Advisory: Sophos Endpoint - "Your connection isn't private." We're aware of a certificate issue and are actively working to resolve it. Please see: KB-000045954 for the latest updates.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM HA node stuck in RESERVED state

Hey there,

I have a active passive UTM-Cluster which got configured by an external.

The second node is configured to be reserved after a fw-update and was there reserved at 9.710 since the upgrade to 9.711.

In the meantime the active node got updated to 9.711 and on monday to 9.712. After the update to 9.712 I recognized that the slave node is in reserved state and I wanted to upgrade it to the latest state, but it only got updated to 9.711 and came back up in reserved state.

If I now trigger it to update to the latest version it shows the following in the HA log:

2022:09:07-08:39:21 fw-extern-1 ha_up2date[31269]: starting system up2date to '9.712012'
2022:09:07-08:39:21 fw-extern-1 ha_up2date[31269]: No up2date path to '9.712012', try to fix it 
2022:09:07-08:39:21 fw-extern-1 ha_up2date[31269]: calling /sbin/audld.plx --types=sys --ha-override --proxy
2022:09:07-08:39:21 fw-extern-2 ha_proxy[4959]: Connect (file descriptor 5): node1 []
2022:09:07-08:39:22 fw-extern-2 ha_proxy[4959]: Request (file descriptor 5): CONNECT HTTP/1.1
2022:09:07-08:39:22 fw-extern-2 ha_proxy[4959]: No proxy for
2022:09:07-08:39:22 fw-extern-2 ha_daemon[4441]: id="38A0" severity="info" sys="System" sub="ha" seq="M:  222 22.106" name="Node 1 changed state: RESERVED(4096) -> UP2DATE(256)"
2022:09:07-08:39:22 fw-extern-2 ha_proxy[4959]: Established connection to host "" using file descriptor 7.
2022:09:07-08:39:22 fw-extern-2 ha_proxy[4959]: Not sending client headers to remote machine
2022:09:07-08:39:33 fw-extern-2 ha_proxy[4959]: Closed connection between local client (fd:5) and remote client (fd:7)
2022:09:07-08:39:33 fw-extern-2 ha_proxy[29206]: Connect (file descriptor 6): node1 []
2022:09:07-08:39:33 fw-extern-2 ha_proxy[29206]: Request (file descriptor 6): CONNECT HTTP/1.1
2022:09:07-08:39:33 fw-extern-2 ha_proxy[29206]: No proxy for
2022:09:07-08:39:33 fw-extern-2 ha_proxy[29206]: Established connection to host "" using file descriptor 7.
2022:09:07-08:39:33 fw-extern-2 ha_proxy[29206]: Not sending client headers to remote machine
2022:09:07-08:39:35 fw-extern-2 ha_proxy[29206]: Closed connection between local client (fd:6) and remote client (fd:7)
2022:09:07-08:39:35 fw-extern-1 ha_up2date[31269]: calling /sbin/auisys.plx --types=sys --upto 9.712012
2022:09:07-08:39:35 fw-extern-1 ha_up2date[31269]: done (auisys has gone into the background)

And then nothing happens anymore until I click the reboot button for this machine in the webadmin which leads to a reserved state in 9.711 again.

Unfortunately I am not able to ssh into the slave machine and push the gpg files to it, as I don't have the former SSH password for it as the configuration was done by an external. I habe changed the loginusers ssh password at the active machine, but it does not sync to the reserved one.

Has somebody a clue how I can fix this? Maybe there is a possibility to sync the gpg file 9.711 to 9.712 to the reserved node without ssh into it?

Thanks in advance for every help provided and best regards


This thread was automatically locked due to age.
Parents Reply Children
  • Hello Vivek Jagad,

    Thank you for your reply. For this I think I need physical access to the UTM, which is not ideal. I will first contact the external guy which did the initial configuration. Maybe he can provide me the ssh password.

    Best regards


  • Hello Vivek Jagad,

    I reached out to the external guy and he still got the loinusers and root users SSH passwords, so I was able to connect to the reserved machine and copy the files over. Then I was successfully able to do the upgrade process and everything is fine now.

    Thanks for your hints!

    Best regards