Splitting a HA pair for a site move - general process?

Question

Hi all 
 
 Thanks in advance for your help on this. I currently have a pair of UTM 9 firewalls (SG230) running in HA configuration. We are about to move our office to a new location and my thought process is to prepare for this swap-over by removing the current slave unit, placing it in the new location and then setting this up with the new WAN IP details. When that's all working as expected, we can move all the infrastructure over and then join both UTMs into HA again. So, my questions are: 
 1) Is this a viable process? 
 2) If so, is there a 'divorce' process when removing the slave, or is it just a case of shutting it down and moving it? 
 3) I think I've identified all the areas where the new WAN IP addresses need to be changed, but are there any specific areas I need to ensure are updated? 
 4) I assume that, as the VPN client's .ovpn files have the current external IP address in the 'remote' field, that we will need to get folks to log back into the web interface and download a new .ovpn file once all is up? 
 
 Thanks again for your help, all 
 
 Lee

Alan Brand · Answer

One possible process could be: 
 
 Remove one of the units from the HA setup. The removed unit will clear all its configuration and shut down. The other unit will continue to run in single-node configuration. Note that your old office will have no HA protection after this point. 
 Relocate this unit to the new office and power it on. It will come up unconfigured and with the built-in evaluation license valid for 30 days. 
 Depending on your situation (and skill levels) you may now start to configure it from scratch and make it matches the infrastructure of the new office or simply import a backup of the configuration and adapt it. 
 Make sure to avoid collisions when using the same type of resource and addresses. If you i.e. set up a dyndns or fixed dns name for the WAN interface of the UTM it can match either the old or the new office's IP, but not both. Same if you for instance register a SIP trunk, this can also work only from one of the locations. 
 If everything works swap the WAN IP and move to the new office. 
 Make sure the UTM of the old office is erased and re-join it to the other one. Don't forget to apply your license after that. 
 
 The answer to 4) depends on your ovpn file. If it really has the WAN address as digits you need to change it. Note that you can have more than one "remote" lines in the config, so better add it than replacing. If you have a (static or dynamic) DNS name there, no change should be required anyways.

Vivek Jagad · Answer

But the passive appliance will not have any license, and with no license the modules of the firewall will not work, hence not a feasible idea ! In a HA Active-Passive cluster, it runs on the primary one license, so in the times of a failover all the config including license will be transferred from active to passive !

Vivek Jagad · Answer

My bad, but here is the guide that illustrates the difference between the two deployment - Sophos UTM: Set up High Availability in Hot-Standby (Active-Passive) or Cluster (Active-Active) mode . 
 Cluster (active-active) mode 
 In this mode, both nodes are actively handling traffic. This mode allows for increased throughput in your UTM environment since all nodes are doing their share of the workload. 
 Hot Standby (active-passive) mode 
 In this mode, there is a primary node that is handling all of the traffic. The other node is ready and waiting to take over should the primary fail. This mode allows for HA but without the performance gain. Due to the way the Sophos UTM is licensed, this is a very attractive deployment since only the active node needs to be licensed. In a virtual deployment, it is not required to purchase the UTM hardware. It is therefore almost a given that if there is enough virtual infrastructure, it is recommended to configure an active-passive pair.

Splitting a HA pair for a site move - general process?

Top Replies