I managed to set up my firewalls in Active-Active mode, but the primary IP doesn't respond to either ping or HTTPS. I can only connect to the auxiliary FW using the secondary IP, but it is in read-only mode.
VMware ESXi 6.7
Cisco L3 router 37xx
Sophos XG 17.5 GA
Thanks in advance.
Forgot to mention the steps I have taken.
- Rebuild FWs from scratch (like 4 times)
- Restore factory defaults (9 times)
- Disable and enable HA (3 times)
Just wondering if you guys knew anything about this behavior.
Links I followed: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Active-Active-HA-Configuration.pdf
Dummy stuff first. Are all ports on switches? Meaning port 1 on both XGs must be on a switch and then connected to your LAN switch. Port 2 (probably WAN) on both XGs must go to a switch and then to the modem.
Is the HA enabled? If you go to the console of the primary and enter "system ha show details" without quotes what do you get?
Can you post your configuration of the HA?
In reply to Panagiotis Vakerlis:
Thank you for your reply. I am sorry for the late response.
Each port group is on its own VLAN. Since this is a VM, I separated them into different VLANs. Communication is not a problem between them or to the rest of the infrastructure. As far as HA, please see below.
So right after I enable HA, I completely lose connection with the primary FW.
In reply to Tippmann:
I am having the same problem here. From the console I can ping the IP of the primary, but not from the network. Also I can't ping the other device's IP. I can only get to the auxiliary IP from the same network these are all on.
In reply to Super CM:
My management VM has a NIC on the same network as the FW and still can't ping the primary device. That rules out the possibility of a missing gateway.
All of mine are on the same network.
Also I'll point out that my setup is with Hyper-V. I also tried setting up Active-Passive but had the same problem. Is there really no fix for this?
Active-Passive didn't work for me either on VMware.
Okay, so I was able to get this working. On the Hyper-V host (for each of the NICs in the VMs), I had to enable MAC address spoofing.
I am glad you got it going. I will take a look to see if I have the same setting on VMware. Thank you!
This is required because the primary will own/use the virtual MAC for the cluster ports and the secondary uses the normal MAC address.
Without MAC spoofing (VMware has its equivalent to this), the hypervisor will drop all traffic to the host; if you fail over, you will see the same behavior for the new primary (now the new secondary will be reachable).
Thank you all,
I was able to get it working by setting the LAN port group and the WAN port group inside VMware as follows.
Thank you for your support.
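Added example, not from this thread or from Sophos: a PowerShell audit of the hypervisor setting that the Hyper-V reply and the closing VMware reply above describe, namely MAC address spoofing on the Hyper-V adapters and its vSphere equivalent, the port group security policy's Forged Transmits and MAC Address Changes. The VM names, port group names, the Hyper-V module on the host and an existing PowerCLI `Connect-VIServer` session are assumptions.

```powershell
# Assumed names; adjust for your environment.
$XgVmNames    = @('XG-Primary', 'XG-Auxiliary')   # Hyper-V VM names (assumed)
$XgPortGroups = @('XG-LAN', 'XG-WAN')             # vSphere port groups carrying the cluster ports (assumed)

function Test-HyperVXgMacPolicy {
    # Reports, and with -Remediate enables, MAC address spoofing on each adapter of the XG VMs.
    # The primary sends from the cluster's virtual MAC, so the vSwitch must accept a source
    # MAC other than the adapter's assigned one.
    param([string[]]$VmName = $XgVmNames, [switch]$Remediate)
    foreach ($vm in $VmName) {
        foreach ($nic in Get-VMNetworkAdapter -VMName $vm) {
            $enabled = ($nic.MacAddressSpoofing -eq 'On')
            if (-not $enabled -and $Remediate) {
                # Scoped to this adapter only, not to every VM on the switch.
                $nic | Set-VMNetworkAdapter -MacAddressSpoofing On
                $enabled = $true
            }
            [pscustomobject]@{ VM = $vm; Adapter = $nic.Name; Switch = $nic.SwitchName; MacSpoofing = $enabled }
        }
    }
}

function Test-VSphereXgMacPolicy {
    # Reports, and with -Remediate enables, the two vSphere policy bits the cluster needs:
    # MacChanges lets the guest take the virtual MAC as its effective address (so frames
    # addressed to it are delivered), ForgedTransmits lets it send from that address.
    param([string[]]$PortGroup = $XgPortGroups, [switch]$Remediate)
    foreach ($pgName in $PortGroup) {
        foreach ($policy in (Get-VirtualPortGroup -Name $pgName | Get-SecurityPolicy)) {
            $ready = ($policy.ForgedTransmits -and $policy.MacChanges)
            if (-not $ready -and $Remediate) {
                # Change only the cluster port groups, leaving the rest of the vSwitch restrictive.
                $policy | Set-SecurityPolicy -ForgedTransmits $true -MacChanges $true | Out-Null
                $ready = $true
            }
            [pscustomobject]@{ PortGroup = $pgName; ForgedTransmits = $policy.ForgedTransmits
                               MacChanges = $policy.MacChanges; Ready = $ready }
        }
    }
}

# Audit first; add -Remediate on the platform you run once the report shows what is off.
Test-HyperVXgMacPolicy  | Format-Table -AutoSize
Test-VSphereXgMacPolicy | Format-Table -AutoSize
```

Run only the function for the hypervisor you actually use; the other will fail for lack of its module. A port group left with either bit off reproduces the symptom in the thread: the node holding the virtual MAC is unreachable, and the symptom moves with the primary role on failover.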