
Shutdown one unit in HA setup

Hi!

I want to physically move my UTM boxes (SG310). They run in a HA setup.

My question is - how do I do this with the least amount of downtime?

I'm guessing that I should

1. shutdown (power off) the SLAVE unit (how?)
2. physically move SLAVE unit
3. reconnect all cables to SLAVE unit and power it back on
4. wait for sync
5. make SLAVE unit MASTER (how?)
6. repeat steps 1-3 for new SLAVE unit

Is this the right approach?

Also note my questions regarding shutdown of a single node (SLAVE unit) and switching MASTER role between units. (steps 1 and 5)

Kind regards

Karsten Stolten



This thread was automatically locked due to age.
  • Hi Karsten,

    Your steps are correct so far.

    For step one just go to the appliance and use the front panel to shut down the device. This also applies to step 5.

    Here you just power off the MASTER device after the sync is successful.

    Best Regards
    DKKDG

  • Your steps are OK.

    Within WebAdmin go to "Management / High Availability".

    Here you see both nodes.

    Click shutdown for the slave first.

    After the slave is online again (no longer syncing = state "ready") you can shut down the master from here too.

    The slave becomes your new master.

    Or use the front panel as explained already.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hej Karsten and welcome to the UTM Community!

    I would not do it like that.  My recommendation is:

    1. shutdown (power off) the SLAVE unit
    2. physically move SLAVE unit
    3. reconnect all cables to SLAVE unit and power it back on
    4. wait for sync
    5. shutdown (power off) the current MASTER (the unit not yet moved) and the unit already moved will become MASTER
    6. repeat steps 1-3 for new SLAVE unit

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you dirkkotte - for the detailed steps. Exactly what I needed! ;o)

    Kind regards

    K. Stolten

  • Hi Bob,

    I'm in a similar situation to the above but we're moving to a new datacentre and have a pair of SG450s (UTM 9.605-1) running in an Active-Passive HA configuration that we need to move.

    The new datacenter will use the same IP subnets (internal and external) as the old datacentre. Ideally rather than moving both UTMs in one go we would like to do a test of the new datacentre by moving just one of the UTMs over first, then briefly switch the routing of the internal and external IPs to the new datacentre to ensure everything works okay prior to the final cutover. My question is, is this possible? I'm not clear how this is best achieved (if actually possible). Here would be what I would hope to be able to do:

    1. Shut down UTM2 (currently Slave), leaving UTM1 running (currently Master) in old datacentre.

    2. Move UTM2 to the new datacentre (not currently connected to any network), cable it up (all IPs and subnets are identical), then power it up.

    3. When ready to do our test run we will disconnect the old datacentre from the network, connect the new datacentre to the network, and then route the internal and external traffic to the new datacentre.

    4. Check that all expected connectivity in the new datacentre is working as it was in the old datacentre.

    5. Once testing is completed, disconnect the new datacentre from the network, reconnect the old datacentre and switch the routing back to the old datacentre. Leaving UTM2 in the new datacentre.

    6. When ready to do the final cutover to the new datacentre, power down UTM1, move to new datacenter and cable back up including reconnecting HA cable.

    7. Power up UTM1 and let the UTMs sync.

    8. Disconnect old datacentre. Switch all routing to new datacentre.

    Does this sound feasible? UTM1 and UTM2, while in separate datacentres, will not have any HA connectivity as only one datacentre will ever be live on the network at any one point. I guess the questions are:

    - Would UTM2 on being powered back up in the new datacentre switch to being a Master as it would no longer have UTM1 connected?

    - Would UTM2 go back to being a slave when UTM1 was moved over to the new datacentre and reconnected exactly as the UTMs were in the old datacentre?

    Being able to test the new datacentre would help de-risk the migration as we don't want to find out there are problems on the final cutover when we bring all the servers over from the old datacentre. Any advice or comments would be gratefully received.

    Thanks,


    Colin

  • If you separate the cluster nodes, this will result in 2 master nodes.
    If you join the node from the old DC to the running master within the new DC, this node becomes slave and the sync process writes data from the new DC node to this node.
    You will lose data/logfiles from the old DC.
    But this should work.


    Dirk

  • Thanks Dirk, that's great.

    So UTM2 will declare itself the Master when UTM1 comes over to join it even though they will still both be Masters?

  • If two SGs get together after both are master, the device with the most uptime is the new master.

    I recommend building the HA connection and then starting the second device.


    Dirk

  • Agreed with Dirk that this should work, Colin.  Just out of an abundance of caution I would probably disable/enable all Interfaces after powering the UTM up in the new DC - I'm not sure what will happen due to the different MAC addresses in the new DC.  Then when bringing the second UTM to the new DC, I would, again, out of an abundance of caution, do a factory reset of that device and power it down before connecting all of the cables.

    Please let us know your results!

    Cheers - Bob

  • Hi @all,

    We are planning to upgrade our HA cluster.

    We are running two Sophos SG 310 in an HA cluster and want to upgrade to two Sophos SG450. Can we also do it like Karsten described:

    1. shutdown (power off) the SLAVE unit (how?)
    2. change SLAVE unit to the new one?
    3. reconnect all cables to SLAVE unit and power it back on
    4. wait for sync
    5. make SLAVE unit MASTER (how?)
    6. repeat steps 1-3 for new SLAVE unit

    Best Regards

    Manuel