HA Active Passive on vmware esx vsphere


I've been trying to set up my HA (Active/Passive) cluster with 2 VMs in my vSphere ESXi environment for a few days, but I haven't succeeded yet.

Following several online guides, best practices and forum threads on the official Sophos website, I mainly observe the following guidelines:

  • Both devices in the HA cluster (i.e. Primary Device and Auxiliary Device) are the same model and revision.
  • Both devices are correctly registered.
  • Both devices have the same number of interfaces.
  • Both devices have the same firmware version installed.

And, before starting the configuration, I disable the DHCP Services on all the interfaces, setting my PC with a static IP address.

For the HA environment I have:

  • VM1 (Master):
    • Port1 - Management Network (i.e. initial xxx.xxx.xxx.1/27);
    • Port2 - DMZ Services;
    • Port3 - Guest Network;
    • Port4 - IoT Network;
    • Port5 - Monitoring Network;
    • Port6 - AVAILABLE;
    • Port7 - Internal LAN;
    • Port8 - DMZ for HA Port (SSH and Ping enabled);
    • Port9 - WAN (Static IP connected to Router);
  • VM2 (Auxiliary candidate):
    • Port1 - Management Network (i.e. initial xxx.xxx.xxx.30/27);
    • Port2 - To be configured
    • Port3 - To be configured
    • Port4 - To be configured
    • Port5 - To be configured
    • Port6 - To be configured
    • Port7 - To be configured
    • Port8 - DMZ for HA Port (SSH and Ping enabled);
    • Port9 - WAN To be configured

Today, the configuration of the VM1 is fully working and pingable where needed.

VM1 Port8 can ping VM2 Port8 by address and vice versa.

I assume all the "To be configured" interfaces on VM2 will inherit their configuration once the HA cluster is up and the first sync has completed.

The next steps I perform are:

  1. I connect to the VM2 and configure the details of the Auxiliary Device
  2. I connect to the VM1 and configure the Primary device as follows:
    • HA Configuration Mode: Active-Passive
    • Initial HA Device State: Primary
    • Passphrase: Enter the same passphrase as the auxiliary device.
    • Dedicated HA Link Port: Port8 (the same port as the auxiliary device).
    • Peer HA Link IPv4:
    • Peer Administration Port: Select the administration port for the auxiliary or peer device (Port1)
    • Peer Administration IP: xxx.xxx.xxx.30
    • Select ports to be monitored: Port1, Port9.

Pinging the VM1 (Primary) Port1 and VM2 (Auxiliary) Port1 addresses, I notice that:

  • the VM1 address is not reachable any more by ping;
  • VM2 is the only address I can ping (a bit unstable, since some pings are lost);
  • I don't have any sort of Internet connection from my internal fixed-IP PC;
  • I can only log in to VM2 at https://xx.xx.xx.30:4444, but with the admin account I have read-only permissions.

The only way to roll back immediately is to open the console of VM1 in vSphere and manually disable HA.

Does anyone have any suggestion to fix it? Could the issue be related to the "Peer Administration Port" and "Peer Administration IP" configured on the Primary device?

Thank you all.
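As an added example (not part of the original post and not Sophos code), the script below encodes the prerequisites the post lists and the Primary-side HA settings as a pre-flight check that can be run before enabling the cluster. The two node dictionaries are constructed sample data shaped after the post's port layout, using RFC 5737 documentation addresses and hypothetical field names; nothing is read from a real appliance. The primary's sample mirrors the post in leaving "Peer HA Link IPv4" blank, so the check reports that field, and `corrected()` shows the same pair passing once the peer's HA-link address is filled in.

```python
import ipaddress
from copy import deepcopy

# Constructed sample pair shaped after the post (hypothetical field names, not a Sophos API).
# Unconfigured ports on the auxiliary are None: they are expected to be synced from the primary.
PRIMARY = {
    "model": "EXAMPLE-VM", "firmware": "EXAMPLE-FW",
    "interfaces": {
        "Port1": "192.0.2.1/27",        # management network
        "Port2": "198.51.100.1/24",     # DMZ services
        "Port3": "10.10.3.1/24",        # guest network
        "Port4": "10.10.4.1/24",        # IoT network
        "Port5": "10.10.5.1/24",        # monitoring network
        "Port6": None,                  # available
        "Port7": "10.10.7.1/24",        # internal LAN
        "Port8": "203.0.113.1/29",      # dedicated HA link
        "Port9": "203.0.113.17/28",     # WAN
    },
    "ha": {
        "mode": "Active-Passive", "state": "Primary", "passphrase": "example-passphrase",
        "link_port": "Port8", "peer_link_ip": "",            # left blank, as in the post
        "peer_admin_port": "Port1", "peer_admin_ip": "192.0.2.30",
        "monitored": ["Port1", "Port9"],
    },
}
AUXILIARY = {
    "model": "EXAMPLE-VM", "firmware": "EXAMPLE-FW",
    "interfaces": {"Port1": "192.0.2.30/27", **{f"Port{i}": None for i in range(2, 8)},
                   "Port8": "203.0.113.2/29", "Port9": None},
    "ha": {
        "mode": "Active-Passive", "state": "Auxiliary", "passphrase": "example-passphrase",
        "link_port": "Port8", "peer_link_ip": "203.0.113.1",
        "peer_admin_port": "Port1", "peer_admin_ip": "192.0.2.1",
        "monitored": ["Port1", "Port9"],
    },
}


def _addr(node, port):
    """Return the IPv4Interface configured on `port`, or None if the port is unconfigured."""
    cidr = node["interfaces"].get(port)
    return ipaddress.ip_interface(cidr) if cidr else None


def check_ha_pair(local, peer):
    """Return a list of findings for `local`'s HA settings against `peer`; empty means consistent."""
    findings = []
    for key in ("model", "firmware"):                     # same model and firmware on both nodes
        if local[key] != peer[key]:
            findings.append(f"{key} differs: {local[key]} vs {peer[key]}")
    if len(local["interfaces"]) != len(peer["interfaces"]):
        findings.append("interface count differs between the nodes")
    lha, pha = local["ha"], peer["ha"]
    if lha["passphrase"] != pha["passphrase"]:
        findings.append("HA passphrase differs between the nodes")
    if lha["link_port"] != pha["link_port"]:
        findings.append("dedicated HA link port differs between the nodes")
    # The HA link needs an address on both ends, and the peer link IP entered locally
    # must be the peer's own address on that link subnet.
    link_local, link_peer = _addr(local, lha["link_port"]), _addr(peer, pha["link_port"])
    if link_local is None or link_peer is None:
        findings.append("dedicated HA link port has no address on one of the nodes")
    elif not lha["peer_link_ip"]:
        findings.append("Peer HA Link IPv4 is empty on the local node")
    else:
        ip = ipaddress.ip_address(lha["peer_link_ip"])
        if ip not in link_local.network:
            findings.append(f"Peer HA Link IPv4 {ip} is outside the link subnet {link_local.network}")
        elif ip != link_peer.ip:
            findings.append(f"Peer HA Link IPv4 {ip} is not the peer's link address {link_peer.ip}")
    # The peer administration IP must be what the peer really has on the named admin port,
    # and both admin ports should sit on the same subnet.
    admin_local, admin_peer = _addr(local, lha["peer_admin_port"]), _addr(peer, lha["peer_admin_port"])
    if admin_peer is None:
        findings.append(f"peer has no address on administration port {lha['peer_admin_port']}")
    elif ipaddress.ip_address(lha["peer_admin_ip"]) != admin_peer.ip:
        findings.append(f"Peer Administration IP {lha['peer_admin_ip']} is not the peer's address {admin_peer.ip}")
    if admin_local and admin_peer and admin_local.network != admin_peer.network:
        findings.append("administration ports are on different subnets")
    for port in lha["monitored"]:                         # monitored ports must exist on both nodes
        if port not in local["interfaces"] or port not in peer["interfaces"]:
            findings.append(f"monitored port {port} does not exist on both nodes")
    return findings


def corrected(primary, auxiliary):
    """Copy of `primary` with Peer HA Link IPv4 set to the auxiliary's own HA-link address."""
    fixed = deepcopy(primary)
    fixed["ha"]["peer_link_ip"] = str(_addr(auxiliary, fixed["ha"]["link_port"]).ip)
    return fixed


if __name__ == "__main__":
    for finding in check_ha_pair(PRIMARY, AUXILIARY) or ["primary -> auxiliary: no findings"]:
        print(finding)
    for finding in check_ha_pair(corrected(PRIMARY, AUXILIARY), AUXILIARY) or ["corrected primary: no findings"]:
        print(finding)
```

The check is run in both directions (each node's HA settings against the other's interface table) because each side enters the peer's addresses by hand; a finding on either side is worth resolving before enabling HA, since the rollback the post describes needs console access once the management address stops answering.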