Correct Procedure to Replace Standby Node in UTM 9 (FW 9.355-1) HA Master/Standby Setup

I have inherited a UTM 9 HA system - I have very little historical reference as to how it was setup initially.  The Slave node is dead.  I can login into the web interface of the master node and see under the HA Status that this system is Master and Active. Under the HA configuration tab is set for Hot Standby (active-passive), sync nic is eth17 (not eth3). Enable automatic configuration of new devices is checked.

I have an identical box (hardware and fw) that currently has an expired license on it and minimal config.  I would like to add this as a new slave. So what is the proper way to do this?

Can I just connect this to the current master and power up or is the fact that the sync nic not eth3 an issue?  Should I take a backup of the master and use this to pre-config the new slave first then connect it?

 

Any help would be greatly appreciated as I am not really familiar with these devices.

  • Hi  

    Take a configuration backup and download it to your laptop/desktop.

    First, You need to make sure that the Hardware model and Firmware version are the same for both devices which I read you've done. The second thing is to identify why the interface eth17 is selected for the Master node.

    Since you're not going to plug back the original slave device, You will have to disable the HA configuration(it won't make any impact on the Master device, only connected Slave will do a factory reset) to accommodate the spare device you have. The HA will only be functionally established if all the requirements match for Hardware, Software, and Sync NIC. Once this is taken care of, you can configure HA in Automatic configuration mode.

    You should browse to the High-availability section help here: https://utm.trysophos.com/help/en_US/Content/master/managmt/High_Availability-Configuration.htm 

  • In reply to Jaydeep:

    Jaydeep,

        Thanks for the reply - I have a few follow-up questions which I hope you can answer.  

    First - eth3 is being used for another network. I think the reason eth17 was chosen is because it is the right most eth port on the box and not because there is anything wrong with eth3 port.

    Just to be clear - the slave node is dead, the existing "master" node shows HA mode operational with 1/1 nodes.  Although is says it is master and active it does not see any standby system.  Do I still need to disable HA mode? 

    If so do I disable it before creating the backup off of it?  

    Should I include or remove the unique site data when doing the backup?

    You don't mention what I should do with the backup but I assume I should place it on the new device I want to configure as the slave?  Do I do that through WebAdmin or do I need to use the USB drive method?

    If i use the backup config on the slave - what are the steps I need to take after?  I assume I need to go into the HA settings and make sure it is set for auto-configuration and sync nic eth17, correct? Anything else?

     

    Thanks

  • In reply to Scott Schultz:

    Hi Scott and welcome to the UTM Community!

    He's my "standard" instruction list for connecting a new Slave unit followed by the modifications I suggest for your situation:

    1. If needed, do a quick, temporary install so that the new device can download Up2Dates.
    2. Apply the Up2Dates to the same version as the current unit, do a factory reset and shutdown.
    3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
       a. Disable and then enable Hot-Standby
       b. Select eth3 as the Sync NIC
       c. Configure it as Node_1
       d. Enter an encryption key (I've never found a need to remember it)
       e. Select 'Enable automatic configuration of new devices'
       f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
    4. Cable eth3 to eth3 on the new device.
    5. Cable all of the other NICs exactly as they are on the original UTM.
    6. Power up the new device and wait for the good news. Wink

    3.a.
          1. Disable High Availability on the current Master.
          2. Make a backup and download it to a USB memory stick.
          3. Insert the USB into the new Slave and power it on.
          4. After the new Slave has booted completely, login to WebAdmin and do a shutdown.
          5. Enable High Availability on the current Master.
      b. through .f as above!
    4. Cable eth17 to eth17 on the new device.

    If it's possible for you to move the HA connection to eth3, I would do that and then use the "standard" without the modifications - this would avoid having to do the Hokey-Pokey the next time this happens.

    Let us know your approach and result.

    Cheers - Bob

  • In reply to BAlfson:

    Bob,

      Thanks for the reply. This is helpful.

       I still have a question though: Should I include or remove the unique site data when doing the backup?

  • In reply to Scott Schultz:

    I haven't done this with the Sync NIC anywhere but on 3, so I'm making some informed guesses here.  I would think that you would want the full backup.

    Just  out of curiosity, what are the Virtual MACs in the Master now - equal to the hardware MACs?

    Cheers - Bob