
Nodes out of sync after update

Hello,

I updated our UTM Cluster 1 1/2 weeks ago and kept one node reserved.

Today I wanted to upgrade the second node




which led to the following status after waiting quite some time:



This does not look in sync. What needs to be done in order to have both nodes in sync?

Regards
BeEf



This thread was automatically locked due to age.
  • Hallo,

    What process did you use to upload the Up2Dates?  Sophos may need to put out an advisory.

    I see u2d-sys-9.705007-706009.tgz.gpg on the FTP site, so you may need to manually download and apply that via the command line.  You'll definitely want to get Sophos Support's agreement.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello BAlfson,

    I uploaded and installed them from the web interface.
    My information was that updating from 9.705007 to 706009 will not be supported. I was also wondering why the upgrade (slave) node installed 9.705007 at all, because I did not use it when upgrading the primary node.

    Is there a way to update the firmware on the slave only and start the syncing Master -> Slave? 

    I already opened a ticket with our partner but no reaction so far. They sent out a newsletter that 9.705007 will be a dead end.

    Best regards,
    BeEf

  • Yes, there is a way to do that at the command line, and I would do that for one of my clients if they were in this situation, but I would get Sophos Support's permission first.

    9.705-7 isn't a dead end as the 9.705007-to-9.70609 Up2Date in my earlier post demonstrates.

    You could always disable HA and Up2Date the Slave separately instead of using the command line to Up2Date in place.  Here're the instructions I give to my clients when they have a node that needs to be RMA'd:

       1. If needed, do a quick, temporary install so that the new device can download Up2Dates.
       2. Apply the Up2Dates to the same version as the current unit, do a factory reset and shutdown.
       3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
           a. Enable Hot-Standby
           b. Select eth3 as the Sync NIC
           c. Configure it as Node_1
           d. Enter an encryption key (I've never found a need to remember it)
           e. Select 'Enable automatic configuration of new devices'
           f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
       4. Cable eth3 to eth3 on the new device.
       5. Cable all of the other NICs exactly as they are on the original UTM.
       6. Power up the new device and wait for the good news.

    Since you disabled HA before starting the above, 3a was modified for your purposes.

    MfG - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Yes, there is a way to do that at the command line, and I would do that for one of my clients if they were in this situation, but I would get Sophos Support's permission first.

    9.705-7 isn't a dead end as the 9.705007-to-9.70609 Up2Date in my earlier post demonstrates.

    You could always disable HA and Up2Date the Slave separately instead of using the command line to Up2Date in place.  Here're the instructions I give to my clients when they have a node that needs to be RMA'd:

       1. If needed, do a quick, temporary install so that the new device can download Up2Dates.
       2. Apply the Up2Dates to the same version as the current unit, do a factory reset and shutdown.
       3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
           a. Enable Hot-Standby
           b. Select eth3 as the Sync NIC
           c. Configure it as Node_1
           d. Enter an encryption key (I've never found a need to remember it)
           e. Select 'Enable automatic configuration of new devices'
           f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
       4. Cable eth3 to eth3 on the new device.
       5. Cable all of the other NICs exactly as they are on the original UTM.
       6. Power up the new device and wait for the good news. Wink

    Since you disabled HA before starting the above, 3a was modified for your purposes.

    MfG - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data