
Replacement of a failed HA node

Good Morning,

One of our nodes in a HA cluster failed. The cluster is/was running on firmware 9.706-9.

Found this KB Article regarding the replacement: https://support.sophos.com/support/s/article/KB-000035374?language=en_US


This describes what I need to do:

5. Restoring HA after receiving an RMA'd device.
 

  1. From the primary node, remove the failed node by selecting remove node.
  2. Ensure that the primary node’s configuration has the appliance selected as the preferred primary.
  3. On the auxiliary node to be added Eth3 should be already configured for Automatic Configuration. If not then you may want to do a factory reset and then follow the steps below:
    • Access the appliance, configure the HA operation mode for Automatic Configuration.
  4. Connect the appropriate cables to match the primary configuration along with the interface to act as the HA link.

Syncing should now begin with the connected appliances.


Isn't it necessary to put the same firmware on the replaced firewall first?
Besides doing a backup is there anything not described that needs to be taken care of? For example regarding licensing ...
As far as I can see there will be no switch during the process. Is that right (would probably kick out a lot of remote users which I want to prevent; failover test will be done during a time when there is much less traffic).

Regards,
BeEf



  • Hallo,

    Here're the instructions I give to my clients:

         1. If needed, do a quick, temporary install so that the new device can download Up2Dates.
         2. Apply the Up2Dates to the same version as the current unit, do a factory reset and shutdown.
         3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
             a. Disable and then enable Hot-Standby
             b. Select eth3 as the Sync NIC
             c. Configure it as Node_1
             d. Enter an encryption key (I've never found a need to remember it)
             e. Select 'Enable automatic configuration of new devices'
             f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
         4. Cable eth3 to eth3 on the new device.
         5. Cable all of the other NICs exactly as they are on the original UTM.
         6. Power up the new device and wait for the good news. ;-)

    I do not recommend the use of 'Preferred primary'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA