Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=HA-troubleshooting

Troubleshooting - High availability

Troubleshoot HA issues.

Dedicated port failure

If the dedicated port or cable fails, both devices become standalone primary devices and send gratuitous ARP requests (GARPs) to the network switch to take ownership of the virtual MAC address (VMAC). This will likely result in routing issues.

In this scenario, shut down one of the devices and repair the link (assuming it's not the interface itself). Start the device, it detects the primary and takes on the role of the auxiliary.

The example log file entries below show the status change you see when the dedicated link goes down.

Log example on the primary device:

Dedicated port failure log seen on the primary device.

Log example on the auxiliary device:

Dedicated port failure log seen on the auxiliary device.

Validation Failed For Ha interface IP

If the administration ports of both devices aren't in the same subnet, validation fails, and the following error message appears in /log/syslog.log on the primary device.

Validation Failed For Ha interface IP

Defective interface or cable

To verify if a defective interface or cable is causing a failover, review the port status.

On the Advanced shell, enter the following command: dmesg | grep PortE

Verify the port status.

If the port goes up and down, check and correct the speed and duplex settings on both sides of the connection.

You can also do the following:

  • Check for packet drops, errors, and collisions on the interface using ifconfig or show network interfaces commands. See Command line help.
  • Try replacing the cable.
1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link

This issue affects only 1U devices using a FleXi Port as the dedicated HA link. When the first device updates and restarts, the interface speed for the FleXi Port isn't set to auto negotiation. The second device continues to have its interface speed set to auto negotiation and HA is not established.

To resolve this issue, do as follows:

  1. On both devices, go to Network > Interfaces.
  2. Click the Flexi Port interface and go to Advanced settings.
  3. Set the Interface speed for the FleXi Port to Auto negotiation.

Alternatively, you can set a fixed port as the dedicated HA port.

The 1U devices are as follows:

  • XGS 2100, 2300, 3100, 3300, 4300, and 4500
  • XG 210, 230, 310, 330, 430, and 450
HA could not be enabled

When you configure HA (active-passive) on the primary device, the error message HA could not be enabled is shown when the dedicated HA link isn't connected or the auxiliary firewall isn't reachable.

To resolve this issue, do as follows:

  1. Make sure an Ethernet cable or switch connects the dedicated HA link interface of both devices.
  2. On both devices, go to Network > Interfaces and check if the port shows Connected status.
  3. On the primary device, go to Diagnostics > Tools and use the ping tool to check if you can ping the auxiliary's dedicated HA link port.