I have a pair of SG650s in Active/Standby. The Master works perfectly, but if I initiate a failover to the slave, either via a takeover from the CLI or a reboot of the primary etc., I am unable to contact the new primary (previous slave) via Eth1.
Both devices are connected from Eth1 into a single switch which has the most basic config on those corresponding interfaces. They're both in the same VLAN.
I've updated the devices to the latest firmware, but didn't expect that to resolve the issue.
It's as if the slave never picks up the primary's IP address.
I'm pretty new to the Sophos lineup, but know Cisco ASA failover config really well. I figured it'd be similar, whereby the secondary/slave unit takes over the primary address, but in this instance this doesn't seem to be occurring.
Any ideas as to what the cause could be? I've ruled out faulty NICs on the switch.
Thank you for contacting the Sophos Community!
Try resetting the modem/switch, I suspect the modem/switch is not saving the MAC address of the HA.
The switch is a 3650; the MAC address has an aging time of 300 seconds. If the MAC were not being saved I wouldn't have comms to the primary unit when it was active either, as there is a virtual MAC configured.
Thank you for the follow-up!
Did you have the chance to test after doing the failover?
You didn't put the "HA" interface(s) into a switch, did you?
This has to be direct cabling, with nothing between the two SG devices.
Do you have a message "unlinked" in the display?
Kind regards from Germany,
New Vision GmbH, Germany
Sophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
No, the HA interface is a direct connection between Master and Slave. When checking the status, they show as Active and Ready.
Still sounds like an ARP cache problem, like Emmanuel already suspects.
You write about a virtual MAC, you don't mean you configured one at the switches?
Within the UTM config you can set a virtual MAC address for each individual interface, rather than using the BIA of the physical interface.
Via the WebGUI: Interfaces > Hardware > edit
Yes, I know that, I was just stumbling over your wording.
What if you removed that virtual MAC for a test cycle?
Apologies, wasn't trying to teach you to suck eggs.
I'll try removing the virtual MAC and get back to you.
If you lost the connection after failover ... what happens if the ports on the switch are swapped (or simply pulled briefly)? I saw quite a lot there: defective ports / cables, switch features, misconfiguration, etc. I would switch off the slave for this time.
Sophos Solution Partner since 2003. If a post solves your question click the 'Verify Answer' link.