
Sophos XG HA Auxiliary device management address

Dear Forum,

I created a new active-passive HA setup which is working flawlessly in terms of basically everything, except one thing, which is the auxiliary device management.
For some reason I am not able to reach it via the aux management IP address. When I created the cluster they had different IP addresses in the same subnet/VLAN (e.g. 172.16.35.254 and 253). On the configuration page I configured the "peer administration setting" where I defined the 172.16.35.253 IP address on the correct interface.
There is no IP address conflict or anything in the network, so I don't understand what is going on and why I am not able to reach this address. If I go through the active device with an SSH session to the aux device I am only able to do that via the HA link IP address, and after that I see the 172.16.35.253 address on the aux device and the device itself can ping that IP address, but no other devices within the same network are able to ping it/reach it.

Version: SFOS 21.0.0 GA-Build169

What do you think?

Thanks



Edited TAGs
[edited by: Erick Jan at 11:15 PM (GMT -8) on 28 Nov 2024]
  • Hi,

    Thank you for reaching out to the community. Can you please share the HA details from the device console:
    # To see the status of HA on the device
    system ha show details

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hi
    Here is the output:

    console> system ha show details
     HA details

     HA status                           |   Enabled
     HA mode                             |   Active-passive
     Cluster ID                          |   0
     Initial primary                     |   CXXXXXXXXXXXXXX (XG_0)
     Preferred primary                   |   No preference
     Load balancing                      |   Not applicable
     Dedicated port                      |   Port5
     Monitoring port                     |   -
     Keepalive request interval          |   250
     Keepalive attempts                  |   16
     Hypervisor-assigned MAC addresses   |   Disabled

     Local node

     Serial number (nodename)            |   VXXXXXXXXXXXXXX (XG_1)
     Current HA role                     |   Primary
     Dedicated link's IP address         |   10.0.0.2
     Last status change                  |   11:10:43 PM, Nov 26, 2024

     Peer node

     Serial number (nodename)            |   CXXXXXXXXXXXXXX (XG_0)
     Current HA role                     |   Auxiliary
     Dedicated link's IP address         |   10.0.0.1
     Last status change                  |   11:10:39 PM, Nov 26, 2024

     Adminstrative settings of auxiliary

     Admin port                          |   LAG_0
     IPv4 address of admin port          |   172.16.35.253
     IPv6 address of admin port          |   -

  • So this is a LAG / LACP interface?

    You'd only be able to manage the primary machine then.

    You could link a free LAN interface of each appliance with your network and then you could access both independently, but then you would need to set up HA again.

    What's the use of accessing the WebAdmin of the HA peer device for you?

    You can already access the peer node via SSH from the first firewall.

  • Thanks for your answer.
    Yes, that's true, I don't need to manage the aux device, but when it comes to monitoring it's necessary to have the IP address for just a simple ping, and yes, I know that if something happens to the aux or primary device it will send notifications and/or I can connect them to Sophos Central, but I have to monitor the current aux device as well via that IP address.
    The interesting thing is that I had the same deployment with SFOS v20 and with LAG and I was able to reach it through that management IP address.
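The thread comes down to two things a monitoring engineer needs from `system ha show details`: which node currently holds which role (and the HA link IP each node answers on), and what the auxiliary's admin port and IP are, since the reply above points out that an admin port on a LAG may leave the aux IP unreachable from the LAN. The following is an added example, not Sophos code and not code from anyone in the thread. It parses the console output in the format posted above (the sample is constructed from that post, serials masked as in the original), derives the monitoring targets, and classifies a probe result for the aux admin IP. The status labels and the `reachable` parameter are my own assumptions; the probe itself (ICMP or TCP connect) is injected so the logic runs offline.

```python
# Constructed sample: the `system ha show details` output posted in the
# thread, with serial numbers masked exactly as in the original post.
SAMPLE_OUTPUT = """\
console> system ha show details
 HA details

 HA status                           |   Enabled
 HA mode                             |   Active-passive
 Cluster ID                          |   0
 Initial primary                     |   CXXXXXXXXXXXXXX (XG_0)
 Preferred primary                   |   No preference
 Load balancing                      |   Not applicable
 Dedicated port                      |   Port5
 Monitoring port                     |   -
 Keepalive request interval          |   250
 Keepalive attempts                  |   16
 Hypervisor-assigned MAC addresses   |   Disabled

 Local node

 Serial number (nodename)            |   VXXXXXXXXXXXXXX (XG_1)
 Current HA role                     |   Primary
 Dedicated link's IP address         |   10.0.0.2
 Last status change                  |   11:10:43 PM, Nov 26, 2024

 Peer node

 Serial number (nodename)            |   CXXXXXXXXXXXXXX (XG_0)
 Current HA role                     |   Auxiliary
 Dedicated link's IP address         |   10.0.0.1
 Last status change                  |   11:10:39 PM, Nov 26, 2024

 Adminstrative settings of auxiliary

 Admin port                          |   LAG_0
 IPv4 address of admin port          |   172.16.35.253
 IPv6 address of admin port          |   -
"""


def parse_ha_details(text):
    """Split the console output into {section: {field: value}}.

    Lines containing '|' are 'field | value' rows; any other non-empty line
    (apart from the echoed command prompt) starts a new section.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("console>"):
            continue
        if "|" in line:
            field, _, value = line.partition("|")
            sections.setdefault(current, {})[field.strip()] = value.strip()
        else:
            current = line
            sections.setdefault(current, {})
    return sections


def _find_section(sections, needle):
    """Case-insensitive substring lookup so header spelling does not matter."""
    for name, fields in sections.items():
        if name and needle.lower() in name.lower():
            return fields
    return {}


def monitoring_targets(sections):
    """Derive what a monitoring system should poll for this HA pair."""
    local = _find_section(sections, "local node")
    peer = _find_section(sections, "peer node")
    aux = _find_section(sections, "settings of auxiliary")
    admin_port = aux.get("Admin port", "")
    return {
        "ha_enabled": sections.get("HA details", {}).get("HA status") == "Enabled",
        "local_role": local.get("Current HA role"),
        "peer_role": peer.get("Current HA role"),
        "peer_link_ip": peer.get("Dedicated link's IP address"),
        "aux_admin_port": admin_port,
        "aux_admin_ip": aux.get("IPv4 address of admin port"),
        "aux_admin_on_lag": admin_port.upper().startswith("LAG"),
    }


def assess_aux_reachability(targets, reachable):
    """Classify the probe outcome for the auxiliary admin IP (labels assumed).

    `reachable` is the result of whatever probe the monitor uses; injecting
    it keeps this function testable without network access.
    """
    if targets["aux_admin_ip"] in (None, "-"):
        return "no-aux-admin-ip"
    if reachable:
        return "aux-admin-ip-reachable"
    if targets["aux_admin_on_lag"]:
        # The symptom described in the thread: admin port is a LAG interface
        # and the aux LAN IP does not answer. Poll the aux through the primary
        # (SSH to the HA link IP) rather than expecting the LAN IP to respond.
        return "aux-unreachable-lag-admin-port"
    return "aux-unreachable-investigate"


if __name__ == "__main__":
    targets = monitoring_targets(parse_ha_details(SAMPLE_OUTPUT))
    print(targets)
    print(assess_aux_reachability(targets, reachable=False))
```

Run against a live pair, the `reachable` argument would come from the monitor's own probe of `aux_admin_ip`; when the classification is `aux-unreachable-lag-admin-port`, the `peer_link_ip` value is the address the primary can still reach the aux on, which matches the SSH path the OP already uses.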

