
UTM9 High Availability configuration on VMs booted with ISO

I am using UTM9 for site-to-site SSL VPN functionality, which is working fine with the on-prem installation and AWS. I have to configure HA mode for the on-prem setup. I got another VM booted up with the ISO in the same subnet with the same configuration as the existing one (master). Now I have two VMs in the same subnet booted with the UTM9 ISO, and the SSL VPN is working over the master node. I did all the HA configuration needed on master and slave over the second NIC. The master still shows me in the Syncing state, and the slave node seems to be hung/unreachable now.
I explored further through the documentation but couldn't find anything specific to the configuration of HA mode for UTM 9 on VMs booted with ISO. The document says the appliances should be connected with a crossover cable in the case of UTM appliances. How will HA mode be configured for VMs?


The HA Live log shows the lines below in a loop:

2018:04:27-15:50:42 vmincsp01-2 repctl[8437]: [i] execute(1768): stopped waiting
2018:04:27-15:50:42 vmincsp01-2 repctl[8437]: [i] execute(1768): pg_ctl: could not start server
2018:04:27-15:50:42 vmincsp01-2 repctl[8437]: [i] execute(1768): Examine the log output.
2018:04:27-15:50:42 vmincsp01-2 repctl[8437]: [e] prepare_secondary(352): prepare_secondary: Local db(pg_ctl) start failed
2018:04:27-15:50:42 vmincsp01-2 repctl[8437]: [c] prepare_secondary(360): failed to get database up, waiting for retry
2018:04:27-15:50:42 vmincsp01-2 repctl[8437]: [c] setup_replication(274): setup_replication was not properly executed
2018:04:27-15:50:42 vmincsp01-2 repctl[8437]: [i] setup_replication(278): checkinterval 300
2018:04:27-15:52:09 vmincsp01-1 repctl[8159]: [i] recheck(1057): got ALRM: replication recheck triggered Setup_replication_done = 1
2018:04:27-15:52:14 vmincsp01-1 ha_daemon[7708]: id="38A0" severity="info" sys="System" sub="ha" seq="M: 42 14.116" name="Set syncing.files for node 2"
2018:04:27-15:52:15 vmincsp01-1 ha_daemon[7708]: id="38A0" severity="info" sys="System" sub="ha" seq="M: 43 15.199" name="Clear syncing.files for node 2"

Thanks and Regards,
Jay
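A small triage script for HA Live log lines of the kind quoted above, added here as an example and not part of the original post: it parses the repctl and ha_daemon line formats, tallies error/critical repctl messages per node, and names the node whose local Postgres failed to start. The sample lines are taken from the post; the meaning of repctl's one-letter severity tags is an assumption.

```python
import re
from collections import Counter

# Constructed sample: a subset of the repctl/ha_daemon lines quoted in the post.
SAMPLE_LOG = """\
2018:04:27-15:50:42 vmincsp01-2 repctl[8437]: [i] execute(1768): pg_ctl: could not start server
2018:04:27-15:50:42 vmincsp01-2 repctl[8437]: [e] prepare_secondary(352): prepare_secondary: Local db(pg_ctl) start failed
2018:04:27-15:50:42 vmincsp01-2 repctl[8437]: [c] prepare_secondary(360): failed to get database up, waiting for retry
2018:04:27-15:50:42 vmincsp01-2 repctl[8437]: [c] setup_replication(274): setup_replication was not properly executed
2018:04:27-15:52:09 vmincsp01-1 repctl[8159]: [i] recheck(1057): got ALRM: replication recheck triggered Setup_replication_done = 1
2018:04:27-15:52:14 vmincsp01-1 ha_daemon[7708]: id="38A0" severity="info" sys="System" sub="ha" seq="M: 42 14.116" name="Set syncing.files for node 2"
"""

# Common prefix: timestamp, host, process[pid]: body
LINE_RE = re.compile(r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$')
# repctl body: [severity-letter] function(source-line): message
REPCTL_RE = re.compile(r'^\[(?P<sev>[a-z])\] (?P<func>\w+)\((?P<src>\d+)\): (?P<msg>.*)$')
# ha_daemon body: key="value" pairs
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Assumed mapping of repctl severity letters (not documented on the page).
SEVERITY = {"i": "info", "w": "warning", "e": "error", "c": "critical"}


def parse_line(line):
    """Return a dict of fields for one HA log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["proc"] == "repctl":
        r = REPCTL_RE.match(rec["body"])
        if r:
            rec.update(r.groupdict())
            rec["severity"] = SEVERITY.get(r["sev"], r["sev"])
    elif rec["proc"] == "ha_daemon":
        rec.update(dict(KV_RE.findall(rec["body"])))
    return rec


def triage(text):
    """Count error/critical repctl lines per host and flag hosts whose local Postgres never came up."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    bad = Counter(r["host"] for r in records if r.get("severity") in ("error", "critical"))
    db_failed = sorted({r["host"] for r in records if "Local db(pg_ctl) start failed" in r.get("msg", "")})
    return {"records": len(records), "error_hosts": dict(bad), "db_start_failed_on": db_failed}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```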



  • I don't know how to manually create HA in AWS.  Why not use the 'Conversion Utility' in 'AWS Management'?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • HA is done on AWS with autoscaling and Lambda, so I don't have an issue there.
    HA configuration is required for on-prem VMs booted with the UTM9 ISO. Need help with HA configuration for on-prem VMs.

     

    Thanks and Regards,

    Jay

  • Yes, I read too quickly, Jay.

    Here are the instructions I give to my clients when going to HA:

    1. Do a quick, temporary install so that the new device can download Up2Dates if needed.
    2. Apply the desired Up2Dates (if possible, stop at 9.508 today), do a factory reset and shutdown.
    3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
       a. Enable Hot-Standby
       b. Select eth3 as the Sync NIC
       c. Configure it as Node_1
       d. Enter an encryption key (I've never found a need to remember it)
       e. Select 'Enable automatic configuration of new devices'
       f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
    4. Cable eth3 to eth3 on the new device.
    5. Cable all of the other NICs exactly as they are on the original UTM.
    6. Power up the new device and wait for the good news. [;)]

    If you are loading these two VMs in different physical servers, you may need the prescription offered here four years ago by MrGoodBytes:

    How to resolve issues with Virtual UTMs configured for High Availability:

     1. Log in to the UTM console as root.
     2. Enter the following command to determine if HA virtual_mac is enabled:
             cc get ha advanced virtual_mac
     3. If the output is 1, you can disable it by entering the following:
             cc set ha advanced virtual_mac 0
     4. Restart all virtual UTMs.

    Note that there seems to be an HA bug for some using VMs with 9.509.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA