Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 5 subscribers
  • Views 3076 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Migrating from Astaro ASG 525 to Sophos SG 210

Luc Baurant

Hello,

 

We are in the process of migrating from an Astaro ASG 525 Appliance, to a cluster of 2 Sophos SG 210 appliances.

I first made sure they have the last Firmware and pattern version on all systems. They are now on V 9.408-4.

I made a backup from the old Appliance, having checked the "Unique site data " option so it would be removed.

But when I try to restore the backup file to the one of the new Appliances (I tried with both with same results) I immediately loose the ethernet ports and, obviously loose the connection to the Appliance.

The only solution I found (so far) to get it back, is to do a "Factory reset" on the new Appliance.

Any idea ? Am I forgetting something ? Or are the two appliances (525 and 210) somehow incompatible ?

 

My apologies if I double post, but I haven't found the exact same issue anywhere else.

 

Thx for your help.

 

Luc.



This thread was automatically locked due to age.
  • 0

    Hi, Luc, and welcome to the UTM Community!

    You're making this more complicated than it needs to be.  Unless you need to change the host name of the UTM or you want to change all of the certificates, start with a full backup from the 525.  Load that onto one of the two new 210s, leaving the other one off and completely unconfigured - if you've configured it at all, do a Factory Reset from the front panel and power it off.

    In the running 210, make the needed changes in 'Management >> High Availability'.  Cable the other 210 identically to the first one, connect the sync interfaces of the two units and then power the second unit on.  The unit you configured will take over the second unit as its Slave and will sync the configuration to it.

    You used the word "Cluster" in your description.  If you want an Active-Active setup, you will need to modify the license so that it is for two nodes - that will reduce the length of the subscription by half.  If you want an Active-Passive (the second unit only does work when the first one fails and the second unit takes over as the new Master), you do not need to modify your license.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    Thanks for your reply. I'm afraid I didn't make myself clear.

     

    I'm doing it exactely the way you describe. But you say : "start with a full backup from the 525.  Load that onto one of the two new 210s". Well, that is precisely the part that's not working. As soon as I start to load the backup to one of the new 210, its NIC freezes (both led's turn off) and I loose the connection to it.

    I join a screenshot where it hangs when I restore the backup file to the 210.

     

    (Percentage may vary with each attempt, it's sometimes more.)

    At that point, all NICs seem to be deactivated. The only way to get them back is to do a factory reset. Well, not exactly all NICs. The only one that still "lives" is E3/HA. But I'm unable to use it to dialog with the 210.

    Hope this clears things up.

     

    But your reply made me think about another possible solution. Maybe I could do it in a three steps procedure. But I'm not sure this could work. (It depends if I can build a cluster with two different appliances)

    1. Build a cluster with the first 210 along with the old 525. That should copy the configuration to the new 210.

    2. Remove the 525 and leave the first 210 as standalone.

    3. Build the definitive cluster by adding the second 210.

     

    I'm just afraid to "damage" the 525 which is in production as firewall of my company's network. What do you think?

     

    Thanks again for your help. It's highly appreciated.

     

    Luc.

  • 0 in reply to Luc Baurant

    It's not possible to have a 210 and a 525 in the same High Availability group, so that shortcut idea can't work.

    You cannot have any network cables attached to the 210 when you upload the backup. It would probably be a good idea to connect a laptop at this point and confirm that you have the same order of NICs in your 210 as you do in the 525 - they're different enough that I'm a bit paranoid that you might not know which cable to plug in where.  At the command line:

    more </etc/udev/rules.d/70-persistent-net.rules

    Once you've done that and you have it powered up near the 525, power down the 525 and move the Ethernet cables to the 210.  Now you connect all of the Ethernet cables to the second 210, power it up and off it should go.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML