Cannot sync license - After registering the XG 135 and changing the CA, I have only base license

Dear Community,

I have installed an A/P 135 cluster and SSL VPN was not working due to the CA certificate. I have registered both XG and created the HA cluster, but after recreating the CA, now I only have base licensing.

I deleted and recreated the cluster but the Web Interface shows only the base license.

Nothing inside the "tail -f /log/licensing.log"

If I try to input the activation key, in the log I can see that:

Key Preview Failed : License Key already activatedLicense key has already been activated....:(

Any help would be appreciated.

Regards

  • Hi lferrara,

    Apologies for the inconvenience caused. Could you please check this KB article: Sophos XG Firewall: Activation and registration error messages, and see if any error code matches the error message from your firewall?

    Thanks,

  • In reply to H_Patel:

    Hi H_Patel

    I do not have any other message in the licensing.log

    I tried to disable the HA from master and the license sync does not work either.

    Any suggestion?

  • In reply to lferrara:

    Most likely the license is applied to the second node (slave/aux).

    In case of HA, the Master license, which you choose in the HA process, will be synced to the slave.

    So assume you have two subscriptions, one FG, one Base License.

    You chose the Base license to be master, so the Base license will be synced to both nodes.

     

    You can check this by doing the following: 

    Go to the MySophos Portal or PartnerPortal. Check both serial numbers and verify which has the license.

    Write down both serials.

    (Alternatively, check the license schedule sent to you by Sophos; it should be shown there.)

     

    Now comes the quick part: in MySophos, go to License Transfer.

    https://community.sophos.com/kb/en-us/126360

    Simply transfer the license from SN A to SN B.

    Manually sync the license on XG or wait 24 hours.

     

    You do not need to disable the HA or something like that. 

     

     

    There is another approach to verify which appliance was the Master, in case you already did some takeovers and do not know.

     

    1. Log on XG firewall SSH terminal using admin account.
    2. Once authenticated, you will be presented with the Sophos Firewall console menu
    3. Go to 5. Device Management > 3. Advanced Shell
    4. Run the following commands:
      • nvram get "#li.serial"
        • The serial number of the XG firewall is then displayed
      • nvram get "#li.master"
        • if output of nvram get "#li.master" is YES as shown below, then the XG firewall is the initial HA primary Node:
          XG210_WP02_SFOS 17.5.9 MR-9# nvram get "#li.master"
          YES
  • In reply to lferrara:

    Thanks to all.

    I fixed the issue Friday morning, but before transferring the license, I was looking for the correct line in /log/licensing.log.

    After several reboots and waiting a day, in the slave appliance logs, I saw: HA node status = slave

    License node = serial number xxxxxxx

    This was the confirmation that the license was attached to the slave node.

    Anyway, since I broke the cluster once, it was strange that the license after breaking the cluster was transferred to the slave node.

    For everyone having this issue:

    • check the /log/licensing.log and search for HA node status = slave and License node = serial number xxxxxxx
    • if the license is held by the slave node, use MySophos to transfer the license to the other node

    Hope this will never happen after deleting the HA configuration.

    Regards

  • In reply to LuCar Toni:

     

    Thanks Lucar for the nvram commands. I will put them in my notes.

  • In reply to lferrara:

    After breaking up the HA, you will only see the Master License. 

    The Slave node has no uplink to the internet to sync this license.

     

     

    Most likely, if there is such a case, I simply sync the license in MySophos. It is an easy task to perform but high impact (actually resolves the issue in most of the cases).

  • In reply to LuCar Toni:

    Please read what the issue was and how I fixed it.

    Master lost the license during the HA breaking.

    Before transferring the license I was looking for logs to understand what happened with the license. If I did not find logs yesterday, I would have opened a ticket with support.

    It never happened in other installations where I broke the HA cluster that the license went to the SLAVE node.

    Hope you understand my point of sharing my experience.

    Regards

  • In reply to lferrara:

    As far as I know, there is no License Transfer on XG without MySophos.

    So I would expect the following:

     

    Serial A has License

    Serial B has Base

     

    A was Master while creating HA. B was Slave.

     

    After some time, the HA switched the current Master / Slave situation.

     

    At the time you broke the HA, B was Master and A was Slave.

    After breaking the HA, B was Standalone with Base License. A went to "Ready" without config, but License.

     

    If you now reapply the HA, B will be Master and A will be Slave. The difference is, B will sync the Base License to A.

     

     

    That's my guess. If you want to dig deeper, you could extract the License log of both appliances and send them to me via PM.

    Can verify my point. 

  • In reply to LuCar Toni:

    Luca, I was not even able to connect on slave node.

    The time I broke the cluster, master was the master. I was connected on the master node and the cluster did not switch.

    Anyway I fixed the issue but /log/licensing did not help until the day after.

    Regards