
Downtime during HA Active-Passive setup

Hello,

I took over a sophos installation from a previous admin and the way they set it up is bit problematic. We have two UTM SG230 appliances, but one is always kept as offline spare. This makes updates always a pain, especially since we can not be down for any period of time.

Because of that I want to add the secondary UTM as Failover Host. What I absolutely cannot do is bring the network down with it.

So can I add a Failover Partner without a downtime on the current master?

What steps would you suggest I take in what order to get this running as smooth as possible?



  • Hi  

    We would request that you perform the HA configuration during off hours, to be on the safe side.

    The provided configuration link has all the details required to configure HA in Sophos UTM 9.

    https://community.sophos.com/kb/en-us/133642

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • That would be easy. I know how the HA setup works. I have the problem that I have no downtime windows. I wish that was different, but I can't change that for the moment.

    If you tell me it is not possible without downtime I will just leave it for now, but I hoped it was possible.

  • Hi  

    I have confirmed with my team and found out that you can configure HA without any downtime. Please configure the Slave device as per the required HA configuration and verify the Master device HA configuration, put the slave device into the network, make the connection and enable HA from the Master device; it will come up without any downtime for the master device.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hello Christopher and welcome to the UTM Community!

    I agree that it's unlikely that there will be a problem caused by bringing the units into High Availability. In addition to the KB, here's the prescription I gave to a client that had purchased a new SG to use for High Availability:

    1. If needed, do a quick, temporary install so that the new device can download Up2Dates.
    2. Apply the desired Up2Dates, do a factory reset and shutdown.
    3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
       a. Enable Hot-Standby
       b. Select eth3 as the Sync NIC
       c. Configure it as Node_1
       d. Enter an encryption key (I've never found a need to remember it)
       e. Select 'Enable automatic configuration of new devices'
       f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
    4. Cable eth3 to eth3 on the new device.
    5. Cable all of the other NICs exactly as they are on the original UTM.
    6. Power up the new device and wait for the good news. [;)]

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I just switched from single-device to HA. As far as I could tell, all I lost was one ping packet while switching cables.

    Before

    inside switch - UTM1 - Outside router

    After

    Inside switch - UTM1 - Outside switch/Private_VLAN \__ Outside router
    Inside switch - UTM2 - Outside switch/Private_VLAN /

    New unit - Offline

    • I already had a CD of my running firmware. Installed the new UTM using that CD to have matching versions.
    • Copied the config file from the running machine to the new unit to have matching configurations.
    • Configured HA Autoconfigure using port E4
    • Racked the new unit.
    • With unit powered off, connect network cables.

    Outside switch

    • Prepared VLAN with 4 ports UTM1, UTM2, Router, spare port for future monitoring.

    Old unit - Online

    • Configure HA Autoconfigure using port E4
    • Swap cable to use Private VLAN instead of direct-connect.
    • Verify normal traffic using old unit.
    • Boot new unit
    • Watch the HA live log as the new unit boots.

    Synchronization took about 5 minutes.

    Previously, I had configured a spare interface for emergency-access using a direct-connected laptop. This caused both units to show status "Unlinked", but the old unit remained as Master. HA considers a network problem to be occurring if any enabled interfaces are down. So I disabled the unused interface, another Slave Sync occurred, and then the unit went into Active-Standby mode as desired.

    Good luck!
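The two procedures above (Bob's prescription and the single-device-to-HA write-up) share the same pre-conditions: matching firmware on both units, the sync NIC cabled on both sides, every other NIC cabled identically, and no enabled interface left without link, since HA treats an enabled-but-down interface as a network problem and shows "Unlinked" instead of Active-Standby. The following pre-flight check is an added example, not code from the thread or from Sophos; it models the node state as plain Python records with constructed sample data (the interface names, the `example-9.x` firmware string and the `eth5` emergency port are assumptions) so the readiness rules can be evaluated before the new unit is powered on.

```python
"""Pre-flight readiness check for adding a second UTM as a Hot-Standby partner.

Added example: encodes the conditions described in the thread, not any
Sophos API. All device records below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Interface:
    name: str
    enabled: bool   # interface is enabled in the UTM configuration
    link_up: bool   # a cable with link is attached


@dataclass
class Node:
    name: str
    firmware: str
    sync_nic: str
    interfaces: List[Interface] = field(default_factory=list)

    def iface(self, name: str) -> Optional[Interface]:
        return next((i for i in self.interfaces if i.name == name), None)


def check_ha_readiness(master: Node, slave: Node) -> List[str]:
    """Return a list of findings; an empty list means the pair should come up Active-Standby."""
    findings: List[str] = []

    # Both units must run the same firmware (apply Up2Dates before joining).
    if master.firmware != slave.firmware:
        findings.append(f"firmware mismatch: {master.name} runs {master.firmware}, "
                        f"{slave.name} runs {slave.firmware}")

    # The sync NIC must be the same port on both units and cabled on both sides.
    if master.sync_nic != slave.sync_nic:
        findings.append(f"sync NIC differs: {master.name} uses {master.sync_nic}, "
                        f"{slave.name} uses {slave.sync_nic}")
    for node in (master, slave):
        sync = node.iface(node.sync_nic)
        if sync is None or not sync.link_up:
            findings.append(f"{node.name}: sync NIC {node.sync_nic} has no link (not cabled?)")

    # Every other NIC must be cabled and enabled exactly as on the original unit.
    for m_if in master.interfaces:
        if m_if.name == master.sync_nic:
            continue
        s_if = slave.iface(m_if.name)
        if s_if is None or m_if.enabled != s_if.enabled or m_if.link_up != s_if.link_up:
            findings.append(f"{m_if.name}: enable/cabling state differs between "
                            f"{master.name} and {slave.name}")

    # An enabled interface without link makes HA report "Unlinked" instead of
    # Active-Standby; either cable it or disable it before joining.
    for node in (master, slave):
        for i in node.interfaces:
            if i.name != node.sync_nic and i.enabled and not i.link_up:
                findings.append(f"{node.name}: {i.name} is enabled but down; HA will show "
                                f"'Unlinked' until it is cabled or disabled")
    return findings


def build_pair(emergency_enabled: bool, slave_firmware: str = "example-9.x"):
    """Constructed scenario: eth5 is an unused emergency-access port with nothing plugged in."""
    def ifaces() -> List[Interface]:
        return [
            Interface("eth0", True, True),                  # Internal
            Interface("eth1", True, True),                  # External, via the outside switch VLAN
            Interface("eth3", True, True),                  # HA sync link
            Interface("eth5", emergency_enabled, False),    # emergency laptop port, no cable
        ]
    master = Node("utm1", "example-9.x", "eth3", ifaces())
    slave = Node("utm2", slave_firmware, "eth3", ifaces())
    return master, slave


if __name__ == "__main__":
    for enabled in (True, False):
        m, s = build_pair(emergency_enabled=enabled)
        result = check_ha_readiness(m, s)
        print(f"emergency port enabled={enabled}: {result or 'ready for Active-Standby'}")
```

Running it reproduces the situation in the write-up: with the unused emergency port left enabled, both nodes are flagged as heading for "Unlinked"; once that port is disabled the check comes back empty, which is the state in which the Slave Sync completes and the pair settles into Active-Standby.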
