
Troubleshooting - High-availability

Troubleshoot HA issues.

Using the log viewer

You can use the log viewer to view HA logs. The firewall shows the HA logs under the System module. You can apply a filter to the log component to match on HA.

The image below shows HA logs displayed in the log viewer.

Log entries in the log viewer.

Using the raw log files through SSH

You can find the HA log files in the /log directory through the advanced shell. To access log files through SSH, do as follows:

  1. Log in to the CLI console of the primary device using administrator credentials.
  2. Select option 5. Device Management.
  3. Select option 3. Advanced Shell.
  4. Type: cd /log
  5. Press Enter.
  6. To show the list of logs, type: ls
  7. To view a log, type: cat LOGFILENAME

The table below describes the four relevant log files for HA.

Log file       Description
msync.log      HA synchronization service.
ctsyncd.log    Conntrack synchronization service.
applog.log     HA configuration and status updates.
csc.log        Central service, which manages all services.

Dedicated port failure

If the dedicated port or cable fails, both devices become standalone primary devices and send gratuitous ARP requests (GARPs) to the network switch to take ownership of the virtual MAC address (VMAC). This will likely result in routing issues.

In this scenario, shut down one of the devices and repair the link (assuming the fault isn't in the interface itself). When you start the device again, it detects the primary and takes on the role of the auxiliary.

The example log file entries below show the status change you see when the dedicated link goes down.

Log example on the primary device:

Dedicated port failure log seen on the primary device.

Log example on the auxiliary device:

Dedicated port failure log seen on the auxiliary device.

Defective interface or cable

To verify if a defective interface or cable is causing a failover, review the port status using the dmesg command from the CLI advanced shell, as shown in the image below.

On the CLI, enter the following command: dmesg | grep PortE.

If the port goes up and down, check and correct the speed and duplex settings on both sides of the connection.
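One way to turn the dmesg output for a port into a count of link transitions and the speed and duplex values negotiated each time the link came up. This is an added example, not Sophos code: the igb-style kernel message format, the constructed sample lines, the function names and the flap threshold of 2 are assumptions, so adjust the patterns to what your device prints.

```shell
#!/bin/sh
# Constructed sample of dmesg link messages (assumed igb-style driver format).
sample_dmesg() {
cat <<'EOF'
[  101.220417] igb 0000:03:00.0 PortA: igb: PortA NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
[  812.104233] igb 0000:04:00.0 PortE: igb: PortE NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
[  930.551870] igb 0000:04:00.0 PortE: igb: PortE NIC Link is Down
[  934.002114] igb 0000:04:00.0 PortE: igb: PortE NIC Link is Up 100 Mbps Half Duplex, Flow Control: None
[ 1207.778301] igb 0000:04:00.0 PortE: igb: PortE NIC Link is Down
[ 1211.310996] igb 0000:04:00.0 PortE: igb: PortE NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
EOF
}

# Read dmesg text on stdin and print one summary line for the given port:
#   <port> ups=<n> downs=<n> modes=<distinct speed/duplex values, in order seen>
link_summary() {
    awk -v port="$1" '
        index($0, port) == 0 { next }            # keep only lines naming the port
        /Link is Down/ { downs++ }
        /Link is Up/ {
            ups++
            # Pull "<speed> Mbps <Full|Half> Duplex" out of the Up message.
            if (match($0, /[0-9]+ Mbps (Full|Half) Duplex/)) {
                mode = substr($0, RSTART, RLENGTH)
                sub(/ Mbps /, "/", mode); sub(/ Duplex/, "", mode)
                if (!(mode in seen)) {
                    seen[mode] = 1
                    modes = (modes == "" ? mode : modes "," mode)
                }
            }
        }
        END { printf "%s ups=%d downs=%d modes=%s\n", port, ups, downs, (modes == "" ? "unknown" : modes) }
    '
}

# Classify the port: flapping, check-speed-duplex, or stable.
# FLAP_THRESHOLD (assumed default 2) is the number of Down events treated as flapping.
link_verdict() {
    summary=$(link_summary "$1")
    downs=${summary#*downs=}; downs=${downs%% *}
    modes=${summary#*modes=}
    if [ "$downs" -ge "${FLAP_THRESHOLD:-2}" ]; then echo flapping; return; fi
    case $modes in
        *,*|*Half*) echo check-speed-duplex ;;   # renegotiated to a different or half-duplex mode
        *)          echo stable ;;
    esac
}
```

On a device, pipe the live buffer in instead of the sample, for example `dmesg | link_summary PortE`.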

You can also do the following:

  • Check for packet drops, errors, and collisions on the interface using the ifconfig or show network interfaces commands. See Command line help.
  • Try replacing the cable.

1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link

This issue affects only 1U devices using a FleXi Port as the dedicated HA link. When the first device updates and restarts, the interface speed for the FleXi Port isn't set to auto negotiation. The second device continues to have its interface speed set to auto negotiation and HA is not established.

To resolve this issue, do as follows:

  1. On both devices, go to Network > Interfaces.
  2. Click the FleXi Port interface and go to Advanced settings.
  3. Set the Interface speed for the FleXi Port to Auto negotiation.

Alternatively, you can set a fixed port as the dedicated HA port.

HA could not be enabled

When you configure HA (active-passive) on the primary device, the error message "HA could not be enabled" is displayed when the HA link isn't connected or the auxiliary firewall isn't reachable.

To resolve this issue, do as follows:

  1. Make sure the HA interface link is connected to both devices.
  2. Go to Diagnostics > Tools, and use the ping tool to check that the auxiliary firewall can receive traffic across the HA link.