Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 7 subscribers
  • Views 1444 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Problems with RMA-replaced UTM in HA

hagman_01

Backstory: In our remote office, one of two SG310 appliances had broken down (probably for electrical reasons) and would not boot back into the HA cluster.

Thanks to Sophos support, we tried to boot teh firmware from a USB stick, which at least looked like a complete boot according to the LCD display, but we still did not get HA back: The dead node was previously deleted from the master and master was configured to auto-detect new devices, so the freshly installed node should have been detected and brought into HA. As this did not happen, we initiated a replacement through support.

Today, the replacement arrived, we hooked it up and waited - but again nothing happened. After some hours, we went through the display and made a factory reset - no change. Before bothering support once again, I'd like to know if someone here has expereinced someting like this. I feel like we somehow overlooked something totally stupid.

What we do observe (by flipping through the LCD display):

  • Firmware version is 9.705, as is master
  • HA Config is set to "Not a HA device" and apparently this cannot be changed. Not sure if this is expected in this state and would change only after a successful sync.
  • eth0 seems to be set to 192.168.0.1/24 as expected for a new device. However, I cannot ping this address (from a Windows PC configued with an 192.168.0.x address - our standard LAN is in the 10.*.*.* range). It does not even do ARP resolution!
  • The LAN switch sees practically no traffic on the port connected to eth0. It did not even learn a MAC address for that port


This thread was automatically locked due to age.
Parents
  • 0

    Have you gone through the initial configuration on the replacement UTM?  From past experience it won't start syncing until you get past the screen that asks for organization name, location, email etc.

  • 0 in reply to fish123

    We've had similar experience from before we learned how auto-snycing new devices works.

    Unfortunately, even doning the initial configuration was has not been possible yet: IP 192.168.0.1 seems not to respond, and doing the config vie LCD display is not something I'll try by phone directions to only a "layperson" available on-site right now. This may be something we try, however, when one of us admins visits the site next week. As of now and until controlled by someone more qualified, it may very well turn out to be a very facepalm-y fault at work

    I'll keep y'all informed

  • 0 in reply to hagman_01

    It'll be interesting to hear the end of the story.

    For others that might find this thread, here's what I give to my clients:

    1. If needed, do a quick, temporary install so that the new device can download Up2Dates.
    2. Apply the Up2Dates to the same version as the current unit, do a factory reset and shutdown.
    3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
        a. Disable and then enable Hot-Standby
        b. Select eth3 as the Sync NIC
        c. Configure it as Node_1
        d. Enter an encryption key (I've never found a need to remember it)
        e. Select 'Enable automatic configuration of new devices'
        f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
    4. Cable eth3 to eth3 on the new device.
    5. Cable all of the other NICs exactly as they are on the original UTM.
    6. Power up the new device and wait for the good news. Wink

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to hagman_01

    The story continues:

    Turns out we could not get any further with accessing the UTM, not even via a cross-over cable and laptop 192.168.0.2 -> 192.168.0.1

    Out of curiosity, we tried the USB stick firmware reinstall that was formerly suggested to us by support for the original appliance (see original post). This finally produces something reachable, but also explained why we were out of luck back then: The image turned the appliance into an XG instead of SG and it is hardly surprising that these won't do HA together well.

    Right now, we are trying to bring back an SG image, but that seems to be harder than first thought. Still work in progress.

Reply
  • 0 in reply to hagman_01

    The story continues:

    Turns out we could not get any further with accessing the UTM, not even via a cross-over cable and laptop 192.168.0.2 -> 192.168.0.1

    Out of curiosity, we tried the USB stick firmware reinstall that was formerly suggested to us by support for the original appliance (see original post). This finally produces something reachable, but also explained why we were out of luck back then: The image turned the appliance into an XG instead of SG and it is hardly surprising that these won't do HA together well.

    Right now, we are trying to bring back an SG image, but that seems to be harder than first thought. Still work in progress.

Children
No Data
Unfiltered HTML