
Missing Heartbeat - HA nodes showing different computers

Just wondering, I have a 19.5.3 HA cluster.

Node 1 shows 5 computers with missing heartbeat. 2 are over 100 days old.

Now after switching HA nodes manually (Node 2 manually rebooted first) Node 2 shows only 3 computers, all are older than 100 days.

None of the 3 computers did appear on the list of Node 1.

Heartbeat is advertised as synchronized security. Why does each HA node hold its own individual bad Heartbeat list?

  • With the latest reboot of the nodes and HA failover, this could again be seen.

    We can read that the HB DB is synced 1:1 between the nodes. How can it happen that you switch the HA node and it proves that each node holds its own "missing heartbeat" entries?

    Now these zombies will not disappear.

  • Missing heartbeat data is not synced between HA nodes. This behaviour has been the same from day one of the missing heartbeat feature. It does not impact any policy enforcement, as after switchover the EP traffic without heartbeat will not be allowed because of the FW rule, even though the EP is not reported as missing on the Aux node.

  • What sense does it make then that this missing HB information is stored on the aux node at all?

    It's only causing confusion when you see a device that may not even exist any more, and you need Support to get rid of it by altering the sqlite3 DB.

  • One more reference: community.sophos.com/.../any-way-to-kick-computer-heartbeat-sessions-on-xg

    You have a missing HB of computer A on PRI.

    You fail over to AUX.

    Computer A has missing HB on AUX.

    Computer A fixes the missing HB and has green HB on AUX.

    You retire computer A and remove it from the network.

    The next HA failover goes to PRI.

    Computer A is shown with HB missing on PRI until Sophos Support manipulates the sqlite3 DB.

  • Even more reference: Remove non-existing Clients from missing heartbeat list

    This should no longer be ignored. I filed 2 Feature Requests today towards our SE.

    What is it good for that only GES Support can remove such computers, and why should this not be synced on the H/A Cluster? I'd be happy to learn a valid reason.

    Support Case: 07094205 / get rid of clients showing with missing heartbeat on firewall dashboard 

    Feature Request:
    Sync missing Heartbeat status in H/A cluster

    Allow Firewall administrator to delete Hosts with missing Heartbeat status


    1.    Sync missing Heartbeat status in H/A cluster
    We see no advantage of storing only the MISSING heartbeat on each firewall HA node individually while the rest is synced cluster-wide. Not even regular Support was aware of this situation.
    Missing Heartbeat should be fully synced between the H/A cluster nodes.


    2.    Allow Firewall administrator to delete Hosts with missing Heartbeat status
    Only Sophos Support can delete hosts with status missing heartbeat from the sqlite database. That situation arises when hosts that do not exist in Sophos Central anymore and have been decommissioned (no longer exist) still have a status of Heartbeat missing on the Sophos Firewall. It should not require a support case (that goes up to GES) to delete something that may happen in everyday work. The Firewall administrator should be able to delete those missing Heartbeat computers in the GUI or with regular CLI commands, and this deletion must then be automatically synced H/A cluster-wide -> see first FR.
    Only Sophos Support can delete hosts with status missing heartbeat from the sqlite database. That situation arises when hosts that do not exist in Sophos Central anymore and have been decommissioned (no longer exist) still have a status of Heartbeat missing on the Sophos Firewall. It should not require a support case (that goes up to GES) to delete something that may happen in everyday-work. The Firewall administrator should be able to delete those missing Heartbeat computers on GUI or with regular CLI commands and this deletion must then be automatically synced H/A cluster-wide -> see first FR.