Sophos XG - HA port & MTU



Just wanted to see if anyone knows if the HA port can run over a standard MTU of 1500 across switches. There is mention that the SG series can be dropped to 100mbp on the HA port to achieve this but nothing about the XG's capabilities.


Any info would be appreciated.





  • Hi  

    It would be great if you could share more details on the setup and your requirements to be achieved, it would help us to assist you better.

  • In reply to Keyur:

    We have 2 Datacentre locations with layer 2 connectivity between them. I'd want to assign a VLAN just for the HA traffic at each DC and then a port at each end for each XG HA port to connect into however allowing jumbo frames between these two locations may be problematic. We do the same for Cisco ASA firewalls and there are no problems using standard 1500 MTU for the Failover links.

    The XG HA setup guide doesn't specific many requirements for the HA port and does state it can run through a switched network but have a nagging feeling it requires a high MTU but just can't confirm.

    XG model we would use is the 450.

  • In reply to Rich5312:


    Please refer to the article-

    Jumbo frames can't be supported as of now.

  • In reply to Rich5312:


    Jumbo frames are not supported on the XG on v17.5 or lower versions.  This will be supported from v18 and onwards.

    Now for your query, the XG has been designed to work with HA across geographical distances.  However there is a caveat to this.  The round trip time must be less than 7 seconds.  Anything more and you will have issues forming HA or even keeping the devices from flapping between master/slave roles.

    You can use this command here:  ifconfig <dedicated interface> down;date;ifconfig <dedicated interface> up;ping -c 50 -W 1 <peer dedicated link ip> 

    Please replace "<dedicated interface>" with the interface being used for HA and replace "<peer dedicated link ip>" with the slave's HA port IP address.  This can be done without the need for configuring HA but you will need to configure the interfaces.

    As stated, anything more than 7 seconds and you will have issues.  I would say a safe number would be a consistent 6 seconds for those 50 packets being sent via the ping command above.

    Hope this information helps you going forward.