
Unable to update to V18 MR4

This is a continuation from this thread:

https://community.sophos.com/xg-firewall/f/discussions/124771/xg-firewall-v18-mr-4-feedback-and-experiences

My hardware is as follows:

I have a VMware 6.7 virtual system that is currently host to 2 VMs

  • Sophos XG v18 MR3 HA in Active-Passive setup.
  • The VMs have 2 x CPU, 6Gb RAM, 60Gb HDD & 3 x NIC (the NICs are VMXnet3 cards within VMware).

I had installed and setup v18 MR3 in an active-passive ha setup without any issues, and it was configured in less than 10 minutes.

Upgrading to v18 MR4 was another matter.

  1. I tried to upgrade the firmware via the usual place, but was denied, stating it was in HA configuration.
  2. Disabled HA, and then upgraded both the units.
  3. Tried to configure HA, and this is where it just wouldn't identify the other (Passive) unit.

It even got stuck with HA being in an inconsistent state.

On the Active unit the GUI would freeze on refresh with the following screen

    

When I ran the command 'system HA disable' it stated that it was already disabled.

This is on MR4, and both units were on MR4 before trying to re-connect.

I have the systems still there but have had to rebuild from scratch.

Any help or guidance on this would be helpful and may well be for others who come across this.

You said in the previous thread that this is a known bug. I could only see four bugs for HA, and none seemed to represent the one I am experiencing:

  • NC-62868 [HA] HA - Certificate Sync fails in Aux
  • NC-64269 [HA] IPv6 MAC based rule not working when traffic is load balanced to Auxiliary
  • NC-64907 [HA] The auxiliary appliance crashes when broadcast packet is generated from it
  • NC-61282 [Firewall, HA] Failed to enable HA when a New XG is replaced in place of another XG


  • FWIW, same issue at a customer. My Case is 03502772

  • Support has confirmed a bug in MR4.

    Hello Patrick,

    Thanks for the reply!

    I have confirmed this internally and this bug has already been reported to our DEV team with bug ID NC-66978.

    The current target fix for this issue is on the next release MR5.

    Let us know if you have any additional inquiries regarding this or this case can be closed for now.

    Regards,

    Niño Rowel Olid
    Sophos Technical Support

  • Hi Patrick,

    I have the same problem with MR4, but I don't have MR5 available. Do you know when it is going to be available?

  • Has anybody had success rebuilding HA? We had the patches from NC-66978 installed, and we are able to access the "System Services -> HA page" again. We were able to stop the still running previous failed HA initiate on the primary and auxiliary. We then tried to initiate HA again on both, but it failed immediately. We couldn't reboot the primary yet, as we need a service window for that due to missing HA... Maybe a reboot is necessary.

  • I always had to factory default and then run HA manually not using quickHA mode.

  • So, it appears that you can still successfully establish HA with interactive mode. All steps from breaking HA to fixed HA:

    Upgrade from 18.0.3 -> 18.0.4

    Due to problems with 18.0.4, HA was disabled (Problem is that one LAG has only the second of the two configured interfaces connected, and does not come up reliably when the firewall is booted, I'll have to create a case for that soon)

    Try reestablishing HA with QuickHA, which failed for unknown reasons.

    System Services -> HA page hangs

    Factory reset AUX node

    Patch from NC-66978 was installed on both nodes

    System Services -> HA page working again, but Quick HA still fails.

    Session with Sophos Support, all it took was HA with interactive mode