
Sophos SG125W in HA: no more Webmin, USB restore, physical reset but one firewall runs correctly!

Hi all,

We have two SG125Ws in active/passive HA with 2 ISPs, installed at a remote office and connected to our distant office by IPsec VPN.

Following an ISP change, we changed the IPsec VPN settings to update it. Then the tunnel stopped, which is only normal. But… the firewall has since refused to display the webmin, which cannot be reached on the LAN at its usual IPv4 address. Internet works, the WiFi also, but the VPN tunnel is stopped and our team was blocked.

We have tried many solutions, without success, while SSH mode was disabled on the device:

- try to understand if one of the firewalls had a hardware issue; all diodes had normal status
- restore the last backup from a USB stick (in FAT32 format) on one or the other of the two USB ports, with the backup file renamed to “restore.abf”: impossible to know if the action is successful
- reset the firewalls with the physical button: no result!
- connect a keyboard and a screen and authenticate to the Admin account. The only way to go on was to reset the loginuser and admin passwords in GRUB, connect to the firewall on the command line, and reset it! And afterwards, reconfigure the firewall from scratch.

In summary, it seems to be a fault in active/passive HA mode! The firewalls refuse to be joined. We now need to test if the HA mode can be used again.

But, in active/passive mode, how can we be sure that the second firewall is not the origin of this blocking issue?

Thanks,



  • Salut,

    This is an unusual problem.  If you're running successfully now on one of the SG 125s, try the following:

    1. Login to WebAdmin on the Master and set HA to "Off."  This should cause the Slave to do a Factory Reset and power down.
    2. Once the Slave is down, check that all cables are correctly connected.
    3. On the Master, re-enable Hot-Standby.
    4. Power the Slave node back on and watch the 'High Availability' 'System Status' in WebAdmin to confirm that HA is working.

    If that didn't work, you will want to detach the node and reload it from ISO.  Remember that it must be on the same version as the Master, so don't forget to do a Factory Reset if you've had to do a temporary install to get any Up2Dates loaded on it.

    If all of that failed, you might have a hardware problem and should get a case opened with Sophos Support.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA