
SG-330 High Availability

Hi All:

I have a SG-330 running latest firmware 9.601-5. I have a second SG-330, new in box. I am looking at implementing HA (failover, not active-active).

First, are there any downsides of doing HA? Or would I be better to leave the spare in the box (guessing not, but...).

Should I fire up the spare HA, not connected to anything first? To burn in?

To do HA, do I just connect the second box interfaces into the network? (I have five interfaces connected, one of which is a trunk going to a Cisco switch doing VLANs.) Then connect the eth3 HA interface between the boxes, and fire up the spare box? Is it that simple?

The spare box hasn't had any updates done to it - is that a part of the HA process? Or should it be updated first?

How long does the process take? Minutes? Hours?

Any best practices or rulz to follow?

Thanks !

John S.



  • Hi John,

    As you described, it is simple. Connect the cables and fire up the box.

    Two things you have to take care of.

    First, make sure HA is configured; it is under Management > High Availability > Configuration. Enable configuration of new devices.

    Second, make sure the version of the new box is not too far away from the existing one.

    The updates will be handled automatically by the UTM, but if the box is on a very old release it's better to start with a new ISO.

    After powering on, a sync process starts and then you have an HA setup, active/passive or hot standby. Don't know which wording is preferred by Sophos.

    If something goes wrong, HA won't be activated and you can solve the problem.

    The sync process doesn’t take hours, but a couple of minutes.

    Give it a try. And the community is a very good place for questions.

    Best regards

    Alex


  • Alex's prescription is the right one. I made the following "cheat sheet" for one of my customers:

    1. If needed, do a quick, temporary install so that the new device can download Up2Dates.
    2. Apply the desired Up2Dates (if possible, stop at 9.605 today (changed 2019-10-01)), do a factory reset and shutdown.
    3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
       a. Enable Hot-Standby
       b. Select eth3 as the Sync NIC
       c. Configure it as Node_1
       d. Enter an encryption key (I've never found a need to remember it)
       e. Select 'Enable automatic configuration of new devices'
       f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
    4. Cable eth3 to eth3 on the new device.
    5. Cable all of the other NICs exactly as they are on the original UTM.
    6. Power up the new device and wait for the good news. [;)]

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks.

     

    I've got the second SG-330 connected to a PC and to an unused static IP on our external network connection. When I powered up the box, it shows it's on firmware 9.308.

    After connecting to an internet connection, the dashboard shows 41 updates available. When I go to Up2Date, it says the firmware is up to date and no downloads available. I tried both manually, and automatically (letting it sit for several days). I've tried rebooting the box, no change.

    From the second SG, I can ping www.google.com, etc. So it appears the internet connection and DNS are both working.

     

    Ideas?

    Thanks,

     

    John S.

  • Instead of Up2Dating from that far back, John, just go to UTM Support Downloads and download the appropriate ssi (hardware) ISO and use that to re-image the device. Remember that you don't want to have the new 330 at a newer version than your existing box, so you may need to let it download Up2Dates from 9.415.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks. The current production box is on 9.601-5. I downloaded ssi-9.510-5.1 which was the previous one on the web site. I'll try that tomorrow.

     

    Then should I try and update or let the HA process take care of that?

     

    Thanks.

    John S.

  • It should take care of it, John, but I would have just gotten the 9.601 ISO.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The download site has ssi-9.601-5.1, and the online box shows 9.601-5 (without the ".1"). Didn't know if that made any difference or not, or if the version just doesn't show the ".1".

  • You could take the 9.601-5.1 from the download site. It's the same version.

    BR
    Alex

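The version strings traded in this thread (9.308, 9.415, 9.510-5.1, 9.601-5, 9.601-5.1, 9.605) follow one pattern, and two constraints came up: Bob's, that the new node must not run a newer release than the existing box, and Alex's, that the ISO's 9.601-5.1 is the same release as the installed 9.601-5. The following Python is an added example for checking a candidate standby against the production box before cabling it in; it is not Sophos code and was not posted in the thread. The version grammar (MAJOR.MINOR[-PATCH[.IMAGE]]), the reading of the trailing ".1" as an ISO image revision, and the verdict names are assumptions drawn from the posts, not from Sophos documentation.

```python
"""Pre-flight check for adding a standby node to a Sophos UTM HA cluster.

Added example, not Sophos code. Assumptions (from the thread, not from
Sophos documentation):
  * A version string looks like MAJOR.MINOR[-PATCH[.IMAGE]], e.g. "9.308",
    "9.601-5", or the ISO name "ssi-9.601-5.1".
  * The trailing ".IMAGE" is the ISO image revision and does not change the
    installed release (Alex: 9.601-5.1 is the same version as 9.601-5).
  * A standby that is NEWER than the master is the problem case (Bob);
    an OLDER standby is brought up to date by the cluster during sync (Alex).
"""
import re
from typing import NamedTuple, Optional

# Accepts "9.308", "9.601-5", "9.601-5.1"; the "ssi-" ISO prefix is stripped first.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:-(\d+)(?:\.(\d+))?)?$")


class UtmVersion(NamedTuple):
    major: int
    minor: int
    patch: int             # 0 when absent, e.g. "9.308"
    image: Optional[int]   # ISO image revision; ignored when comparing releases

    @property
    def release(self):
        """The tuple that decides ordering: image revision deliberately excluded."""
        return (self.major, self.minor, self.patch)


def parse_version(text):
    """Parse a UTM version or ssi ISO name into a UtmVersion."""
    text = text.strip()
    if text.startswith("ssi-"):
        text = text[len("ssi-"):]
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised UTM version string: {text!r}")
    major, minor, patch, image = m.groups()
    return UtmVersion(int(major), int(minor), int(patch or 0),
                      int(image) if image is not None else None)


def minor_gap(master, standby):
    """How many MINOR numbers the standby trails (positive) or leads (negative)
    the master by. The thread gives no numeric threshold for 'too far away',
    so this is only reported, not judged."""
    return parse_version(master).minor - parse_version(standby).minor


def ha_pairing_check(master, standby):
    """Verdict for adding `standby` to a cluster whose master runs `master`.

    Returns one of (names are this example's own):
      "standby-newer"  - do not pair; re-image or hold the standby back
      "same-release"   - pair as-is
      "standby-older"  - pair; the cluster Up2Dates the new node during sync
    """
    m, s = parse_version(master), parse_version(standby)
    if s.release > m.release:
        return "standby-newer"
    if s.release == m.release:
        return "same-release"
    return "standby-older"


if __name__ == "__main__":
    # Constructed pairs taken from the versions mentioned in the thread.
    for master, standby in [("9.601-5", "ssi-9.601-5.1"),
                            ("9.605", "9.601-5"),
                            ("9.415", "9.601-5"),
                            ("9.601-5", "9.308")]:
        print(f"master {master:<10} standby {standby:<14} "
              f"-> {ha_pairing_check(master, standby)} "
              f"(minor gap {minor_gap(master, standby)})")
```

Run it before powering on the new node: a "standby-newer" verdict is the case Bob warns about, "standby-older" is the case the thread says the cluster handles itself, and the minor gap shows how far back a box like the 9.308 unit is so you can decide whether re-imaging from an ISO beats letting Up2Date walk it forward.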

  • Hi:

    Well, best laid plans, … Was working on implementing HA, and got busy with other stuff.

    Decided this week would be the time. I got on what is going to be the backup box, reset to factory with the control panel, rebooted and connected.

    Asked some setup info, then got to a "your license has expired", and wanted a license key. Tried a factory reset again, and same thing.

    I had already updated the backup box to 9.601. The operational box is on 9.605.

    Will this present issues? Or just hook the backup box up, connect the HA ports between the two boxes, and go into the on-line box and set it for HA, and let it rip?

     

    I contacted Sophos tech support and they said during the configuration process to not update the backup box, let them come up, then update the backup box? I thought that if they were on different versions, they would update to the same version?

     Ideas, suggestions?

     

    Thanks,

     

    John S.

  • Hi John,

    Why not just follow the steps described above?
    There is no need to connect to the "slave box". Follow the steps of Bob and you'll succeed.

    Best regards

    Alex
