SG-330 High Availability

Hi All:

I have a SG-330 running latest firmware 9.601-5. I have a second SG-330, new in box. I am looking at implementing HA (failover, not active-active).

First, are there any downsides of doing HA? Or would I be better to leave the spare in the box (guessing not, but...).

Should I fire up the spare HA, not connected to anything first? To burn in?

To do HA, do I just connect the second box interfaces into the network? (I have five interfaces connected, one of which is a trunk going to a Cisco switch doing VLANs.) Then connect the eth3 HA interface between the boxes, and fire up the spare box? Is it that simple?

The spare box hasn't had any updates done to it - is that a part of the HA process? Or should it be updated first?

How long does the process take? Minutes? Hours?

Any best practices or rulz to follow?

Thanks !

John S.

  • Well, the HA now appears to be working. But not without several calls to Sophos support, two remote sessions - one of which was over 1-1/2 hours. And multiple hours, after hours. 

    Also, per Sophos, the procedure to implement HA seems to be different as shown in this kb  

    This KB has the steps, which, in addition to above, you have to log onto the slave box and configure HA on it before things will work. And to be able to get onto it, the box has to have a valid license. 

    Before seeing this KB, I tried all sorts of things to get it to work following the sage advice of those on this group. After updating to the latest firmware, when attempting to set up HA, the slave box would attempt to sync up, then throw an error, set itself back to factory default and power off. 

    Then after the online chat with Sophos, they said try a different port for the HA. Same results.

    Another call to Sophos, and they emailed back with the KB with the different procedure, and tried that. Set up the slave box so I could log on, and it said the license was expired, even though it had not expired. After 5 or more attempts to get it to take the license, it finally took. 

    I set up the slave box per the instructions (no change needed to the master), applied, and then plugged in all the cables, identical to the master, along with the HA connection.

    It tried to come up, however on the status screen on the master, it showed the slave as being on 9.602 (I think). The master was on 9.605. Previously I had updated the slave to the same version as the master. And the LCD display on the slave box showed 9.605.

    On the status it showed the slave as updating, but stuck there. After letting it run 45+ minutes, I again called Sophos support. After listening to happy music for 18 minutes, got someone. He did a remote session, then I got him shell access.

    He went through the boxes, initially didn't see anything. We rebooted the slave box, came back up, and still trying to update. 

    He then connected to the slave device, and after all kinds of looking around, found the database on it was corrupted. He went through a bunch of PostgreSQL commands, deleted the database and rebuilt it. 

    Rebooted again, and it showed the slave on 9.605, and syncing. After a few minutes it showed all as OK.

    As a note, I had a constant ping to the master box, and to two external sites, one on the internet, and one through a VPN, and through the entire process, none ever dropped. 

    This last call was nearly 2 hours. And the person knew what he had to do. Nothing I would ever even think about doing.

    Don't know if this was an anomaly or what. 


    Some comments on Sophos tech support:

    I tried to submit a help request through the Sophos web page. It would never work. Kept coming back to the page where you put in your user info.

    I tried the online chat, but that was of little use. 

    On the phone, I was dropped three different times. The music on hold would stop, and thought someone was coming on, but just silence. On the first call, when the license was expired, they transferred me to licensing, and after several minutes of music, silence. Called back, pressed buttons, got to licensing, and they were very helpful and sent me a license file, after probably 10 minutes on hold.

    When I did get through on the phone, once, took 15 minutes, another 18 minutes.

    The persons helping me, the three times I called, were in Asia/Pacific.

    After the first call, I got an initial email back saying the case was being handled by the Asia/Pacific region and their work times were 3 pm - 11 pm M-F. And asked if I wanted the case transferred to a different region. Because I didn't want to impact users during the work day, I wanted to do this after 4:30 pm central.

    Now, particularly the second person last Friday afternoon, knew what he was doing, and was in the Asia/Pacific region.


    John S. 

  • John, did you complete the survey about your experience with Support, or should we link upper management to your comments below?

    Cheers - Bob
    PS I understand that there are now some SGs being delivered with 'Automatic configuration' not selected by default, but that hasn't been the case with 330s, or did you see that it wasn't selected when you first looked? I suspect your entire problem was the broken PostgreSQL database.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi oh learned one.


    I did complete the survey. The last person certainly knew his stuff. But getting through to Sophos was a pain. And, possibly because it was not a flashing red light emergency, they parked it with one physical area and one time zone. 

    But, was disconcerting that the on-line "open a ticket" didn't work, and tried with different browsers. And got dropped multiple times on the phone.

    When I was doing the updates on the slave box, quite honestly didn't look at HA. In retrospect, should have. But, oh well. 

    John S. 

  • Have had HA running fine for several months.

    Yesterday did the first firmware update on the HA setup.

    Went very smooth. I had a constant ping to the internal IP of the HA cluster, and to,

    It did the update to the standby box, then rebooted it, and then switched traffic over to the second box. It missed two pings to the internal address and three to the

    Then updated the former main box, rebooted it, synced things and put it into the standby mode. 

    So, doing updates with the HA went very smooth.


    John S.