
UTM HA Confusions

I have been using Astaro/Sophos UTM for over 12 years now.  The one thing that confused me was the one step not discussed regarding HA.  There is no information/direction about creation of the 'Slave' node.  Directions always begin with an existing UTM to enable as a Node2 'Slave'.  I have watched YT, read FastVue, different forums, etc. and it seems Node2 was always already built.

By the way, all my experience has been with the Software Appliance UTMs running on old servers.

My first time creating an HA 'Slave' node was to spin up a server with a bootable ISO like any UTM install.  Questions began with the type of install to do, what license to use after the install, etc.  Called Sophos and they sent me a 90-day license.   Bringing up my first HA, the sync actually went the wrong direction, wiping out the 'Production' UTM.   I assume that the 'Slave' had been up longer than the 'Master' node.  Now I always reboot the Node2 'Slave' before patching the cables.

Since this happened, I have always rebooted the Node2 'Slave' before patching the cables, used eth3 as the syncing NIC and used 'Auto-Config' on Node2.

We had a weird event a month ago, where there was an HA rollover and I got a call on Saturday that some computers were not connecting to the network.  Found that the DHCP service was running on the 'Slave' node but DHCP on the 'Master' was not responding to any DHCP requests.   Tried resetting DHCP services and reboots but that did not resolve the situation.  Fixed the problem by setting HA Operation mode to 'Off' so all services were running on Node1, which was 'Master', and reset Node2 to default.      This UTM has the 'Full' option license.

This week I went back to enable HA, browsed to the Node2 WebAdmin and was prompted that the license had expired.   The previous time I had used the Node1 license key.

So what gives?   I thought the 'Slave' node did not require a license when in 'Active-Passive' mode.

What are the proper steps for creating the 'Slave' Node2?

Bob G.  



This thread was automatically locked due to age.
I learned this so long ago, Bob, that I don't remember if there were instructions beyond the Help.  First, you should not have a different license on the Slave.

Here are the instructions I give to my clients on first setting up Hot-Standby (Active/Passive):

   1. If needed, do a quick, temporary install so that the new device can download Up2Dates.
   2. Apply the Up2Dates to the same version as the current unit, do a factory reset and shut down.
   3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
       a. Enable Hot-Standby
       b. Select eth3 as the Sync NIC
       c. Configure it as Node_1
       d. Enter an encryption key (I've never found a need to remember it)
       e. Select 'Enable automatic configuration of new devices'
       f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
   4. Cable eth3 to eth3 on the new device.
   5. Cable all of the other NICs exactly as they are on the original UTM.
   6. Power up the new device and wait for the good news. ;)

Since you already have the Slave at the same software version, I would set 'Operation mode: Off' on the 'Configuration' tab of 'High Availability' on the Master.  This will cause the Slave to do a Factory Reset and shut down.  After the Slave has shut down, start with 3 above.  The "current" unit would be your Master and you would substitute your current eth in place of eth3.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005
MediaSoft, Inc. USA