Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cannot sync license - After registering the XG 135 and changing the CA, I have only base license

Dear Community,

I have installed a A/P 135 Cluster and SSL VPN were not working due to CA certificate. I have registred both XG and created the HA cluster but after recreating the CA, now I only have base licensing.

I deleted and recreated the cluster but the Web Interface shows only the base license.

Nothing inside the "tail -f /log/licensing.log "

If I try to input the activation key, in the log I can see that:

Key Preview Failed : License Key already activatedLicense key has already been activated....:(

Any help would be appreciated.

Regards



This thread was automatically locked due to age.
Parents
  • FormerMember
    0 FormerMember

    Hi lferrara,

    Apologies for the inconvenience caused. Could you please check this KB Article :Sophos XG Firewall: Activation and registration error messages and see if there is any error code matches with error message from your firewall? 

    Thanks,

  • Hi H_Patel

    I do not have any other message in the licensing.log

    I tried to disable the HA from master and the license sync does not work either.

    Any suggestion?

  • Most likely the License is applied to the second node (slave/aux).

    In case of HA, the Master license, which you choose in the HA process, will be sync to the slave.

    So assume, you have two Subscriptions, one FG, one Base License.

    You chose the Base license to be master, so the Base license will be sync to both nodes. 

     

    You can check this by doing the following: 

    Go to the MySophos Portal or PartnerPortal. Check both serialnumbers and verify, which has the license. 

    Write down both serials. 

    (Alternative, check the license schedule send by Sophos to you, should be shown there). 

     

    Now comes the quick part, in MySophos, go to Licensetransfer.

    https://community.sophos.com/kb/en-us/126360

    Simply transfer the license from SN A to SN B.

    Manually Sync the license on XG or wait 24 Hours. 

     

    You do not need to disable the HA or something like that. 

     

     

    There is another approach to verify, which appliance was the Master, in case you already did some takeovers and do not know.

     

    1. Log on XG firewall SSH terminal using admin account.
    2. Once authenticated, you will be presented with the Sophos Firewall console menu
    3. Go to 5. Device Management > 3. Advanced Shell
    4. Run the following commands:
      • nvram get "#li.serial"
        • The serial number of the XG firewall is then displayed
      • nvram get "#li.master"
        • if output of nvram get "#li.master" is YES as shown below, then the XG firewall is the initial HA primary Node:
          XG210_WP02_SFOS 17.5.9 MR-9# nvram get "#li.master"
          YES

    __________________________________________________________________________________________________________________

  • Thanks to all.

    I fixed the issue friday morning but before transferring the license, I was looking for the correct line into /log/licensing.log.

    After several reboots and waiting a day, in the slave appliance logs, I saw: HA node status = slave

    License node = serial number xxxxxxx

    This was the confirmation that the license was attached to the slave node.

    Anyway, since I broke the cluster once, it was strange that the license after breaking the cluster was transferred to the slave node.

    For everyone having this issue:

    • check the /log/licensing.log and search for HA node status = slave and License node = serial number xxxxxxx
    • if the license is hold by the slave node, use the MySophos to trasfer the license to the other node

    Hope this will never happen after deleting the HA configuration.

    Regards

Reply
  • Thanks to all.

    I fixed the issue friday morning but before transferring the license, I was looking for the correct line into /log/licensing.log.

    After several reboots and waiting a day, in the slave appliance logs, I saw: HA node status = slave

    License node = serial number xxxxxxx

    This was the confirmation that the license was attached to the slave node.

    Anyway, since I broke the cluster once, it was strange that the license after breaking the cluster was transferred to the slave node.

    For everyone having this issue:

    • check the /log/licensing.log and search for HA node status = slave and License node = serial number xxxxxxx
    • if the license is hold by the slave node, use the MySophos to trasfer the license to the other node

    Hope this will never happen after deleting the HA configuration.

    Regards

Children
No Data