in to the UTM console as root.
    2. Enter the following command to determine if HA virtual_mac is enabled:
    cc get ha advanced virtual_mac
    3. If the output is 1, you can disable it by entering the following:
    cc set ha advanced virtual_mac 0
    4. Restart all virtual UTMs.
    Please continue in German.

     

    HTH

     

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect
