Cannot set the "preferred primary device"

Hello LeonardoM ,

Thank you for reaching out to the community, refer the Updating HA devices.

Good morning Vivek Jagad ,

thank you for your answer but this is not what I am looking for. It is not about updating the clusters but set the preferred primary node in the HA clusters.

Best regards,

Leonardo

Hello  LeonardoM ,

Ideally, the active device is the one which is able to sync the license with the Sophos Server/Licensing Portal. 

You may validate the master/active device using the below command from the advanced shell:

nvram get '#li.master'

If it says; "yes", you should be able to sync the license from this and the license should exist on the same appliance at the portal.

If it says no, which means the auxiliary device is master/active and new licenses can only be synced from that device. At the same time, the license should exist on this device over the customer portal.

You may refer below KBA to understand more about licensing part:
https://support.sophos.com/support/s/article/KB-000038005?language=en_US#whathighavailability

Also, refer below KBA to transfer the license over to the user portal.
https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/HighAvailablityStartupGuide/HALicenseTransfer/index.html

Hello  LeonardoM ,

Ideally, the active device is the one which is able to sync the license with the Sophos Server/Licensing Portal. 

You may validate the master/active device using the below command from the advanced shell:

nvram get '#li.master'

If it says; "yes", you should be able to sync the license from this and the license should exist on the same appliance at the portal.

If it says no, which means the auxiliary device is master/active and new licenses can only be synced from that device. At the same time, the license should exist on this device over the customer portal.

You may refer below KBA to understand more about licensing part:
https://support.sophos.com/support/s/article/KB-000038005?language=en_US#whathighavailability

Also, refer below KBA to transfer the license over to the user portal.
https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/HighAvailablityStartupGuide/HALicenseTransfer/index.html

Good morning,

thank you for your answer, I think you misunderstood my problem. My HA clusters are correctly configured and I have no issues related to them.

The problem I have is just related to a HA preference. In System Services > High Availability > Preferred primary device, I cannot set my masters, in both my clusters, as preferred nodes. If I try to do it, and I click on "Save", the error message that I get is "Couldn't update HA".

Thank you and have a nice day!

Best regards,

Leonardo

Hi LeonardoM: I am suspecting the bridge interface has been selected under Peer administration settings in your HA.

Can you please confirm under "Peer administration settings" any bridge interface has been selected in your current HA settings? If yes then you are as of now impacted by the known issue NC-114932. You may use the mentioned workaround and post that you may update the required settings in HA.

Reference: doc.sophos.com/.../index.html

Hello Vishal_R ,

thank you for your answer. Actually, I have no Peer administration settings configured:

Thank you and have a nice day!

Best regards,

Leonardo

Hi LeonardoM In that case we may need to check CSC debug and applog to confirm more during an error time when you are trying to update HA settings. Can you please log a support case to have a further investigation on the same, if a case is already open then please share the case ID for reference here?  

Hi Vishal_R ,

I already opened a support case with the following ID: 06358412. I will keep you updated.

Thank you and have a nice day!

Best regards,

Leonardo

Hi LeonardoM  Thanks for sharing the case ID. let me review the case status and add a note over there.

Hi LeonardoM  I have reviewed the collected logs and below is the observations.

Applog.log

Mar 23 14:07:20Z apiInterface:entityjson::::::::system::updatehaconfiguration=HASH(0xbaed410)
Mar 23 14:07:20Z Info:: Transaction will not be rolled back for opcode updateha. If any operation fails, request is part of multiple request :
Mar 23 14:07:20Z updateha: begin!
Mar 23 14:07:20Z
checkPortIsValid called !
Mar 23 14:07:20Z updateha: updateha failed !!!
Mar 23 14:07:47Z apiInterface:: Deleting Entity and Event for legacy mode base operation
Mar 23 14:07:47Z Request type = 1

postgres.log
8288 2023-03-23 14:07:20.269 GMTERROR: list_interface:::Invalid ipfamily:<NULL>
8288 2023-03-23 14:07:20.269 GMTSTATEMENT: select count(*)::INT as count from list_interface($1,false,$2) where ipassigntype in($3,$4) and interface=$5

CSC Debug logs:

DEBUG   Mar 23 14:07:20Z [worker:8250]: # OPCODE Called: 'updateha'DEBUG   Mar 23 14:07:20Z [worker:8250]: {"response":{"method":"opcode","name":"updateha","version":"1.14","type":"text","length":46,"data":{ "statusmessage": "failed", "status": "500"

+++

DEBUG     Mar 23 14:07:20Z  [updateha:8250]: do_prep_query: PREPSTMT with ARGS: select count(*)::INT as count from list_interface(?,false,?) where ipassigntype in(?,?) and interface=?
DEBUG     Mar 23 14:07:20Z  [updateha:8250]: get_txid:Transaction ID: 794259
ERROR     Mar 23 14:07:20Z  [updateha:8250]: get_query_status: DB has returned error code: P0001
ERROR     Mar 23 14:07:20Z  [updateha:8250]: get_query_status:Query Error: ERROR:  list_interface:::Invalid ipfamily:<NULL>
CRITICAL  Mar 23 14:07:20Z  [updateha:8250]: csc_prep_query: execute_prepare_query failed for Execute Query.
ERROR     Mar 23 14:07:20Z  [updateha:8250]: do_prep_query: Failed PREPSTMT: 'select count(*)::INT as count from list_interface(?,false,?) where ipassigntype in(?,?) and interface=?'

Were there any changes on any settings on any interfaces which are part of HA  after which you started observing this error? 

can you post an ifconfig and remove sensitive details if needed?

please mark, which is the HA interface

collect that from both nodes (login ssh to the other node)

eventually both nodes have different network settings

Hello Vishal_R ,

thank you for your answer. I did not make any configuration change anywhere.

Thank you and have a nice day!

Best regards,

Lately I have not been able to update/change the HA settings until I set an IPv4 address in the "Peer Management Settings".

Possibly a bug, but after setting the IP it always worked.