Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HA flop on manual firmware upgrade to 19.5

Hi everyone,

i've this problem, when i try to upgrade the firmware from 19.0.1 to 19.5.0 manually with signature file on XGS136 the firewall cluster start to flot from 

primary - auxiliary to standalone - fault...

This happens only if one of the monitored interface has a DHCP server configured on the firewall....

Has anyone had the same problem?



This thread was automatically locked due to age.
Parents Reply Children
  • Unfortunately appliances are not mine. I was just outsourced for pre-configuration and migration the config from single XG appliance and I don't have access to the cluster now. I'm more than sure Dev Team should be able to reproduce the problem with any two XGS 136 and they don't need the access to customer enviroment.

  • Hello David, Marek,

    There is one suspected area noticed by dev team related to link flapping in XGS appliances.

    Internal ticket is raised (NC-111325) and team is working on it.

    Someone from engineering will contact you to help us verify the fix once it's ready.

    Meanwhile, you can try this workaround for time being (not full proof but can help reduce the probability):

    - Please disable the HA pair and upgrade both the appliances separately to 19.5 and enable HA again.

    - As HA is sensitive to interface up/down event, I suggest to remove "monitoring links" from HA configuration.

    - It will still have possibility of split-brain if dedicated link will up/down randomly. To minimize its probability, I would suggest to increase "keepalive interval" and "keepalive attempts" to MAX value (500ms and 24 respectively).

    Regards,

    Sanket Shah

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • Hello David,

    We had this problem too while updating for a customer. From 6 updates (HA pairs), we had this problem 4 times.

    I want to get updates from your internal ticket, thus I am writing here.

    I have some more updates planned for Sunday. I will let you know how it went. 

    We do not have at ticket at Sophos for the moment. 

  • Hello Facundo,

    Could you please share the Case ID with us.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.