
Nodes out of sync after update

Hello,

I updated our UTM Cluster 1 1/2 weeks ago and kept one node reserved.

Today I wanted to upgrade the second node




which led to the following status after waiting quite some time:



This does not look in sync. What needs to be done in order to have both nodes in sync?

Regards
BeEf



  • Hello

    This state tells you that Node2 is currently updating. Wait until it reboots. Then it will show "SYNCING" for a while (be patient). Then it will change to "READY" and the update of Node2 is done.


    Sophos Gold Partner
    4TISO GmbH, Germany
    If a post solves your question click the 'Verify Answer' link.
  • Thanks. But it seems to be stuck. I started the process 80 minutes ago ...

  • Could you provide the HA logs?

    I just saw that in your first screen there are different versions compared to the second: "9.705-3 -> 9.706-9" vs "9.705-7 -> 9.706-9"


    Sophos Gold Partner
    4TISO GmbH, Germany
    If a post solves your question click the 'Verify Answer' link.
  • ThomW

    Thanks for your answer.

    Before the updates both nodes were 9.705-3. I needed to implement the Exilim Patch.

    I updated the first node 9.705-3 -> 9.706-8 -> 9.706-9. I used this path as I was told that there is currently no update path from 9.705-7 to 9.706.

    With the first node I never did an update to 9.705-7 so I am wondering why the second node is now on 9.705-7 ...

  • Hallo,

    What process did you use to upload the Up2Dates?  Sophos may need to put out an advisory.

    I see u2d-sys-9.705007-706009.tgz.gpg on the FTP site, so you may need to manually download and apply that via the command line.  You'll definitely want to get Sophos Support's agreement.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello BAlfson,

    I uploaded and installed them from the web interface.
    My information was that updating from 9.705007 to 706009 will not be supported. I was also wondering why the upgrade (slave) node did install 9.705007 at all, because I did not use it when upgrading the primary node.

    Is there a way to update the firmware on the slave only and start the syncing Master -> Slave? 

    I already opened a ticket with our partner but no reaction so far. They sent out a newsletter that 9.705007 will be a dead end.

    Best regards,
    BeEf

  • Yes, there is a way to do that at the command line, and I would do that for one of my clients if they were in this situation, but I would get Sophos Support's permission first.

    9.705-7 isn't a dead end as the 9.705007-to-9.70609 Up2Date in my earlier post demonstrates.

    You could always disable HA and Up2Date the Slave separately instead of using the command line to Up2Date in place.  Here're the instructions I give to my clients when they have a node that needs to be RMA'd:

       1. If needed, do a quick, temporary install so that the new device can download Up2Dates.
       2. Apply the Up2Dates to the same version as the current unit, do a factory reset and shutdown.
       3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
           a. Enable Hot-Standby
           b. Select eth3 as the Sync NIC
           c. Configure it as Node_1
           d. Enter an encryption key (I've never found a need to remember it)
           e. Select 'Enable automatic configuration of new devices'
           f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
       4. Cable eth3 to eth3 on the new device.
       5. Cable all of the other NICs exactly as they are on the original UTM.
       6. Power up the new device and wait for the good news. ;-)

    Since you disabled HA before starting the above, 3a was modified for your purposes.

    MfG - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA