Splitting a HA pair for a site move - general process?

Hi all

Thanks in advance for your help on this.  I currently have a pair of UTM 9 firewalls (SG230) running in HA configuration.  We are about to move our office to a new location and my thought process is to prepare for this swap-over by removing the current slave unit, placing it in the new location and then setting this up with the new WAN IP details.  When that's all working as expected, we can move all the infrastructure over and then join both UTMs into HA again.

So, my questions are:

1) Is this a viable process?

2) If so, is there a 'divorce' process when removing the slave, or is it just a case of shutting it down and moving it?

3) I think I've identified all the areas where the new WAN IP addresses need to be changed, but are there any specific areas I need to ensure are updated?

4) I assume that, as the VPN client's .ovpn files have the current external IP address in the 'remote' field, we will need to get folks to log back into the web interface and download a new .ovpn file once all is up?

Thanks again for your help, all

Lee



This thread was automatically locked due to age.
  • One possible process could be:

    • Remove one of the units from the HA setup. The removed unit will clear all its configuration and shut down.
      The other unit will continue to run in single-node configuration.
      Note that your old office will have no HA protection after this point.
    • Relocate this unit to the new office and power it on.
      It will come up unconfigured and with the built-in evaluation license valid for 30 days.
    • Depending on your situation (and skill levels) you may now start to configure it from scratch and make it match the infrastructure of the new office, or simply import a backup of the configuration and adapt it.
    • Make sure to avoid collisions when using the same type of resource and addresses. If you, e.g., set up a dyndns or fixed DNS name for the WAN interface of the UTM, it can match either the old or the new office's IP, but not both. The same applies if you, for instance, register a SIP trunk: this can also work only from one of the locations.
    • If everything works swap the WAN IP and move to the new office.
    • Make sure the UTM of the old office is erased and re-join it to the other one. Don't forget to apply your license after that.

    The answer to 4) depends on your ovpn file. If it really has the WAN address as digits, you need to change it. Note that you can have more than one "remote" line in the config, so it is better to add one than to replace the existing one. If you have a (static or dynamic) DNS name there, no change should be required anyway.
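
The check described in the answer to 4), as an added example that is not part of the original replies: a Python script that finds the active `remote` lines in a client profile, tells IP literals from DNS names, and adds a second `remote` line instead of replacing the existing one. The function names, the sample profile and the documentation-range addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample client profile; addresses are documentation-range placeholders.
SAMPLE_OVPN = """\
client
dev tun
proto tcp
remote 198.51.100.10 443
resolv-retry infinite
nobind
# remote 192.0.2.1 443
"""

def is_ip_literal(host):
    """True if the remote host is written as digits rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse_remotes(text):
    """Return (line_index, host, extra_args, is_ip) for each active 'remote' line."""
    found = []
    for i, line in enumerate(text.splitlines()):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":   # comment lines are ignored
            continue
        tokens = stripped.split()
        if tokens[0] == "remote" and len(tokens) >= 2:
            found.append((i, tokens[1], tokens[2:], is_ip_literal(tokens[1])))
    return found

def add_remote(text, new_host):
    """Add a 'remote' line for new_host after the last existing one.

    Only acts when the profile pins an IP literal; a profile that uses a DNS
    name is returned unchanged. Port/proto arguments are copied from the last
    IP-literal remote. Remotes are tried in file order (unless remote-random
    is set), so the old address is attempted first and the new one after it.
    Returns (new_text, changed).
    """
    remotes = parse_remotes(text)
    literals = [r for r in remotes if r[3]]
    if not literals or any(r[1] == new_host for r in remotes):
        return text, False
    lines = text.splitlines()
    new_line = " ".join(["remote", new_host, *literals[-1][2]])
    lines.insert(remotes[-1][0] + 1, new_line)
    return "\n".join(lines) + "\n", True

if __name__ == "__main__":
    updated, changed = add_remote(SAMPLE_OVPN, "203.0.113.20")
    print(updated if changed else "profile uses a DNS name or is already updated")
```
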
