Replacement of a failed HA node

Good Morning,

One of our nodes in an HA cluster failed. The cluster is/was running on firmware 9.706-9.

Found this KB Article regarding the replacement:

This describes what I need to do:

5. Restoring HA after receiving an RMA'd device.

  1. From the primary node, remove the failed node by selecting remove node.
  2. Ensure that the primary node’s configuration has the appliance selected as the preferred primary.
  3. On the auxiliary node to be added, Eth3 should already be configured for Automatic Configuration. If not, you may want to do a factory reset and then follow the steps below:
    • Access the appliance, configure the HA operation mode for Automatic Configuration.
  4. Connect the appropriate cables to match the primary configuration along with the interface to act as the HA link.

Syncing should now begin with the connected appliances.

Isn't it necessary to put the same firmware on the replaced firewall first?
Besides doing a backup, is there anything not described that needs to be taken care of? For example regarding licensing ...
As far as I can see there will be no switch-over during the process. Is that right? (That would probably kick out a lot of remote users, which I want to prevent; the failover test will be done at a time when there is much less traffic.)


  • Hi,

    The licence is included in the backup.

    I install the same firmware and do a factory reset on the new device before rebuilding the cluster.

    Initially I connect only eth3. Eth3 is preconfigured for HA (on most devices).

    There should be no switch-over.


    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hello,

    Having the same firmware on the second appliance that you want to sync is very good practice.

    You should have a recent backup of your configuration OUTSIDE the primary firewall system, just in case ... So download it to a local drive or a USB stick.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks. I did it exactly as described above; it worked well, and it even did a minor firmware update, as the replaced firewall was a little bit behind.

  • Hello,

    Here are the instructions I give to my clients:

    1. If needed, do a quick, temporary install so that the new device can download Up2Dates.
    2. Apply the Up2Dates to the same version as the current unit, do a factory reset and shut down.
    3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
       a. Disable and then enable Hot-Standby
       b. Select eth3 as the Sync NIC
       c. Configure it as Node_1
       d. Enter an encryption key (I've never found a need to remember it)
       e. Select 'Enable automatic configuration of new devices'
       f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
    4. Cable eth3 to eth3 on the new device.
    5. Cable all of the other NICs exactly as they are on the original UTM.
    6. Power up the new device and wait for the good news.

    I do not recommend the use of 'Preferred primary'.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks to everybody. The replacement worked well with the instructions from '5. Restoring HA after receiving an RMA'd device', surprisingly even with a different 9.7 firmware on the replacement.