
QuickHA High Availability on Sophos XG230 SFOS 18.0.5 MR-5-Build586 cannot be established

Hi everyone, 

today we tried to connect our two XG230 to an active passive HA. First handshake should have worked but sync could not be completed. Error logs on the active device shows: 

May 18 18:05:10 HA cannot be configured when Interface Not In Administration Port List.

May 18 18:05:10 ha: pollenableha: enableha failed

Webinterface page for HA shows:

The update as described here: 

https://community.sophos.com/sophos-xg-firewall/f/discussions/126273/quickha-high-availability-on-sophos-xg230-sfos-18-0-4-mr-4-cannot-be-established

and here: 

https://community.sophos.com/sophos-xg-firewall/f/discussions/125184/sophos-xg-330-ha-a-p-validation-failed-for-ha-interface-ip-error/458822#458822

has not helped. 



  • FormerMember

    Hi ,

    Thanks for reaching out to the Community! 

    Your original issue is resolved in the new firmware version v18.0 MR5, and this new issue isn’t related to your previous post

    Please provide the screenshot of interfaces and HA configuration from both appliances via personal message. 

    PS: Tip: QuickHA assigns the peer administration port based on the interface you’re currently using to access the web admin console of the auxiliary Sophos Firewall web admin console. For example, if you're connected to PortA, this interface becomes the peer administration port on both Sophos Firewall devices.

    Reference document: QuickHA

    Thanks,

  • Hi ,

    I got the same problem. Just preconfigured some new Sophos XGs 135 and can't enable HA because of the Administration Port List error.

    Did you manage to get it working?

    Greetings

    Manuel


  • Any error message while enabling the quick HA Mode? Screenshot/Error message

    • HA status (system ha show details from SF console)
    • Output of msync.log file and indicate time issue occurred
    • Output of applog.log | grep ha: for both the appliances
    • Speed/duplex settings on both the appliances for all Interfaces
    • Output of ethtool or ifconfig for all Interfaces

    -----------------------

    Thanks & Regards,

    Nilesh Mojidra

    If a post solves your question, use the 'Verify Answer' link.

  • Hi Jakob,

    maybe this is related to known issue NC-68595 on https://docs.sophos.com/releasenotes/index.html?productGroup. Check the prerequisites, and even when they do not match 100% it might still be the issue ...

    Regards,
    BeEf

  • Hi Nilesh

    Thanks for the reply

    msync.log is empty

    In the applog.log: cannot be configured when interface not in Administration Port list

    I would configure the HA without QuickHA, but it only works with a dedicated HA Port

    - 1000 Mbps - Full Duplex

    Will check for ifconfig, but I only configured the WAN Port and Port 5 for the Admin Access. I wanted to use Port 8 for HA

  • If you use QuickHA, which Ports do you use to "start the process?" 

    Because QuickHA will use the port you are currently connecting on to start QuickHA, and also the IP you are currently logged in to on the second appliance.

    So for example, if you are logged in on PortA via 172.16.16.16:4444 on Aux, and the Primary has 172.16.16.16 on PortA as well, it does not work. 

    It also needs to be the same port in terms of access to the Webadmin for this process to work. 


  • Sign in to the web admin console of the auxiliary Sophos Firewall from Port A, and go to Network > Interfaces. Make sure the IP address of Port A is in same subnet as Port A of primary Sophos Firewall.

    For example, if Port A of the primary node is 192.168.3.254/24, then Port A of the auxiliary node can be 192.168.3.253/24. However, it cannot be 172.16.16.16/24

    In this example, we will configure Port A as the peer administration port. So, Port A of the auxiliary node must be in same subnet as Port A of the primary node. If it isn't, Quick HA won't work, and the following error appears in /log/syslog.log on the primary node.

    Validation Failed For Ha interface IP.

    I would request you to double check this link: Quick HA Setup

    -----------------------

    Thanks & Regards,

    Nilesh Mojidra


  • It's now working, reset all my Interfaces and started from scratch.

    Disabled Port 1 on both devices and configured my Access Port for WebAdmin on Port 5.

    Now it's working like a charm.

    I think the Problem was the different subnet.

    Thanks for the hints

    Best Regards

    Manuel
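
The peer administration port rules described in the replies above (same port on both nodes, same subnet, different addresses) can be checked before starting QuickHA. This is an added example, not part of the original thread and not Sophos tooling; the function name, the dictionary layout and the sample interface tables are assumptions, constructed from the addresses mentioned in the posts.

```python
import ipaddress


def check_quickha_admin_port(primary, auxiliary, admin_port):
    """Return a list of findings; an empty list means the pair passes.

    primary / auxiliary: dicts mapping port name -> "address/prefix"
    (hypothetical layout, e.g. copied by hand from Network > Interfaces).
    admin_port: the port used to reach the web admin console on both nodes.
    """
    missing = [name for name, cfg in (("primary", primary),
                                      ("auxiliary", auxiliary))
               if admin_port not in cfg]
    if missing:
        # The same port must be usable for web admin access on both nodes.
        return [f"{admin_port} is not configured on: {', '.join(missing)}"]

    p = ipaddress.ip_interface(primary[admin_port])
    a = ipaddress.ip_interface(auxiliary[admin_port])
    findings = []
    if p.network != a.network:
        # Case from the thread: 192.168.3.254/24 vs 172.16.16.16/24.
        findings.append(
            f"{admin_port}: auxiliary {a} is in a different subnet "
            f"than primary {p}")
    elif p.ip == a.ip:
        # Case from the thread: both nodes on 172.16.16.16.
        findings.append(
            f"{admin_port}: both nodes use the same address {p.ip}")
    return findings


if __name__ == "__main__":
    # Constructed sample data based on the addresses quoted in the thread.
    primary = {"PortA": "192.168.3.254/24"}
    cases = {
        "ok": {"PortA": "192.168.3.253/24"},
        "other subnet": {"PortA": "172.16.16.16/24"},
        "same address": {"PortA": "192.168.3.254/24"},
        "port missing": {"PortB": "192.168.3.253/24"},
    }
    for label, aux in cases.items():
        result = check_quickha_admin_port(primary, aux, "PortA")
        print(f"{label}: {result or 'passes'}")
```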