
Sophos XG - HA port & MTU

Hello,

 

Just wanted to see if anyone knows if the HA port can run over a standard MTU of 1500 across switches. There is mention that the SG series can be dropped to 100 Mbps on the HA port to achieve this but nothing about the XG's capabilities.

 

Any info would be appreciated.

 

 

Thanks,

Rich



  • We have 2 Datacentre locations with layer 2 connectivity between them. I'd want to assign a VLAN just for the HA traffic at each DC and then a port at each end for each XG HA port to connect into however allowing jumbo frames between these two locations may be problematic. We do the same for Cisco ASA firewalls and there are no problems using standard 1500 MTU for the Failover links.

    The XG HA setup guide doesn't specify many requirements for the HA port and does state it can run through a switched network, but I have a nagging feeling it requires a high MTU and just can't confirm.

    https://community.sophos.com/kb/en-us/123174

    XG model we would use is the 450.

  • Hi  

    Please refer to the article- https://community.sophos.com/kb/en-us/131880

    Jumbo frames can't be supported as of now.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link

  • Hi  

    Jumbo frames are not supported on the XG on v17.5 or lower versions.  This will be supported from v18 and onwards.

    Now for your query, the XG has been designed to work with HA across geographical distances.  However there is a caveat to this.  The round trip time must be less than 7 seconds.  Anything more and you will have issues forming HA or even keeping the devices from flapping between master/slave roles.

    You can use this command here:  ifconfig <dedicated interface> down;date;ifconfig <dedicated interface> up;ping -c 50 -W 1 <peer dedicated link ip> 

    Please replace "<dedicated interface>" with the interface being used for HA and replace "<peer dedicated link ip>" with the slave's HA port IP address.  This can be done without the need for configuring HA but you will need to configure the interfaces.

    As stated, anything more than 7 seconds and you will have issues.  I would say a safe number would be a consistent 6 seconds for those 50 packets being sent via the ping command above.

    Hope this information helps you going forward.

    Thanks.

    KingChris
    Community Support | Sophos Support