Link Aggregation for dedicated HA Port

Hello!

We are trying to build an HA cluster over two datacenters, each with two switches and one Sophos XG 330 (FW v17.5.7 MR-7). The LAN and WAN ports on the firewall are both LAG ports, connected to each switch. We would like to also use a LAG port as the dedicated HA port for an Active-Passive cluster; however, it seems we can't choose a LAG interface for the HA port even though it is in the DMZ zone with SSH access (the list of available ports is just empty).

Right now we just use one normal port for HA; however, after some failover tests we noticed that if the switch with the HA link goes down, we get a split-brain situation with the firewalls, since both firewalls at both datacenters still have a working LAN and WAN port.

So we were wondering if there is a way to use a LAG port for the dedicated HA port? I found some older threads discussing this for the old UTM firewalls and it seems like it was possible back then, so we are kinda confused why it doesn't work with the new XG anymore.

BR Daniel
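To make the failure scenario in the post checkable rather than argued from the diagram, here is an added example (not code from the thread, from Sophos, or from the XG product) that models the described topology as a small graph and asks, for each single switch failure, whether the heartbeat path survives and whether both firewalls still have LAN and WAN uplinks. A split brain is flagged when the heartbeat is lost while both nodes keep serving. The device names, the assumption that the HA VLAN crosses the datacenters over one trunk per switch pair, and the assumption that a firewall "serves" when it has at least one live LAN and one live WAN member are all constructed for the example.

```python
"""Failure-domain check for a two-datacenter active-passive firewall pair.

Added example, not from the thread or from Sophos. Models the topology in
the post and generalizes it: any set of failed switches can be tested, not
only the single HA-switch failure the post describes.
"""
from collections import deque

# Constructed names: datacenter 1 has sw1a/sw1b, datacenter 2 has sw2a/sw2b.
SWITCHES = ("sw1a", "sw1b", "sw2a", "sw2b")
FIREWALLS = ("fw1", "fw2")


def build_topology(ha_on_lag):
    """Return the constructed link list as (endpoint_a, endpoint_b, role).

    LAN and WAN are LAGs with one member on each switch, as in the post.
    The dedicated HA port is either a single port on one switch
    (ha_on_lag=False, the current situation) or a LAG with a member on
    each switch (ha_on_lag=True, what the post asks for).
    """
    links = []
    for fw, (sw_a, sw_b) in (("fw1", ("sw1a", "sw1b")), ("fw2", ("sw2a", "sw2b"))):
        for sw in (sw_a, sw_b):
            links.append((fw, sw, "lan"))
            links.append((fw, sw, "wan"))
        for sw in ((sw_a, sw_b) if ha_on_lag else (sw_a,)):
            links.append((fw, sw, "ha"))
    # Assumed: the HA VLAN is carried between datacenters by one trunk per
    # switch pair, so losing a switch also loses its trunk.
    links.append(("sw1a", "sw2a", "trunk"))
    links.append(("sw1b", "sw2b", "trunk"))
    return links


def reachable(links, src, dst, roles, failed):
    """Breadth-first search over links of the given roles, skipping failed devices."""
    adj = {}
    for a, b, role in links:
        if role in roles and a not in failed and b not in failed:
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def has_uplink(links, fw, role, failed):
    """True if the firewall still has a live LAG member of that role."""
    return any(a == fw and r == role and b not in failed for a, b, r in links)


def analyze(links, failed):
    """Classify the cluster state after the given switches have failed."""
    heartbeat = reachable(links, "fw1", "fw2", {"ha", "trunk"}, failed)
    serving = {
        fw: has_uplink(links, fw, "lan", failed) and has_uplink(links, fw, "wan", failed)
        for fw in FIREWALLS
    }
    return {
        "heartbeat": heartbeat,
        "fw1_serving": serving["fw1"],
        "fw2_serving": serving["fw2"],
        # Split brain: no heartbeat, yet both nodes still see LAN and WAN,
        # so each one concludes the peer is dead and goes active.
        "split_brain": (not heartbeat) and all(serving.values()),
    }


def split_brain_switches(ha_on_lag):
    """Set of switches whose single failure produces a split brain."""
    links = build_topology(ha_on_lag)
    return {sw for sw in SWITCHES if analyze(links, {sw})["split_brain"]}


if __name__ == "__main__":
    for lag in (False, True):
        label = "HA on LAG" if lag else "single HA port"
        print(f"{label}: split brain on single failure of {sorted(split_brain_switches(lag)) or 'none'}")
```

With the single HA port the model reports a split brain when either switch carrying the HA link fails, which matches the post's test result; with the HA port on a LAG no single switch failure does. The same `analyze` call with two failed switches shows the residual risk that a LAG does not remove: losing one switch in each datacenter on opposite trunks still isolates the heartbeat while both nodes keep their uplinks.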

  • Hi

    Please refer to the given articles for the LAG and HA scenario. I will further check your requirement and provide you with further details about your scenario.

    https://community.sophos.com/kb/en-us/128161

    https://community.sophos.com/kb/en-us/123100

  • In reply to Keyur:

    Hi Keyur,

    thanks for your answer.

    We already have LAG interfaces configured for WAN and LAN, however, we can't do this for the HA interface. Please see the diagram below:

    (diagram not preserved in the thread)

    Currently we are only able to use a normal single-port connection to one of the switches for the dedicated HA port. But we would like to also use a LAG interface for this, since the failure of one switch could cause a split brain, as LAN and WAN are still up and running on both switches. If we set up a LAG interface and configure it for HA according to the links you provided, we simply cannot choose it as a 'Dedicated HA Port'.

    BR Daniel

  • In reply to Daniel Boschofsky:

    Hi Daniel,

    This cannot be done currently on XG. I have asked for this feature since V15 came out. Sophos can't seem to understand the need for HA port redundancy. I did extensive HA failover testing and the XGs will split-brain if the HA link goes down. Terrible design on their part since SG could do it.