
Splitting a HA pair for a site move - general process?

Hi all

Thanks in advance for your help on this.  I currently have a pair of UTM 9 firewalls (SG230) running in HA configuration.  We are about to move our office to a new location and my thought process is to prepare for this swap-over by removing the current slave unit, placing it in the new location and then setting this up with the new WAN IP details.  When that's all working as expected, we can move all the infrastructure over and then join both UTMs into HA again.

So, my questions are:

1) Is this a viable process?

2) If so, is there a 'divorce' process when removing the slave, or is it just a case of shutting it down and moving it?

3) I think I've identified all the areas where the new WAN IP addresses need to be changed, but are there any specific areas I need to ensure are updated?

4) I assume that, as the VPN client's .ovpn files have the current external IP address in the 'remote' field, that we will need to get folks to log back into the web interface and download a new .ovpn file once all is up?

Thanks again for your help, all

Lee



  • Hey,

    Thank you for reaching out to the community. Is your HA cluster in an Active-Active or Active-Passive deployment?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Just checked - Active/Passive  :-)

  • Nope, not a viable process: as soon as you disconnect one appliance from the cluster the deployment shifts into standalone. And as active-passive does not load balance, it just acts as a failover when the primary goes down or any of the monitored interfaces fluctuates.

    If you are shifting, shift both together. 


  • Thanks Vivek.  So looking at this a little more, if we do move out the passive device, what you're saying is that we've then got two standalone units.  If this is the case, what's the problem with that?  Ok, it means that any failure of the remaining (now standalone) device in the current office means the WAN goes down, but if we want to minimise potential downtime when the switch-over occurs by getting the new site in a working (albeit standalone) state in advance of the move, surely this is an acceptable risk?

    Thanks

    Lee

  • But the passive appliance will not have any license, and with no license the modules of the firewall will not work, hence not a feasible idea! In an HA Active-Passive cluster, it runs on the primary one's license, so at the time of a failover all the config including the license will be transferred from active to passive!


  • Ok, thanks.  You hadn't mentioned the license issue prior to this and I wasn't aware of that situation.

  • My bad, but here is the guide that illustrates the difference between the two deployments - Sophos UTM: Set up High Availability in Hot-Standby (Active-Passive) or Cluster (Active-Active) mode.

    Cluster (active-active) mode

    In this mode, both nodes are actively handling traffic. This mode allows for increased throughput in your UTM environment since all nodes are doing their share of the workload.

    Hot Standby (active-passive) mode

    In this mode, there is a primary node that is handling all of the traffic. The other node is ready and waiting to take over should the primary fail. This mode allows for HA but without the performance gain.

    Due to the way the Sophos UTM is licensed, this is a very attractive deployment since only the active node needs to be licensed. In a virtual deployment, it is not required to purchase the UTM hardware. It is therefore almost a given that if there is enough virtual infrastructure, it is recommended to configure an active-passive pair.


  • One possible process could be:

    • Remove one of the units from the HA setup. The removed unit will clear all its configuration and shut down.
      The other unit will continue to run in single-node configuration.
      Note that your old office will have no HA protection after this point.
    • Relocate this unit to the new office and power it on.
      It will come up unconfigured and with the built-in evaluation license valid for 30 days.
    • Depending on your situation (and skill levels) you may now start to configure it from scratch and make it match the infrastructure of the new office, or simply import a backup of the configuration and adapt it.
    • Make sure to avoid collisions when using the same type of resource and addresses. If you e.g. set up a dyndns or fixed DNS name for the WAN interface of the UTM, it can match either the old or the new office's IP, but not both. Same if you for instance register a SIP trunk; this can also work only from one of the locations.
    • If everything works swap the WAN IP and move to the new office.
    • Make sure the UTM of the old office is erased and re-join it to the other one. Don't forget to apply your license after that.

    The answer to 4) depends on your ovpn file. If it really has the WAN address as digits you need to change it. Note that you can have more than one "remote" line in the config, so better to add one than replace it. If you have a (static or dynamic) DNS name there, no change should be required anyway.
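As an added example for the ovpn point (not code from the thread, Sophos, or OpenVPN), the script below parses a client profile, classifies each `remote` host as an IP literal or a DNS name, and appends a second `remote` line for the new WAN address next to the old one instead of replacing it. The sample profile and the addresses `203.0.113.10` / `198.51.100.20` are constructed placeholders from the documentation ranges.

```python
"""Add a second `remote` entry to an OpenVPN client profile for a WAN address change.

Added example (not from the thread or Sophos). Hostnames are left untouched
because they can be repointed in DNS; only an IP literal needs a profile edit.
"""
import ipaddress
import re

# Constructed sample profile; the IP is a documentation-range placeholder.
SAMPLE_OVPN = """client
dev tun
proto udp
remote 203.0.113.10 443
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
"""

# Matches a top-level `remote <host> [port] [proto]` directive (not remote-cert-tls etc.).
REMOTE_RE = re.compile(r"^(\s*)remote\s+(\S+)(.*)$")


def is_ip_literal(host: str) -> bool:
    """True if `host` is an IPv4/IPv6 literal, False for a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def remote_hosts(profile: str) -> list[str]:
    """Return the host part of every `remote` directive, in the order OpenVPN tries them."""
    hosts = []
    in_inline = False
    for line in profile.splitlines():
        stripped = line.strip()
        # Skip inline blocks such as <ca>...</ca>; they never carry directives.
        if re.fullmatch(r"<[a-z-]+>", stripped):
            in_inline = True
            continue
        if re.fullmatch(r"</[a-z-]+>", stripped):
            in_inline = False
            continue
        if in_inline:
            continue
        m = REMOTE_RE.match(line)
        if m:
            hosts.append(m.group(2))
    return hosts


def add_remote(profile: str, old_host: str, new_host: str) -> str:
    """Insert `remote new_host ...` directly after each `remote old_host ...` line.

    The old line is kept so clients still connect while the site is on the old
    WAN address; OpenVPN tries remotes in order (unless `remote-random` is set).
    A DNS-name `old_host` is returned unchanged (repoint it in DNS instead), and
    running the function twice does not duplicate the new entry.
    """
    if not is_ip_literal(old_host) or new_host in remote_hosts(profile):
        return profile
    out = []
    for line in profile.splitlines():
        out.append(line)
        m = REMOTE_RE.match(line)
        if m and m.group(2) == old_host:
            # Reuse the original indentation and port/proto suffix.
            out.append(f"{m.group(1)}remote {new_host}{m.group(3)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(remote_hosts(SAMPLE_OVPN))
    print(add_remote(SAMPLE_OVPN, "203.0.113.10", "198.51.100.20"))
```

Once the old office is decommissioned, the stale `remote` line can be dropped from the profile; until then keeping both means a client that has not re-downloaded its profile still reaches whichever site is live.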