Sophos sg-230 UTM 9 HA(Active-Passive) Licensing and Setup

Hello,

I would like to create an HA Active-Passive between 2 Sophos Sg-230.

Right now I have only one Sophos SG-230 with a Network Protection licence. Its firmware is 9.600-5.

I bought a second SG-230 and I want to configure it as a Slave on the HA

I followed the instructions at this link:

https://techbast.com/2015/04/configuring-high-availability-ha-on-sophos-utm.html

And I have configured only the Master node.

So right now I have to configure the Slave node and I'm confused.

What should I select in the HA menu of the second node? I have the options auto-configuration and active-passive HA.

I'm afraid that if I connect the second node it will become the master and my old Sophos will lose its configuration.

Also, I haven't installed any licence on the new Sophos; I thought the licence of the master node would be transferred when the HA finishes syncing.

Also, the new Sophos has an older firmware, 9.311. I tried to update it with Up2Date but nothing happens: the dashboard finds that updates should be installed, but when I click on it, the Up2Date page shows that the Sophos is up to date.

So I was wondering: if I select Hot-Standby (active-passive) in the High Availability menu, fill in the Device Name with a name, the Node ID with 2 and the encryption key with the key that I gave on node 1, check "enable automatic configuration of new devices", and finally connect them with a cross cable, will I be fine? Will node 2 be the slave of the HA and then sync configuration, licence and firmware from the master?

Or do I have to do something else?



  • Hi Panox X13,

    If you have configured the master node correctly, you do not need to configure the second appliance.

    You just have to connect the devices by the HA port (default eth3). The rest goes automatically when you power on the second appliance.

    You have configured the second device, so you have to do a factory reset to make sure there are no errors.

    But before doing a factory reset, bring the second device to the same firmware version as the master node.

    If the normal Up2Date process does not work, just reimage the appliance via CD/USB with the Sophos image (faster than loading the updates to the appliance, and factory reset included) or check the Up2Date logs to look up why no updates are loaded.

    Best Regards
    DKKDG

  • Hi,

    Please note that HA only works between SG230s with the same hardware revision.
    Rev. 1 will not work with rev. 2.

    Regards

    Thomas

  • Thank you very much.

    Where can I find instructions on how to reimage the Sophos?

    Also, if I proceed without the firmware update, will it be a problem? When the sync of the HA is completed, will it not also transfer the latest firmware that the master has to the new Sophos?

    Also, does the sync procedure of HA have downtime? Do I have to try this outside working hours, or will I be fine if I do this during working hours?

    Thx

  • How can I see the hardware version of the two SG230s?

  • Hi,

    Check the serial number of your UTM on this webpage community.sophos.com/.../118143 or on the system label of your UTM to find the hardware rev.

    To reimage the UTM, download the ISO from www.sophos.com/.../utm-downloads.aspx and use www.fastvue.co/.../ to create a USB drive.

    HA sync has no downtime; you can enable it during work hours.
    The slave UTM should have the same software version as the master UTM.
    The UTM with the longer uptime automatically becomes the master during setup.

    Regards Thomas

  • Thank you so much,

    I will try it and I will post

  • Hello again,

    Finally I updated my new Sophos to the same firmware as the master node has. I was a bit afraid to reimage the SG230, so I looked into troubleshooting the Up2Date process.

    As I found, the problem was with the disk space: there were too many updates and the Sophos couldn't store all of them. So I updated it manually.

    Right now, on the Sophos that is my main firewall (master node), I have configured in the HA menu

     Hot-Standby(active-passive)

    I have filled in the Device Name with a name (Node1), the Node ID with 1 and the encryption key, I have checked "enable automatic configuration of new devices", and finally in Preferred Master I selected Node1.

    So now, if I have understood right, I have to factory reset the Sophos SG230 (the node that I want as slave), then connect the eth3 interfaces of my two Sophos units and power up the machine that I want to be the slave?

    If I reset to factory default, will the firmware updates that I installed not be lost?

    Also, should the cable be cross or straight?

  • Hi Panox X13,

    The firmware updates are not lost when doing a factory reset; only the configuration will be lost.

    Cable should be no problem whether straight or crossed.

    Best Regards
    DKKDG

  • I would like to thank you for helping me. Everything went fine.

  • Hi guys,

    I recently began to study how to avoid a failover situation, and your posts helped me a lot, but I have only one question remaining:

    Can I set up 2 different servers (not Sophos appliances), and I mean different hardware, as HA (Active-Passive)?

    The firmware version is the same and also the number of Ethernet NICs, and all the config I have on the one I want as master is also on the one that is going to be the slave.

    Is it possible to work this way?

    Thanks in advance