FAQs - High availability
See the answers to the most frequently asked HA questions.
Can the initial primary be a passive device?
Yes. The initial primary device can be the active or the passive device.
How do I verify which HA device owns the licenses?
Web admin console: Go to System services > High availability and see the High availability status section.
Under the device that owns the licenses, you'll see "Initial primary. Holds license for the cluster."
CLI: Do as follows:
- Enter 5 for Device management and enter 3 for Advanced shell.
- Enter the following command:
    nvram get "#li.master"
- You'll see the license status as follows:
  - On the initial primary device, which carries the licenses:
      YES
  - On the device you configured as auxiliary:
      NO
When should I disable HA?
You must disable HA before you do any of the following tasks:
- Reimage an HA device.
- Replace an HA device.
- Transfer licenses from one HA device to the other, for example, if you've assigned the licenses to the auxiliary in active-passive HA and must now assign them to the primary.
The SSH tunnel established between the HA devices' dedicated HA links is based on a one-time passphrase. After the secure tunnel is established, the passphrase is deleted. An SSH tunnel can only be established with a new device if you disable HA and reconfigure it.
How do I RMA a firewall that's part of an HA cluster and uses Sophos Central Synchronized Security?
You must remove the cluster from Sophos Central management before returning the device as part of the RMA process.
When you receive the new firewall, you must re-register the new HA cluster in Sophos Central. This process will remove conflicts with the license and serial number synchronization if the old device is still registered in Sophos Central.
Can I use the dedicated HA link for HSRP?
You can't use the dedicated HA link for Hot Standby Router Protocol (HSRP) because HSRP hello messages can't transit through it.