I have installed an A/P 135 cluster and SSL VPN was not working due to the CA certificate. I have registered both XGs and created the HA cluster, but after recreating the CA, I now only have base licensing.
I deleted and recreated the cluster but the Web Interface shows only the base license.
Nothing inside the "tail -f /log/licensing.log"
If I try to input the activation key, in the log I can see that:
Key Preview Failed : License Key already activatedLicense key has already been activated....:(
Any help would be appreciated.
Apologies for the inconvenience caused. Could you please check this KB article: "Sophos XG Firewall: Activation and registration error messages" and see if any error code matches the error message from your firewall?
In reply to H_Patel:
I do not have any other message in the licensing.log
I tried to disable the HA from master and the license sync does not work either.
In reply to lferrara:
Most likely the License is applied to the second node (slave/aux).
In case of HA, the Master license, which you choose in the HA process, will be synced to the slave.
So assume, you have two Subscriptions, one FG, one Base License.
You chose the Base license to be master, so the Base license will be synced to both nodes.
You can check this by doing the following:
Go to the MySophos Portal or PartnerPortal. Check both serial numbers and verify which has the license.
Write down both serials.
(Alternatively, check the license schedule sent to you by Sophos; it should be shown there.)
Now comes the quick part, in MySophos, go to Licensetransfer.
Simply transfer the license from SN A to SN B.
Manually Sync the license on XG or wait 24 Hours.
You do not need to disable the HA or something like that.
There is another approach to verify which appliance was the Master, in case you already did some takeovers and do not know.
nvram get "#li.serial"
Thanks to all.
I fixed the issue Friday morning, but before transferring the license, I was looking for the correct line in /log/licensing.log.
After several reboots and waiting a day, in the slave appliance logs, I saw: HA node status = slave
License node = serial number xxxxxxx
This was the confirmation that the license was attached to the slave node.
Anyway, since I broke the cluster once, it was strange that the license after breaking the cluster was transferred to the slave node.
For everyone having this issue:
Hope this will never happen after deleting the HA configuration.
In reply to LuCar Toni:
Thanks Lucar for the nvram commands. I will put them in my notes.
After breaking up the HA, you will only see the Master License.
The Slave node has no Uplink to the internet to sync this license.
Most likely, if there is such a case, I simply sync the license in MySophos. It is an easy task to perform but high impact (actually resolves the issue in most of the cases).
LuCar Toni: please read what the issue was and how I fixed it.
Master lost the license during the HA breaking.
Before transferring the license I was looking for logs to understand what happened with the license. If I did not find logs yesterday, I would have opened a ticket with support.
It never happened in other installations where I broke the HA cluster that the license went to the SLAVE node.
Hope you understand my point of sharing my experience.
As far as I know, there is no License Transfer on XG without MySophos.
So I would expect the following:
Serial A has License
Serial B has Base
A was Master while creating HA. B was Slave.
After some time, the HA switched the current Master / Slave situation.
At the time you broke the HA, B was Master and A was Slave.
After breaking the HA, B was Standalone with Base License. A went to "Ready" without config, but License.
If you now reapply the HA, B will be Master and A will be Slave. The difference is, B will sync the Base License to A.
That's my guess. If you want to dig deeper, you could extract the License log of both appliances and send them to me via PM.
Can verify my point.
Luca, I was not even able to connect on slave node.
The time I broke the cluster, master was the master. I was connected on the master node and the cluster did not switch.
Anyway I fixed the issue but /log/licensing did not help until the day after.