
HA flop on manual firmware upgrade to 19.5

Hi everyone,

I have this problem: when I try to upgrade the firmware from 19.0.1 to 19.5.0 manually with the signature file on an XGS136, the firewall cluster starts to flop from primary - auxiliary to standalone - fault...

This happens only if one of the monitored interfaces has a DHCP server configured on the firewall...

Has anyone had the same problem?



  • I met exactly the same issue last week. What's more interesting, the auxiliary/passive appliance booted with the non-active image 18.5.4.
    The workaround was to disable the HA, upgrade the auxiliary appliance to 19.5.0 manually and set up the cluster from scratch.

  • Hello Marek,

    Thank you for contacting the Sophos Community.

    Did you, by any chance, create a Ticket for this? If so, do you mind sharing it?

    I believe DEV might be interested in taking a look at your device. Would it be possible to share the Access ID to your device via PM?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Unfortunately, the appliances are not mine. I was just outsourced for pre-configuration and migration of the config from a single XG appliance, and I don't have access to the cluster now. I'm more than sure the Dev Team should be able to reproduce the problem with any two XGS 136, and they don't need access to the customer environment.

  • Hello David, Marek,

    There is one suspected area noticed by dev team related to link flapping in XGS appliances.

    Internal ticket is raised (NC-111325) and team is working on it.

    Someone from engineering will contact you to help us verify the fix once it's ready.

    Meanwhile, you can try this workaround for the time being (not foolproof, but it can help reduce the probability):

    - Please disable the HA pair, upgrade both appliances separately to 19.5, and enable HA again.

    - As HA is sensitive to interface up/down events, I suggest removing "monitoring links" from the HA configuration.

    - There will still be a possibility of split-brain if the dedicated link goes up/down randomly. To minimize its probability, I would suggest increasing "keepalive interval" and "keepalive attempts" to the MAX value (500ms and 24 respectively).

    Regards,

    Sanket Shah


    Director, Software Development, Sophos Firewall

  • Hello David,

    We had this problem too while updating for a customer. From 6 updates (HA pairs), we had this problem 4 times.

    I want to get updates from your internal ticket, thus I am writing here.

    I have some more updates planned for Sunday. I will let you know how it went. 

    We do not have a ticket at Sophos for the moment.
