
HA (Active/Passive)

Hi guys, I came here because Balfson asked me to. I was in the wrong forum for this question, so this is the beginning post of the whole situation:

https://community.sophos.com/products/unified-threat-management/f/general-discussion/110121/do-the-utm-9-5-will-lost-the-ethernet-connection-if-the-license-goes-out-of-time

 

I'm trying to set up an HA Active/Passive solution. It wasn't the first goal for solving the last issue, but when I noticed what I can do with this, I supposed I could use my current hardware (I am in the middle of a hardware substitution) as the passive one and the new hardware as the active one. I have to tell you the old hardware is different from the new one; both are physical servers with UTM 9.5 software with the newest firmware, and the whole configs are already on both of them. I made all the config from scratch.

The passive server is going to serve only in the meantime while we can solve the failovers, not to be permanent!

 

So, the questions are:

Can I do "Active/Passive HA (Hot Standby)" in my situation or not, and if I can't, why not?

If I can, I am going to use only the current licensing; I do not need another one! Am I correct?

 

Thanks in advance



This thread was automatically locked due to age.
  • Hola Luis,

    You can do HA with your existing license, but I think this is a different question.  In your other thread (link above), I understood that you were working on a new configuration on the new server, but that the holidays had caused you to not finish configuring before the 30-day license expired.  If you don't want to delete the new configuration, you can't put the new server into HA with the old one.

    I'm not sure what the licensing requirements are, but I think you may be able to apply your current license to the new box to enable you to continue to configure it.

    Have I misunderstood?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, you didn't misunderstand anything. My bad, I mixed two different subjects.

    OK, you said:
    "If you don't want to delete the new configuration, you can't put the new server into HA with the old one."

    If I understood correctly, in case I put the new server with the old one, all the config is going to be erased?

    a) Why is that?
    b) No matter if it is the same config and the same firmware?
    c) Is it about the difference between the HW?

    I intend to keep all the config equal on both servers, or even better, I don't care if we lose something as long as I can keep the internet connection, just that!

    Thanks

  • It's that your new device must not be configured at all and will require a factory reset.  The only important thing about the hardware is that you have the same number of NICs and that you know how they are numbered eth0, eth1, etc.

    Here's my standard approach to setting up Hot-Standby:

    1. If needed, do a quick, temporary install so that the new device can download Up2Dates.
    2. Apply the desired Up2Dates (if possible, stop at 9.509 today), do a factory reset and shutdown.
    3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
       a. Enable Hot-Standby
       b. Select eth3 as the Sync NIC
       c. Configure it as Node_1
       d. Enter an encryption key (I've never found a need to remember it)
       e. Select 'Enable automatic configuration of new devices'
       f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
    4. Cable eth3 to eth3 on the new device.
    5. Cable all of the other NICs exactly as they are on the original UTM.
    6. Power up the new device and wait for the good news. ;)

    Is that where you wanted to go?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
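
Added example, not part of the post above and not Sophos tooling: a pre-flight check for the one hardware requirement the post names (same number of NICs, known ethN numbering, and the eth3 sync NIC present on both boxes). It assumes you have shell access to each server and have captured the output of `ip -o link show` on both; the two captures embedded here are constructed samples.

```shell
#!/bin/sh
# Added example: compare the NIC inventory of two nodes before pairing them for HA.

# Constructed sample captures of `ip -o link show` (not taken from the thread).
CURRENT_UTM='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN'
NEW_SERVER='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN'

# Print the ethN interface names found in `ip -o link show` text, one per line.
nic_names() {
  printf '%s\n' "$1" |
    awk -F': ' '{ sub(/@.*/, "", $2); if ($2 ~ /^eth[0-9]+$/) print $2 }' |
    sort -u
}

# Return 0 only if both nodes expose the same ethN names and the sync NIC
# (third argument, eth3 in the post) exists on both of them.
ha_nic_preflight() {
  pf_a=$(nic_names "$1")
  pf_b=$(nic_names "$2")
  pf_rc=0
  if [ "$pf_a" != "$pf_b" ]; then
    echo "NIC mismatch: current=[$(echo $pf_a)] new=[$(echo $pf_b)]"
    pf_rc=1
  fi
  for pf_list in "$pf_a" "$pf_b"; do
    if ! printf '%s\n' "$pf_list" | grep -qx "$3"; then
      echo "sync NIC $3 is missing on one node"
      pf_rc=1
    fi
  done
  return $pf_rc
}

# The constructed new server has only three NICs, so the check fails here.
if ha_nic_preflight "$CURRENT_UTM" "$NEW_SERVER" eth3; then
  echo "NIC layout matches; safe to cable eth3 to eth3"
else
  echo "Fix the NIC layout before enabling Hot-Standby"
fi
```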
  • I think I understood the basic process the first time I read it; what I didn't understand is the repercussions of doing it.

    This is what I supposed it would be:
    a) Configure my new HW as the active and the old HW as the passive (remember they are servers, they are not appliances from the brand).

    b) Wire the two servers to the router to have an internet connection at the same time. About this, I assumed the passive will not go online because it is the passive server!!

    c) Choose the local NIC for the sync Ethernet.

    d) The whole process would be transparent for users and devices, so I don't need to do anything else but repair the main server and put it to work again while the passive keeps everything working.

    Why do I need to do a factory reset? I am not comfortable with that part.

    I have no trouble with keeping both servers configured. I know it is more work to do, but it doesn't matter; I know it will be that way because they are different HW, which makes sense to me.

    At this point I need to ask whether it is possible or not to have that behavior with the two servers I have?

    Thanks for all!

  • For automatic setup, the new device must not have any configuration other than the factory-delivered configuration that you had after you loaded the new server with the UTM software from DVD.  If you've already partially configured the new UTM, High Availability cannot be configured.

    Once the new UTM has been synced by the current UTM (READY - READY), you can make the new UTM the Master (ACTIVE) by rebooting the old UTM which will be the new Slave (PASSIVE) after it's rebooted.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • OK, I think right now I'll pass, but I'm going to finish the new server and put it to work the old-fashioned way, and after that set up the HA solution. At that point, in that order, it would be OK!!

    Thanks for everything