This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Switch to new build in VMware

Hi,

We have a virtual UTM (VMware) which according to support is now undersized - support have advised that hard drive should be 250GB.

We were planning to switch to a newly installed UTM by restoring a backup to it.

Once I have build the UTM and restored the configuration to it I shut down the old utm and powered on the new one. After disconnecting and reconnecting the LAN interface I am able to ping it but the external interface is not reachable and cannot ping anything else.

I suspected this might be a cached MAC on the ISP switch. I tried the process again but set the MAC of the external interface in VMware to match the MAC of the interface from the old UTM. This gave exactly the same result, no comms on the external interface.

Not sure if this is a VMware issue but any help / ideas would be appreciated.

Thanks

Richard



This thread was automatically locked due to age.
Parents
  • Hi Richard,

    the Point with ARP / MAC Table at Provider Site is a good one.

    i've seen an Arp Timeout of 3 hours on Telekom "Deutschland LAN / Company Connect" lines. in that migration we had to call Telekom Support to reset the ARP Table on that router.

    eaven if you avoid arp issues by cloning the mac please ensure the new VM resides on the same hypervisor and the same Uplink Interface of the WAN vSwitch to avoid Mac table issues.

    please set the mac adress in the hypervisor networking adapter not via UTM Webadmin to ensure that the UTM is able to find her NICs in the right order and not to confuse vmware ;) .

     

    Yours Lukas

    lna@cema

    SCA (utm+xg), SCSE, SCT

    Sophos Platinum Partner

  • Hi Lukas,

    Thanks for the reply.

    I made the change on the adapter in ESXi but admittedly there are two NICs in the vSwitch for the Internet connection!

    I guess I may have to get permission to change this over the weekend and just leave it until the entries time out of theARP table?

    Rich

  • Hi Rich,

    if you login to your esxi you can view the NIC usage via esxtop.

    after launching esxtop you can switch with "n" to network view and will see with world uses wich NIC.

    while the old one is running check which nic it uses

    after starting the new UTM VM you could force a NIC Failover by disabling the nic which isn't used by the old UTM

    but please keep in mind if you force a NIC Failover other VMs could be affected.

    maybe you could check with your provider if they can reset MAC Table / ARP Table on their switch.

     

    yours Lukas

    lna@cema

    SCA (utm+xg), SCSE, SCT

    Sophos Platinum Partner

  • Lukas, it's great that you've started to participate so much in English and German - you're making this a better place!

    Rich (and especially others that find your thread), here's my prescription for moving a configuration to a new Sophos appliance from an older one:

    1. Quick, temporary install so that the new device can download Up2Dates.
    2. Apply the desired Up2Dates (if possible, stop at 9.413 today) and do a factory reset.
    3. On the current UTM in use, on the 'Hardware' tab of 'Interfaces', assign the MAC as the Virtual MAC for the NICs in use.
    4. Create a backup and load it onto a USB memory stick.
    5. Reboot the new device with the USB memory stick in place and remove the memory stick after the boot is complete.
    6. Connect a PC to the new device, upload the license for the new device and then disconnect the PC, leaving the new device powered up.
    7. Power down the old device and move the cables to the new device.  Done.

    As Lukas says, if the new device is not identical to the older one, you will need to worry about NIC order.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Lukas and Bob,

    Thanks both for your help with this!

    Bob, the UTMs in question are virtual so I can't use the USB Boot?

    Also is there a reason for using 9.413?

    Thanks

    Rich

  • I'm not yet telling my clients to Up2Date to 9.503 because of AD-SSO and other issues with 9.414 through 9.502.  I'm almost comfortable with 9.503, but not yet.

    The USB stick is a shortcut for Sophos hardware appliances - if your VM can't access a USB stick, then just upload the backup in WebAdmin.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I have been caught up in other work so haven't had a chance to look at the UTM issues for a couple of days.

    I can see that you are saying "On the current UTM in use, on the 'Hardware' tab of 'Interfaces', assign the MAC as the Virtual MAC for the NICs in use." so that when I restore the backup to the new UTM it has the MAC address restored also.

    In our case I have been manually setting the MAC of the new UTM to match the MAC of the old UTM in VMware. Then we power the old UTM off and the new one on. Still we cannot get a response from the WAN interface when trying to ping anything.

    Is the way we are doing this any different in terms of end result to adding the MAC as the virtual MAC on the old UTM and restoring the backup to the new UTM?

    Rich

  • I've had virtually no hands-on experience with doing that, Rich, but I suspect that there's something else to do in VMware.  It wouldn't hurt to try it in the way that I know works for physical devices.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob,

    I will try this at the earliest opportunity and let you know.

    Rich

Reply Children
No Data