Hi!I am currently operating two Sophos UTM behind a router which is running great.
For redundancy reasons I now want to add another pair to operate in HA mode.
The issue: All UTM's use the SAME Interface MAC when switching to HA mode.
I can manually adjust the virtual MAC (Interface > Hardware) but after some times it's automatically chaning back to default.
Now I have two Sophos UTM (pairs in HA mode) with the same virtual MACs - my router & network of course doesn't like this.
I found an old article that it seems chaning the virtual MAC is no supported in HA mode.
Is there any solution / workaround available?
Hallo Patrick and welcome to the UTM Community!
Reading between the lines, I guess that you are in Cluster mode, not Hot-Standby - correct?
Are both clusters in the same subnet?
Cheers - Bob
no, they are in Hot Standby (Active-Passive).
Both have one interface in the same (DMZ) Subnet - this is the conflicting subnet since both Interfaces have the same MAC.
Cheers - Patrick
Hey P4TR1CK V3LT3 ,Can you share a screenshot of the High Availability status , configuration, and under the interface & routing > Interfaces > Hardware !
Thanks & Regards,_______________________________________________________________
Vivek Jagad | Team Lead, Global Support & Services
Sophos Community | Product Documentation | Sophos Techvids | SMSIf a post solves your question please use the 'Verify Answer' button.
Let me clarify - you have TWO PAIRS of UTM, each of them in HA mode?
By any chance did you commission the second pair using a backup of the configuration of the first pair to save typing?
We did so and ran into the same trouble and also some other issues (i.e. not being able to register both in the SUM).
Sophos support came up with the recommendation to- break up HA- manually set different MACs for at least the ports sharing the same uplink (we did it for all).- setup HA again.
Quite an effort but then HA took over the manually set IPs.
Yes correct, I have TWO UTM, each in HA mode (total of 2x2).
The second pair has configured with an configuration import of the first pair – have not found a way to just import/export the definitions and have many devices, networks etc. configured there.
I already tried to break up HA, but I did not manually adjust the default MAC because it is already different – not sure if I should still manually change it to trigger some sort of „overwrite“ in the background or so?!
Here are some screenshots, the error and behavior is reproducible.
HA disabled. Both UTM’s have different MAC Addresses for all Hardware Interfaces.
Screenshot 2: Now enable HA
Screenshot 3: Enabling HA has automatically enabled the virtual MAC addresses in Interfaces > Hardware.
This is now a MAC conflict, since the virtual MAC addresses at the left are similar to the virtual MAC addresses at the right.
I now have manually adjusted all 6 virtual MAC addresses. They are now unique.
After some time, the virtual MAC addresses automatically fall back to the initial/wrong address, causing a conflict again (duplicate).
I have now tried this two times and every time the same fallback to the wrong virtual MAC happens. Whatever I manually enter in the virtual MAC address, it does not stay and reverts back. I were not able to find out when it fall back, feels like it reverts back after 1 hour or so but not instantly.
the HA Config is:
The HW Interfaces - with the MAC Conflicts (right side and left side are identical!)
Patrick, you said that you "did not manually adjust the default MAC" - does that mean that the MACs into the DMZ the same on both HA pairs? I think you must disconnectthe slave and then manually set the MAC on both Master and Slave. It might be necessary to break HA before changing the MACs.
the physical MACs are different everywhere at all UTMs.
Once I enable HA, the virtual MACs are defaulting to the same virtual MACs, causing a conflict.
If I then change the virtual MAC manually, it will not stay. After some time, the virtual MACs revert back to "default".
See above Screenshot 3. As soon as I enable HA, the virtual MAC will get automatically set to "00:1a:8c:f0:7a:60" at both eth0's.
I then manually change the virtual MAC to "00:1a:8c:f0:7a:70" at UTM1 and "00:1a:8c:f0:7a:80" at UTM2 - reference Screenshot 4. Hoewever, it does not stay like this. After some time, the MACs automatically resetting to "00:1a:8c:f0:7a:60" at all appliances.
So for whatever reason, the virtual MACs are always getting changed back to "00:1a:8c:f0:7a:60" no matter what I do.
I have the impression that "00:1a:8c:f0:7a:60" is a default virtual MAC for HA's and all appliances are resetting to this MAC in HA Mode.
this sounds exactly like the issue we had.
Reason is that with the import of the configuration some internal parameters (most notably the ASG_ID, a long hex number which is stored in /etc/asg) have been the same on both pairs.
If you set up HA and then change the MAC of an interface the change will not persist. It'll last up to 20 minutes - just long enough to make you happy and let the consultant go - and then revert to "automatic" values maybe derived from the database or the ID.
What we had to do was
I was now following the steps you've mentioned.
Unfortunately this did not solve the issue.
Any other idea is highly appreciated.