
Sophos XG Firewall - HA Active/Passive

Hi All,

I have an issue getting HA Active/Passive to work between 2 VMware clusters in my environment. I have set these up many times and have run into a few issues. Hoping someone can assist.

VM Spec - Cluster 1

VM Spec - Cluster 2

HA Setup:

VM01

 

VM02

 

Once the firewalls are put in HA they fail immediately and seem to flip-flop when pinging them simultaneously. One will respond and then the other on their management interfaces (Port A), which should both be accessible at all times.

I also had an issue where I would configure 2 IPs on the A and C ports and would not be able to ping between the two firewalls, but from a server in the same layer 2 network I could ping both. I then changed the IPs on both firewalls and then both could respond to one another. HA would not connect before this as they were unable to ping the IPs that were set.

E.G.

FW01

PortA: 172.16.22.254 255.255.255.0 (Can't Ping PortA on FW02 : Can Ping Server01)

PortC: 192.168.254.253 255.255.255.0 (Can't Ping PortC on FW02 : Can Ping Server01)

 

FW02

PortA: 172.16.22.253 255.255.255.0 (Can't Ping PortA on FW01 : Can Ping Server01)

PortC: 192.168.254.253 255.255.255.0 (Can't Ping PortC on FW01 : Can Ping Server01)

 

Server01

Nic1: 172.16.22.27 255.255.255.0 (Can Ping PortA on FW01 & FW02)

        192.168.254.39 255.255.255.0 (Can Ping PortC on FW01 & FW02)

Changed to Below:

 

FW01

PortA: 172.16.22.254 255.255.255.0 (Can Ping PortA on FW02 & Server01)

PortC: 192.168.254.1 255.255.255.0 (Can Ping PortC on FW02 & Server01)

 

FW02

PortA: 172.16.22.154 255.255.255.0 (Can Ping PortA on FW01 & Server01)

PortC: 192.168.254.2 255.255.255.0 (Can Ping PortC on FW01 & Server01)

 

Server01

Nic1: 172.16.22.27 255.255.255.0 (Can Ping PortA on FW01 & FW02)

        192.168.254.39 255.255.255.0 (Can Ping PortC on FW01 & FW02)



  • Hi Dillyn

     

    I had these symptoms trying to HA 2 XG VMs in Hyper-V

    It turns out I had to turn on MAC address spoofing for all network adapters on each of the VMs, and then it worked as advertised.

     

    Good luck 

  • Hi Phil,

    I did have spoofing enabled on the hypervisor. This turned out to be an issue with the Sophos XG MAC address tables, which had static entries that never flushed or were updated when the machines were migrated.

    We were finally able to resolve this by flushing the MAC address tables on the Sophos XGs, which then resolved the issue.

    From Main Menu:

    5. Device Management 

    3. Advanced Shell

    (Display ARP Table)

    arp -n

    (Flush ARP Table)

    ip -s -s neigh flush all

    I have requested this to be published in the HA troubleshooting with Sophos. I am not sure if this has been done however hopefully these commands will help people in the future.

    Appreciate your reply. 
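To make the stale-ARP diagnosis in the reply above repeatable before reaching for a blanket flush, here is an added Python example (not from the thread or from Sophos) that parses `ip neigh show` output from the advanced shell and flags the HA peer's entries that are static, in an unhealthy state, or cached against a MAC the peer no longer reports. Port names and addresses follow the thread; the MACs, the sample output and the `expected_macs` input are constructed.

```python
"""Audit a Linux neighbour (ARP) table for entries that can wedge SFOS HA peering.
Added example, not from the thread or Sophos; port names/IPs follow the thread, MACs
and the sample `ip neigh show` output are constructed."""
import re

# One `ip neigh show` line: <ip> dev <if> [lladdr <mac>] <STATE>
NEIGH_RE = re.compile(r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
                      r"(?:\s+lladdr\s+(?P<mac>[0-9a-f:]{17}))?\s+(?P<state>[A-Z]+)$")

# Constructed sample as seen from FW01 after FW02 was migrated between hosts.
NEIGH_SAMPLE = """\
172.16.22.154 dev PortA lladdr 00:1a:2b:3c:4d:02 PERMANENT
192.168.254.2 dev PortC lladdr 00:1a:2b:3c:4d:04 STALE
172.16.22.27 dev PortA lladdr 00:50:56:aa:bb:cc REACHABLE
192.168.254.39 dev PortC lladdr 00:50:56:aa:bb:cc REACHABLE
192.168.254.5 dev PortC  FAILED
"""

def parse_neigh(text):
    """Return a list of {ip, dev, mac, state} dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(NEIGH_RE.match, map(str.strip, text.splitlines())) if m]

def audit_neighbours(text, peer_ips, expected_macs=None):
    """Flag the HA peer's entries as (ip, dev, reason). expected_macs is an optional
    {ip: mac} of what the peer currently reports on its own interfaces (constructed)."""
    expected_macs = expected_macs or {}
    findings = []
    for e in parse_neigh(text):
        if e["ip"] not in peer_ips:
            continue
        want = expected_macs.get(e["ip"])
        if want and e["mac"] != want:
            reason = f"cached {e['mac']} but peer now reports {want}"
        elif e["state"] == "PERMANENT":
            reason = "static entry; ageing will never refresh it after a migration"
        elif e["state"] in ("STALE", "FAILED", "INCOMPLETE"):
            reason = f"unhealthy state {e['state']}"
        else:
            continue  # REACHABLE/DELAY/PROBE with the right MAC is fine
        findings.append((e["ip"], e["dev"], reason))
    return findings

def delete_commands(findings):
    """Per-entry alternative to the thread's blanket `ip -s -s neigh flush all`."""
    return [f"ip neigh del {ip} dev {dev}" for ip, dev, _ in findings]
```

Run it against a saved copy of `ip neigh show` from each node; the targeted `ip neigh del` commands only remove the flagged peer entries, so Server01's healthy entries survive.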

  • You have multiple Setups in VMware? 

    You should update to V18 and use the new MAC Addresses. 

    https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/b/blog/posts/sophos-xg-firewall-v18-eap-2-firmware-has-been-released

     

    Part of the HA enhancements (other improvements have been planned in EAP 3):

    • Added cluster ID to eliminate VMAC conflict limitation
    • Now supports option to use host/ hypervisor MAC to eliminate vSwitch Promiscuous mode limitation
    • Now supports pre-emption/ Failback
    • Eliminated downtime in case of upgrade using “Firmware Upgrade now and boot later” option
    • HA synchronization now happens over SSH tunnel based secure communication

    On XG:


  • Hi Dillyn,

    Are the 2 XGs connected to a physical switch or directly to the VMware servers?

    Thanks