I've been trying to set up my HA (Active/Passive) Cluster with 2 VMs in my vSphere ESXi environment for a few days, but I haven't succeeded yet.
Following several online guides, best practices and forums on the Sophos official website, I mainly observe the following guidelines:
And, before starting the configuration, I disable the DHCP Services on all the interfaces, setting my PC with a static IP address.
For the HA environment I have:
Today, the configuration of the VM1 is fully working and pingable where needed.
The VM1 Port8 can ping the VM2 Port8 with the 10.0.0.2 address and vice versa.
I assume all the "To be configured" interfaces on the VM2 will inherit their configuration once the HA Cluster is UP and the first sync is done.
The next steps I perform are:
Pinging on VM1 (Primary) Port1 and VM2 (Auxiliary) Port1 addresses I notice that:
The only way to roll-back immediately is to enable console on the vSphere VM1 and manually disable the HA.
Does anyone have any suggestion to fix it? Could the issue be related to the "Peer Administration Port" and "Peer Administration IP" configured on the Primary device?
Thank you all.
Do you have MAC address spoof protection and block forged transmits enabled on all your vSwitches?
If those are enabled, the HA build will fail.
In reply to EmileBelcourt:
I really don't know, actually.
Where can I check this? (I've been looking in my vCenter for a while and haven't found anything spoofing related.)
I use Distributed switches.
P.S. - can you also tell me about the Peer Administrative Port? How should it be configured on the Primary HA setup?
In reply to Antonio Recchilongo:
You should check this: https://blogs.msdn.microsoft.com/virtual_pc_guy/2011/10/11/an-unusual-reason-to-enable-mac-spoofing/
XG uses vMACs to perform a Takeover. Basically, the MAC of Node 1 will be reused by Node 2 in case of a Takeover, and vSwitches do not like this.
Regarding the Administration IP / Port: this will always be the "Hardware" MAC (in your case the "Real" MAC of the Interface), and it will be used in case you want to connect to the Slave for read-only access.
Also, this IP / Port will be there if you break the HA, to connect back to the Slave and re-enable it.
In reply to LuCar Toni:
Following up on your hints, I solved it by ACCEPTING the
- promiscuous mode
- MAC address changes
- forged transmits
security features in every PortGroup of my Distributed Switches.
Thank you all for your replies.
You do not need Promiscuous Mode; that can cause other problems and increased load. It basically turns the switch into a hub, and for HA you do not need that function.
Glad you found the settings.
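As an added example (not from any post in this thread), a PowerCLI script that audits the security policy of the distributed port groups the two firewall VMs are attached to and, only when run with -Apply, sets MAC address changes and forged transmits to Accept while leaving promiscuous mode rejected, matching the resolution above and the last reply. It assumes an existing Connect-VIServer session; the VM names are placeholders.

```powershell
# Added example, not from the thread. Needs VMware PowerCLI (VMware.VimAutomation.Vds)
# and an existing Connect-VIServer session. Without -Apply it only reports.
param(
    # Assumption: the names of the two XG firewall VMs in vCenter (placeholders).
    [string[]]$FirewallVMs = @('XG-VM1-PLACEHOLDER', 'XG-VM2-PLACEHOLDER'),
    [switch]$Apply
)

# Only touch the distributed port groups the firewall VMs are actually attached to.
$pgNames = Get-VM -Name $FirewallVMs |
    Get-NetworkAdapter |
    Select-Object -ExpandProperty NetworkName -Unique

$portGroups = Get-VDPortgroup -Name $pgNames -ErrorAction SilentlyContinue

foreach ($pg in $portGroups) {
    $policy = Get-VDSecurityPolicy -VDPortgroup $pg

    # On takeover the auxiliary node starts sending with the primary's vMAC, so the
    # port group must accept MAC address changes and forged transmits.
    # Promiscuous mode is not required for HA and is left rejected.
    $needsMacChanges = -not $policy.MacChanges
    $needsForged     = -not $policy.ForgedTransmits
    $promiscOn       = $policy.AllowPromiscuous

    [pscustomobject]@{
        PortGroup        = $pg.Name
        MacChanges       = $policy.MacChanges
        ForgedTransmits  = $policy.ForgedTransmits
        AllowPromiscuous = $policy.AllowPromiscuous
        HAReady          = -not ($needsMacChanges -or $needsForged)
    }

    if ($Apply -and ($needsMacChanges -or $needsForged -or $promiscOn)) {
        Set-VDSecurityPolicy -Policy $policy -MacChanges $true -ForgedTransmits $true -AllowPromiscuous $false | Out-Null
        Write-Host "Updated security policy on port group '$($pg.Name)'"
    }
}
```

Run it once without -Apply to see which port groups still block the HA traffic before changing anything.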