QuickHA High Availability on Sophos XG230 SFOS 18.0.5 MR-5-Build586 cannot be established

Hi everyone, 

today we tried to connect our two XG230 to an active passive HA. First handshake should have worked but sync could not be completed. Error logs on the active device show: 

May 18 18:05:10 HA cannot be configured when Interface Not In Administration Port List.
May 18 18:05:10 ha: pollenableha: enableha failed

Webinterface page for HA shows:

The update as described here: 

https://community.sophos.com/sophos-xg-firewall/f/discussions/126273/quickha-high-availability-on-sophos-xg230-sfos-18-0-4-mr-4-cannot-be-established

and here: 

https://community.sophos.com/sophos-xg-firewall/f/discussions/125184/sophos-xg-330-ha-a-p-validation-failed-for-ha-interface-ip-error/458822#458822

has not helped. 



  • Hi ,

    I got the same problem. Just preconfigured some new Sophos XGs 135 and can't enable HA because of the Administration Port List error.

    Did you manage to get it working?

    Greetings

    Manuel


  • Any error message while enabling the quick HA Mode? Screenshot/Error message

    • HA status (system ha show details from SF console)
    • Output of msync.log file and indicate time issue occurred
    • Output of applog.log | grep ha: for both the appliances
    • Speed/duplex settings on both the appliances for all Interfaces
    • Output of ethtool or ifconfig for all Interfaces

    -----------------------

    Thank & Regards,

    Nilesh Mojidra

    If a post solves your question, use the 'Verify Answer' link.

  • Hi Nilesh

    Thanks for the reply

    msync.log is empty

    In the applog.log: cannot be configured when interface not in Administration Port list

    I would configure the HA without QuickHA, but it only works with a dedicated HA Port

    - 1000 Mbps - Full Duplex

    Will check for ifconfig, but I only configured the WAN Port and Port 5 for the Admin Access. I wanted to use Port 8 for HA

  • If you use QuickHA, which Ports do you use to "start the process?" 

    Because QuickHA will use the port you are currently connecting on to start QuickHA, and also the IP you are currently logged in to on the second appliance.

    So for example, if you are logged in on PortA via 172.16.16.16:4444 on Aux, and the Primary has 172.16.16.16 on PortA as well, it does not work. 

    It also needs to be the same port in terms of access of the Webadmin for this process to work. 

    __________________________________________________________________________________________________________________

  • Sign in to the web admin console of the auxiliary Sophos Firewall from Port A, and go to Network > Interfaces. Make sure the IP address of Port A is in same subnet as Port A of primary Sophos Firewall.

    For example, if Port A of the primary node is 192.168.3.254/24, then Port A of the auxiliary node can be 192.168.3.253/24. However, it cannot be 172.16.16.16/24.

    In this example, we will configure Port A as the peer administration port. So, Port A of the auxiliary node must be in same subnet as Port A of the primary node. If it isn't, Quick HA won't work, and the following error appears in /log/syslog.log on the primary node.

    Validation Failed For Ha interface IP.

    I would request you to double check this link: Quick HA Setup

    -----------------------

    Thank & Regards,

    Nilesh Mojidra

    If a post solves your question, use the 'Verify Answer' link.
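
The port and addressing conditions given in the replies above (same port on both nodes, same subnet, different IPs), written as a pre-flight check. This is an added example, not part of the original thread or of any Sophos tooling; `NodePort` and `quick_ha_precheck` are hypothetical names, and the sample addresses are the ones quoted in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_interface


@dataclass
class NodePort:
    # Hypothetical record: the port used to reach the web admin console
    # on one node when Quick HA is started.
    node: str      # "primary" or "auxiliary"
    port: str      # e.g. "PortA"
    address: str   # CIDR notation, e.g. "192.168.3.254/24"


def quick_ha_precheck(primary: NodePort, auxiliary: NodePort) -> list:
    """Return a list of problems; an empty list means the conditions hold."""
    try:
        p = ip_interface(primary.address)
        a = ip_interface(auxiliary.address)
    except ValueError as exc:
        return [f"invalid address: {exc}"]

    problems = []
    # Both nodes must be administered over the same port.
    if primary.port != auxiliary.port:
        problems.append(f"different ports: {primary.port} vs {auxiliary.port}")
    # The auxiliary port must sit in the same subnet as the primary port.
    if p.network != a.network:
        problems.append(f"different subnets: {p.network} vs {a.network}")
    # The two nodes cannot share one IP (both left on 172.16.16.16 fails).
    if p.ip == a.ip:
        problems.append(f"same IP on both nodes: {p.ip}")
    return problems


if __name__ == "__main__":
    primary = NodePort("primary", "PortA", "192.168.3.254/24")
    # Constructed cases built from the addresses mentioned in the thread.
    for aux_addr in ("192.168.3.253/24", "172.16.16.16/24", "192.168.3.254/24"):
        aux = NodePort("auxiliary", "PortA", aux_addr)
        result = quick_ha_precheck(primary, aux)
        print(aux_addr, "->", result or "OK")
```
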

  • It's now working, reset all my Interfaces and started from scratch.

    Disabled Port 1 on both devices and configured my Access Port for WebAdmin on Port 5.

    Now it's working like a charm.

    I think the Problem was the different subnet.

    Thanks for the hints

    Best Regards

    Manuel