

Convert XGS 4500 HA from Active-Passive to Active-Active

Hello all,

I'm in the process of replacing infrastructure hardware and I'm working on additional redundancies.  I'm currently replacing my core switches with an active-active HA pair.  I plan to route all traffic through the firewalls for scanning (North/South, and East/West).  My XGS 4500 HA is currently configured as A-P.  Converting this to A-A should allow me to connect each core switch to each firewall for a fully redundant solution.

My question is whether or not the XGS 4500 HA pair can be converted to A-A without needing a full reconfiguration?  If a reconfiguration is necessary could a backup configuration be used without overriding the A-A setup? Are there any caveats I should be aware of with how the XGS 4500 handles traffic in an A-A configuration?



  • Hi Fizzle,
    recreating HA is not very complicated.
    You remove the slave from HA / remove the HA config and get a standalone device. Now you can configure a new HA as active-active.
    But I think you didn't get more redundancy with this action.
    Active-active HA is primarily for load sharing ... as far as I know.
    You should not get additional wiring options .... please correct me if that is the case ...
    Be aware, with active-active HA, you need all licenses twice.

    Maybe you would like to share your ideas about cabling with us?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • SFOS HA is a full load balancing option in terms of offloading traffic. Your Primary will still be the one appliance accepting all traffic.

    See: https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/HighAvailablityStartupGuide/AboutHA/HAArchitecture/index.html#virtual-mac-address 

    The Primary will get all requests in both scenarios.

    A-A means, you will have to buy another license for your cluster. Is your current solution out of capacity? 


  • Ahhh, this is what I was missing. I'm not out of capacity.  My HA cores can send data simultaneously to whatever they are connected to. My goal was to connect everything together in redundant fashion so there would be no downtime at all in the event of a firewall or core switch going down.  In an A-P configuration the firewalls still have a short amount of downtime as everything is migrated over to the secondary - which is what I was hoping to avoid with the setup I had in mind.

  • You will still have a break while the old connections time out and reestablish through the alternate firewall.

    ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Some/most connections should be statefully migrated to the other appliance during failover.
    We only have some seconds while the IP addresses switch to the other device.


    Dirk



  • The stateful migration will happen in a A/P pair but not in a A/A pair because the second firewall would not know about the original connection.

    Ian


  • OK, thanks. That was new to me. You're right.
    Those who can read have a clear advantage ;)


    Dirk
